Privacy Policy
1. Who We Are
EngageDM ("EngageDM", "we", "us", "our") is an Instagram comment-to-DM automation platform that helps Instagram Business and Creator account holders automatically send Direct Messages (DMs) to users who comment on their posts.
EngageDM operates as an independent platform and is a registered Meta Tech Provider with official access to the Instagram Graph API. We are not affiliated with, endorsed by, or sponsored by Meta Platforms, Inc.
For privacy-related inquiries, contact us at: [email protected]
2. Information We Collect
2.1 Account Information (You provide directly)
- Google Account Data: When you sign in with Google, we receive your name, email address, and profile picture from Google via OAuth 2.0. We do not receive or store your Google password.
- Instagram Account Data: When you connect an Instagram account, we receive and store your Instagram username, profile picture URL, Instagram account ID, and a long-lived access token required to operate automations on your behalf. We do not receive or store your Instagram password.
2.2 Data We Generate & Store on Your Behalf
- Workspace Data: Details about the Instagram accounts you connect, including workspace names and account configurations.
- Automation Configurations: The triggers, keywords, DM messages, post scopes, and settings you configure in your automations.
- Instagram Post Cache: A local copy of your recent Instagram posts (media ID, media type, thumbnail URL, caption, like/comment counts, posted date) to power the automation builder interface. This is synced from Instagram on your request.
- Automation Logs: Records of automation executions including the Instagram user ID and username of commenters who triggered your automations, the comment ID, whether a DM was successfully sent, and any error details.
- Link Tracking Data: When you include a CTA link in your automation, we store the target URL, a unique short redirect code, and click event records (timestamp, and optionally the Instagram user ID if available at click time).
- Contacts Log: EngageDM automatically logs the Instagram username, user ID, and engagement timestamp of Instagram users who interact with your automations (i.e., whose comments trigger a DM). This log is displayed in the Contacts section of your dashboard for your reference. We do not enrich this data with information from other sources.
- Templates: DM message templates you save in EngageDM, including template name and message body, are stored in our database and associated with your account.
- My Content Cache: A local copy of your synced Instagram posts and reels (media ID, media type, thumbnail URL, caption, like and comment counts, and posted date) displayed in the My Content section. This data is fetched from Instagram on your request and is not independently collected.
2.3 Billing & Payment Data
We use Razorpay as our payment processor. When you subscribe to a paid plan, Razorpay collects and processes your payment details directly. EngageDM stores only the Razorpay subscription ID, billing cycle, workspace count, subscription status, and billing period, not your card number, UPI ID, or any payment credentials.
2.4 Usage & Technical Data
- Server-side session data (stored in our database, tied to your authenticated session)
- Server access logs (IP addresses, request paths, timestamps), retained for security and debugging
- Error logs and crash reports for service reliability
2.5 Third-Party Commenters' Data
When your automations execute, EngageDM processes data about Instagram users who comment on your posts, specifically their Instagram user ID, username, and comment text (to match against your keyword triggers). This data is used solely to execute your automation rules and is logged for your analytics. We do not use this data for our own marketing or sell it to third parties.
3. How We Use Your Information
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Authenticate and identify you on the platform | Google account data, session token | Contract performance |
| Execute your automation rules (trigger matching, DM sending) | Instagram token, commenter user ID, keywords, DM message | Contract performance |
| Display your automations, post library, and analytics dashboard | Automation configs, IG post cache, automation logs | Contract performance |
| Track link clicks on your CTA buttons | Short code, target URL, click timestamp, IG user ID | Contract performance / Legitimate interest |
| Process subscription billing | User ID, Razorpay subscription data | Contract performance |
| Prevent fraud and enforce our Terms of Service | Account data, server logs | Legitimate interest |
| Improve the platform (bug fixes, feature development) | Aggregated, anonymised usage data | Legitimate interest |
| Send important service communications (billing alerts, security notices) | Email address | Contract performance / Legal obligation |
We do not use your data or your users' data for targeted advertising. We do not sell your data to any third party.
4. Instagram & Meta Platform Data
EngageDM operates as a Meta Tech Provider and accesses the Instagram Graph API under the following permissions you explicitly grant during the OAuth flow:
- instagram_business_basic: Read your profile and posts
- instagram_business_manage_messages: Send DMs on your behalf
- instagram_business_manage_comments: Read comments on your posts to trigger automations
Your Instagram access token is stored encrypted at rest and is used exclusively to operate EngageDM features on your behalf. We refresh long-lived tokens before they expire (Instagram tokens expire after 60 days) to keep your automations running without interruption.
