Privacy Policy

This Privacy Policy describes our policies and procedures on the collection, use and disclosure of your information when you use the Boomly service and tells you about your privacy rights and how the law protects you.

We use your personal data to provide and improve the service. By using the service, you agree to the collection and use of information in accordance with this Privacy Policy.

Definitions

• Account means a unique account created for you to access our service.
• Company (referred to as “We”, “Us” or “Our”) refers to Boomly, operated as a sole proprietorship registered in India.
• Cookies are small files placed on your device by a website, containing details of your browsing history.
• Country refers to: India.
• Personal Data is any information that relates to an identified or identifiable individual.
• Service refers to the Boomly website, dashboard and Instagram automation features.
• Third-party Social Media Service refers to any website or social network through which a user can log in or connect their account.
• Usage Data refers to data collected automatically, generated by the use of the service.
• You means the individual accessing or using the service.

Personal Data We Collect

While using our service, we may ask you to provide us with certain personally identifiable information that can be used to contact or identify you, including:

• Email address
• First name and last name
• Phone number (optional)
• Address, state, ZIP/postal code, city
• Usage data

Usage Data

Usage data is collected automatically when using the service. It may include information such as your device's IP address, browser type, browser version, the pages of our service that you visit, the time and date of your visit, time spent on those pages, unique device identifiers and other diagnostic data.

Information from Instagram & Meta Platforms

When you connect an Instagram Business or Creator account to Boomly via the Meta “Instagram API with Instagram Login” product, we collect — strictly for delivering the automation features youconfigure — the following data from the Meta Graph API:

• Instagram username, user ID, profile picture and account type
• Comments on your posts that match your trigger keywords
• Direct messages your followers send to your business inbox
• Story replies and @mentions
• Basic insights (follower counts, engagement metrics) shown only to the connected user

We collect this data through Meta Webhook events (comments, messages, messaging_postbacks, messaging_referral, mentions, story_insights) only after you explicitly authorize Boomly during the OAuth flow. Boomly requests three Meta permissions: instagram_business_basic (read profile), instagram_business_manage_comments (read & reply to comments) and instagram_business_manage_messages(read & send DMs). We use no other Meta permissions.

We never sell or rent your Instagram data, and we never use it for advertising, profiling, training AI models, or any purpose unrelated to executing the automations you create. All access and refresh tokens are encrypted at rest using AES-256-GCM and decrypted only at the moment of an outgoing Graph API call. Webhook payloads are stored for up to 30 days for delivery debugging and then permanently deleted.

Boomly's use of Meta Platform data is subject to and complies with the Meta Platform Terms and Meta Developer Policies.

Third-Party Social Media Services

Boomly allows you to log in or connect your account through Google, Facebook, and Instagram. If you decide to register through a third-party service, we may collect personal data already associated with that account.

Cookies & Tracking

We use cookies and similar tracking technologies to track activity on our service:

• Essential / Session cookies — required for authentication and security.
• Functionality cookies — remember your preferences (theme, language, login).
• Analytics cookies — help us understand how the service is used.

How We Use Your Personal Data

• To provide and maintain our service
• To manage your account and registration
• To execute the Instagram automations you configure
• To contact you about updates, security alerts and product news
• To process payments via Razorpay
• To detect, prevent and address fraud or abuse
• To comply with legal obligations

Sharing Your Information

We may share your personal information with:

• Service providers — Supabase (database), Razorpay (payments), Vercel (hosting), email providers (transactional email).
• Meta Platforms — limited to the data needed to deliver Instagram features you have configured.
• Affiliates — required to honor this Privacy Policy.
• Law enforcement — when required by valid legal process.
• With your consent — for any other purpose disclosed at the time.

Retention of Your Personal Data

We retain your personal data only for as long as necessary for the purposes set out in this Privacy Policy. Specific retention periods:

• Account profile (name, email, hashed password) — for the lifetime of your account; deleted within 7 days of account deletion request.
• Instagram access & refresh tokens — until you disconnect Instagram from Boomly or delete your account; deleted immediately on disconnect.
• Automation rules & logs — retained while your account is active; logs older than 90 days are auto-purged.
• Raw webhook event payloads — retained for up to 30 days for delivery debugging, then auto-deleted.
• Lead / contact data captured by your automations — retained until you delete the automation rule or your account, whichever is sooner.
• Audit deletion records (timestamp + hashed user ID, no PII) — up to 90 days after account deletion to satisfy security and compliance obligations.
• Billing & tax records — up to 7 years as required by Indian tax law, even after account deletion.

Security

The security of your personal data is important to us. We use industry-standard practices including bcrypt password hashing, AES-256 encryption for tokens, HTTPS-only transit, and Postgres row-level security. However, no method of transmission over the internet is 100% secure.

Delete Your Personal Data

You have the right to delete your personal data at any time. There are three deletion paths:

1. From the app — sign in, open Settings → Account and click Delete my account.
2. By email — write to abid.akram01@gmail.com from your registered address with subject “Boomly data deletion”.
3. From Instagram — revoke Boomly's access at Instagram → Apps and Websites. Meta will send a Data Deletion Request callback to our endpoint POST /api/data-deletion, which automatically queues your data for deletion within 7 days.

See our complete Data Deletion Instructions for verification steps and exact retention timelines after deletion. We may retain limited information (billing records for 7 years, audit hashes for 90 days) where required by Indian law.

Children's Privacy

Our service does not address anyone under the age of 13. We do not knowingly collect personally identifiable information from anyone under the age of 13.

Links to Other Websites

Our service may contain links to other websites that are not operated by us. We strongly advise you to review the Privacy Policy of every site you visit. We assume no responsibility for the practices of third-party sites.

Changes to this Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the “Last updated” date.

Contact Us

If you have any questions about this Privacy Policy:

• By email: support@boomly.app
• By visiting: boomly.app/contact