Privacy Policy
Last updated: March 31, 2026
1. Introduction
CommentFlow ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service. This policy complies with the General Data Protection Regulation (GDPR) and Brazil's Lei Geral de Proteção de Dados (LGPD).
2. Information We Collect
Account Information:
- Name, email address, and password (hashed)
- Google account data if you sign in with Google
Instagram Data (with your authorization):
- Instagram username and profile information
- Direct messages sent and received through our automations
- Comments on your posts (for automation triggers)
- Account insights and analytics
Usage Data:
- Pages visited and features used
- Chatbot configurations and automation rules
- Device type, browser, and IP address
3. How We Use Your Information
We use your data to:
- Provide and operate the Service (sending DMs, replying to comments)
- Process your automation rules and chatbot flows
- Send transactional emails (welcome, password reset, notifications)
- Improve and optimize the Service
- Prevent fraud and ensure security
4. Legal Basis for Processing (GDPR)
- Consent: When you connect your Instagram account and authorize permissions
- Contract: To provide the Service you signed up for
- Legitimate Interest: For analytics and service improvement
5. Data Sharing
We do NOT sell your personal data. We share data only with:
- Meta/Instagram: To execute automations via their API
- Resend: To send transactional emails
- Hosting providers: For infrastructure (servers, databases)
All third-party processors are contractually obligated to protect your data.
6. Data Retention
- Account data is retained while your account is active
- Message logs and session data are retained for up to 90 days
- Upon account deletion, all data is permanently removed within 30 days
- We may retain anonymized, aggregated data for analytics
7. Your Rights
Under GDPR and LGPD, you have the right to:
- Access: Request a copy of your personal data
- Rectification: Correct inaccurate data
- Erasure: Request deletion of your data
- Portability: Receive your data in a structured format
- Object: Opt out of certain data processing
- Withdraw Consent: Disconnect your Instagram account at any time
To exercise these rights, contact us at contact@comentflow.com.
8. Cookies
We use essential cookies for:
- Authentication (session tokens)
- Language preference
We do not use tracking cookies for advertising purposes.
9. Security
We implement security measures including:
- HTTPS/TLS encryption for all connections
- Bcrypt password hashing
- Database access controls
- Regular security updates
No method of transmission is 100% secure. We cannot guarantee absolute security.
10. International Transfers
Your data may be processed on servers located outside your country. We ensure appropriate safeguards are in place for international data transfers in accordance with GDPR and LGPD.
11. Children's Privacy
The Service is not intended for users under 18 years of age. We do not knowingly collect data from minors.
12. Changes to This Policy
We may update this policy at any time. Material changes will be communicated via email or in-app notice. The "Last updated" date at the top reflects the most recent revision.
13. Data Deletion and Deauthorization
When you disconnect your Instagram account from CommentFlow, we will delete all associated Instagram data within 30 days. You can also request full account deletion through your account settings or by contacting us.
14. Contact Us
For privacy-related questions or to exercise your rights, contact us at: contact@comentflow.com
See also our Terms of Service.