Legal

Privacy Policy

Last updated July 14, 2026

the Instaflow service operator operates Instaflow and is responsible for the personal data described here. This policy covers the website, workspace application, and connected services.

1. Information we collect

Account and workspace data includes names, email addresses, authentication records, roles, invitations, billing-customer references, and support communications.

Customer content includes brand information, prompts, drafts, documents, uploaded assets, task configuration, approval history, and content you choose to publish. Connected-provider data may include account identifiers, OAuth tokens, email metadata and content, social posts, comments, and delivery metrics, according to the permissions you grant.

Operational data includes IP-derived security signals, device and browser metadata, request logs, audit events, usage and credit-ledger records, provider delivery receipts, and diagnostic errors. The service does not intentionally collect sensitive personal data unless you place it in customer content.

2. How we use information

We use data to authenticate users; isolate and administer workspaces; generate, store, review, schedule, and deliver requested work; operate billing and credits; provide support; prevent abuse; maintain auditability; and comply with law.

When you request AI processing, relevant prompts, brand context, and selected source content are sent to the configured AI or media provider. Provider processing is limited to the feature you invoke and is subject to that provider's data terms configured by the operator.

3. Legal bases and your instructions

Where applicable law requires a legal basis, processing is performed to provide the contracted service, pursue legitimate security and product-operation interests, comply with legal obligations, or with consent where requested. Workspace administrators determine which content and connected accounts users may process.

4. Sharing and subprocessors

We do not sell personal information. Data is shared only with personnel who need it, service providers used for hosting, storage, email, payments, observability, AI generation, and connected-provider delivery, or authorities and transaction counterparties where legally required.

Stripe processes checkout and payment details on its hosted pages; Instaflow stores customer, subscription, event, and reconciliation references rather than full card numbers. Connected services receive only actions that an authorized user or approved automation requests.

5. Retention and deletion

Workspace content is retained while the account is active unless a user deletes it or an operator-configured retention rule applies. Security, webhook, idempotency, and audit records use documented retention windows and may be retained longer when required for fraud prevention, disputes, or law.

Account export and deletion controls are available in account settings. Deletion is processed across the database, object storage, connected-provider tokens, and queued cleanup records; backups expire according to the operator's backup lifecycle.

6. Security and international processing

The service uses access controls, workspace isolation, encryption for stored provider credentials, signed webhook verification, upload inspection, audit records, and transport security in production. No security program eliminates all risk.

Providers may process data in other countries. The operator uses the contractual and transfer mechanisms required for its deployment and provider accounts.

7. Your rights and choices

Depending on your location, you may request access, correction, deletion, restriction, portability, or objection, and may withdraw consent without affecting earlier lawful processing. You may disconnect integrations, revoke provider access, export workspace data, or start account deletion from the product.

Workspace members should first contact their workspace owner because the owner controls workspace content. You may also complain to the data-protection authority available in your location.

8. Children and policy changes

Instaflow is a business service and is not directed to children under 16. Do not provide a child's personal data without the authority and safeguards required by law.

Material policy changes will be posted with a new effective date and, when appropriate, communicated through the account or email.

9. Contact

Privacy requests: the privacy address supplied by your Instaflow service operator. Operator: the Instaflow service operator, the registered address supplied by your Instaflow service operator.