Privacy Policy

Last updated:

Who we are

DMBud ("we", "us") provides a service that lets a business ("workspace owner") connect their own Instagram Business account and their own Shopify or WooCommerce store, so that when someone comments a trigger keyword on the workspace owner's post, we automatically send that commenter a private reply (DM) with product details and post a public reply to their comment. This policy explains what data we collect to provide that service and how it is handled.

Data we collect

  • Account data — name, email address, and a securely hashed password for the person who signs up for a DMBud workspace.
  • Instagram data — only after a workspace owner explicitly connects their own Instagram Business account through Meta's official login flow: the account's Instagram user ID, username, and a long-lived access token. We also receive, via Meta's webhook, the comment ID, comment text, media ID, and the commenting user's Instagram ID and username for comments on the workspace owner's own posts, and we read the caption of the workspace owner's own posts — all solely to determine whether a comment matches a trigger keyword and contains a product code.
  • Store data — the store domain and API credentials the workspace owner provides for their own Shopify or WooCommerce store, used only to look up product details in response to a matched comment.
  • Billing data — subscription and payment records via Razorpay (our payment processor). We do not collect or store full card numbers; card entry is handled directly by Razorpay's own secure checkout.

How we use this data

Data is used exclusively to operate the automation the workspace owner configured: matching a comment's keyword, extracting a product code from the post caption, looking up that product in the workspace's own connected store, and sending the reply/DM on the workspace owner's behalf. We do not use Instagram data for advertising, and we do not sell or rent personal data to third parties.

Who we share data with

We share data only with the service providers strictly necessary to run the product: Meta/Instagram (to send the reply/DM you configured), the workspace's own Shopify or WooCommerce store (to look up product details), Razorpay (to process payments), and an email delivery provider (to send account and billing notifications). None of these providers may use the data for their own purposes beyond delivering that service to us.

Data retention

Instagram access tokens are stored only while a workspace keeps the connection active, and are deleted immediately on disconnect. Comment-processing records (used for the workspace owner's activity log and troubleshooting) are retained for a limited period and can be deleted on request. Account data is retained for as long as the workspace is active, and deleted or anonymized after account closure except where we are required to retain billing records by law.

Security

All access tokens and store credentials are encrypted at rest (AES-256). Passwords are one-way hashed and never stored in plain text. All traffic to and from DMBud is encrypted in transit (HTTPS/TLS). Every Instagram webhook we receive is verified against Meta's signature before being processed.

Your choices

A workspace owner can disconnect their Instagram account or store at any time from the Connections page, which immediately deletes the stored credentials. Anyone whose data was processed by this service (including commenters) can request deletion of that data — see our Data Deletion page for instructions.

Children's privacy

DMBud is a business tool and is not directed at children. We do not knowingly collect data from children.

Changes to this policy

We may update this policy from time to time. Material changes will be reflected by updating the date at the top of this page.

Contact us

Questions about this policy or your data can be sent to privacy@dmbud.app.

← Back to sign in