This Privacy Policy describes how FloChat ("we", "us", or "our") collects, uses, and protects your information when you use our platform and services (the "Service"). By accessing or using the Service, you agree to the practices described in this policy.
1. Information We Collect
1.1 Account Information
When you create an account we collect your name, email address, and password (stored as a secure hash).
1.2 Instagram Data
When you connect your Instagram Business account via our Instagram OAuth integration, we receive and store:
- Your Instagram user ID and username
- An access token that allows us to send and receive Direct Messages on your behalf
- Basic profile information (name, profile picture URL) used to display your account in the dashboard
We do not access your personal Instagram feed, followers list, or any content beyond what is required to operate your automations.
1.3 Automation & Message Data
To deliver the Service we store:
- The automation rules, triggers, and message templates you configure
- Metadata about messages sent or received through your automations (timestamps, recipient Instagram handles)
- Conversation context needed for AI follow-up sequences
1.4 Usage Data
We automatically collect standard server logs including IP address, browser type, pages visited, and actions taken within the Service. This data is used for security monitoring, debugging, and improving the platform.
2. How We Use Your Information
We use the information we collect to:
- Provide, operate, and maintain the Service
- Execute your configured Instagram DM automations on your behalf
- Send you transactional emails (account verification, password reset, billing receipts)
- Monitor and ensure the security and integrity of the platform
- Comply with our obligations to Meta (Instagram's parent company) and other third-party platforms
- Improve the Service through aggregated, anonymised analytics
We do not sell your personal data to third parties.
3. Data Sharing
We share your data only in the following circumstances:
- Service providers: Trusted sub-processors (cloud hosting, email delivery, AI inference) who process data on our behalf under appropriate data protection agreements.
- Meta / Instagram: Data is transmitted to and from Instagram's API solely to execute your automations.
- Legal requirements: We may disclose data if required by law, court order, or to protect the rights and safety of our users or the public.
- Business transfers: In the event of a merger or acquisition, your data may be transferred as part of that transaction. We will notify you in advance.
4. Instagram Platform Policy Compliance
Our use of Instagram data is governed by the Meta Platform Terms and the Meta Platform Policies. We only request the minimum permissions necessary to provide the Service and we do not use Instagram data for advertising or to build profiles unrelated to the Service.
5. Data Retention
We retain your account data for as long as your account is active. You may request deletion of your account and associated data at any time by contacting us. Upon deletion, your data is removed within 30 days except where we are required to retain it for legal or financial compliance reasons.
When you disconnect your Instagram account from the Service, your Instagram access token is immediately invalidated and deleted from our systems.
6. Security
We use industry-standard security practices including encryption in transit (TLS), encrypted storage of access tokens, and regular security reviews. However, no method of transmission over the internet is 100% secure. We encourage you to use a strong, unique password and to contact us immediately if you suspect any unauthorised access to your account.
7. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access the personal data we hold about you
- Request correction of inaccurate data
- Request deletion of your data ("right to be forgotten")
- Object to or restrict certain processing
- Data portability (receive a copy of your data in a machine-readable format)
To exercise any of these rights, please contact us at the email address below.
8. Cookies
We use session cookies and a CSRF cookie required for the secure operation of the web application. We do not use tracking cookies or third-party advertising cookies. You can disable cookies in your browser settings, but this may prevent the Service from functioning correctly.
9. Children's Privacy
The Service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a minor, please contact us and we will delete it promptly.
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top of this page and, for material changes, notify you by email. Your continued use of the Service after any changes constitutes your acceptance of the updated policy.
11. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us at:
FloChat
Email: onboarding@resend.dev