Privacy Policy

Last updated: May 2026

The short version: We collect only what's needed to run DMFlow. We never sell your data. We store your Instagram connection securely using Meta's official API. You can delete everything at any time.

1. Information We Collect 2. How We Use Your Information 3. Instagram & Meta Data 4. Data Storage & Security 5. Data Sharing 6. Data Retention 7. Your Rights 8. Cookies 9. Children's Privacy 10. Changes to This Policy 11. Contact Us

1. Information We Collect

We collect information you provide directly and information generated by your use of the Service:

Data Type	What We Collect	Why
Account	Name, email address, password (hashed)	To create and manage your account
Instagram	Username, account ID, access token (encrypted)	To connect and run automations on your behalf
Usage	DMs sent count, automation logs, feature usage	To provide analytics and improve the service
Leads	Email addresses collected via DM flows (Pro)	Stored in your Contacts dashboard for your use
Payment	Billing details (processed by Stripe — we never see card numbers)	To process subscription payments
Technical	IP address, browser type, device info	Security, fraud prevention, debugging

2. How We Use Your Information

Provide, maintain, and improve the DMFlow Service
Send automated DMs and comment replies on your behalf
Process payments and manage your subscription
Send transactional emails (account alerts, receipts)
Detect and prevent fraud or abuse
Comply with legal obligations
Send product updates (you can opt out at any time)

We do not use your data for advertising, sell it to third parties, or share it with data brokers.

3. Instagram & Meta Data

DMFlow connects to Instagram through Meta's official Graph API with your explicit authorization. We access:

instagram_basic — Your username and profile info
instagram_manage_comments — To read comments and trigger automations
instagram_manage_messages — To send DMs on your behalf
pages_show_list / pages_read_engagement — For Business accounts linked to Pages

We store your Instagram access token encrypted at rest. We only make API calls that are required to run your active automations. You can revoke access at any time from Instagram Settings → Apps and Websites → DMFlow → Remove.

DMFlow complies with Meta's Platform Terms and Data Use Policy. Your Instagram data is never shared with third parties outside of what Meta's policies permit.

4. Data Storage & Security

All data is stored on encrypted servers (AES-256 at rest)
All data in transit is protected by TLS 1.3
Instagram access tokens are encrypted before storage
Passwords are hashed using bcrypt — we never store plain-text passwords
We perform regular security audits and vulnerability testing
Access to production data is restricted to authorised engineers only

Our infrastructure is hosted on AWS (EU region) with SOC 2 compliant providers. See our Security page for full details.

We share data only in these limited circumstances:

Meta / Instagram — As required to operate the Instagram API integration
Stripe — Payment processing (they are PCI DSS compliant)
Analytics providers — Aggregated, anonymised usage data only
Legal requirements — If required by law, court order, or to protect our rights

We never sell, rent, or trade your personal information.

6. Data Retention

We retain your data for as long as your account is active. If you delete your account, we delete your personal data within 30 days, except where we are required to retain it by law (e.g. billing records for 7 years). Automation logs are retained for 90 days.

7. Your Rights

Depending on your location, you may have the following rights:

Access — Request a copy of all data we hold about you
Correction — Update or correct your personal information
Deletion — Request deletion of your account and all associated data
Portability — Export your data in a machine-readable format
Opt-out — Unsubscribe from marketing emails at any time
Restriction — Request we restrict processing of your data

To exercise any of these rights, email us at privacy@dmflow.app. We will respond within 30 days.

8. Cookies

We use cookies for authentication (session management), security (CSRF protection), and basic analytics (page views, feature usage). We do not use advertising or tracking cookies. You can disable cookies in your browser settings, though this may affect Service functionality.

9. Children's Privacy

DMFlow is not intended for users under the age of 18. We do not knowingly collect personal information from children. If you believe a child has provided us personal information, please contact us immediately and we will delete it.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a notice in the app at least 14 days before changes take effect. Continued use of the Service after changes constitutes acceptance.

11. Contact Us

For privacy-related questions or to exercise your rights:

Email: privacy@dmflow.app
Data Protection Officer: dpo@dmflow.app
Response time: Within 30 days (legal requirement)