Requex.me LogoRequex.me

Instagram Automation Privacy Policy

Last Updated: May 26, 2026

1. Overview

This policy describes how Requex.me ("we," "us," "our") handles data when you connect your Instagram business or creator account to our Instagram Automation feature. It supplements our general Privacy Policy and applies specifically to the use of Meta's Instagram Graph API through Requex.me.

2. What We Access

When you connect your Instagram account, you grant us limited access to perform the automations you configure. We request only the minimum permissions required:

  • Basic profile (instagram_business_basic) — your Instagram user ID and username, used to identify your account in our dashboard.
  • Comments (instagram_business_manage_comments) — to receive webhook notifications about new comments on your posts and reels, and to post replies when an automation rule matches.
  • Messages (instagram_business_manage_messages) — to receive webhook notifications for direct messages sent to your account, and to send automated replies when an automation rule matches.
  • Media — read-only access to the list of your posts and reels (ID, caption, thumbnail, permalink) so you can pick which post an automation should apply to.

3. What We Do Not Access

  • We do not read your private inbox. We only process DMs that arrive via webhook events while your account is connected — i.e., messages sent to you after connection. We do not bulk-export or browse your existing DM history.
  • We do not access your followers, following list, or audience insights.
  • We do not access stories, story replies, or live broadcasts unless you explicitly enable a future feature that requires those scopes.
  • We do not read or post on other connected social accounts (Facebook Pages, WhatsApp, etc.).
  • We do not sell, rent, or share your Instagram data with third parties for advertising or marketing.
  • We do not use your Instagram data to train AI models.

4. How We Use Your Data

We use the data we access for one purpose only: to run the automation rules you configure. Specifically:

  • Matching incoming comments and direct messages against the keyword, regex, or all-events rules you set up.
  • Posting public comment replies, sending private replies to commenters, or sending direct messages — only when a rule you created matches.
  • Displaying your connected account's username, post thumbnails, and automation status inside the Requex dashboard you signed in to.
  • Refreshing your Instagram access token before it expires, so your automations keep running without re-authorization.

5. How We Store Data

  • Access tokens are encrypted at rest using AES-256-GCM with a key held only by our backend. Tokens are never exposed to the browser or to other users.
  • Webhook events (comments and DMs) are processed in memory and used to trigger your configured actions. We retain a minimal audit record (timestamp, matched rule, action result) for debugging and you can clear this at any time.
  • Automation configurations (rule name, trigger, match criteria, response template) are stored in our PostgreSQL database and visible only to your account.
  • Data is hosted on infrastructure located in the EU/US and protected by industry-standard access controls.

6. Sharing and Disclosure

We do not share your Instagram data with third parties except where strictly necessary to operate the service: (a) our hosting provider, which stores encrypted data on our behalf, and (b) Meta's Instagram Graph API, which is the source of the data and the destination of replies you send through Requex. We will disclose data only if compelled by valid legal process and will notify you where permitted by law.

7. Your Rights

  • Disconnect at any time. Use the "Disconnect" button in the Instagram Automation dashboard. This revokes our access, deletes your access token, and removes all automations associated with that account.
  • Revoke from Instagram. You can also revoke our access directly from Instagram → Settings → Apps and Websites → Active.
  • Request deletion. Email privacy@requex.me to request deletion of all data associated with your account. We will action requests within 30 days.
  • Data deletion callback. When you trigger data deletion from Instagram, Meta calls our endpoint at /integrations/instagram/data-deletion and we purge associated records.

8. Data Retention

Connection records and automation configurations are retained for as long as your Instagram account remains connected. When you disconnect or delete an account, all associated tokens, automation rules, and webhook audit records are deleted within 30 days. Anonymized, aggregated metrics (e.g., total automations executed) may be retained indefinitely.

9. Compliance with Meta's Platform Terms

Our use of the Instagram Graph API complies with Meta's Platform Terms and Developer Policies. We do not use Instagram data to build user profiles for advertising, do not attempt to re-identify users, and do not store data longer than necessary for the automation you configured.

10. Changes to This Policy

We may update this policy as the feature evolves. Material changes will be communicated by updating the "Last Updated" date above and, for substantive changes, by email or in-app notification.

11. Contact

For privacy questions, data requests, or to report a concern, email privacy@requex.me.