Back to Comment Operator

Privacy Policy

Effective date: May 4, 2026

Version 1.0

What this is

Comment Operator ("the Service") helps Instagram creators manage public comments and direct messages on their connected Instagram Business or Creator accounts. This policy explains what we collect, why, who we share it with, and the rights you have over it.

Who's responsible

The data controller for personal data processed by the Service is:

Jacob Darish (sole proprietor, d/b/a Comment Operator)
[Needham, MA 02492]
legal@commentoperator.com

What we collect

From you (creators)

From Instagram, via Meta's Graph API and webhooks

About other Instagram users (commenters)

When commenters interact with your account, we receive their comment text, comment ID, Instagram username and ID, and timestamp; for DMs sent in response, the message text. We process this only to operate the Service for you — to classify each message and generate a reply in your voice. We don't contact users who haven't first interacted with you. Commenter data follows the same retention rules as the connected account's data.

A commenter can opt out by emailing us, or by deleting the original message on Instagram (we delete it on next sync).

How we use it

Legal basis

For users in the EEA and UK, we rely on the following bases under GDPR Art. 6:

Who we share data with

We share data with these processors only as needed to operate the Service:

Each processor is bound by a data processing agreement that limits use to what we engage them for. We may add or change processors over time; material changes are announced here at least 30 days before they take effect.

We don't sell your data, don't show ads, and don't use your data to train models or for any purpose beyond operating the Service for you.

Retention

Your rights

You can:

If you're in the EEA or UK

You have the rights above plus the right to lodge a complaint with the supervisory authority in your country of residence. EU authorities are listed at edpb.europa.eu/about-edpb/about-edpb/members_en.

If you're a California resident

Under the CCPA (as amended by the CPRA), you have the rights above plus the right to:

International transfers

Data is stored in the United States (Supabase US region). For users in the EEA, UK, or Switzerland, we rely on Standard Contractual Clauses executed with our subprocessors, plus the EU-US Data Privacy Framework where a subprocessor self-certifies. Email us for a copy of the applicable transfer mechanism.

Security

Access tokens are encrypted with AES-256-GCM using a key separate from the database password. Database access is gated by Supabase service-role keys and Clerk-issued user JWTs, with row-level security as a defense in depth. All traffic is over HTTPS.

No system is fully secure. If you believe your data has been compromised, contact us immediately. If we discover a security incident affecting your data, we'll notify affected users without undue delay and, where applicable, the relevant supervisory authority within statutory deadlines (e.g., 72 hours for GDPR Art. 33).

Cookies

We use a small number of essential cookies: authentication cookies set by Clerk to keep you signed in, and hosting/security cookies set by Vercel for routing and DDoS protection. We don't use advertising or third-party profiling cookies. If we add product analytics later, we'll update this policy and request consent where required.

Children

The Service is intended for adult creators. We don't knowingly collect personal information from anyone under 13 (per COPPA). For users in the EEA and UK, the Service is not directed at children below the digital age of consent in their member state (13 to 16). Because we process public Instagram interactions, some commenters may be minors; we rely on Instagram's age-gating and the creator's compliance with Meta's policies. If you become aware that a minor's data has been processed inappropriately, email us and we'll remove it.

Changes

Material changes are announced via email at least 30 days before they take effect. Continued use after the effective date constitutes acceptance.

Contact

legal@commentoperator.com

For data-deletion requests, you can also use the in-product Settings page or Meta's data-deletion callback documented at /data-deletion.