Privacy Policy

Effective: 1 May 2025. This is the long-form description of how we handle data. Plain-English summary: we collect what we need to operate the service, encrypt it at rest, and never sell it.

1. Who we are

comment2chat.online ("Instagram Automation", "we", "us") operates the SaaS product accessible at comment2chat.online. You can reach us at support@comment2chat.online.

2. Data we collect

  • Account data: email address, hashed password, account creation date.
  • Meta App credentials: the Facebook App ID and App Secret you provide. Encrypted at rest.
  • Instagram tokens: short-lived OAuth tokens issued by Meta, refreshed by us automatically. Encrypted at rest.
  • Workflow data: the automations you configure, the keywords, the messages.
  • Execution logs: records of triggers fired, DMs sent, errors. Includes the recipient's Instagram user ID and the message body.
  • Billing data: processed by Stripe; we store only the subscription status and the last four digits of your card.
  • Usage analytics: page views, button clicks, feature usage, processed via Vercel Analytics. Anonymized and aggregated.

3. How we use it

  • To operate the service: run your workflows, send DMs, show you logs.
  • To bill you: charge for Unlimited subscriptions via Stripe.
  • To support you: respond to your emails, debug your account.
  • To improve the product: anonymized usage analytics.
  • To comply with law: respond to lawful requests from authorities.

4. Legal basis (GDPR)

  • Contractual necessity: we process your data to deliver the service you signed up for.
  • Legitimate interest: minimal usage analytics to improve the product.
  • Consent: for any optional marketing emails (unsubscribe in one click).
  • Legal obligation: tax records, lawful disclosure requests.

5. Sharing

We do not sell your data. We share it only with sub-processors strictly required to operate the service:

  • Vercel hosting infrastructure.
  • Supabase database and authentication (PostgreSQL on AWS).
  • Stripe payment processing.
  • Meta Instagram Graph API and Messenger API (per your authorization).
  • Resend transactional email delivery (login codes, receipts).

6. Retention

  • Account data: until you delete your account.
  • Workflow data: until you delete the workflow.
  • Execution logs: 7 days on Free, configurable up to unlimited on Unlimited.
  • Billing records: 7 years (legal requirement).

7. Your rights

If you're in the EU/UK, GDPR gives you the right to access, correct, delete, port, or restrict processing of your data. Email support@comment2chat.online and we'll respond within 30 days. Californians have analogous CCPA rights.

8. Security

All data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Meta App secrets and Instagram tokens are additionally encrypted with a per-row key. Production database access is restricted to a small set of audited engineers.

9. Cookies

We use first-party session cookies for authentication. We do not use third-party advertising cookies.

10. Children

Instagram Automation is not directed at children under 13. We don't knowingly collect data from children.

11. Changes

We'll email you at least 30 days before any material change to this policy.

12. Contact

For privacy questions: support@comment2chat.online