Privacy Policy

This Privacy Policy describes how our Instagram AI Agent service operating at nurdan.me ("Service", "we", "us", or "our") collects, uses, and protects your information when you use our application to manage Instagram direct messages through automated AI responses, static reply automation, and comment-triggered direct messaging.

By using our Service, you agree to the collection and use of information in accordance with this policy. We are committed to protecting your privacy and complying with all applicable data protection laws, including Meta's Platform Terms and Developer Policies.

1. Information We Collect

1.1 Instagram Account Information

When you connect your Instagram business account to our Service, we collect:

• Your Instagram business account username and user ID
• Basic profile information (name, profile picture)
• Account permissions granted through Instagram's OAuth flow

1.2 Direct Message Data

Through Instagram's webhook API, we receive and temporarily store:

• Business-related direct messages sent to your Instagram account
• Message content, sender information, and timestamps
• Conversation threads and context necessary for AI or static responses
• Message metadata (delivery status, read receipts)
• A record of whether a given conversation has previously been handled by the Service, used to determine whether a static greeting reply should be sent

1.3 Comment Data

If you enable the Comment DM feature, we receive and temporarily process:

• Public comments posted on your Instagram posts or reels, as delivered via Instagram's webhook API
• The commenter's Instagram user ID and username
• Comment text, post identifier, and timestamp
• Signal word(s) you configure to trigger automated DMs — these are stored as part of your account settings

Comment data is used solely to evaluate whether a configured signal word is present and, if so, to dispatch a single automated DM to the commenter. Comment content is not retained beyond what is necessary for this evaluation.

1.4 Usage Information and Configuration Data

We automatically collect certain information about your use of the Service:

• Service usage statistics and performance metrics
• AI agent configuration and preferences (when AI mode is enabled)
• Static reply text configured by you (when static reply mode is enabled)
• Comment DM configuration, including signal words and reply text configured by you
• Response accuracy and user feedback data
• Technical logs for troubleshooting and service improvement

2. How We Use Your Information

We use the collected information for the following purposes:

• AI-Powered Responses: When AI mode is enabled, to analyze incoming direct messages and generate appropriate automated responses through our AI agent
• Static Reply Delivery: When static reply mode is enabled, to detect new or previously unrecorded conversations and send the greeting text you have configured, without involvement of any AI model
• Comment DM Automation: When the Comment DM feature is enabled, to monitor incoming comment notifications for your configured signal words and automatically send your pre-configured DM to the commenter via Instagram's Messaging API
• Service Functionality: To maintain the connection between your Instagram account and our Service
• Customer Support: To respond to your inquiries, provide technical support, and resolve issues
• Security and Fraud Prevention: To detect, prevent, and address technical issues, abuse, or fraudulent activity
• Legal Compliance: To comply with applicable laws, regulations, and Meta's Platform Policies

3. Data Security and Encryption

We take data security seriously and implement industry-standard measures to protect your information:

• Encryption at Rest: All message and comment data is encrypted using industry-standard AES-256 encryption in our databases
• Encryption in Transit: All data transmission occurs over secure HTTPS/TLS connections
• Access Controls: Strict access controls ensure that only authorized systems can process encrypted data
• Secure Infrastructure: Our servers and infrastructure are hosted with reputable cloud providers that maintain SOC 2 compliance
• Regular Security Audits: We conduct regular security assessments and updates to maintain the highest security standards

4. Data Retention and Automatic Deletion

Our data retention practices include:

• Message data is retained for a maximum of 7 days to enable AI processing, static reply logic, and service functionality
• Comment data received via webhook is retained only for the duration of signal-word evaluation and DM dispatch, and is purged no later than 7 days from receipt
• Conversation records used to determine whether a static greeting has been sent are retained for as long as your account remains active, and are deleted upon account termination
• After 7 days, all message and comment content is automatically purged from our systems
• Your configured static reply text, signal words, and Comment DM text are stored as account settings and are deleted upon account termination or upon your explicit request
• Account connection data is retained only while your account remains active with our Service

5. Data Sharing and Third Parties

We do not sell, trade, or rent your personal information to third parties. We may share your information only in the following limited circumstances:

5.1 Service Providers

We may share data with trusted third-party service providers who assist in operating our Service, such as:

• Cloud infrastructure providers (for secure data storage)
• OpenAI (for generating automated AI responses when AI mode is enabled). OpenAI's privacy policy is available at openai.com/privacy. Note: when static reply mode is enabled instead of AI mode, message content is not transmitted to OpenAI.

These providers are contractually obligated to protect your information and use it only for the purposes we specify.

5.2 Meta/Instagram

We interact with Instagram's API in accordance with Meta's Platform Terms and Policies. Message and comment data flows through Instagram's webhook and Messaging API systems as authorized by you.

5.3 Legal Requirements

We may disclose your information if required by law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of our Service, users, or others.

6. Your Rights and Choices

You have the following rights regarding your data:

6.1 Access and Portability

You have the right to request access to the personal information we hold about you and to receive a copy of your data in a portable format.

6.2 Data Deletion

You can request immediate deletion of your data at any time by any of the following methods:

• Contacting us through our support channels
• Sending a written request to our designated contact email
• Revoking access to our application directly through your Instagram account settings — this will automatically trigger deletion of all your associated data from our systems

Upon receiving your deletion request, we will permanently delete all your personal data within 30 days, except where we are legally required to retain certain information.

6.3 Account Termination

You can terminate your account and disconnect our Service from your Instagram account at any time. This will:

• Immediately revoke all access permissions to your Instagram account
• Stop all AI agent, static reply, and Comment DM activities
• Initiate the deletion process for all stored data, including your configured reply texts and signal words (completed within 30 days)
• Remove the connection between your Instagram account and our Service

6.4 Modify or Correct Information

You can update your account information, AI agent settings, static reply text, signal words, and Comment DM text at any time through your account dashboard.

6.5 Opt-Out

You can disable the AI agent, static reply mode, or Comment DM functionality independently at any time while maintaining your account, preventing further processing of new messages or comments under the respective feature.

7. Meta Platform Compliance

Our Service is built in full compliance with Meta's Platform Terms, Developer Policies, and Instagram API requirements:

• Authorized Access: We access Instagram data only through official APIs and with your explicit permission
• Data Usage Restrictions: We use Instagram message and comment data solely for providing our automated response service as described in this policy
• Webhook Security: All webhook data from Instagram is securely received, processed, and stored according to Meta's security requirements
• Comment DM Compliance: Comment-triggered DMs are sent only in response to organic public comments containing user-configured signal words, and only through Instagram's official Messaging API, in compliance with Meta's policies on automated messaging
• User Control: You maintain full control over the connection and can revoke access at any time through Instagram's settings
• Policy Updates: We stay current with Meta's policy changes and update our practices accordingly

8. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to maintain your session, remember your preferences, and improve our Service. These include:

• Essential Cookies: Required for authentication and basic Service functionality
• Performance Cookies: Help us understand how users interact with our Service
• Preference Cookies: Remember your settings and customization choices

You can control cookies through your browser settings, though disabling certain cookies may limit Service functionality.

9. Children's Privacy

Our Service is intended for Instagram business account owners who are at least 18 years old. We do not knowingly collect or solicit personal information from individuals under 18. If you believe we have inadvertently collected information from a minor, please contact us immediately, and we will take steps to delete such information.

10. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. These countries may have data protection laws different from those in your jurisdiction. We ensure that appropriate safeguards are in place to protect your information in accordance with this Privacy Policy and applicable law, including:

• Standard contractual clauses approved by relevant authorities
• Compliance with EU-US and Swiss-US Privacy Shield frameworks (where applicable)
• Ensuring third-party processors meet equivalent data protection standards

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. We will notify you of any material changes by one of:

• Posting the updated policy on this page with a new "Last Updated" date
• Sending an email notification to your registered email address
• Displaying a prominent notice within the Service

Your continued use of the Service after such modifications constitutes your acknowledgment and acceptance of the updated Privacy Policy.

12. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

We will respond to all legitimate requests within 30 days or as required by applicable law.

13. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), our legal basis for collecting and using your personal information depends on the data concerned and the context in which we collect it:

• Contract Performance: Processing is necessary to provide the AI agent service, static reply service, and Comment DM service you requested
• Legitimate Interests: We have a legitimate interest in improving our Service, preventing fraud, and ensuring security
• Consent: You have given explicit consent for specific processing activities (such as connecting your Instagram account and enabling individual features)
• Legal Obligation: Processing is necessary to comply with legal requirements

You have the right to withdraw consent at any time where we rely on consent as the legal basis for processing.

14. California Privacy Rights (CCPA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA):

• Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you, the sources, our business purpose for collecting it, and the categories of third parties we share it with.
• Right to Delete: You may request deletion of personal information we have collected from you, subject to certain exceptions.
• Right to Opt-Out: We do not sell personal information. You therefore have no need to opt out of a sale, but you may contact us to confirm this at any time.
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.

To exercise your rights, contact us at privacy@nurdan.me. We will respond within 45 days as required by law. You may designate an authorized agent to make a request on your behalf by providing written authorization.

15. Acceptance of This Policy

By using our Service, connecting your Instagram business account, or accessing our platform, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with this policy, please do not use our Service.