GrowSpace ("we," "our," or "us") operates the GrowSpace platform (the "Service"), an Instagram marketing automation tool. This Privacy Policy describes how we collect, use, store, and protect your information when you use our Service.
Summary: We only collect data necessary to provide our automation services. We encrypt sensitive data, never sell your information, and you can delete your data at any time.
1. Information We Collect
1.1 Account Information
- Email address and password (for login)
- Instagram Business/Creator account username and profile picture (via Instagram OAuth)
- Instagram account ID
1.2 Instagram API Data
When you connect your Instagram account via Meta's OAuth, we receive access to:
- instagram_business_basic — Profile info (username, profile picture, account ID)
- instagram_business_manage_messages — Ability to send and receive Direct Messages on your behalf
- instagram_business_content_publish — Ability to publish scheduled posts/reels
- instagram_business_manage_insights — Account analytics and insights data
- instagram_business_manage_comments — Comment monitoring for keyword-based automation triggers
1.3 Automation Data
- Automation configurations (keywords, DM templates, target posts)
- Contact records (commenter usernames, comment text, interaction timestamps)
- DM delivery status (sent, pending, failed)
- Follower gain metrics per automation
1.4 Scheduled Content
- Videos and images uploaded for scheduling
- Captions, hashtags, and cover images
- Scheduled publish dates and times
2. How We Use Your Information
We use the collected information to:
- Authenticate your identity and manage your account
- Execute automated DM responses based on your configured triggers
- Publish scheduled content at your specified times
- Display analytics and performance metrics
- Track follower growth attributed to your automations
- Send service-related notifications and alerts (e.g., token expiry warnings)
We do NOT sell, rent, or share your personal data or Instagram data with third parties for marketing purposes.
3. Data Storage & Security
3.1 Token Encryption
Instagram access tokens are encrypted using Fernet symmetric encryption (AES-128-CBC) before storage. Tokens are never stored in plaintext.
3.2 Token Management
- Tokens are automatically refreshed before expiry
- If a token expires, all automations are paused until re-authentication
- Tokens are immediately revoked upon account disconnection
3.3 Data Storage
- Application data is stored in a secure database
- Media files (uploaded videos/images) are stored securely and deleted after publishing
- All data transmission uses HTTPS/TLS encryption
4. Data Retention
- Account data: Retained until you delete your account
- Contact records: Retained for the lifetime of the automation
- Scheduled media: Deleted within 7 days after publishing
- Logs: Retained for 30 days, then automatically purged
5. API Rate Limits & Compliance
We comply with Meta's API rate limits and policies:
- Maximum 200 automated messages per Instagram account per hour
- Excess messages are queued and sent in subsequent hours
- We do not send unsolicited messages; all DMs are triggered by user actions (comments, story replies)
6. Your Rights
You have the right to:
- Access: View all data we have about your account via the dashboard
- Delete: Delete your account and all associated data from Settings
- Disconnect: Revoke Instagram access at any time from Settings or Instagram's authorized apps page
- Export: Request a copy of your data by contacting us
7. Data Deletion
To delete your data:
- Go to Settings → Delete Account on the GrowSpace dashboard
- This will permanently delete all your automations, contacts, scheduled content, and account data
- You can also email us at support@growspace.com to request deletion
We also support Meta's Data Deletion Callback — when you remove our app from your Instagram settings, we receive a callback and automatically delete your data.
8. Third-Party Services
We integrate with the following third-party services:
- Meta/Instagram Graph API: For Instagram authentication, messaging, publishing, and insights
- Google Fonts: For web typography (no personal data shared)
9. Children's Privacy
Our Service is not intended for use by anyone under the age of 13. We do not knowingly collect personal information from children.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes via email or dashboard notification. Continued use of the Service after changes constitutes acceptance.
11. Contact Us
If you have questions about this Privacy Policy or our data practices: