ReplyNest

Privacy Policy

ReplyNest: Instagram Automation System
Effective Date: 5 May 2026 · Last Updated: 5 May 2026

This Privacy Policy explains how the Instagram Automation System ("Platform", "we", "us", or "our"), operated by AK online pvt ltd., collects, uses, stores, and protects information when you access and use the Platform and its associated services. By registering, connecting your Instagram account, or otherwise using the Platform, you agree to the practices described herein. If you do not agree, please discontinue use of the Platform immediately.


01. Information We Collect

We collect information that you provide directly, information generated automatically as you use the Platform, and information received from third-party services such as Meta (Instagram).

Personally Identifiable Information

When you register and use the Platform, we may collect your name, email address, and account credentials used for registration. We do not store your Instagram password or login credentials at any time.

Instagram Account Data

When you connect your Instagram Business Account via Meta OAuth, we receive and store: Instagram Business ID and Page ID, encrypted OAuth access tokens, account name and profile details provided by Meta, and webhook event data (comments, DMs, reactions) necessary for automation.

Automation & Usage Data

This includes workflow configurations and automation settings, trigger keywords, action rules and resource mappings, automation execution logs and event records, conversation history associated with automated DM flows, and usage metrics and subscription plan activity.

Technical & Device Data

This includes your IP address, browser type, and operating system; timestamps, referring URLs, and session information; and cookies and local storage as described in Section 10.

Payment Information

Payment transactions are processed through Razorpay. We do not store card numbers, banking credentials, or any raw financial data on our servers. See Section 6 for details.


02. How We Use Your Information

We use the information collected for the following purposes, limited to what is necessary for the proper operation of the Platform:

| Purpose | Data Used | Legal Basis |
|---|---|---|
| Account registration & authentication | Name, email, password hash | Contract / Consent |
| Instagram account connection & automation | Access tokens, Instagram IDs, webhook events | Contract |
| Workflow execution & automation delivery | Trigger data, configurations, conversation logs | Contract |
| Subscription & billing management | Plan data, usage logs, payment status | Contract |
| Security, fraud prevention & abuse detection | IP, usage logs, request data | Legitimate Interest |
| Platform improvements & analytics | Aggregated, anonymised usage data | Legitimate Interest |
| Communications & support | Email address, support interactions | Consent / Contract |

We do not sell, trade, or commercially exploit your personal information to third parties. We do not use your data for automated profiling or decision-making that produces legal effects without human oversight.


03. Instagram & Meta Integration

OAuth Authentication

Instagram account connections are made exclusively through Meta's OAuth 2.0 authentication flow. You authenticate directly with Meta — we never receive your Instagram password. Meta returns an access token which is encrypted and stored securely on our servers. You may revoke access at any time through your Instagram or Facebook account settings.

Webhook Event Processing

Instagram sends webhook events to the Platform when a user interacts with your account (e.g., comments on a post, sends a DM, reacts to a story). These events are validated via webhook signature verification before processing to prevent spoofing or unauthorized triggers.

Data Never Stored

The Platform operates in compliance with Meta Platform Policies, including the 24-hour messaging window requirement and user-initiated interaction rules. Automated DMs are sent only following a qualifying user action such as a comment, message, or story reaction.

04. Data Storage & Security

Database

All persistent data is stored in a PostgreSQL relational database. The database stores user accounts, encrypted access tokens, workflow configurations, automation states, analytics logs, and subscription records. Multi-user isolation ensures that each user's data is logically separated from others.

Token Security

All Instagram access tokens are encrypted before storage. Tokens are never exposed in frontend responses or public API outputs. Tokens are used exclusively for authorised Meta Graph API communication.

Infrastructure Security

While we take commercially reasonable steps to protect your data, no internet transmission or storage system is completely secure. You are responsible for maintaining the confidentiality of your account credentials.

05. Queue & Automation Processing

To protect platform stability and comply with Meta's API rate limits, all automation events are processed through a Redis-based queue and throttling system before any API requests are dispatched.

This means incoming webhook events and automation triggers are queued rather than processed simultaneously. Workers process jobs in controlled intervals to prevent API flooding or message bursts. Each user's automation queue is isolated from others (per-tenant isolation). Temporary session data and scheduling information are stored in Redis with appropriate time-to-live (TTL) limits.

