Legal

Privacy Policy

Last updated: June 30, 2026

PingLynk (“we”, “our”, or “us”) operates as an Instagram DM automation service. This Privacy Policy explains how we collect, use, disclose, and protect information when you use our application, and how we process data obtained through Meta’s Instagram Platform in accordance with Meta’s Platform Terms and Developer Policies.

By using PingLynk, you agree to the collection and use of information described in this policy. If you do not agree, please discontinue use of the service.


1. Information We Collect

1.1 Instagram Platform Data

When you connect your Instagram Business or Creator account through Meta’s OAuth flow, we receive and process the following data solely to provide the automation service:

  • Instagram User ID of commenters (not their username or profile details)
  • Comment text content, to match against your configured trigger keyword
  • Media (post/reel) IDs on which comments appear
  • Your Instagram Business account access token (stored encrypted, used only to send DMs)

We do not collect, store, or process follower profile data, follower email addresses, phone numbers, or any other personal data beyond what is strictly necessary to match a keyword comment and send the configured DM reply.

1.2 Configuration Data You Provide

  • Trigger keyword(s) you set for your campaign
  • Your DM message template
  • Fulfilment link(s) embedded in DMs
  • Target media IDs (optional)

1.3 Technical / Operational Data

  • Webhook request logs (timestamp, action taken, result) — retained for operational debugging
  • Deduplication records: a hashed identifier per commenter, to prevent duplicate DMs
  • Server-side error logs (no personal data beyond Instagram User IDs)

2. How We Use Your Information

We use the data collected exclusively for the following purposes:

  • Keyword matching: To detect when a comment on your post contains your configured trigger keyword.
  • DM delivery: To send the configured message to the commenter via the Instagram Messaging API on your behalf.
  • Deduplication: To ensure each commenter receives the automated reply only once per campaign.
  • Activity logging: To provide you with a visible audit trail of webhook events and DM outcomes.
  • Security: To verify webhook authenticity via Meta’s HMAC-SHA256 signature mechanism.

We do not use any Instagram data for advertising, profiling, training machine learning models, or any purpose other than delivering the automation service described above.


3. Data Sharing and Disclosure

We do not sell, rent, or trade any personal data. We may share data only in these limited circumstances:

  • Meta (Instagram): Data is transmitted to and from Meta’s Graph API as part of the core service function. Meta’s own Privacy Policy governs data held on their platform.
  • Infrastructure providers: We use Railway (hosting) and optionally Redis (deduplication cache). These providers process data only as directed by us and under appropriate data processing agreements.
  • Legal requirements: We may disclose data if required to do so by law or in response to valid requests by public authorities.

4. Meta Platform Data Policy Compliance

PingLynk is built on Meta’s Instagram Platform and is subject to Meta’s Platform Terms and Developer Policies. In compliance with these policies:

  • We only request the minimum Instagram permissions required: instagram_business_basic, instagram_business_manage_messages, instagram_business_manage_comments.
  • We do not use Instagram data to build user profiles or cross-reference with other data sources.
  • We do not transfer Instagram user data to any third-party data broker or analytics platform.
  • Instagram user data (commenter IDs) is used solely for the in-session purpose of sending a single DM and recording the deduplication hash.
  • We retain Instagram-derived data only for as long as necessary to operate the service (see Section 5 below).

5. Data Retention

  • Webhook event logs: Retained for up to 30 days for operational debugging, then automatically purged.
  • Deduplication records: Retained for up to 30 days (configurable via DEDUPE_TTL_SECONDS), then automatically expired by the Redis TTL mechanism.
  • Access tokens: Stored in the environment configuration of your self-hosted deployment and deleted when you revoke the token or disconnect your account.
  • Campaign configuration: Stored only on the server you control. Deleted when you remove it via the dashboard or redeploy without the configuration.

6. Data Security

We implement appropriate technical measures to protect data in transit and at rest:

  • All webhook payloads are validated via HMAC-SHA256 signature verification before processing.
  • HTTPS/TLS is enforced for all API communications with Meta’s Graph API and your deployment.
  • Access tokens are stored as environment variables (not in databases or source code).
  • Admin endpoints are protected by an optional API key (ADMIN_API_KEY).

No method of transmission over the Internet or electronic storage is 100% secure. We recommend you restrict access to your deployment and rotate access tokens periodically.


7. Your Rights

As an operator using PingLynk, or as a third party whose data is processed (i.e., a commenter on an Instagram post), you may have the following rights depending on your jurisdiction:

  • Access & portability: Request a copy of data we hold about you.
  • Erasure: Request deletion of your data. For commenters, the only data held is a hashed user ID for deduplication, which expires automatically after the TTL period.
  • Correction: Request correction of inaccurate data.
  • Objection: Object to processing of your data.

To exercise any of these rights, contact us at privacy@pinglynk.app. We will respond within 30 days.

Note: Because PingLynk is a self-hosted, operator-controlled tool, the operator (the Instagram Business account owner who deployed the app) is the primary data controller for their followers’ comment data. Commenters may also contact Instagram directly to manage their data via Instagram’s built-in privacy controls.


8. Children's Privacy

PingLynk is not directed at individuals under the age of 13 (or 16 in certain jurisdictions). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us immediately and we will delete it.


9. Third-Party Links

The fulfilment links sent in automated DMs are configured by the operator. We are not responsible for the privacy practices of third-party sites or services linked in those DMs. We encourage users to review the privacy policies of any third-party sites they visit.


10. International Data Transfers

PingLynk is hosted on infrastructure that may be located outside your country of residence. By using the service, you consent to the transfer of data to servers in the country where the operator has deployed the application. We ensure that any such transfers are subject to appropriate safeguards.


11. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will revise the “Last updated” date at the top of this page. If changes are material, we will provide additional notice. Your continued use of PingLynk after any changes constitutes your acceptance of the revised policy.


12. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or how we handle your data, please contact us:
