Privacy Policy

What we collect

We collect your email address (for authentication), and when you connect your Instagram account, we receive and store the following from Meta's Instagram API:

• Instagram username and account ID
• Instagram access token (encrypted at rest)
• Comment data from webhook notifications (comment text, commenter username, commenter ID, media ID)
• DM delivery logs (recipient username, recipient ID, timestamp, delivery status)
• Click events on short links (timestamp, referrer — no IP addresses stored)

How we use Instagram data

We use data received from Meta's Instagram API exclusively for the following purposes:

• Account connection: We read your Instagram professional account's basic profile information (username, account ID) to display it in your dashboard and associate it with your drop rules.
• Comment monitoring: We receive webhook notifications when someone comments on your posts. We check if the comment text matches an active keyword rule. We do not edit or delete comments.
• Comment replies: After a successful DM delivery, we post a single reply to the triggering comment (e.g., “Check your DM! 📩”) to notify the commenter. This reply text is customizable by you.
• DM sending: When a comment matches an active keyword rule, we send a single DM to the commenter containing a short link to your destination URL. Messages are only sent in direct response to the user's comment action.
• Analytics: We track DM delivery status and short link clicks to display stats on your dashboard.

Messaging policy

DMs are only sent in direct response to a user-initiated action (commenting a keyword on your post). We enforce a limit of 1 DM per user per rule per 24-hour period. We do not send bulk messages, follow-up sequences, drip campaigns, or unsolicited marketing messages. All messages are triggered solely by the commenter's own action.

Access token storage

Instagram access tokens are encrypted at rest and stored in our database hosted on Neon (PostgreSQL). Tokens are only used to make authorized API calls to Meta's Instagram Graph API and Messenger API on your behalf. Tokens are deleted immediately when you disconnect your Instagram account.

Payment processing

Payments are processed securely by Stripe. We do not store credit card numbers, CVVs, or any sensitive payment information on our servers. Stripe's privacy policy applies to payment data.

Cookies

We use essential cookies for authentication and session management. We do not use third-party tracking cookies or advertising pixels.

Third-party services

We share data with the following third-party services strictly to operate DropTh.is:

• Meta (Instagram Graph API, Messenger API): To connect accounts, receive comment webhooks, and send DMs.
• Stripe: For payment processing.
• SendGrid: For transactional emails (magic links, receipts).
• Vercel: For hosting and deployment.
• Neon: For database hosting (PostgreSQL).

We do not sell your data to any third party.

Data retention and deletion

Account data is retained while your account is active. Instagram access tokens are deleted immediately when you disconnect your account. If you delete your account, all associated data (rules, delivery logs, click events, tokens) is permanently removed within 30 days.

To request data deletion: Email support@dropth.is with the subject line “Data Deletion Request” and the email address associated with your account. We will process your request within 30 days and confirm deletion by email.

Children's privacy

DropTh.is is not directed at children under 13. We do not knowingly collect personal information from children. If we learn that we have collected data from a child under 13, we will delete it promptly.

Changes to this policy

We may update this policy from time to time. We will notify users of material changes via email. Continued use of the service after changes constitutes acceptance.

Contact

For privacy concerns or data deletion requests, email support@dropth.is.