Privacy Policy
Last updated: April 1, 2026
At DM Tracker ("DM Tracker," "we," "us," or "our"), your privacy and the security of your personal data are top priorities. This Privacy Policy explains how we collect, use, share, and protect personal data when you use our services.
DM Tracker processes data for two purposes: for our own legitimate business purposes (e.g., marketing, support, legal compliance) and as a data processor handling customer Instagram conversations and pipeline workflows on behalf of our users.
This policy applies to users of the DM Tracker web application, the website www.dmtracker.ai, and communications with the company.
1. How We Collect Personal Data
We gather information through these channels:
- Account registration and workspace setup: email addresses, names, and organization settings.
- Instagram API connection: when you connect your Instagram Business or Creator account through Meta's OAuth flow, we receive your Instagram user ID, username, display name, and profile picture. We also receive access tokens that let us make API requests on your behalf.
- Instagram conversations: once connected, we fetch your existing Instagram DM threads and receive new messages in real time through Meta's webhook system. This includes message text, timestamps, sender/recipient IDs, and media attachments (images, videos).
- Instagram contact profiles: we fetch the username, display name, and profile picture of people who message your Instagram account, so we can show them as contacts in your CRM.
- ManyChat webhooks: if you use the ManyChat integration, DMs, timestamps, and usernames are sent to us through ManyChat's webhook system.
- Manual contact additions: any data you manually enter about contacts.
- User support communications: contact details and message content when you reach out to support.
- Website visits: device data, IP addresses, cookies, and browser activity.
2. What Types of Personal Data We Process
- Account information: email address, full name, organization name.
- Instagram account data: Instagram user ID, username, display name, profile picture.
- Instagram messages: DM text content, timestamps, sender/recipient IDs, attachments (images, videos).
- Instagram contact profiles: usernames, display names, profile pictures of people who message you.
- Access tokens: OAuth tokens that let us access Instagram on your behalf (encrypted at rest).
- Device and browser data: IP address, browser type, operating system.
- Billing information: processed through third-party payment providers. We do not store full payment card details.
3. How We Use Personal Data
We use your data to:
- Provide the service: display your Instagram conversations, let you reply to messages, manage your contacts and pipeline.
- Authenticate your Instagram connection: use access tokens to make API calls to Instagram on your behalf.
- Receive messages in real time: process webhook events from Instagram to show new messages as they arrive.
- Show contact information: fetch and display profile info for people who message you.
- Operate and secure your account: verify your identity, manage roles and permissions within your organization.
- Process payments: handle subscription billing through our payment provider.
- Provide support: respond to your questions and troubleshoot issues.
- Improve the product: understand how the service is used (through aggregated, anonymized data only).
- Comply with legal obligations: respond to legal requests and enforce our terms.
We only process Instagram data to provide the features you've asked for. We do not use your Instagram messages or contact data for advertising, marketing, or any purpose beyond the CRM functionality.
4. How We Share Personal Data
We do not sell personal data.
We may share information with:
- Service providers: companies that help us run the service (hosting, database, payment processing), under contracts that require them to protect your data.
- Legal authorities: when required by law, court order, or government request.
- Business transfers: if DM Tracker is acquired or merged, your data may transfer to the new entity under the same privacy protections.
We do not share your Instagram messages, contact data, or access tokens with any third party for their own purposes.
5. Data Security
We take the following steps to protect your data:
- Token encryption: Instagram access tokens are encrypted with AES-256 before being stored in our database. They are never exposed to the client-side application.
- Webhook verification: all incoming Instagram webhooks are verified using HMAC-SHA256 signature validation to make sure they come from Meta.
- Row Level Security: our database uses Row Level Security (RLS) policies so that each organization can only access its own data.
- HTTPS everywhere: all data in transit is encrypted using TLS/HTTPS.
- Role-based access: users can only access organizations they belong to, with different permission levels (Owner, Admin, Team Member).
- Encrypted storage: our database is hosted on Supabase with encryption at rest enabled.
No system is 100% secure, and we cannot guarantee absolute security. But we work to protect your data using industry-standard practices.
6. Your Data Rights
You have the right to:
- Access your personal data: see what we have stored about you.
- Correct inaccurate data.
- Delete your data (see Section 7 for how).
- Restrict processing of your data.
- Export your data in a portable format.
- Withdraw consent for marketing communications.
- Object to certain types of processing.
To exercise any of these rights, email us at privacy@dmtracker.ai. We will respond within 30 days.
7. Data Deletion
You can delete your data in several ways:
- Disconnect your Instagram account: go to Settings > Connections and disconnect. This removes your stored access token and Instagram connection data. Your conversation history and contacts remain until you delete them separately.
- Delete individual contacts: remove specific contacts and their conversation history from your CRM.
- Delete your organization: this permanently deletes all contacts, conversations, connection data, and team member associations for that organization.
- Remove DM Tracker from Instagram: if you revoke DM Tracker's access from your Instagram account settings, Meta sends us a notification. When we receive it, we delete your access token and mark the connection as removed.
- Request full deletion: email privacy@dmtracker.ai and we will delete all your personal data, unless we are legally required to retain it.
8. Data Retention
- Account data: retained while your account is active and until you request deletion.
- Instagram messages and contacts: retained while your organization is active. Deleted when you request it or when you remove specific contacts.
- Access tokens: retained while your Instagram account is connected. Deleted when you disconnect your Instagram account or when Meta notifies us of deauthorization.
- Billing data: retained as required by tax and financial regulations.
- Support communications: retained for quality and support purposes unless you request deletion.
9. Instagram and Meta Platform Data
DM Tracker uses Meta's Instagram API to provide its features. When you connect your Instagram account, you authorize DM Tracker to access specific data through Meta's platform. Here's what you should know:
- We only request the Instagram permissions we need: basic profile info, messaging, and human agent support.
- We use Instagram data only to provide the CRM features you see in the app. We do not use it for advertising, analytics beyond aggregated usage metrics, or any other purpose.
- We do not share Instagram data with third parties.
- If you remove DM Tracker from your Instagram account, we are notified by Meta and delete your connection data.
- We comply with Meta's Platform Terms and Developer Policies.
10. Cookies and Tracking
We use cookies for:
- Essential cookies: keeping you logged in, remembering your session.
- Analytics cookies: understanding how the app is used (aggregated, anonymized data).
We do not use cookies for advertising or tracking across other websites.
11. International Data Transfers
DM Tracker is based in the United States. If you are outside the U.S., your data will be transferred to and processed in the United States. Where required by law, we use Standard Contractual Clauses or other approved transfer mechanisms to protect your data.
12. Children's Privacy
DM Tracker is not intended for anyone under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at privacy@dmtracker.ai so we can delete it.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make significant changes, we will notify you by email or through a notice in the app. The current version is always available at www.dmtracker.ai/privacy-policy.
14. Contact Us
If you have any questions about this Privacy Policy or how we handle your data:
DM Tracker
Email: privacy@dmtracker.ai