Privacy Policy

Last updated: April 25, 2026

1. About SocialFlow

SocialFlow ("we", "us", "the Service") is a self-hosted Instagram content operations platform that helps Instagram Business account owners schedule and publish Reels, Posts and Stories, view comments and direct messages, and analyse their account activity from a single dashboard.

The Service is operated by an individual entrepreneur and is currently available at socialflow.nurgaliyev.com. This Privacy Policy explains what data we collect from users of SocialFlow and from their connected Instagram Business accounts, and how we handle that data.

2. Data we collect

2.1. Account information

• SocialFlow login (username) and a hashed password (bcrypt)
• Preferred interface language (Russian or Kazakh)
• Session cookies for authentication

2.2. Instagram Business account data

When a user connects an Instagram Business account through the official Instagram OAuth flow, we receive and store:

• Instagram user ID, username, profile picture URL, biography, follower/following counts, media count
• Long-lived access token (encrypted at rest)
• Recent media (last ~50 posts): media ID, caption, media URLs, thumbnails, timestamp, like and comment counts
• Comments on the connected account's media: comment ID, text, author username, parent comment ID, timestamp
• Direct message conversations and individual messages of the connected account
• Daily follower count snapshots (used to draw growth charts)
• Audience insights (reach, impressions, demographics) where available through the Instagram Graph API

2.3. Content uploaded by users

• Image and video files uploaded for publication (Reels, Posts, Stories)
• Captions, scheduled publishing time, hashtags
• Publication status logs

2.4. Server logs

• HTTP request logs (IP address, user agent, timestamp, requested URL)
• Application logs related to publishing actions and API calls

3. How we use the data

We use the data described above strictly for the following purposes:

• Display dashboard analytics — show profile information, follower growth, post performance, and engagement
• Comment management — allow account owners to read, reply to, hide and delete comments on their own media
• Direct message management — allow account owners to read and reply to direct messages on their own account
• Content scheduling and publishing — upload media to Instagram via the Graph API at the scheduled time
• Authentication and security — verify user identity, prevent unauthorised access, log audit events

4. How we store the data

• Data is stored on a private dedicated server located in Kazakhstan
• Database: MariaDB, accessed only over the internal Docker network
• Passwords are hashed with bcrypt; passwords are never stored in plain text
• Long-lived Instagram access tokens are stored in an encrypted column
• HTTPS is enforced for all external traffic via Traefik with TLS certificates from Let's Encrypt
• Backups, if produced, are encrypted at rest and not shared with third parties

5. Data sharing

We do not sell, rent or share your data with third parties, with the following narrow exceptions:

• Meta Platforms — we send authenticated requests to the Instagram Graph API on behalf of the connected account; the Instagram access token is required for these requests
• Hosting infrastructure — server, network and DNS providers process the data only for the purpose of delivering the Service
• Legal compliance — when required by Kazakhstan law or a valid court order

6. Data retention

• Cached comments and DMs: up to 24 hours, after which the cache is refreshed from Instagram
• Profile snapshots: up to 30 days for follower growth charts
• Daily follower stats: up to 729 days (Instagram Graph API limit)
• Uploaded media files: kept until the user deletes the related queue entry; deleting a Reel / Post / Story from the Content Manager also deletes the underlying file from disk
• Access tokens: kept until the user disconnects the account or the token expires (Instagram long-lived tokens last 60 days)
• Server logs: rotated and removed within 30 days

7. Your rights and choices

As a user of SocialFlow you have the right to:

• Access a copy of your data (contact us)
• Correct inaccurate data via the application interface
• Disconnect your Instagram account at any time from the Settings page
• Delete your SocialFlow account, which removes all associated data
• Withdraw consent at any time by ceasing to use the Service and requesting deletion

8. Data deletion

You can request deletion of your data at any time. The full procedure, including the Meta-initiated data deletion callback, is documented at /data-deletion.

9. Meta Platform data

SocialFlow uses the Instagram Graph API and is bound by the Meta Platform Terms and the Meta Developer Policies. The following Instagram API permissions are used:

• instagram_business_basic — to read profile and media data
• instagram_business_manage_comments — to read, reply to, hide and delete comments
• instagram_business_manage_messages — to read and reply to direct messages
• instagram_business_content_publish — to publish Reels, Posts and Stories
• instagram_business_manage_insights — to read audience analytics

All data obtained through these permissions is treated according to Meta's Platform Terms. We do not transfer Platform Data to any party other than what is strictly required to provide the Service to the account owner.

10. Changes to this policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page reflects the most recent change. Material changes will be communicated to authenticated users via an in-app notice.

11. Contact

For privacy-related requests please contact:
Email: almas@nurgaliyev.com

This Privacy Policy is provided in English to comply with Meta App Review requirements. A Russian version is available on request.