Privacy Policy

Your privacy matters. This policy explains what data we collect, how we use it, and your rights.

Last updated: June 25, 2026

1. Introduction

IGMsg ("we", "our", "us") is owned and operated by IGMsg. This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you visit our website at igmsg.com or use our services (collectively, the "Service").

By using the Service, you consent to the data practices described in this policy. If you do not agree with our policies and practices, please do not use our Service.

2. Information We Collect

2.1 Information You Provide Directly

When you create an account, we collect:

  • Account details: Your full name, email address, and password (stored as a one-way cryptographic hash - we never see your actual password)
  • Billing information: For paid plans, payment is processed by our payment provider (Stripe). We do not store credit card numbers on our servers; we only retain the last four digits and card brand for reference
  • Communications: If you contact our support team, we keep records of your correspondence

2.2 Instagram Account Data

When you connect your Instagram Professional account via secure OAuth, we receive and store:

  • Your Instagram user ID and username
  • Your Instagram profile picture URL
  • An access token (stored encrypted with AES-256) used to operate the Service on your behalf
  • Public metadata of your posts and reels: media ID, caption, media URL, type, and permalink
  • Comments posted on your media: comment text, commenter's username, and commenter's user ID

We only access data needed to deliver the automation service you configure. We do not access your private messages, stories, or any other data outside the scope of our service.

2.3 Automatically Collected Information

  • Usage data: Log files of DMs sent through the Service - recipient username, delivery status, timestamps, and any error messages
  • Device & browser: IP address, browser type, operating system, device type, and referring URL
  • Analytics: Page views, feature usage, and interactions with our Service

2.4 Cookies and Tracking Technologies

We use cookies and similar tracking technologies to track activity on our Service and store certain information. Types of cookies we use:

  • Essential cookies: Required for authentication, session management, and security
  • Analytics cookies: Help us understand how visitors use our Service
  • Preference cookies: Remember your settings and preferences

You can control cookies through your browser settings. However, disabling essential cookies may limit your ability to use parts of the Service.

3. How We Use Your Information

We use the collected data for the following purposes:

  • To provide and maintain the Service you've signed up for
  • To display your Instagram posts in your dashboard so you can set up automations
  • To send direct messages on your behalf when trigger keywords are detected in comments
  • To provide analytics and delivery reports on your automations
  • To process payments for paid subscriptions
  • To communicate with you about your account, security, and service updates
  • To provide customer support when you contact us
  • To detect, prevent, and address technical issues, fraud, or abuse
  • To comply with legal obligations

We do not sell, rent, trade, or share your personal data or Instagram data with third parties for marketing or advertising purposes.

4. Legal Basis for Processing (GDPR)

If you are in the European Economic Area (EEA), our legal basis for processing your personal data depends on the specific data and context:

  • Consent: You have given us explicit consent to process your data for specific purposes
  • Contract: Processing is necessary to perform our contract with you (delivering the Service)
  • Legal obligation: We are required by law to process certain data
  • Legitimate interest: Processing is in our legitimate business interest and does not override your rights

5. Data Sharing and Disclosure

We only share your information in these limited circumstances:

5.1 Service Providers

We use trusted third-party services to operate our business:

  • Meta/Instagram: To read comments and send DMs on your behalf via their messaging infrastructure. Meta's data policy applies to data they process
  • Stripe: To securely process subscription payments
  • Cloud hosting: Our servers are hosted on secure, industry-standard cloud infrastructure
  • Email service: For transactional emails (account notifications, receipts)

5.2 Government and Law Enforcement Requests

When required to disclose user information by subpoena, court order, or other valid legal process, IGMsg adheres to the following principles:

  • Legal review. We review each request for legality and scope before disclosing any information. Requests that do not meet the applicable legal standard are rejected.
  • Data minimization. We disclose only the minimum information strictly necessary to respond to a legally valid request. We do not provide bulk access to user data.
  • Challenging unlawful requests. Where we believe a request is overbroad, legally deficient, or otherwise unlawful, we will challenge it through appropriate legal channels.
  • User notification. Where legally permitted, we will notify affected users of a request for their information so they have an opportunity to object, unless a court order or applicable law prohibits such notification.
  • Documentation. We maintain an internal record of each request we receive, our response, the legal basis cited, and the data disclosed.
  • Emergency requests. We may disclose information without the steps above only in emergency situations involving imminent risk of death or serious physical injury, consistent with applicable law.

In addition, we may disclose information to protect the rights, property, or safety of IGMsg, our users, or the public as required or permitted by law.

5.3 Business Transfers

If IGMsg is involved in a merger, acquisition, or sale of assets, your data may be transferred. You will be notified of any such change.

6. Data Security

We implement robust security measures to protect your data:

  • All Instagram access tokens are stored using AES-256 encryption at rest
  • Passwords are hashed using industry-standard bcrypt algorithms
  • All data transmission uses HTTPS/TLS encryption
  • Our infrastructure follows security best practices with regular updates and monitoring
  • Access to production systems is restricted and logged

However, no method of transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

7. Data Retention

We retain your data for as long as your account is active. Specific retention periods:

  • Account data: Retained while your account is active
  • Instagram access tokens: Deleted within 30 days of account deletion or Instagram disconnection
  • DM logs: Retained for 12 months for analytics, then anonymized or deleted
  • Payment records: Retained for 7 years for accounting and tax compliance
  • Support correspondence: Retained for 2 years

8. Your Rights and Choices

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you
  • Rectification: Correct inaccurate or incomplete data
  • Deletion: Request deletion of your personal data (right to be forgotten)
  • Portability: Receive your data in a structured, machine-readable format
  • Restriction: Restrict or object to the processing of your data
  • Withdraw consent: Withdraw previously given consent at any time
  • Complaint: Lodge a complaint with your local data protection authority

To exercise any of these rights, contact us at privacy@igmsg.com. We will respond within 30 days.

9. California Privacy Rights (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights:

  • Right to know what personal information we collect and how we use it
  • Right to delete personal information we collect from you
  • Right to opt out of the sale of personal information (we do not sell data)
  • Right to non-discrimination for exercising CCPA rights

10. Children's Privacy

Our Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If you become aware that a child has provided us with personal data, please contact us so we can remove it.

11. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. These countries may have data protection laws different from those of your country. By using our Service, you consent to such transfers.

12. Third-Party Links

Our Service may contain links to third-party websites. We are not responsible for the privacy practices or content of these external sites. We encourage you to review their privacy policies.

13. Data Deletion Requests

You can delete your account and all associated data from your account settings page at any time. Alternatively, email privacy@igmsg.com with your deletion request. We will process deletion requests within 30 days and send a confirmation once complete.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with a new "Last updated" date. For material changes, we will notify you via email or a prominent notice on our website before the changes take effect.

Your continued use of the Service after such changes constitutes acceptance of the updated policy.

15. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: