Privacy Policy
- Who We Are
- Information We Collect
- How We Use Your Information
- Instagram & Meta Platform Data
- Link Tracking & Click Analytics
- How We Share Your Data
- Data Retention
- Data Security
- Your Rights
- Cookies & Local Storage
- Third-Party Services
- Children's Privacy
- International Users
- Changes to This Policy
- Contact Us
1. Who We Are
EngageDM ("EngageDM", "we", "us", "our") is an Instagram comment-to-DM automation platform that helps Instagram Business and Creator account holders automatically send Direct Messages (DMs) to users who comment on their posts.
EngageDM operates as an independent platform and is a registered Meta Tech Provider with official access to the Instagram Graph API. We are not affiliated with, endorsed by, or sponsored by Meta Platforms, Inc.
For privacy-related inquiries, contact us at: [email protected]
2. Information We Collect
2.1 Account Information (You provide directly)
- Google Account Data: When you sign in with Google, we receive your name, email address, and profile picture from Google via OAuth 2.0. We do not receive or store your Google password.
- Recovery Google Account: You may optionally link a second Google account as a recovery method from Settings → Account. If you do, we store that account's Google ID and email address solely to allow you to sign in if you lose access to your primary Google account. The recovery account cannot be used to manage automations or access billing. You may remove the link at any time.
- Instagram Account Data: When you connect an Instagram account, we receive and store your Instagram username, profile picture URL, Instagram account ID, and a long-lived access token required to operate automations on your behalf. We do not receive or store your Instagram password.
2.2 Data We Generate & Store on Your Behalf
- Workspace Data: Details about the Instagram accounts you connect, including workspace names and account configurations.
- Automation Configurations: The triggers, keywords, DM messages, post scopes, and settings you configure in your automations.
- Instagram Post Cache: A local copy of your recent Instagram posts (media ID, media type, thumbnail URL, caption, like/comment counts, posted date) to power the automation builder interface. This is synced from Instagram on your request.
- Automation Logs: Records of automation executions including the Instagram user ID and username of commenters who triggered your automations, the comment ID, whether a DM was successfully sent, and any error details.
- Link Tracking Data: When you include a CTA link in your automation, we store the target URL, a unique short redirect code, and click event records (timestamp, and optionally the Instagram user ID if available at click time).
- Contacts Log: EngageDM automatically logs the Instagram username, user ID, and engagement timestamp of Instagram users who interact with your automations (i.e., whose comments trigger a DM). This log is displayed in the Contacts section of your dashboard for your reference. We do not enrich this data with information from other sources.
- Templates: DM message templates you save in EngageDM — including template name and message body — are stored in our database and associated with your account.
- My Content Cache: A local copy of your synced Instagram posts and reels (media ID, media type, thumbnail URL, caption, like and comment counts, and posted date) displayed in the My Content section. This data is fetched from Instagram on your request and is not independently collected.
2.3 Billing & Payment Data
We use Razorpay as our payment processor. When you subscribe to a paid plan, Razorpay collects and processes your payment details directly. EngageDM stores only the Razorpay subscription ID, billing cycle, workspace count, subscription status, and billing period — not your card number, UPI ID, or any payment credentials.
2.4 Usage & Technical Data
- Server-side session data (stored in our database, tied to your authenticated session)
- Internal account identifier (UUID): Each account is assigned a randomly generated unique identifier (UUID) at registration. This UUID is stored in our database and included in your authenticated session token. It is used internally to reference your account in system operations and admin interfaces — it does not expose your sequential sign-up position or any personal information.
- Server access logs (IP addresses, request paths, timestamps) — retained for security and debugging
- Error logs and crash reports for service reliability
2.5 Third-Party Commenters' Data
When your automations execute, EngageDM processes data about Instagram users who comment on your posts — specifically their Instagram user ID, username, and comment text (to match against your keyword triggers). Comment text is used in real time for keyword matching and is not retained after matching. The comment ID, commenter user ID, username, and timestamp are stored for deduplication and audit purposes for 90 days.
As an EngageDM user (the business account holder), you are the data controller for your commenters' data. EngageDM acts as your data processor. We do not use this data for our own marketing or sell it to third parties. Instagram commenters may request deletion of their data — see Section 9.5 for details.
2.6 Affiliate Program Data
If you join the EngageDM affiliate program, we collect and store:
- Affiliate profile: Your display name, unique referral code, programme status (active / suspended), and join date.
- Commission ledger: A record of commissions earned from referred purchases, including the commission amount, status (processing / confirmed / paid / rejected), and the date of the underlying transaction. We do not share the referred user's personal identity with you through the affiliate dashboard.
- Payout requests: When you submit a payout request, we store the requested amount, the UPI ID you provide, and the payout status (including gross amount, TDS deducted, and net amount transferred). Payout details are visible only to authorised EngageDM administrators and are used solely to process your payment and fulfil our tax-filing obligations.
- Referral attribution: When a new user signs up via your referral code, we record the association between your affiliate account and their account to attribute commissions. The referred user's personal data is not shared with you.
- PAN number (KYC): If your total affiliate payouts in a financial year (April 1 – March 31) exceed ₹19,500, we are required under Indian tax law to collect your Permanent Account Number (PAN) before processing further payouts. Your PAN is encrypted at rest using AES-256-GCM and is never displayed in plaintext in the application interface. It is decrypted solely when generating the quarterly TDS report (Form 26Q) filed with the Income Tax Department of India. Once submitted, your PAN cannot be changed.
- TDS tracking: We maintain a per-financial-year record of total payouts made to you to determine TDS (Tax Deducted at Source) applicability. When TDS applies, we deduct 2% from the gross payout amount, transfer the net amount to you, and deposit the deducted amount with the Indian Income Tax Department. A copy of your (encrypted) PAN is stored alongside each TDS-applicable payout for audit accuracy.
2.7 Notification Preferences
Your account stores your opt-in preferences for the following notification categories: token-expiry alerts, billing and plan notifications, and automation error alerts. These preferences are stored as flags in our database and determine which transactional emails you receive. You can update these at any time from Settings → Notifications.
2.8 Security & Audit Logs
For security and accountability purposes, we maintain an internal audit log of sensitive account actions — including billing events (purchases, refunds), administrative actions applied to your account, and account-level changes. These logs record your user ID, email, IP address at the time of the action, a truncated browser user-agent string, and the action type. Audit logs are retained for security and legal compliance purposes and are not shared with you or third parties except as required by law.
3. How We Use Your Information
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Authenticate and identify you on the platform | Google account data, session token | Contract performance |
| Execute your automation rules (trigger matching, DM sending) | Instagram token, commenter user ID, keywords, DM message | Contract performance |
| Display your automations, post library, and analytics dashboard | Automation configs, IG post cache, automation logs | Contract performance |
| Track link clicks on your CTA buttons | Short code, target URL, click timestamp, IG user ID | Contract performance / Legitimate interest |
| Process subscription billing | User ID, Razorpay subscription data | Contract performance |
| Prevent fraud and enforce our Terms of Service | Account data, server logs | Legitimate interest |
| Improve the platform (bug fixes, feature development) | Aggregated, anonymised usage data | Legitimate interest |
| Send important service communications (billing alerts, security notices) | Email address | Contract performance / Legal obligation |
| Process affiliate commissions, attribute referrals, and pay out affiliate earnings | Affiliate code, referral association, commission ledger, payout details | Contract performance |
| Generate AI-powered comment reply suggestions in the automation builder | General automation context (no personal data or commenter identifiers) | Contract performance / Legitimate interest |
| Maintain security and audit trail for sensitive account actions | User ID, email, IP address, action type, timestamp | Legal obligation / Legitimate interest |
We do not use your data or your users' data for targeted advertising. We do not sell your data to any third party.
4. Instagram & Meta Platform Data
EngageDM is a Meta Tech Provider that accesses the Instagram Graph API under permissions you explicitly grant during the OAuth flow. Our use of Instagram and Meta platform data is governed by Meta's Platform Terms and Data Use Policy in addition to this Privacy Policy.
4.1 Permissions & What Each Accesses
| Permission | Data Accessed | How EngageDM Uses It |
|---|---|---|
| instagram_business_basic | Your Instagram username, account ID, profile picture URL, account type | Display your account in the dashboard; identify your workspace; sync your post library |
| instagram_business_manage_messages | Ability to send Direct Messages and private replies from your account; receive incoming message events | Send automated DMs and private replies to commenters; detect user replies that trigger Phase 2 follow-up DMs |
| instagram_business_manage_comments | Read comments on your Instagram posts; publish public replies to comments | Detect comments matching your automation triggers; optionally post a public comment reply on your behalf |
4.2 Token Storage & Refresh
Your Instagram access token is stored encrypted at rest using strong encryption. Tokens have a 60-day lifetime; EngageDM proactively refreshes them before expiry to keep your automations running without interruption. If a token cannot be refreshed, we notify you and disable automations until you reconnect.
4.3 Message & Comment Data Handling
DM content: EngageDM stores the DM message templates you configure. We do not separately store copies of sent message content beyond what is recorded in your automation logs (recipient Instagram user ID, timestamp, and delivery outcome). Message content is transmitted to Instagram's API at send time and is not cached or logged after transmission.
Comment content: Comment text is read in real time to match against your keyword triggers. Comment records (comment ID, commenter Instagram user ID, commenter username, and timestamp) are stored as deduplication records for 90 days, after which they are permanently deleted. Comment text itself is not retained after keyword matching is complete.
4.4 Prohibited Uses of Meta Platform Data
In full compliance with Meta's Platform Terms, EngageDM will never use Instagram or Meta platform data to:
- Sell, license, rent, lend, or otherwise transfer any platform data to any third party
- Profile or discriminate against individuals based on protected characteristics (including race, ethnicity, national origin, religion, age, sex, sexual orientation, gender identity, disability, or health condition)
- Conduct, enable, or facilitate surveillance — including tracking individuals without their knowledge, monitoring based on political views, or intelligence collection
- Combine Instagram platform data with data from other sources to build profiles of individuals for purposes beyond operating your automations
- Attempt to decode, de-anonymise, reverse-engineer, or reverse-hash anonymised or pseudonymised platform data
- Use access tokens or platform data to access any data beyond what is necessary to provide the features you have configured
- Use data obtained via instagram_business_manage_messages for any purpose other than operating the Direct Message and reply features on your behalf
- Target any individual with advertisements or marketing using Meta platform data
- Transfer Meta platform data to data brokers or advertising analytics providers
4.5 Service Providers & Meta Platform Data
Any third-party service providers that process Meta platform data on EngageDM's behalf (including our cloud infrastructure provider) are contractually bound to the same data use restrictions and deletion obligations that apply to EngageDM under Meta's Platform Terms. We do not share Meta platform data with any service provider for purposes other than operating the EngageDM service.
4.6 Revoking Access
You may revoke EngageDM's access to your Instagram account at any time from Instagram's own settings under Settings → Security → Apps and Websites. Revoking access will immediately disable your automations. You can also disconnect your account from within EngageDM at Settings → Integrations.
5. Link Tracking & Click Analytics
When you enable the "Link Button" feature in an automation, EngageDM replaces your destination URL with a short redirect link (e.g., engagedm.in/r/abc12345). When an Instagram user clicks that link:
- We record the click event (link ID, timestamp, workspace ID, automation ID)
- We increment the click count on your tracked link
- We immediately redirect the user to your original destination URL (HTTP 302)
- We do not set cookies in the redirect response, and we do not track users after the redirect
As an automation creator, you are responsible for ensuring that your use of link tracking complies with applicable laws and Instagram's platform policies. You should disclose to your audience that links may be tracked where required by law.
6. How We Share Your Data
We do not sell, rent, or trade your personal data. We share data only in the following limited circumstances:
6.1 Service Providers
| Provider | Purpose | Data Shared |
|---|---|---|
| Meta Platforms (Instagram Graph API) | Sending DMs, reading comments on your behalf | Your access token, DM content, recipient IG user ID |
| Google (Google OAuth) | Authentication | OAuth flow only — no ongoing data sharing |
| Razorpay | Payment processing | Name, email, subscription amount |
| OpenAI | AI-powered comment reply suggestion generation | General automation context only — no personal data, commenter identifiers, or Instagram account data is sent to OpenAI |
| Cloud / Hosting Infrastructure | Database and application hosting | All platform data (stored on your behalf, under contractual data protection obligations) |
6.2 Legal Requirements
We may disclose your information if required to do so by law, court order, or governmental authority, or to protect the rights, property, or safety of EngageDM, our users, or the public.
6.3 Business Transfers
In the event of a merger, acquisition, or sale of all or part of EngageDM, your data may be transferred to the acquiring entity. We will provide notice before your personal data is transferred and becomes subject to a different privacy policy.
7. Data Retention
| Data Type | Retention Period |
|---|---|
| Account & profile data | Until you delete your account, or 90 days after confirmed inactivity |
| Instagram access tokens | Until you disconnect your account or delete your EngageDM account |
| Automation configurations | Until you delete them or delete your account |
| Automation execution logs (DM outcome records) | 90 days from execution date, then permanently deleted |
| Instagram comment records (deduplication store) | 90 days from the comment date, then permanently deleted. Comment text is not retained after keyword matching. |
| Instagram post cache | Until the next sync or account disconnection |
| Link click records | 180 days from click date, then permanently deleted |
| Billing records | 7 years (as required under Indian tax and financial regulations) |
| Affiliate commission & referral records | Until you close your affiliate account, or 7 years if the records are tied to a financial transaction (as required under Indian financial regulations) |
| Affiliate PAN number | 7 years from the financial year in which it was first used for TDS deduction, as required under the Income Tax Act, 1961. Retained in encrypted form even if you close your affiliate account, to satisfy statutory audit obligations. |
| Security & audit logs | 1 year from the date of the recorded event, then permanently deleted |
| Server access logs | 30 days, then permanently deleted |
When you delete your EngageDM account, all personal data (except billing records and financial records required by law) is permanently deleted within 30 days.
8. Data Security
We implement industry-standard technical and organisational measures to protect your data:
- Encryption in transit: All data between your browser and our servers is transmitted over HTTPS/TLS.
- Encrypted credentials: Instagram access tokens are stored encrypted at rest.
- Authentication tokens: Session tokens are stored in httpOnly, SameSite cookies — inaccessible to JavaScript.
- Database access controls: Our database is not publicly accessible and requires authenticated connections.
- Access controls: Only authorised personnel have access to production systems, and access is logged.
- Payment security: We never handle raw payment credentials — all payment processing is delegated to Razorpay, which is PCI-DSS compliant.
While we take reasonable measures to protect your data, no system is 100% secure. If you suspect a security breach involving your account, please contact us immediately at [email protected].
8.1 Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights or freedoms, we will notify you and, where required, the relevant regulatory authority, within 72 hours of becoming aware of the breach. Our notification will describe the nature of the breach, the categories and approximate number of individuals affected, the likely consequences, and the measures we are taking to address it. For lower-risk breaches, we will record the incident internally and take corrective action without delay.
9. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
9.1 For All Users
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of inaccurate or incomplete data.
- Deletion: Request deletion of your account and all associated personal data (subject to legal retention requirements).
- Data Portability: Request an export of your automation configurations and analytics data in a machine-readable format.
- Disconnect Instagram: Disconnect your Instagram account at any time from Settings → Integrations. This immediately stops all automations and removes your access token from our systems.
9.2 For EEA / UK Users (GDPR)
- Restriction: Request that we restrict processing of your data in certain circumstances.
- Objection: Object to processing based on legitimate interests.
- Withdraw Consent: Where processing is based on consent, withdraw consent at any time.
- Lodge a complaint: File a complaint with your local data protection authority.
9.3 For Indian Users (IT Act / SPDI Rules / DPDP Act 2023)
Under the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and the Digital Personal Data Protection Act, 2023 (DPDP Act), you have the right to:
- Access a summary of the personal data we hold about you and the purposes for which it is processed.
- Correct or update inaccurate personal data.
- Erase your personal data, subject to legal retention obligations.
- Withdraw consent for processing at any time, without affecting the lawfulness of processing before withdrawal.
- Nominate another individual to exercise these rights on your behalf in the event of your incapacitation or death.
- File a complaint with the Data Protection Board of India once constituted under the DPDP Act, if you believe your rights have been violated.
As a Data Fiduciary under the DPDP Act, EngageDM processes your personal data only for the purposes described in this policy and retains it only for as long as necessary. We will process children's data only with verifiable parental consent.
9.4 Grievance Officer
In accordance with the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, and the DPDP Act, 2023, we have designated a Grievance Officer for India:
- Name: EngageDM Grievance Officer
- Email: [email protected] (subject line: "Grievance — EngageDM")
- Platform: engagedm.in
We will acknowledge your grievance within 24 hours and resolve it within 15 days of receipt. If your grievance is not resolved to your satisfaction, you may escalate it to the Data Protection Board of India.
9.5 Rights of Instagram Users Whose Data Is Processed (Third-Party Commenters)
If you are an Instagram user who commented on a business's post and may have received an automated DM through EngageDM, your Instagram user ID, username, comment ID, and engagement timestamp may be stored in that business's account as part of their automation logs or deduplication records.
You are not an EngageDM account holder, but you still have the right to request deletion of your data. To submit a data deletion request:
- Email [email protected] with the subject line "Commenter Data Deletion Request"
- Include your Instagram username and the approximate date of the interaction
- We will identify and delete your data within 30 days and confirm completion by reply email if you provide a contact address
Please note: EngageDM acts as a data processor on behalf of the business account that configured the automation (the data controller). You may also exercise your rights directly with that business account. For requests that require coordination with a specific workspace owner, we will facilitate the process.
