Privacy Policy

Effective date: 2026-05-28

meta-auto-live ("the Service") is operated as a single-tenant tool that connects to Meta Platforms (Instagram and Facebook) on behalf of the operator. This policy describes the limited categories of data we process, why, and how to request deletion.

1. Information we collect

• Meta authorization tokens. When the operator authorizes the Service via Facebook Login for Business, we receive a long-lived User Access Token and one Page Access Token per linked Page. Tokens are encrypted at rest with AES-128 in CBC mode (Fernet) using a key separate from the database.
• Instagram and Facebook profile metadata. Page id, Page name, linked Instagram Business account id and username. Required to address the correct account when publishing or replying.
• Message and comment content received via Meta webhooks. The text of DMs, the text of post comments, sender ids, sender usernames, message ids and post ids. Used to generate context-aware replies and to deduplicate against webhook retries.
• Reply content we generate and send. Stored to enable rate limiting, idempotency, and audit.
• Post and media metadata. Caption, scheduled time, post type, and a private URL to the media stored in Cloudflare R2.
• Insights metrics for posts the Service has published (likes, comments, shares, saves, reach, impressions, views, average watch time), sampled at +1h, +24h, +7d, and +30d after publishing.

2. How we use it

• Publish scheduled posts to the operator’s linked Instagram and Facebook accounts.
• Generate auto-replies to inbound DMs and comments, grounded in operator-provided brand documents.
• Show the operator a dashboard of post performance.
• Refresh expiring access tokens before they expire.

3. How we store it

• Encrypted Postgres database hosted on Railway (USA region).
• Media files in a private Cloudflare R2 bucket. URLs are pre-signed with a 7-day expiry.
• Page Access Tokens are encrypted with a key separate from the database.

4. Third parties we share data with

• Meta Platforms. All publishing and replying happens via the Meta Graph API. We send Meta the content the operator authored or the LLM generated, and the recipient/post id required to route it.
• OpenAI. When generating an auto-reply we send the inbound message text, optional post caption, and brand-voice excerpts to the OpenAI API. We do not send any identifier that uniquely re-identifies a sender. OpenAI’s API processes the request and returns the generated reply.
• Cloudflare hosts the R2 bucket and the marketing site CDN.
• Railway hosts the API backend and Postgres database.
• Vercel hosts this marketing site and the operator dashboard.

We do not sell any data. We do not use any data for advertising.

5. Retention

• Webhook events and inbound messages: 365 days.
• Outbound replies: 365 days.
• Published posts and Insights snapshots: indefinite (the operator’s own content).
• Access tokens: until revoked or replaced.

6. Your rights

Senders whose DMs or comments were processed by the Service may request deletion of the stored content by emailing architectpujari@gmail.com with the Instagram/Facebook username and approximate dates. We will delete within 30 days and confirm by reply.

See also our Data Deletion Instructions for an alternate deletion request mechanism.

7. Contact

Email: architectpujari@gmail.com
Domain: ig.learn3dfashion.com