1. Introduction
CreatorPilot ("we," "us," or "our") operates the CreatorPilot platform, which enables Instagram creators and businesses to automate direct message delivery in response to comment keywords. This Privacy Policy explains what data we collect, how we use it, and your rights regarding that data.
2. Data We Collect
2.1 Data from Instagram (via Meta API)
When you connect your Instagram account, we access the following through the official Meta API:
- Account information — Instagram user ID, username, profile picture, and account type
- Comments — public comments on your Instagram posts (read-only, to detect keyword triggers)
- Direct messages — we send DMs on your behalf to users who comment specific keywords; we do not read your existing DM inbox
2.2 Data you provide
- Campaign configuration (keywords, message templates, variant settings)
- Workspace name and settings
2.3 Automatically collected data
- Browser type, IP address, and device information (via server logs)
- Pages visited and actions taken within the dashboard
3. How We Use Your Data
- Deliver the service — detect keyword comments and send the DM you configured
- Analytics — show you campaign performance (DMs sent, click-through rates)
- Account management — authenticate you, manage your workspace, refresh API tokens
- Service improvement — diagnose errors, improve reliability and performance
We do not sell your data to third parties. We do not use your data for advertising.
4. Data Storage and Security
- Instagram API tokens are encrypted at rest using AES-256 before storage
- Authentication uses HTTP-only, secure cookies with JWT tokens
- All data is transmitted over HTTPS/TLS
- Infrastructure is hosted on Railway with encrypted PostgreSQL databases
5. Data Sharing
We share data only with:
- Meta/Instagram — API calls to send messages and read comments (required for the service)
- Infrastructure providers — Railway (hosting), for the sole purpose of operating the service
We do not share, sell, or rent your personal data to any other third parties.
6. Data Retention
- Campaign and analytics data is retained while your account is active
- Instagram API tokens are refreshed automatically and old tokens are replaced
- If you delete your account, all associated data (campaigns, analytics, tokens) is permanently deleted within 30 days
7. Your Rights
You can:
- Access your data through the dashboard at any time
- Disconnect your Instagram account, which revokes our API access
- Delete your account and all associated data by contacting us
- Export your campaign and analytics data upon request
You can also revoke CreatorPilot's access directly from your Instagram settings under Apps and Websites > Active.
8. Meta Platform Data Policy
Our use of data received from Meta APIs adheres to the Meta Platform Terms and Developer Policies. We only request the minimum permissions necessary to operate the service (instagram_business_basic, instagram_business_manage_messages, instagram_business_manage_comments).
9. Cookies
We use essential cookies only (authentication tokens). We do not use advertising or third-party tracking cookies.
10. Children's Privacy
CreatorPilot is not intended for use by anyone under the age of 18. We do not knowingly collect data from minors.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes via the dashboard or email. Continued use of the service after changes constitutes acceptance of the updated policy.
12. Contact
For privacy-related questions or data deletion requests, contact us at: theeppisai@gmail.com