Privacy Policy

Last updated: June 3, 2026

1. Who we are

DmSetter, operated by 9568-8099 Québec inc. (“DmSetter”, “we”, “our”, or “us”), provides a task-specific tool that helps a business operator respond to direct messages they receive on their own Instagram Business or Creator account. Users connect their Instagram account through Meta’s authorization flow, and the Service reads inbound messages and sends replies on the owner’s behalf, using a persona and reply rules the owner configured.

The Service only responds to people who message the business first — no outbound, bulk, or unsolicited messaging. The owner can pause the Service (per conversation or for the whole account) and take over manually at any time.

This Policy describes how we handle data when you connect your Instagram account.

We are a Tech Provider under Meta’s Platform Terms — we obtain data through Meta’s APIs only to operate the Service for the User who connected the account, never for our own purposes. The capitalized terms throughout this Policy match Meta’s contractual vocabulary:

  • Platform Data — data we obtain from Meta through the Instagram Graph API (tokens, user IDs, usernames, message content, conversation metadata).
  • Process / Processing — any operation on data: collection, storage, use, sharing, or transmission.
  • User — the business operator who connects their Instagram account to the Service.
  • Service Provider — a third party we use to Process data on our behalf (our hosting, database, and LLM vendors).

The Service is offered to business users only — sole proprietors, freelancers, or incorporated entities operating Instagram Business or Creator accounts in the course of their commercial activity. This Policy is written accordingly.

DmSetter is operated from the Province of Quebec, Canada. Our Processing is governed by the federal Personal Information Protection and Electronic Documents Act (PIPEDA) and by Quebec’s Act respecting the protection of personal information in the private sector (Law 25).

2. Information we Process

When a User connects their Instagram account through Meta’s authorization flow, we receive and Process the following categories of Platform Data:

  • Instagram user ID (page-scoped IGSID).
  • Instagram username (the public @handle).
  • Instagram Business Account ID.
  • Long-lived access tokens issued by Meta, used to authenticate requests to the Instagram Graph API on the User’s behalf.
  • Conversation metadata for each direct-message thread on the connected account — the lead’s Instagram ID (IGSID), their Instagram username, their display name (where Meta provides it), message identifiers, the total message count, a short category label (Lead, Support, Spam, etc.), a brief one-line summary of the conversation, and the conversation state (active, paused, etc.).
  • Direct message content (transcripts). Incoming messages received on the User’s connected account, and outgoing replies the Service sends on the User’s behalf, are accessed live from Meta’s Instagram Graph API at the time the Service generates a reply and processed in memory to produce the response. Message content is not stored or retained by DmSetter — only the metadata described above is persisted.

Separately, we collect the User’s email address to authenticate them into the Service (one-time passcode login). The email address is account information you provide directly to us, not Platform Data obtained from Meta.

3. How we use it

We Process Platform Data and account data solely to operate the Service for our Users. The specific purposes are:

  • Reading inbound direct messages received on the User’s connected Instagram account and generating replies on the owner’s behalf, using the persona and reply rules the owner configured, to respond promptly to incoming inquiries.
  • Filtering and qualifying genuine leads from inbound messages, and directing interested prospects toward booking a call with the business.
  • Classifying inbound messages so the Service can determine whether to reply, hold, or surface a conversation for the owner’s manual review.
  • Operating, maintaining, securing, and improving the Service’s reliability.
  • Detecting, investigating, and preventing fraud, abuse, or violations of our terms or Meta’s Platform Terms.
  • Complying with applicable legal and regulatory obligations.

What we do not do. In accordance with Section 3.a of Meta’s Platform Terms, DmSetter does not sell, license, or purchase Platform Data; does not use it to discriminate or make eligibility determinations about people; does not use it for surveillance; does not build or augment user profiles outside operating the Service; does not attempt to re-identify, decode, or reverse engineer Platform Data; and does not Process Platform Data for any purpose other than those expressly permitted by Meta’s Platform Terms.

AI-generated content. Replies generated by the Service are presented as the User’s own communications, in accordance with Meta’s Tech Provider model. The User retains full attribution and responsibility for all messages sent from their connected Instagram account, regardless of whether the reply was generated by the Service’s AI.

4. Instagram permissions we request

DmSetter requests only the Instagram permissions necessary to operate the Service. Each permission is used solely for the purpose described below.

| Permission | What it grants access to | Why we need it |
| --- | --- | --- |
| instagram_business_basic | The connected account’s basic profile information: Instagram account ID and username. | To identify which Instagram Business or Creator account is connected to the Service, route incoming messages to the correct account, and display the connected account to the owner inside the Service. |
| instagram_business_manage_messages | The ability to read direct messages received on the connected account and send replies on the account’s behalf. | To respond to inbound DMs the business receives — reading the incoming message, generating a reply using the persona and rules the owner configured, and sending it on the owner’s behalf. The owner can pause the Service for any conversation or for the whole account at any time. |

5. Legal basis

We Process your data on two grounds:

  1. Consent — you provide explicit consent when you connect your Instagram account through Meta’s authorization flow and grant the permissions DmSetter requests (instagram_business_basic and instagram_business_manage_messages).
  2. Contractual necessity — once you start using the Service, we Process data as necessary to perform the Service you requested: generating and sending replies on your behalf, classifying inbound messages, surfacing conversation history.

You may withdraw consent at any time by disconnecting your Instagram account or by emailing us (see Your rights). Where the GDPR applies, we rely on the same legal bases — consent (Article 6(1)(a)) and contractual necessity (Article 6(1)(b)).

6. How we share it

We rely on the following Service Providers to operate the Service. Each Service Provider Processes Platform Data only on our written instructions, for the purposes listed below, and under contractual obligations to protect the data consistent with this Policy. We do not sell Platform Data, and we do not authorize Service Providers to do so.

| Service Provider | Purpose | Jurisdiction | Privacy |
| --- | --- | --- | --- |
| Supabase | Postgres database and authentication | United States | Link |
| Vercel | Frontend hosting | United States | Link |
| Railway | Backend hosting | United States | Link |
| Anthropic (via OpenRouter) | AI language model used to generate replies to inbound DMs. Message content is sent at reply time only. Per Anthropic’s commercial API terms, content is not used to train Anthropic’s models; Anthropic retains API inputs and outputs for up to 7 days for abuse monitoring before automatic deletion. We do not opt into prompt logging or extended retention. | United States | Link |
| Hookdeck | Inbound webhook delivery from Meta to our servers | Canada / United States | Link |

Data source. Platform Data originates from Meta through the Instagram Graph API. DmSetter acts as a Tech Provider under Meta’s Platform Terms; Meta is not a Service Provider of DmSetter.

Per-Client isolation. Platform Data belonging to each User is segregated by a unique organization identifier so that one User’s Platform Data cannot be accessed from the context of another User. This mirrors our Tech Provider obligation under Section 5.b of Meta’s Platform Terms to manage Platform Data for each Client separately.

Notification of Meta communications. We will promptly notify the relevant User of any communication we receive from Meta regarding the Processing of that User’s Platform Data, including requests to exercise data subject rights.

7. Data retention

We retain Platform Data only for as long as necessary to operate the Service for the relevant User:

  • Direct message content (transcripts) — not stored. Direct message content is fetched live from Meta’s Instagram Graph API when generating a reply, processed in memory to produce the response, and never persisted. DmSetter does not maintain a copy of your DM transcripts.
  • Conversation metadata (the lead’s Instagram ID, username, and display name; message identifiers; message count; category; one-line summary; conversation state) — retained while the connected Instagram account remains linked to the Service. Deleted on User request, on disconnection of the account, or when no longer necessary for the operation of the Service.
  • Access tokens — retained for the lifetime of the long-lived token issued by Meta (approximately 60 days), refreshed automatically while the User’s Instagram account remains connected. Deleted within 30 days after the User disconnects the account, or earlier on deletion request.
  • Account and configuration data — retained for as long as the User maintains an account with DmSetter, and for a limited period afterward to comply with legal obligations or resolve disputes.
  • Organization-level deletion (cascade) — when a User’s organization is deleted (on request or on account closure), all of that organization’s operational data is removed from our systems in one cascading delete: Instagram account bindings and tokens, conversation metadata, persona configuration, team memberships, and Telegram bindings. This is the mechanism behind “deletion on request”.

Disconnection and Meta deauthorization. When a User disconnects their Instagram account — either through the Service or directly via Instagram — we receive a deauthorization callback from Meta. On receipt we immediately stop all Processing of new Platform Data for that account, revoke our stored access tokens, and delete the User’s tokens and conversation metadata within 30 days, consistent with the schedule above.

Message deletion (unsend). Because DmSetter does not store DM message content (only metadata), there is no stored message content to remove when an Instagram user unsends a message. Conversation metadata is retained per the schedule above and deleted on User request, disconnection, or organization deletion. We subscribe to Meta’s messaging webhook events to receive notifications about the connected account.

