Legal

Privacy Policy

This policy explains what personal data AutoEngage collects, why we collect it, and how we protect it. We are committed to transparency and to complying with Indian data protection law.

Last updated: June 24, 2025 · Effective: June 24, 2025

01. Overview

AutoEngage ("we", "us", "our") is an Instagram automation platform operated by Thanush Gowda P, an individual proprietor based in India. Our registered contact address for data-related matters is support.autoengage@gmail.com.

By creating an account or using any feature of AutoEngage, you agree to the collection and use of your information as described in this Privacy Policy. This policy is governed by the Information Technology Act, 2000 (IT Act) and the Digital Personal Data Protection Act, 2023 (DPDP Act).

02. Data We Collect

We collect only the data necessary to provide our automation services:

Data Categories
Account information: Your name, email address, and account password (hashed).
Instagram account data: Instagram username, page ID, and OAuth access tokens obtained through the official Meta Graph API when you connect your account.
Message & comment content: DMs and comments that pass through automations you create. This data is processed in transit to apply your configured rules; we do not store raw message bodies beyond what is needed to display logs in your dashboard.
Automation configuration: Keywords, triggers, response templates, and workflow rules that you define.
Payment information: Subscription plan and billing status. Card details and bank information are handled exclusively by Razorpay and are never transmitted to or stored on our servers.
Referral & Wallet data: Your unique referral code, records of referred users, ledger transactions (commissions earned, withdrawals, peer transfers, and subscription purchases), and wallet balance statements.
Anti-abuse payment hashes: Irreversible cryptographic hashes of your payment source fingerprint (provided by Razorpay) to identify and prevent self-referral and duplicate-referral abuse on shared payment instruments.
Usage data: Pages visited, feature interactions, timestamps, and browser/device type — used solely for improving the product.
Log data: IP address, request timestamps, and error logs retained for up to 90 days for security and debugging purposes.

Meta Platform Permission Scopes & Justification

To operate Instagram automations via official Meta Graph APIs, AutoEngage requests the following granular permissions during the Facebook OAuth connection flow. Here is why they are required and how they are used:

Permission Scope: instagram_basic
Data Accessed

Instagram username, profile info, media list, and permalinks.

Why We Need It

To identify connected professional profiles and let you select specific posts to attach keyword triggers.

Permission Scope: instagram_manage_messages
Data Accessed

Direct message text, postback payloads, and sender scoped IDs.

Why We Need It

To receive webhook events for new DMs, parse triggers/payloads (including Follow-Gate checks), and deliver automatic responses in the DM window.

Permission Scope: instagram_manage_comments
Data Accessed

Public comment content, commenter scoped IDs, and comment permalinks.

Why We Need It

To receive real-time webhook updates when a user comments on your media, detect matching keywords, and reply to comments.

Permission Scope: pages_show_list
Data Accessed

List of Facebook Pages managed by the logged-in user.

Why We Need It

To let you choose which Facebook Page is linked to your target Instagram Professional Account during the onboarding wizard.

Permission Scope: pages_read_engagement
Data Accessed

Page parameters, access tokens, and connection statuses.

Why We Need It

To verify the linked page configuration and metadata before establishing real-time data sync.

Permission Scope: pages_manage_metadata
Data Accessed

None (subscription action only).

Why We Need It

To register AutoEngage webhook listeners on your Facebook page so comments and DMs can be routed to your workspace instantly.

03. How We Use Your Data

  • Provide, operate, and maintain the AutoEngage platform and all automation features.
  • Authenticate your account and connect to your Instagram profile via the Meta Graph API.
  • Execute the DM reply, comment-reply, keyword-trigger, and broadcast automations you configure.
  • Process subscription payments and send billing receipts through Razorpay.
  • Send transactional emails — account activation, password reset, subscription confirmation, and service notices.
  • Detect abuse, investigate security incidents, and enforce our Terms of Service.
  • Improve our product through aggregated, anonymised usage analytics.
  • Comply with applicable Indian law and lawful government requests.

Follow-Gate Feature

When the Follow-Gate feature is enabled on an automation, our system makes a real-time API call to the Instagram Graph API to check whether a commenter is following the connected account. This relationship check is performed in real-time and the result (following / not following) is not stored in our databases. No follower relationship data is persisted.

Refer & Earn Wallet Feature

When you participate in our Refer & Earn program, we track ledger transactions (commissions, withdrawals, peer transfers, and purchases) linked to your profile ID to calculate and maintain your active wallet balance. To prevent system abuse (such as self-referrals or creating multiple accounts using the same credit card/UPI ID), we hash and securely check your payment metadata fingerprint.

We do not sell, rent, or trade your personal data to any third party for marketing purposes.

04. Data Storage & Security

Your data is stored in Supabase (PostgreSQL), with infrastructure hosted in the European Union (eu-west region) and, in some configurations, the United States. Supabase is SOC 2 Type II certified.

Instagram OAuth access tokens are stored encrypted at rest using AES-256 encryption. All data in transit between your browser, our servers, and third-party APIs is protected by TLS 1.2 or higher.

Our web application is hosted on Vercel, which employs industry-standard infrastructure security controls. Vercel does not process or store your personal data beyond request routing.

We retain your account data for as long as your account is active. If you delete your account, we purge your personal data within 30 days except where retention is required by law (e.g., payment records under the IT Act may be kept for up to 5 years).

05. Third-Party Services

We work with the following sub-processors and third-party services. Each is bound by its own data protection commitments:

Meta / Instagram

Instagram API access — DMs, comments, and account data. Governed by Meta's Data Policy.

Razorpay

Payment processing for Indian subscriptions. Razorpay is PCI DSS compliant and an RBI-authorised payment aggregator.

Supabase

Database and authentication infrastructure. SOC 2 Type II certified.

Vercel

Web application hosting and edge functions. GDPR compliant.

We do not share your data with any other third parties except when required by a court order or statutory authority under Indian law.

06. Your Rights

Under the DPDP Act 2023 and the IT Act 2000, you have the following rights as a data principal:

Right to access: Request a copy of all personal data we hold about you.
Right to correction: Request correction of inaccurate or incomplete data.
Right to erasure: Request deletion of your personal data, subject to legal retention obligations.
Right to withdraw consent: Withdraw your consent to data processing at any time; this will not affect processing done before withdrawal.
Right to grievance redressal: Lodge a grievance with us and receive a response within 30 days as required by the DPDP Act.

To exercise any of these rights, email us at support.autoengage@gmail.com with the subject line "Data Rights Request". We will verify your identity before processing the request.

07. Cookies

AutoEngage uses the following types of cookies and similar browser storage:

  • Session cookies: Required to keep you logged in during your session. These are deleted when you close your browser.
  • Persistent authentication cookies: Used to remember your login across sessions if you select "Stay signed in". They expire after 30 days.
  • Analytics cookies: Aggregated, anonymised usage data. No cross-site tracking. You may opt out via your browser settings.

We do not use third-party advertising cookies or sell cookie data.

08. Children's Privacy

AutoEngage is not directed at individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, please contact support.autoengage@gmail.com and we will delete that data promptly.

09. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our services, legal requirements, or business practices. When we make material changes, we will notify you by email (to the address on your account) at least 14 days before the change takes effect, and update the "Last updated" date at the top of this page.

Your continued use of AutoEngage after any change constitutes acceptance of the updated policy.

10. Contact Us

For privacy questions, data rights requests, or grievances, please reach out:

AutoEngage Data Controller

Name: Thanush Gowda P

Email: support.autoengage@gmail.com

Country: India

We aim to respond to all data-related enquiries within 7 business days.