Last updated: May 2026
We collect information you provide directly: name, email, username, profile data, and content you create. We also collect usage data (page views, clicks) to improve the product.
When you connect an Instagram account, we collect your Instagram Business/Creator profile information — including your IG username, profile picture, follower count, and account type — via Meta's Graph API. We never collect private Instagram data outside of what you authorize through Meta's OAuth consent screen.
We also receive Instagram comments and direct messages sent to your account when you enable DM automation. This includes commenter usernames, message text, and timestamps.
Your data is used to provide the DigiTag service: creating your profile, generating products with AI, processing payments, showing analytics, and powering DM automation. We never sell your personal data.
Instagram comment and DM data is used exclusively to: (a) classify incoming message intent, (b) generate AI-powered reply variations, (c) send automated replies on your behalf, and (d) track conversation metrics. This data is never shared with third parties or used to train AI models.
When you connect your Instagram account, we store an access token that allows DigiTag to send DMs and reply to comments on your behalf. This token is encrypted at rest using industry-standard AES-256 (Fernet) encryption and is never exposed to unauthorized parties.
We respect Meta's 24-hour Standard Messaging Window. After 24 hours, we only message users who have interacted with your content within the window, using compliant message tags where required by Meta's Platform Policy.
Commenter data (IG user IDs, usernames, message text) is retained for 90 days to support conversation threading and analytics. After 90 days, raw message text is anonymized and only aggregate metrics are kept. You can request earlier deletion at any time.
Opt-out mechanism: Any Instagram user can opt out of automated DMs by replying "STOP", "UNSUBSCRIBE", or "NO THANKS" at any point in a conversation. Once opted out, no further automated messages will be sent to that user, and their data is flagged for exclusion from future automation runs.
Data is stored securely on Supabase (PostgreSQL) with encryption at rest. Files are stored in Supabase Storage. Payments are processed by Stripe/Razorpay — we never store card details. Meta access tokens are encrypted with Fernet symmetric encryption before storage.
When you use the AI Interview, AI Twin, or DM Automation features, your data may be sent to AI providers (Google Gemini, Groq) to generate variations, classify intents, and produce replies. We do not use your data to train AI models. For DM Automation, comment context is used in real time to generate human-like reply variations — the live generation path applies to approximately 10% of replies to maintain natural conversation flow.
We use essential cookies for authentication. We use analytics to track page views on your storefront. We do not use third-party advertising cookies.
You can export or delete your data at any time via your dashboard settings. Instagram commenter data is retained for 90 days. When you disconnect an Instagram account, the access token is immediately deleted and all associated automation data is queued for deletion within 30 days. To request full account deletion, email jatinhyder@gmail.com.
If you are in India, you have the following rights under the Digital Personal Data Protection Act (DPDPA) 2023: the right to know what data we collect, the right to correct inaccurate data, the right to erase your data, the right to nominate a representative for data processing after your death, and the right to grievance redressal. To exercise any of these rights, contact our Data Protection Officer at jatinhyder@gmail.com.
For privacy questions: jatinhyder@gmail.com