Privacy Policy

1. Who We Are

Inboxcore ("we", "us", "our") is a shared inbox and CRM tool operated by Inboxcore. Our platform enables businesses to view and respond to customer inquiries received via Instagram Direct Messages.

Data Controller contact: contact@killianmrc.com

2. Data We Collect

When you connect your Instagram Business or Creator account, we access and store the following data through the Meta (Facebook / Instagram) APIs:

• Instagram account information (username, name, profile picture URL)
• Facebook Page information (Page ID, Page name)
• Instagram Direct Message content (text messages, timestamps, message IDs)
• Participant information (Instagram-scoped user IDs, usernames, and names of people who message your business)
• Page access tokens (stored securely server-side, used solely for API communication)

We do NOT collect or store:

• Media files (images, videos, audio) — we display them directly from Instagram's CDN URLs and never download or cache them
• Passwords or login credentials for Instagram or Facebook
• Private personal data unrelated to business conversations

3. Purpose of Data Collection

We collect and process this data solely to enable businesses to respond to customer inquiries received via Instagram Direct Messages. Specifically:

• Display incoming Instagram DMs in a shared inbox for human support agents
• Allow human agents to manually compose and send replies to customers
• Enable team collaboration on customer conversations (assignment, internal notes)
• Match conversations with CRM contacts for better customer service

All replies are manually composed and sent by human agents. No automated messages are sent without human oversight.

4. How We Use Your Data

Your data is used exclusively for the purposes described above:

• Displaying and organizing Instagram conversations
• Sending replies on behalf of your business account
• Providing real-time notifications for incoming messages via webhooks
• Maintaining conversation history for customer support

We do not use your data for advertising, profiling, targeting, behavioral tracking, or any purpose other than the messaging functionality described in this policy.

5. Third-Party Sharing

We do not sell, rent, trade, or share your data with third parties for their own purposes. Your data is shared only with the following service providers, strictly to operate our platform:

• Meta / Instagram — to send and receive messages via their APIs
• Supabase — database hosting and authentication (PostgreSQL, hosted in the EU/US)
• Vercel — application hosting and deployment

Each provider processes data in accordance with their own privacy policies and data processing agreements.

6. Data Storage & Security

All data is stored in a Supabase-managed PostgreSQL database with the following security measures:

• Row-Level Security (RLS) policies ensuring users only access their own data
• Access tokens are stored server-side and never exposed to the client browser
• All communications use HTTPS / TLS encryption in transit
• Database encryption at rest
• Webhook payloads verified via HMAC SHA-256 signature validation

Data retention: Conversation and message data is retained for as long as your account is active. Upon account deletion or disconnection, data is removed within 30 days.

Instagram media: We do not store or cache Instagram media files. Images, videos, and audio are displayed directly from Instagram's Content Delivery Network (CDN) URLs and are subject to Instagram's own expiration policies.

7. Message Deletion

When a user deletes a message on Instagram, we receive a webhook notification from Meta and immediately remove the corresponding message from our database. Deleted messages are no longer visible in the dashboard.

8. Your Rights

You have the following rights regarding your personal data, in accordance with applicable data protection laws (including GDPR where applicable):

• Access — request a copy of your data
• Rectification — request correction of inaccurate data
• Deletion — request deletion of your data
• Portability — request your data in a machine-readable format
• Restriction — request limitation of processing
• Objection — object to processing of your data

To exercise any of these rights, contact us at contact@killianmrc.com. We will respond within 30 days.

You can also disconnect your Instagram account at any time from the dashboard settings, which will revoke API access and deactivate stored tokens.

9. Children's Privacy

Our service is designed for business use and is not directed at individuals under the age of 18. We do not knowingly collect personal information from minors. If we become aware that we have inadvertently collected data from a minor, we will promptly delete it.

10. International Data Transfers

Your data may be processed and stored in servers located in the United States and the European Union (via Supabase and Vercel). When data is transferred outside the European Economic Area, we rely on Standard Contractual Clauses (SCCs) and other appropriate safeguards as required by GDPR.

11. Cookies & Tracking Technologies

We use essential cookies solely for authentication and session management. We do not use advertising cookies, tracking pixels, or third-party analytics tools that track individual user behavior.

12. Prohibited Uses

In compliance with Meta Platform Terms and Instagram API policies, we commit to the following:

• We do not sell Instagram user data to any third party
• We do not use data for surveillance, discrimination, or profiling
• We do not circumvent Instagram's privacy protections or messaging restrictions
• We do not store or cache Instagram media files (images, videos, audio)
• We do not send automated messages without human oversight

13. Changes to This Policy

We may update this privacy policy from time to time. When we make significant changes, we will update the "Last updated" date at the top of this page. We encourage you to review this policy periodically.

14. Contact Us

For any privacy-related questions, data requests, or concerns, contact us at:

Email: contact@killianmrc.com

Company: Inboxcore