The use of Instagram data obtained via the API is governed by Meta's Platform Terms and Data Use Policy. EngageDM does not use Instagram data for purposes beyond those described in this Privacy Policy and permitted by Meta's terms.
You may revoke EngageDM's access to your Instagram account at any time from your Instagram account settings under Settings → Security → Apps and Websites. Revoking access will disable your automations.
5. Link Tracking & Click Analytics
When you enable the "Link Button" feature in an automation, EngageDM replaces your destination URL with a short redirect link (e.g., engagedm.in/r/abc12345). When an Instagram user clicks that link:
- We record the click event (link ID, timestamp, workspace ID, automation ID)
- We increment the click count on your tracked link
- We immediately redirect the user to your original destination URL (HTTP 302)
- We do not set cookies on the destination page or track users after the redirect
As an automation creator, you are responsible for ensuring that your use of link tracking complies with applicable laws and Instagram's platform policies. You should disclose to your audience that links may be tracked where required by law.
6. How We Share Your Data
We do not sell, rent, or trade your personal data. We share data only in the following limited circumstances:
6.1 Service Providers
| Provider | Purpose | Data Shared |
|---|---|---|
| Meta Platforms (Instagram Graph API) | Sending DMs, reading comments on your behalf | Your access token, DM content, recipient IG user ID |
| Google (Google OAuth) | Authentication | OAuth flow only; no ongoing data sharing |
| Razorpay | Payment processing | Name, email, subscription amount |
| Cloud / Hosting Infrastructure | Database and application hosting | All platform data (stored on your behalf, under contractual data protection obligations) |
6.2 Legal Requirements
We may disclose your information if required to do so by law, court order, or governmental authority, or to protect the rights, property, or safety of EngageDM, our users, or the public.
6.3 Business Transfers
In the event of a merger, acquisition, or sale of all or part of EngageDM, your data may be transferred to the acquiring entity. We will provide notice before your personal data is transferred and becomes subject to a different privacy policy.
7. Data Retention
| Data Type | Retention Period |
|---|---|
| Account & profile data | Until you delete your account, or 90 days after confirmed inactivity |
| Instagram access tokens | Until you disconnect your account or delete your EngageDM account |
| Automation configurations | Until you delete them or delete your account |
| Automation execution logs | 90 days from execution date, then permanently deleted |
| Instagram post cache | Until the next sync or account disconnection |
| Link click records | 180 days from click date, then permanently deleted |
| Billing records | 7 years (as required under Indian tax and financial regulations) |
| Server access logs | 30 days, then permanently deleted |
When you delete your EngageDM account, all personal data (except billing records required by law) is permanently deleted within 30 days.
8. Data Security
We implement industry-standard technical and organisational measures to protect your data:
- Encryption in transit: All data between your browser and our servers is transmitted over HTTPS/TLS.
- Encrypted credentials: Instagram access tokens are stored encrypted at rest.
- Authentication tokens: Session tokens are stored in httpOnly, SameSite cookies, inaccessible to JavaScript.
- Database access controls: Our database is not publicly accessible and requires authenticated connections.
- Access controls: Only authorised personnel have access to production systems, and access is logged.
- Payment security: We never handle raw payment credentials; all payment processing is delegated to Razorpay, which is PCI-DSS compliant.
While we take reasonable measures to protect your data, no system is 100% secure. If you suspect a security breach involving your account, please contact us immediately at [email protected].
8.1 Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights or freedoms, we will notify you and, where required, the relevant regulatory authority, within 72 hours of becoming aware of the breach. Our notification will describe the nature of the breach, the categories and approximate number of individuals affected, the likely consequences, and the measures we are taking to address it. For lower-risk breaches, we will record the incident internally and take corrective action without delay.
9. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
9.1 For All Users
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of inaccurate or incomplete data.
- Deletion: Request deletion of your account and all associated personal data (subject to legal retention requirements).
- Data Portability: Request an export of your automation configurations and analytics data in a machine-readable format.
- Disconnect Instagram: Disconnect your Instagram account at any time from Settings → Integrations. This immediately stops all automations and removes your access token from our systems.
9.2 For EEA / UK Users (GDPR)
- Restriction: Request that we restrict processing of your data in certain circumstances.
- Objection: Object to processing based on legitimate interests.
- Withdraw Consent: Where processing is based on consent, withdraw consent at any time.
