Privacy Policy

This policy applies to (a) the operator and invited users who sign in to the Service’s dashboard, and (b) the Instagram Business or Creator accounts that the operator connects to the Service. The Service is not a consumer product and does not collect data from the general public.

We collect only what is necessary to operate the analytics dashboard:

• Dashboard accounts: username, role (admin or viewer), and a one-way bcrypt hash of the password. Plain-text passwords are never stored.
• Instagram access tokens: long-lived Graph API tokens that you explicitly provide when connecting an account. Tokens are encrypted at rest using AES-256-GCM before being written to the database.
• Instagram account metadata: the Instagram user ID, username, and follower count for each account connected by the operator.
• Post data: public post metadata (caption, media type, permalink, timestamp, hashtags) for posts published by the connected accounts, fetched from the Instagram Graph API.
• Post metrics: engagement metrics returned by the Instagram Graph API (likes, comments, saves, shares, reach, impressions, video views), captured periodically to build a time series.
• Server logs: the backend logs request and job activity (timestamps, status codes, sync outcomes) for operational monitoring.

We do not collect data from followers, commenters, or any other third-party Instagram users beyond the post’s aggregate metric counters returned by Meta.

Collected data is used solely to:

• Authenticate dashboard users and enforce role-based access control.
• Periodically fetch metrics from the Instagram Graph API using the operator-supplied access tokens.
• Compute aggregate metrics (engagement rate, impact score) and render them in the dashboard.
• Maintain a historical time series so changes in engagement can be visualized.

We do not use collected data to train machine-learning models, to target advertising, or for any purpose outside of the operator’s own internal reporting.

Data is not sold, rented, or shared with any third party for commercial purposes. The only external systems data is sent to are:

• Meta / Instagram Graph API — access tokens are sent to Meta’s servers as required to fetch metrics. This is inherent to the integration.
• The operator’s own infrastructure — data is stored on PostgreSQL hosted by the operator’s database provider and the backend is hosted on the operator’s chosen platform.

Data is retained until manually removed by an operator or until an account is disconnected. Operators can:

• Disable or delete a connected Instagram account from the dashboard; deleting an account cascades to its posts, snapshots, and cached metrics.
• Configure the snapshot lookback window (how many days of post history are retained) from the dashboard’s Settings area.
• Delete dashboard users from the Users settings page.

To request deletion of any data associated with you or your Instagram account, contact us at the address below and we will remove it within 30 days.

Instagram access tokens are encrypted at rest with AES-256-GCM before storage. Passwords are hashed with bcrypt. The dashboard is gated behind username/password authentication, and all API traffic uses signed JWTs. Transport is expected to be secured by HTTPS in any production deployment.

No system is perfectly secure. If you become aware of a vulnerability, please report it to the contact address below.

The dashboard sets a single session cookie (an HTTP-only, signed JWT) to keep users signed in. No analytics, advertising, or tracking cookies are set.

The Service is not intended for and does not knowingly collect data from individuals under 13 years of age.

We may update this policy to reflect changes in functionality or legal requirements. The “Last updated” date at the top of this page reflects the most recent change.

Questions, deletion requests, or security reports can be sent to edgarcardona87@gmail.com.