Legal
Last updated: July 5, 2026
This Privacy Policy explains what personal data AutoMes collects, why we collect it, how we use and protect it, and the rights you have over it. It applies to our website, dashboard, and services (the "Service"). By using the Service, you agree to the practices described here. If you do not agree, please do not use the Service.
AutoMes is an Instagram DM automation platform that helps creators and businesses automatically send direct messages to users who comment on their Instagram posts, and run follow-gate flows. For the personal data we process about our account holders, AutoMes acts as the data controller. For the data processed about the Instagram users who interact with your content, you (our customer) are the controller and AutoMes acts as your processor, handling that data on your instructions. AutoMes is not affiliated with Meta Platforms, Inc. For any privacy question, contact us at automes849@gmail.com.
Account information: your email address and, optionally, your name. Instagram account data: your username, account ID, and an access token that is encrypted before storage. Automation and usage data: your automation configurations, follow-gate settings, message and delivery logs, and message counts. Payment data: the amount, date, plan, and payment status of your subscription. We do NOT store card numbers, UPI IDs, bank details, or your Instagram password at any point.
To deliver automations on your behalf, we process limited data about Instagram users who comment on your posts or message your account: their Instagram user ID and username, the comment or message content that triggers an automation, follow status where a follow-gate is enabled, and delivery records of messages sent to them. We use this data solely to send the messages you have configured and to honour opt-outs. We do not use it to build advertising profiles and we do not sell it.
We use data to: operate the Service (receive comment and message webhooks from Meta and send the DMs you configure); run follow-gate flows and record new-follower conversions; send transactional emails such as token-expiry warnings, renewal reminders, quota alerts, and payment confirmations; enforce plan limits and prevent abuse; provide support; and debug, secure, and improve the Service. We do not use your data for third-party advertising and we do not sell your data.
Where the law requires a legal basis, we rely on: performance of our contract with you (to provide the Service you signed up for); your consent (which you may withdraw at any time, for example by disconnecting your Instagram account); our legitimate interests in securing, maintaining, and improving the Service; and compliance with legal obligations, such as retaining financial records. We process data in accordance with India's Digital Personal Data Protection Act, 2023 and applicable Meta platform requirements.
Data is stored in Supabase (PostgreSQL) hosted on AWS in the ap-south-1 (Mumbai) region. Instagram access tokens are encrypted using AES-256-CBC before being written to the database. All data in transit is protected with HTTPS/TLS. Access to production data is restricted to what is necessary to operate the Service. No method of transmission or storage is completely secure, but we take reasonable technical and organisational measures to protect your data.
We retain message and delivery logs for 90 days, after which they are automatically deleted. Account, automation, and Instagram-connection data is retained while your account is active. Payment records are retained for up to 7 years to comply with Indian financial and tax regulations. When you delete your account or disconnect your Instagram account, we delete your personal data (other than records we must keep by law) within 30 days.
In line with Meta's platform policies, if an Instagram user deletes a message, we delete any stored copy of that message from our logs within 24 hours of receiving Meta's deletion notification.
We rely on the following trusted providers to run the Service: Meta / Instagram Graph API (to receive webhooks and send DMs), Supabase (database and authentication), Vercel (application hosting), Upstash / QStash (message queue and rate limiting), Razorpay (payment processing), and Resend (transactional email delivery). Each provider processes data only as needed to perform its function and is bound by its own security and privacy obligations.
Our primary data store is located in India (Mumbai). Some sub-processors listed above may process limited data (such as email delivery or hosting metadata) on infrastructure located outside India. Where that happens, we take reasonable steps to ensure your data continues to receive an appropriate level of protection.
Subject to applicable law, you have the right to access the personal data we hold about you, to correct inaccurate data, to request deletion, to export your data, and to withdraw consent. You can disconnect your Instagram account at any time from the Settings page, which stops further processing of that account's data. To exercise any of these rights, email us at automes849@gmail.com. You may also nominate another person to exercise your rights in the event of death or incapacity, as provided under applicable law.
The Service is intended for users who are at least 18 years old. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us at automes849@gmail.com and we will delete it.
AutoMes uses only essential cookies required for authentication and session management. We do not use advertising, tracking, or third-party analytics cookies.
If a personal data breach occurs that is likely to affect your rights, we will take prompt remedial action and, where required by law, notify the relevant Data Protection Board and affected users without undue delay.
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date above and, where appropriate, notify you by email or in-app. Your continued use of the Service after an update takes effect constitutes acceptance of the revised policy.
For any privacy question, data request, or grievance regarding how we handle your personal data, contact us at automes849@gmail.com. We aim to acknowledge grievances promptly and to resolve them within the timelines required by applicable law.