CheckYourDM

Privacy Policy

Last updated: May 27, 2026

CheckYourDM (“we,” “our,” “us”) operates the website checkyourdm.com and the application at app.checkyourdm.com (together, the “Service”). This Privacy Policy explains what information we collect, how we use it, and your rights over it.

CheckYourDM is an Instagram automation tool for creators. The Service connects to your Instagram Business / Creator account via Meta’s official Instagram Graph API and sends automated direct messages, comment replies, and story-reply responses on your behalf — strictly within the rules Meta enforces.

1. Information we collect

1.1 Information you provide

  • Account info: name, email address, profile picture (via Google sign-in or one-time-password email login).
  • Instagram connection: the access token Meta issues when you authorize CheckYourDM, your Instagram username, follower count, and profile picture URL.
  • Automation content: the trigger keywords, DM templates, comment replies, button labels, image URLs, and flow logic you configure.
  • Saved replies, ice breakers, persistent menus, and lead-capture forms you create.
  • Payment metadata (when billing is enabled) — never raw card numbers; only provider transaction IDs and the plan you purchased.

1.2 Information we receive from Meta

  • Webhook events — when someone comments on your post, messages you, or replies to your story, Meta forwards that event to us so the matching automation can fire.
  • Recipient identifiers — the Instagram-scoped user ID and (when available) username of the person who interacted with your account.

We do not request, store, or scrape information that Meta does not explicitly send us through the Graph API. We never store recipients’ passwords, email addresses, or phone numbers obtained outside of our public lead-capture forms.

1.3 Information collected automatically

  • IP address (hashed for our anti-spam rate limiter on public forms).
  • Browser type, device type, and timestamps of your sessions.
  • Aggregate, non-identifying usage statistics (e.g. number of automations created).

2. How we use information

  • To operate the Service — match incoming Instagram events to your automations and send the configured replies.
  • To enforce safety rules — opt-out detection (STOP keywords), frequency caps, content moderation, and abuse prevention.
  • To compute analytics you see in your dashboard (DMs sent, top automations, engagement timing).
  • To send you account-related emails (login codes, weekly performance digests, security alerts).
  • To respond to support requests you send us.

We do not sell your data, share it with advertisers, or use it for any purpose beyond running CheckYourDM.

3. How we store and protect data

  • Instagram access tokens are encrypted at rest using AES-256-GCM. Plaintext tokens never appear in our database.
  • Data is stored on managed PostgreSQL infrastructure (Supabase) with daily encrypted backups.
  • Webhook events are verified using Meta’s HMAC-SHA256 signature before being processed — unsigned events are rejected.
  • All traffic between your browser, our servers, Meta, and our database is encrypted in transit (TLS).
  • Authentication uses NextAuth with cryptographic session signing.

4. Recipient opt-out (STOP)

Recipients of automated DMs can opt out at any time by sending one of the following words to your connected Instagram account: STOP, UNSUBSCRIBE, CANCEL, QUIT, END, or REMOVE. Once a recipient opts out:

  • They are immediately added to our opt-out list for that Instagram account.
  • No further automated DM from any of your automations will be sent to them.
  • A polite confirmation is sent inside the active 24-hour messaging window.
  • Their opt-out is logged for audit purposes.

Recipients can re-enable automated messages by sending START.

5. Data sharing

We share data only with the following service providers, strictly to operate the Service:

  • Meta / Instagram — to receive webhooks and send messages on your behalf.
  • Supabase — primary database hosting.
  • Vercel — application hosting.
  • Resend — transactional email (login codes, digests).
  • Cloudinary — image hosting for automation attachments.
  • Razorpay / Stripe — payment processing (once billing is enabled).
  • Sentry — error monitoring (optional; only if enabled in your environment).

We do not share, sell, rent, or trade your personal data with any other third party. We never share recipient identifiers across creator accounts.

6. Data retention

  • Automation activity logs are retained for up to 365 days for Business plan users, 30 days for Pro users, and 7 days for Free users (matching the analytics history shown in your dashboard).
  • Opt-out records are retained indefinitely so we can continue honoring opt-outs.
  • Account data is retained until you delete your account or disconnect your Instagram account.
  • Backups are retained for up to 30 days after the source data is deleted.

7. Your rights

You can, at any time:

  • Access all data we hold about you by visiting your dashboard.
  • Export your automations and activity log via the Business plan’s PDF report and API access features.
  • Delete individual automations, saved replies, lead-capture pages, or your entire account from Settings. Full step-by-step instructions live at checkyourdm.com/data-deletion.
  • Disconnect your Instagram account at any time. Disconnecting revokes our access token and stops all automation processing.
  • Request a manual data export or full data deletion by emailing [email protected]. We will respond within 30 days.

8. Children

CheckYourDM is not intended for users under 18. We do not knowingly collect data from children. If you believe a minor has created an account, please contact us and we will delete the account.

9. International users

CheckYourDM is operated from India and stores data on servers managed by our infrastructure providers. By using the Service, you consent to your data being processed in jurisdictions that may have different data-protection laws than your own. We comply with applicable GDPR principles for EEA users and CCPA principles for California residents.

10. Changes to this policy

We may update this Privacy Policy from time to time. The “Last updated” date at the top of this page reflects the most recent revision. For material changes, we will notify you by email or via a banner inside the Service at least 7 days before the change takes effect.

11. Contact us

Questions, requests, or complaints about this Privacy Policy or our data practices can be sent to [email protected].


Instagram™, Meta™, and Facebook™ are trademarks of Meta Platforms, Inc. CheckYourDM is an independent product built on Meta’s public Instagram Graph API and is not endorsed by, sponsored by, or affiliated with Meta.

© 2026 CheckYourDM. Not affiliated with Instagram or Meta Platforms, Inc.