We delete Platform Data as soon as practicable when (a) the data is no longer required for legitimate business purposes; (b) the User requests deletion or closes their account; (c) Meta requests deletion for User protection; or (d) deletion is otherwise required by applicable law or our obligations to Meta. If we are legally required to retain Platform Data beyond these periods, we will maintain evidence of the legal requirement and provide it to Meta if requested.

8. Your rights

Under PIPEDA and Quebec’s Law 25, you have the following rights regarding the personal information and Platform Data we hold about you:

  • Right of access — request a copy of the personal information we hold about you.
  • Right of rectification — request correction of inaccurate or incomplete information.
  • Right of erasure — request deletion of your information (the “right to be forgotten”), subject to legal retention exceptions. See also our Data Deletion Instructions page.
  • Right to portability (Law 25) — request a copy of your information in a structured, commonly used technological format.
  • Right to object or restrict — request that we restrict or stop Processing your information for particular purposes.
  • Right to withdraw consent — withdraw any consent you previously gave for Processing, subject to legal or contractual restrictions.

Requesting deletion of your data. You can request deletion of your data at any time through any of the following:

  • Through Instagram: Settings → Apps and websites → DM Setter Agent-IG → Remove.
  • Through the app: Settings → Disconnect & Delete → Disconnect Instagram.
  • By email: legal@dmsetter.app.

We delete data within 30 days of any request.

Rights for leads and contacts. If you are an Instagram user who has messaged a User of DmSetter, the User (account holder) is the data controller for your conversation data. To exercise data subject rights (access, deletion, correction), please contact the User directly. DmSetter acts as a data processor at the User’s direction and will assist Users in responding to valid requests as required by law.

To exercise any of these rights, email legal@dmsetter.app with the appropriate subject line: Data Access Request, Data Deletion Request, or Privacy Officer for any concern you want routed directly to our designated officer.

We respond to verified requests within 30 days of receipt, consistent with the timeline set out in PIPEDA. We may take reasonable steps to verify your identity before fulfilling a request, to protect against unauthorized disclosure.

9. Security

DmSetter maintains administrative, physical, and technical safeguards designed to prevent unauthorized Processing of Platform Data, meeting or exceeding industry standards given the sensitivity of the Platform Data. These measures include, at a minimum:

  • Encryption in transit (TLS 1.2 or higher).
  • Encryption at rest in our databases.
  • Access controls limiting Platform Data to authorized personnel on a need-to-know basis.
  • Storage of access tokens and application secrets in secured infrastructure, never exposed to client-side code, never shared except with Service Providers under contract.

Reporting a security vulnerability. Email legal@dmsetter.app with the subject line Security Report. We acknowledge reports promptly and remediate identified deficiencies.

Incident reporting to Meta. In the event of any unauthorized Processing of Platform Data, we will notify Meta immediately using the incident reporting channels provided by Meta and cooperate with Meta in the investigation and remediation of the incident.

10. International transfers

Most of our Service Providers are located outside Canada, primarily in the United States. Platform Data may therefore be Processed in jurisdictions whose data-protection laws differ from those of Quebec or Canada. In accordance with Law 25, we disclose that personal information may be Processed outside Quebec, including in the United States. Service Providers in the United States are bound by written agreements with data-protection obligations consistent with this Policy. Service Provider locations are listed in Section 6.

11. Cookies

We use a single strictly-functional cookie: the Supabase authentication session cookie, used to keep you signed in. We do not use analytics, marketing, or third-party tracking cookies.

12. Children

The Service is not intended for individuals under 18. Instagram Business and Creator accounts require an account holder who meets Meta’s eligibility requirements. We do not knowingly Process Platform Data belonging to individuals under 18. If you believe a minor has provided us with personal information, contact our Privacy Officer so we can take appropriate action.

13. Privacy Officer

In accordance with Quebec’s Law 25, we have designated a Privacy Officer responsible for the protection of personal information at DmSetter:

Privacy Officer: contact via legal@dmsetter.app with subject line Privacy Officer.

You may contact the Privacy Officer with any question, request, or complaint regarding our Processing of your personal information. You also have the right to file a complaint with the Commission d’accès à l’information du Québec (CAI) or the Office of the Privacy Commissioner of Canada (OPC).

14. Contact and changes

All privacy-related correspondence: legal@dmsetter.app.

Changes. We may update this Policy. Material changes are reflected in the “Last updated” date and, where appropriate, notified to Users through the Service. Continued use after an update constitutes acceptance.

© 2026 DmSetter | 9568-8099 Québec inc.