Who We Are
Flowtalk ("we", "our", "us") is a productivity platform that helps Instagram Business accounts automate customer DM responses using keyword rules and AI. Our service is available at flowtalk-production-f650.up.railway.app.
This Privacy Policy explains what data we collect, how we use it, and your rights. By using Flowtalk, you agree to the practices described here.
We only collect the minimum data needed to provide the service. We never sell your data or use it for advertising.
Data We Collect
| Data Type | Source | Purpose | Stored? |
|---|---|---|---|
| Email address | You (signup) | Account login and identification | Yes |
| Password | You (signup) | Account authentication | Yes, hashed |
| Instagram username & user ID | Instagram API | Account identification and display | Yes |
| Instagram access token | Instagram OAuth | Sending replies on your behalf | Yes, encrypted |
| Incoming DM content | Instagram webhook | Generating automated replies | Activity log only |
| Message statistics | Generated internally | Dashboard analytics for you | Yes |
How We Use Instagram Data
Flowtalk connects to your Instagram Business account via the official Instagram Graph API with your explicit consent through OAuth. We use this connection exclusively to:
- Receive incoming direct messages via Meta's webhook system
- Send automated replies to customers on your behalf
- Configure Ice Breaker questions shown to customers who first open your DM
- Display your Instagram username and connection status in the dashboard
We do not use Instagram data for advertising, profiling, training AI models, or any purpose outside of providing the auto-reply service described above.
Your Instagram access token is encrypted with AES-256 before it is stored in our database. It is never exposed in API responses, logs, or to any third party.
Data Sharing
We do not sell, rent, or share your personal data with third parties, except in the following limited cases:
- Groq (AI provider): Incoming message text is sent to Groq's API to generate AI replies. No personally identifiable information is attached.
- MongoDB Atlas: Your account data is stored in MongoDB Atlas with encryption at rest.
- Railway: Our application is hosted on Railway's infrastructure.
- Legal requirements: We may disclose data if required by law.
Data Retention
- Account data (email, password hash) — retained until account deletion
- Instagram connection data — retained until you disconnect or delete your account
- Activity logs (DM summaries) — retained for 90 days, then automatically deleted
- Message statistics (counts) — retained until account deletion
Your Rights
- Access: Request a copy of all data we hold about you
- Correction: Request correction of inaccurate data
- Deletion: Request deletion of your account and all associated data
- Disconnection: Revoke Instagram access at any time from Instagram settings or the Flowtalk dashboard
- Portability: Request your data in a portable format
To exercise any of these rights, contact us at contactflowtalk@gmail.com. We will respond within 30 days.
Security
- AES-256 encryption for all stored Instagram access tokens
- Bcrypt hashing for all user passwords
- HTTPS enforced on all connections
- Webhook signature verification (HMAC-SHA256) to prevent spoofed requests
- Session-based authentication with secure, HTTP-only cookies
- Rate limiting on all authentication endpoints
Meta Platform Policy Compliance
- We only request permissions necessary for core functionality
- We do not scrape, store, or process Instagram data beyond what is described in this policy
- Users can revoke access at any time by disconnecting their Instagram account
- We do not use Instagram data to build profiles for advertising
- Message data is processed only to generate automated replies for the account owner
Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top. Continued use of Flowtalk after changes constitutes acceptance of the updated policy.
Questions or Data Requests?
We typically respond within 30 days.