Privacy Policy

Last updated: July 12, 2026

Magnet ("we", "us") helps Instagram creators automatically respond to comments and deliver files through direct messages. This policy explains what we collect, why, and the controls you and your audience have. It applies to the Magnet web app and to data we process through Instagram's official APIs.

What we collect from creators (our customers)

  • Account details: name, email address, and password hash (via our auth provider).
  • Instagram professional account data you authorize through Instagram's consent screen: your account ID, username, account type, follower count, profile picture, your posts' metadata (captions, counts), and an access token we store encrypted.
  • Campaign configuration you create: trigger keywords, reply text, DM text, attached files.
  • Usage and billing metadata: DM counts, plan, and event logs that power your analytics.

What we collect about commenters (your audience)

When someone interacts with an automated campaign, we process the minimum needed to run the flow the creator configured:

  • Their Instagram username and Instagram-scoped ID (IGSID).
  • The text of the comment that matched a trigger keyword.
  • Whether they follow the creator (a yes/no from Instagram's API — nothing more).
  • An email address only if they voluntarily submit it on a download page.
  • Delivery events (DM sent, link clicked, file downloaded) tied to the campaign.

We never see anyone's Instagram password, private messages outside the automated conversation, or their activity elsewhere on Instagram.

How we use data

  • To run the automations creators configure — replying, sending DMs, verifying follows, delivering files.
  • To show creators analytics about their own campaigns.
  • To enforce plan limits and prevent abuse.
  • To comply with Instagram platform policies, including messaging windows and rate limits.

We do not sell personal data, use it for advertising, or train AI models on it. Audience data belongs to the creator whose campaign collected it.

Where data lives

Data is stored with Supabase (Postgres and file storage) with row-level security isolating each workspace. Instagram access tokens are encrypted at rest. Uploaded files are private and served only through expiring signed links.

Sharing

We share data only with the infrastructure providers needed to run the service (hosting, database, email delivery), each bound by their own data-processing terms, and with Meta/Instagram when calling their APIs on the creator's behalf. We disclose data if legally required.

Retention and deletion

  • Creators can delete campaigns, leads, and files at any time from the app.
  • Deleting a workspace removes all of its data after a 14-day grace period.
  • Audience members can request deletion of their data via Instagram's data-deletion flow (we honor Meta's deletion callbacks automatically) or by emailing us.
  • Disconnecting an Instagram account invalidates its stored token.

Your rights

Depending on where you live (including under GDPR and CCPA), you may have rights to access, correct, export, or delete your personal data, and to object to processing. Email us and we'll respond within 30 days.

Contact

Data controller: Magnet. For any privacy request or question: privacy@replymagnet.app. Changes to this policy will be posted here with a new "last updated" date.