Privacy Policy
1. Introduction
Welcome to our Instagram business account management application ("the App"). We are committed to protecting your privacy and safeguarding your personal data in accordance with the highest standards of security and legal compliance. This policy explains how we collect, use, store, share, and protect your data.
The App integrates with the Meta platform to access Instagram account data, and uses Google's Gemini AI service to automatically reply to customer direct messages. By using the App, you expressly agree to the terms of this policy.
⚡ This policy is fully compliant with: Meta Platform Terms of Service | Meta Data Policy | GDPR | CCPA | Google AI Terms of Service
2. Definitions
"User" or "you": The individual or business entity that uses the App to manage its Instagram accounts.
"Personal Data": Any information that identifies you directly or indirectly.
"Meta Platform Data": Data provided by the Meta Graph API or Instagram Graph API under explicit permission.
"AI": Google's Gemini model used to generate automated replies to customer direct messages.
"Processing": Any operation performed on data, including collection, storage, use, transfer, and deletion.
3. Data We Collect
3.1 Data You Provide Directly
Account name, email address, and password (fully encrypted) when creating your account.
Business information such as business name, industry type, and country.
App settings and preferences that you define yourself.
3.2 Meta / Instagram Platform Data (via Meta Graph API)
We access the following data only after obtaining your explicit permission through Meta's official OAuth 2.0 protocol:
Account information: Instagram account name, account ID, and profile picture.
Incoming and outgoing Instagram direct messages — for the automated reply service only.
Access Token and its expiry — encrypted and never shared with any third party.
3.3 Data Generated by AI (Gemini)
Automated replies generated for customer direct messages.
Conversations and messages are stored to operate the service, display them to you in the dashboard, and enable the bot to understand conversation context.
3.4 Technical Data Collected Automatically
IP address, browser/device type, and operating system.
Error and crash logs for technical maintenance purposes.
Cookies necessary for session operation — see the separate Cookie Policy.
Aggregated, anonymized usage data for App improvement.
4. Purposes of Data Use
We use your data exclusively for the following purposes and nothing beyond them:
Operating the App and providing account management and dashboard services.
Enabling AI-powered automated replies to customer direct messages with your explicit permission.
Displaying performance statistics and analytical reports within the App.
Sending essential technical notifications related to your service (outages, token expiry, etc.).
Complying with applicable legal and regulatory obligations.
Improving service quality based solely on aggregated and anonymized data.
🚫 We expressly prohibit: selling your data | using it for targeted advertising | sharing it with third parties for commercial purposes | using Meta data outside the scope of the Meta Platform Terms
5. Meta Platform Policy
We fully and unconditionally comply with the Meta Platform Terms of Service, the Meta Platform Policy, and the Instagram Platform Policy. Below are our key commitments:
5.1 Permitted Use Limits
We use Meta data only within the scope of the permissions you have expressly granted.
We collect Meta data only when actually needed to provide the stated service.
We do not use Meta data to build independent databases outside the scope of the stated service.
We do not use Meta data for ad targeting or behavioral tracking outside the App.
We do not share Meta data with third parties except within the limits expressly permitted by Meta's policy.
5.2 Requested Permissions and Their Reasons
We request only the following permissions, in line with the Principle of Least Privilege:
instagram_business_basic — to read and display basic Instagram business account information in the dashboard.
instagram_business_manage_messages — to access the account's Instagram direct messages and reply to them automatically using AI for customer service.
5.3 Data Deletion Rights
In accordance with Meta's mandatory requirements, we provide multiple deletion mechanisms:
In the App: a "Delete my data" button on the Settings page immediately and permanently deletes all data associated with your Meta account (access tokens, conversations and messages). A "Disconnect" option is also available, which stops the bot and clears access tokens while keeping your conversation history so you can reconnect later.
When you remove the App from your Instagram/Facebook settings: Meta sends us a deletion request automatically (Data Deletion Callback), and we delete all data associated with your Meta account.
By contacting us at privacy@tamkar.online with "Data Deletion Request".
After any deletion request you receive a unique confirmation code that you can use to track the request status on the data deletion page.
6. Use of Artificial Intelligence (Gemini AI)
Our App uses Google's Gemini model to generate smart, automated replies to your customers' direct messages. We fully comply with the Google AI Terms of Service and the Google Cloud Privacy Policy.
6.1 How AI Works in the App
The system receives the customer's direct message from your account via the Instagram API.
The message is sent — along with the appropriate context (business type, the reply rules you defined) — to the Gemini API.
Gemini generates a suggested reply that can be published automatically or reviewed manually according to your settings.
Messages and conversations are stored to provide the service and display them to you in the dashboard, and are deleted upon a deletion request or account deletion.
6.2 AI Use Safeguards
Your customers' data is not used to train AI models without your explicit permission.
You can disable the automated reply feature at any time from the App settings.
You can enable manual review mode to review every reply before it is sent.
All generated replies are subject to Instagram's Community Guidelines.