Queue data is ephemeral and is not retained beyond the period required to complete the associated automation task.


06. Payments & Transactions

Payment processing is handled through Razorpay, a PCI-DSS compliant payment gateway. The Platform does not directly collect, process, or store any payment card data, bank account numbers, or UPI credentials.

Payment Flow

  1. You select a subscription plan or service on the Platform
  2. The backend creates a payment order via the Razorpay API
  3. You complete payment through Razorpay's secure interface
  4. Razorpay sends a signed webhook event confirming payment status
  5. The backend verifies the payment signature and activates your access

Data We Store Regarding Payments

All sensitive financial data — including card details and banking credentials — remains exclusively within Razorpay's infrastructure and is never transmitted to or stored by the Platform.


07. Third-Party Services

The Platform integrates with the following third-party services. Each operates under its own privacy policy and terms of service:

| Service | Purpose | Data Shared |
|---|---|---|
| Meta / Instagram | OAuth authentication, webhook events, DM sending | Access tokens, automation actions |
| Razorpay | Payment processing | Order details, payment status |
| Cloudflare | DDoS protection, CDN, traffic filtering | IP addresses, request metadata |
| n8n (self-hosted) | Workflow automation engine | Workflow configs, event payloads |

We do not share personally identifiable information with advertising networks, data brokers, or any entity for commercial marketing purposes.


08. Data Retention

We retain your personal information for as long as your account is active or as necessary to fulfil the purposes described in this Policy, including legal and compliance obligations.

Upon account deletion, we will anonymise or delete your personal information from active systems. Aggregated, non-identifiable analytics data may be retained indefinitely.


09. Your Rights & Choices

Subject to applicable law, you have the following rights with respect to your personal information:

Right to Access — You may request a copy of the personal information we hold about you.

Right to Correction — You may request correction of inaccurate or incomplete personal information.

Right to Erasure — You may request deletion of your personal information. Note that deletion of your account will permanently remove your automation configurations and account history.

Right to Restrict Processing — You may request that we limit the processing of your data in certain circumstances.

Right to Data Portability — Where applicable, you may request an export of your data in a structured, machine-readable format.

Right to Disconnect Instagram — You may disconnect your Instagram account at any time through the Platform dashboard or through your Facebook / Instagram account settings, which will revoke the access token held by the Platform.

Right to Withdraw Consent — Where processing is based on your consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, please contact us at the details in Section 13.


10. Cookies & Tracking

The Platform uses cookies and similar technologies to maintain sessions, remember user preferences, and improve platform performance.

You may configure your browser to refuse or delete cookies. However, disabling essential cookies may prevent access to certain features of the Platform. We do not use cookies for cross-site advertising or third-party behavioural tracking.


11. Cross-Border Data Transfer

The Platform's infrastructure, including database and backend services, is primarily operated within India. However, certain third-party service providers — including Cloudflare and Meta — may process data in jurisdictions outside India.

By using the Platform, you acknowledge and consent to the transfer of your information to India and, where applicable, to other countries in connection with the third-party services described in Section 7. We take reasonable steps to ensure such transfers comply with applicable data protection laws.


12. Changes to This Policy

We may revise this Privacy Policy from time to time to reflect changes to the Platform, applicable laws, or our data practices. When material changes are made, we will update the "Last Updated" date at the top of this document and, where appropriate, notify registered users via email or in-platform notification.

Your continued use of the Platform following the posting of any changes constitutes acceptance of those changes. We encourage you to review this Policy periodically.


13. Grievances & Contact

If you have any questions, concerns, or requests regarding this Privacy Policy or the handling of your personal information, please reach out to us:

ReplyNest
Instagram Automation System
Email: contact@replynest.tech
Website: www.repynest.tech

We aim to respond to all valid requests within 30 days of receipt. For complex requests, we may require additional time and will notify you accordingly.

If you are located in India and believe your rights under the Digital Personal Data Protection Act (DPDPA) or related regulations have been violated, you may contact us using the details above before escalating to the appropriate supervisory authority.

