Mentioflow (“we”, “us”) provides software that connects to Instagram Business and Creator accounts to automate comment-to-DM responses and capture leads. This Privacy Policy explains what information we collect, how we use it, and the choices you have. It applies to the website at mentioflow.com and the connected services.
Operator. The service is operated by Mentioflow, contactable at mentioflow@gmail.com. If you are a resident of the European Economic Area or the United Kingdom, the operator acts as the data controller for personal data described below.
1. Data we collect
1.1 Information you provide
- Account details — name, email, password (stored as a bcrypt hash, rounds=12).
- Billing details processed by Razorpay; we never see full card numbers.
- Automation settings — keywords, message templates, schedules you configure.
1.2 Information collected from Instagram (with your consent)
When you connect an Instagram Business or Creator account via the Instagram Business Login flow, Instagram returns:
- An access token, which we encrypt at rest with AES-256-GCM before storing.
- Your Instagram user ID, username, account type, profile picture, and follower count.
- On webhook events: the comments and direct messages we are authorized to process, plus the sender’s scoped ID (PSID) and public username. We do not request or store email addresses, phone numbers, or any other private information from your audience.
1.3 Operational logs
We log webhook events, DM-send attempts, errors, and request metadata (IP, user agent, timestamps) for security, debugging, and abuse prevention. Logs are retained for up to 30 days unless required longer for fraud or legal investigations.
2. How we use the data
- To deliver the service: triggering automations, sending DMs you authorized, surfacing analytics.
- To bill you and prevent abuse.
- To send transactional emails (account, billing, security). We do not send marketing email without an opt-in.
- To comply with legal obligations and respond to lawful requests.
We do not sell your data. We do not use Instagram data to train machine-learning models that we make available to other customers.
3. Sharing
We share data only with:
- Instagram / Meta — to fulfil the API actions you request (sending DMs, fetching profile info).
- Cloud infrastructure providers — Google Cloud (Cloud Run, Cloud SQL, Cloud Tasks, Secret Manager) hosted in the United States.
- Razorpay — for billing and payment processing.
- OpenAI — only if you enable AI personalisation; the message text is sent for the purpose of generating a reply, then discarded.
- Authorities, where required by law.
4. Storage and security
- Instagram access tokens are encrypted at rest with AES-256-GCM.
- All transport is TLS 1.2+ (Google-managed certificates).
- Webhook payloads are verified with HMAC-SHA256 before processing.
- Access to production systems is limited to operator administrators using Google IAM.
- Data is hosted in us-central1 (Iowa, USA).
5. Retention
We keep account data while your account is active. Automation logs and DM history are kept for 12 months and then deleted. You can request earlier deletion at any time (Section 7).
6. International transfers
If you access Mentioflow from outside the United States, your data is transferred to and processed in the United States. We rely on the Standard Contractual Clauses for transfers from the EU/UK where applicable.
7. Your choices and rights
You can:
- Disconnect any Instagram account at any time from Settings → Connected Instagram accounts; this immediately invalidates the stored token and stops automations.
- Request a copy of your data, correction of inaccurate data, or deletion of your account by emailing mentioflow@gmail.com.
- Initiate a data deletion request at /data-deletion.
EU/UK users additionally have the right to object to processing, to portability, and to lodge a complaint with their supervisory authority. California residents have rights under the CCPA, including the right to know what we collect and to request deletion; we do not sell personal information.
8. Children
Mentioflow is not directed at children under 13 (or under 16 in the EU/UK). We do not knowingly collect data from anyone in those categories.
9. Changes
We will post updates here and, for material changes, notify you by email. Continued use after the effective date constitutes acceptance of the updated policy.
10. Contact
Questions or requests: mentioflow@gmail.com.
This document is a working template. Mentioflow has not yet had it reviewed by external counsel; consult a lawyer before relying on it for production.