You may also revoke a business's ability to contact you in the future by blocking their Instagram account directly on Instagram.
To exercise any of the rights above, email us at [email protected] with the subject line "Data Rights Request". We will respond within 30 days.
10. Cookies & Local Storage
10.1 Cookies We Set
| Cookie Name | Purpose | Duration |
|---|---|---|
| token | Stores your authenticated session JWT. Required for you to stay logged in. | 7 days |
| active_workspace | Remembers which Instagram account (workspace) you last had active. | Persistent (until workspace switch or logout) |
| csrf-token | Double-submit CSRF token that protects your account against cross-site request forgery. Set automatically on each page load. | Session |
| ig_oauth_state | A short-lived, signed cookie set only during the Instagram account connection flow. Contains a tamper-proof state value to prevent CSRF attacks during OAuth. Deleted immediately after connection completes or fails. | 10 minutes |
| post_login_redirect | Set if you click a call-to-action on the landing page before signing in. Used to return you to your intended destination after Google sign-in completes. Deleted immediately after use. | Short-lived (cleared on use) |
| recovery_link_state | A short-lived, signed cookie set only when you initiate the recovery account linking flow from Settings. Contains a tamper-proof token that carries your session across the Google OAuth round-trip. Deleted immediately after linking completes or fails. | 10 minutes (cleared on use) |
We do not use any advertising cookies, third-party tracking pixels, or analytics cookies (e.g., Google Analytics, Facebook Pixel).
10.2 Local Storage
We store your theme preference (dark/light mode) in your browser's localStorage. This contains no personal data and is never transmitted to our servers.
11. Third-Party Services
EngageDM integrates with the following third-party services. Your use of EngageDM implies acceptance of their respective privacy policies:
- Meta / Instagram Graph API — governs how Instagram data is accessed and used. See Meta's Data Policy.
- Google OAuth 2.0 — used for sign-in. See Google's Privacy Policy.
- Razorpay — payment processing. See Razorpay's Privacy Policy.
- OpenAI — when you use the AI-powered comment reply suggestion feature in the automation builder, we send the automation context (post type, use case description) to OpenAI's API to generate suggested reply messages. No personally identifiable information about you or your commenters is sent to OpenAI. See OpenAI's Privacy Policy.
- Google Fonts — the Inter typeface is loaded from Google's CDN. Google may collect your IP address as part of font delivery.
EngageDM does not embed any social media widgets, third-party trackers, or advertising networks on its platform.
12. Children's Privacy
EngageDM is intended for use by individuals aged 13 years or older (consistent with Instagram's minimum age requirement). We do not knowingly collect personal data from children under 13.
If you believe we have inadvertently collected data from a child under 13, please contact us immediately at [email protected] and we will delete the data promptly.
13. International Users
EngageDM is operated from India. If you access EngageDM from outside India, your data will be transferred to and processed in India. By using EngageDM, you consent to this transfer. We apply appropriate safeguards to ensure your data receives an adequate level of protection.
For users in the European Economic Area (EEA) or United Kingdom, we rely on Standard Contractual Clauses (SCCs) as a mechanism for cross-border data transfers where required under GDPR.
14. Changes to This Policy
As EngageDM is in Beta, this Privacy Policy may be updated periodically. We will notify you of material changes by:
- Sending an email to the address associated with your account, and/or
- Displaying a prominent notice in the EngageDM dashboard
The "Last updated" date at the top of this page will always reflect the most recent revision. Continued use of EngageDM after changes take effect constitutes acceptance of the revised policy.
15. Contact Us
For any privacy-related questions, data rights requests, or concerns:
- General privacy queries: [email protected]
- Data rights requests: [email protected] (subject: "Data Rights Request")
- Grievance Officer (India): [email protected] (subject: "Grievance — EngageDM")
- Security / breach reports: [email protected] (subject: "Security Report")
- Legal & compliance notices: [email protected] (subject: "Legal Notice — EngageDM")
- Platform: engagedm.in
We aim to respond to all privacy requests within 30 days. For data rights requests under the DPDP Act 2023, we will respond within 30 days and complete the requested action (or provide a reasoned refusal) within that period.
If you are unsatisfied with our response to a privacy complaint, you may escalate to the Data Protection Board of India (once constituted) or, for EEA/UK users, to your local data protection supervisory authority.