Privacy Policy
Effective date: 17 May 2026 · Last updated: 17 May 2026
This Privacy Policy explains how CommentLink ("we," "us," "our") collects, uses, discloses, and safeguards information when you use our website (commentlink.in), our application (app.commentlink.in), and our APIs (collectively, the "Service"). It applies to account holders (the creators, coaches, and businesses who sign up) and to end users (the Instagram followers who interact with automations our account holders build).
CommentLink is built on Meta's official Instagram Graph API. Our use and transfer of information received from Meta APIs adhere to the Meta Platform Terms and the Meta Developer Policies, including the Limited Use requirements.
1. Information we collect
1.1 Information from account holders
- Identity & contact: name, email, profile photo (via Google OAuth or email signup), country, locale.
- WhatsApp number (optional) for service notifications and support.
- Billing data: GSTIN (optional), payment method tokens, invoice address. Payment instruments themselves are stored by Razorpay (India) or Stripe (international) — never by us.
- Instagram account metadata: handle, display name, profile picture, follower count, media count, account type. Pulled via the Instagram Graph API after you authorise the connection.
- Long-lived access token for your Instagram account, stored encrypted at rest, never exposed to the browser.
- Usage telemetry: automations created, messages sent, login events, plan tier, support tickets.
1.2 Information from Meta / Instagram (the API)
When you connect an Instagram account, we receive (and store) only the information needed to deliver the Service:
- Your Instagram user ID, username, profile picture, follower count, and media count.
- The list of your recent media (post IDs, captions, thumbnails) used to power the post-picker.
- Real-time webhook events: new comments on your posts, story replies, story mentions, direct messages, and live-stream comments. Meta delivers these events to our webhook endpoint; we retain an event only when it matches an automation you have built, and discard the rest.
- Identifiers for the Instagram users who comment or message you, together with their public username, profile picture, and the content of their public comments or messages sent to your account.
1.3 Information from end users (your followers)
When a follower comments on a post or sends a DM that matches one of your automations, we store:
- Their Instagram user ID, username, and profile picture.
- The text of comments and DMs exchanged.
- Information they explicitly volunteer in reply to your DM (e.g. an email address or phone number you asked for).
- Conversation timestamps and link-click events from CommentLink short links.
End users are your contacts, not ours — we process this data on your behalf as your processor.
1.4 Information collected automatically
- Standard server logs: IP address, user-agent, request timestamps, error traces.
- Cookies and similar technologies strictly necessary to keep you logged in. No advertising cookies.
2. How we use information
- Deliver the Service: match incoming Instagram events against automations you've built, send DMs, post comment replies, capture leads, populate the dashboard.
- Account management: authenticate logins, send transactional emails and WhatsApp alerts, process payments and issue GST invoices.
- Support: respond to your requests, troubleshoot issues you report.
- Safety & compliance: detect abuse, prevent spam, enforce Meta's policies, respond to legal process.
- Product improvement: aggregated, de-identified usage metrics. We do not train AI models on the contents of your messages.
We do not use information received from Meta APIs to:
- Build, train, or improve AI/ML models.
- Sell, license, or rent to third parties.
- Determine credit-worthiness or eligibility for finance, employment, housing, or insurance.
- Serve advertising targeted at you or your followers.
3. Legal bases (EU/UK users)
- Contract: processing necessary to deliver the Service you signed up for.
- Legitimate interests: service security, fraud prevention, product analytics.
- Consent: optional marketing emails.
- Legal obligation: tax records, responding to lawful requests.
4. Sharing & sub-processors
We share information only with the following categories of recipients, under contracts that require equivalent protection:
- Infrastructure: Supabase (Postgres, auth, edge functions — AWS Mumbai), Vercel (frontend hosting), Cloudflare (DDoS & CDN).
- Payments: Razorpay (India), Stripe (international).
- Email & messaging: Resend (transactional email), WhatsApp Business API (creator alerts).
- Analytics: a privacy-preserving, cookie-less analytics service. No personally identifying information shared.
- Legal: when required by law, court order, or to protect rights, property, or safety.
We do not sell or rent personal information. We do not share follower message content with any party other than the account holder who created the automation.
5. Data retention
- Active accounts: we retain data as long as your account is active.
- Contacts & messages: retained while the related Instagram account is connected. You can delete individual contacts (and all of their messages) anytime from the Contacts page.
- After account deletion: personal data is purged within 30 days. Backups containing personal data are overwritten within 90 days.
- Logs: standard server logs retained 30 days; security logs up to 12 months.
- Tax records: retained for the statutory period required by Indian tax law (currently 8 years for GST records).
6. Security
We take security seriously and apply industry-standard safeguards:
- TLS 1.2+ for all data in transit.
- AES-256 encryption at rest for all data in our database, with separate encryption for Instagram access tokens.
- Row-Level Security policies in Postgres, enforced by the database itself, so a query issued under one account's session cannot return or modify another account's rows, even if the application layer omits a tenant filter.
- Access tokens are never sent to the browser. The service-role key (which bypasses Row-Level Security) is held only in server-side edge functions and is never shipped to clients.
- Quarterly review of access controls; principle of least privilege for staff.
No system is perfectly secure. If you believe you have found a vulnerability, please email security@commentlink.in.
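To make the Row-Level Security point concrete, here is an added illustration of the kind of policy section 6 describes. It is not CommentLink's schema or code: the table and column names (`contacts`, `owner_id`, `ig_user_id`) are assumed, and `auth.uid()` and the `authenticated` role are Supabase conventions used here because the policy names Supabase as the database host.

```sql
-- Added illustration, not CommentLink's schema or code.
-- Assumptions: table/column names are hypothetical; auth.uid() is the
-- Supabase helper returning the calling user's id; "authenticated" is the
-- Supabase role for logged-in users.

create table if not exists contacts (
  id          bigint generated always as identity primary key,
  owner_id    uuid not null,           -- account holder who owns this contact
  ig_user_id  text not null,           -- follower's Instagram user ID
  ig_username text,
  created_at  timestamptz not null default now()
);

-- Until RLS is enabled, policies are not consulted and every row is visible
-- to any role that can SELECT from the table.
alter table contacts enable row level security;

-- Also apply policies to the table owner, so a connection that runs as the
-- owning role is still filtered. (Roles with BYPASSRLS, such as a
-- service-role connection, are still exempt, which is why that key must
-- stay server-side.)
alter table contacts force row level security;

-- Each account holder can read and change only rows whose owner_id matches
-- the authenticated user. The WITH CHECK clause also blocks inserting or
-- updating a row into another tenant's namespace.
create policy contacts_owner_only on contacts
  for all
  to authenticated
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());

-- A query that "forgets" the tenant filter still returns only the caller's
-- rows, because the filter is applied by the database, not the application.
select id, ig_username
from contacts;
```

The practical check is the last statement: run it from a session authenticated as one account holder and confirm that no rows belonging to another `owner_id` are returned. If they are, RLS is either not enabled on the table or the session is connecting with a role that bypasses it.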
7. Your rights
Subject to local law, you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Delete your account and associated data (see Data Deletion).
- Export your contacts and messages as CSV from inside the app.
- Object to or restrict certain processing.
- Withdraw consent for any processing based on consent.
- Lodge a complaint with your local data-protection authority.
To exercise these rights: privacy@commentlink.in. We respond within 30 days.
8. Followers' rights (end users)
If you are an Instagram follower who interacted with an automation someone built using CommentLink and you would like your data deleted, you can:
- Reply STOP, UNSUBSCRIBE, or REMOVE to the DM. You'll be flagged as opted out and never receive another automated DM from that account holder via CommentLink.
- Email privacy@commentlink.in with your Instagram username and the account that messaged you, and we'll delete your record within 30 days.
9. Children
The Service is not directed to children under 13 (or 16 in the EEA). We do not knowingly collect personal data from minors. If you believe a minor has used the Service, please contact us and we'll delete the data.
10. International transfers
Our primary data centre is AWS Mumbai (ap-south-1). Some sub-processors (Stripe, Resend) operate from the US or EU. Where personal data is transferred outside India or the EEA, we rely on Standard Contractual Clauses or equivalent safeguards.
11. Changes to this policy
We may update this Privacy Policy. Material changes will be notified by email at least 14 days before they take effect. Continuing to use the Service after the effective date constitutes acceptance.
12. Contact
CommentLink
Email: privacy@commentlink.in
Support: support@commentlink.in
Security disclosures: security@commentlink.in