We prohibit the AI from sending misleading or harmful content, or content that violates Meta's policies.
7. Sharing Data With Third Parties
We do not sell your data and do not share it with third parties for commercial purposes. We share data only in the following cases:
Technical service providers (Sub-processors): Google Cloud for data hosting and the Google Gemini API for AI, all of whom are bound by the same data protection standards.
Meta: We send data back to them only under the official Graph API requirements (such as sending replies on your behalf).
Legal requirements: If the law or a court order requires disclosure of data, we notify you upon receiving the request unless the law prevents us from doing so.
Protecting our rights: In cases of fraud or violation of the terms of service — limited to the necessary minimum.
7.1 Sub-processors
We disclose a full list of our data sub-processors:
Google LLC (Gemini API & Cloud) — United States — AI processing and hosting.
Meta Platforms, Inc. — United States — Instagram Graph API.
Operational email service provider — for technical notifications only.
8. Data Retention and Storage
8.1 Data Retention Schedules
Account data (name, email): for the duration of account activity + 90 days after deletion.
Meta access tokens: deleted immediately upon expiry or disconnection.
Conversations and messages: retained for the duration of account activity and deleted upon a deletion request or account deletion.
Technical error logs: 90 days for maintenance and security purposes only.
Anonymized aggregated data (for analytics): may be retained for no more than two years.
8.2 Data Storage Location
Your data is stored on secure Google Cloud servers. Data may be transferred across different geographic regions according to service reliability requirements, while ensuring the same protection standards are applied in all locations under approved transfer mechanisms (Standard Contractual Clauses for European users).
9. Your Data Rights
We guarantee you the following rights under applicable regulations (GDPR, CCPA, and others):
9.1 List of Guaranteed Rights
Right of Access: request a complete copy of all data we hold about you within 30 days.
Right to Rectification: correct any inaccurate or incomplete data.
Right to Erasure: delete all your data (the "right to be forgotten") — subject to what the law requires us to retain.
Right to Restriction: restrict how your data is used in specific cases.
Data Portability: receive your data in a machine-readable JSON or CSV format.
Right to Object: object to the processing of your data for particular purposes.
Right not to be subject to automated decisions: request human review of any automated decision that affects you.
9.2 How to Exercise Your Rights
To exercise any of these rights, contact us by email at privacy@tamkar.online with "Privacy Request" in the subject line, and we will provide your data in a machine-readable format upon request. To delete your Meta account data you can use the "Delete my data" button in Settings directly. We undertake to respond to all requests within 30 days of receipt.
10. Data Security
We apply multiple layers of security to protect your data:
Data encryption in transit: TLS 1.3 for all communications.
Data encryption at rest: AES-256 for all sensitive data.
Password encryption: bcrypt algorithm with a random salt.
Access tokens: encrypted and not exposed in system logs.
Limited access: only authorized employees access data on a need-to-know basis.
Periodic security reviews of the code and infrastructure to detect and address vulnerabilities.
10.1 Data Breach Notification
In the event we discover any security breach affecting your data, we commit to notifying you within 72 hours of its discovery in accordance with Article 33 of the EU GDPR, with a full description of the incident and the steps taken to mitigate its harm.
11. Children's Privacy
Our App is designed for businesses and adults (18 years and older). We do not knowingly collect any personal data from children under 18. If we discover that we have collected a child's data by mistake, we delete it immediately. Please notify us if you are aware of this at: privacy@tamkar.online
12. Cookie Policy
We use only three types of cookies:
Strictly Necessary cookies: for session operation and authentication — cannot be disabled.
Functional cookies: to save your preferences such as language and settings — can be disabled.
Analytics cookies: to analyze App usage anonymously — can be disabled from the settings.
We do not use advertising or tracking cookies of any kind.
13. Changes to the Privacy Policy
We may update this policy periodically to keep pace with legal or operational changes. When we make any material changes:
We send an email notification 30 days before the changes take effect.
We display a clear in-App notice with a summary of the changes.
We keep all previous versions of the policy available for review.
Your continued use of the App after the changes constitutes acceptance of them.
14. Governing Law and Dispute Resolution
This policy is governed by and construed in accordance with the laws of the Republic of Iraq. In the event of any dispute, we first seek an amicable settlement. If an amicable settlement cannot be reached within 60 days, the dispute is referred to arbitration under the rules in force in the Republic of Iraq. These provisions do not affect your statutory rights guaranteed under the regulations applicable in your country.
15. Contact Us
For any inquiry or request related to your privacy or data:
Privacy email: privacy@tamkar.online
Data Protection Officer (DPO): privacy@tamkar.online
App website: https://app.tamkar.online/privacy
Meta data deletion link: https://app.tamkar.online/data-deletion
Response time: within a maximum of 30 days from receiving your request.
Last updated: May 30, 2026 | Version 1.0
This policy is documented and approved in accordance with Meta Platform Policy v17+