- Lodge a complaint: File a complaint with your local data protection authority.
9.3 For Indian Users (IT Act / SPDI Rules / DPDP Act 2023)
Under the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and the Digital Personal Data Protection Act, 2023 (DPDP Act), you have the right to:
- Access a summary of the personal data we hold about you and the purposes for which it is processed.
- Correct or update inaccurate personal data.
- Erase your personal data, subject to legal retention obligations.
- Withdraw consent for processing at any time, without affecting the lawfulness of processing before withdrawal.
- Nominate another individual to exercise these rights on your behalf in the event of your incapacitation or death.
- File a complaint with the Data Protection Board of India once constituted under the DPDP Act, if you believe your rights have been violated.
As a Data Fiduciary under the DPDP Act, EngageDM processes your personal data only for the purposes described in this policy and retains it only for as long as necessary. We will process children's data only with verifiable parental consent.
9.4 Grievance Officer
In accordance with the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, and the DPDP Act, 2023, we have designated a Grievance Officer for India:
- Name: EngageDM Grievance Officer
- Email: [email protected] (subject line: "Grievance - EngageDM")
- Platform: engagedm.in
We will acknowledge your grievance within 24 hours and resolve it within 15 days of receipt. If your grievance is not resolved to your satisfaction, you may escalate it to the Data Protection Board of India.
To exercise any of the rights above, email us at [email protected] with the subject line "Data Rights Request". We will respond within 30 days.
10. Cookies & Local Storage
10.1 Cookies We Set
| Cookie Name | Purpose | Duration |
|---|---|---|
| token | Stores your authenticated session JWT. Required for you to stay logged in. | 7 days |
| active_workspace | Remembers which Instagram account (workspace) you last had active. | Session / persistent |
We do not use any advertising cookies, third-party tracking pixels, or analytics cookies (e.g., Google Analytics, Facebook Pixel).
10.2 Local Storage
We store your theme preference (dark/light mode) in your browser's localStorage. This contains no personal data and is never transmitted to our servers.
11. Third-Party Services
EngageDM integrates with the following third-party services. Your use of EngageDM implies acceptance of their respective privacy policies:
- Meta / Instagram Graph API: governs how Instagram data is accessed and used. See Meta's Data Policy.
- Google OAuth 2.0: used for sign-in. See Google's Privacy Policy.
- Razorpay: payment processing. See Razorpay's Privacy Policy.
- Google Fonts: the Inter typeface is loaded from Google's CDN. Google may collect your IP address as part of font delivery.
EngageDM does not embed any social media widgets, third-party trackers, or advertising networks on its platform.
12. Children's Privacy
EngageDM is intended for use by individuals aged 13 years or older (consistent with Instagram's minimum age requirement). We do not knowingly collect personal data from children under 13.
If you believe we have inadvertently collected data from a child under 13, please contact us immediately at [email protected] and we will delete the data promptly.
13. International Users
EngageDM is operated from India. If you access EngageDM from outside India, your data will be transferred to and processed in India. By using EngageDM, you consent to this transfer. We apply appropriate safeguards to ensure your data receives an adequate level of protection.
For users in the European Economic Area (EEA) or United Kingdom, we rely on Standard Contractual Clauses (SCCs) as a mechanism for cross-border data transfers where required under GDPR.
14. Changes to This Policy
As EngageDM is in Beta, this Privacy Policy may be updated periodically. We will notify you of material changes by:
- Sending an email to the address associated with your account, and/or
- Displaying a prominent notice in the EngageDM dashboard
The "Last updated" date at the top of this page will always reflect the most recent revision. Continued use of EngageDM after changes take effect constitutes acceptance of the revised policy.
15. Contact Us
For any privacy-related questions, data rights requests, or concerns:
- General privacy queries: [email protected]
- Data rights requests: [email protected] (subject: "Data Rights Request")
- Grievance Officer (India): [email protected] (subject: "Grievance - EngageDM")
- Security / breach reports: [email protected] (subject: "Security Report")
- Legal & compliance notices: [email protected] (subject: "Legal Notice - EngageDM")
- Platform: engagedm.in
We aim to respond to all privacy requests within 30 days. For data rights requests under the DPDP Act 2023, we will respond within 30 days and complete the requested action (or provide a reasoned refusal) within that period.
If you are unsatisfied with our response to a privacy complaint, you may escalate to the Data Protection Board of India (once constituted) or, for EEA/UK users, to your local data protection supervisory authority.