Privacy Policy
Effective date: May 4, 2026
Version 1.0
What this is
Comment Operator ("the Service") helps Instagram creators manage public comments and direct messages on their connected Instagram Business or Creator accounts. This policy explains what we collect, why, who we share it with, and the rights you have over it.
Who's responsible
The data controller for personal data processed by the Service is:
Jacob Darish (sole proprietor, d/b/a Comment Operator)
[Needham, MA 02492]
legal@commentoperator.com
What we collect
From you (creators)
- Account identity from Clerk: email, name, profile photo URL.
- Instagram OAuth tokens, encrypted at rest with AES-256-GCM.
- Settings: per-account mode (engagement / sales / hybrid), autopilot on/off, voice example pairs you add.
From Instagram, via Meta's Graph API and webhooks
- Public comments on your media: text, comment ID, commenter username and Instagram ID, timestamp.
- Direct messages sent to you within Meta's 24-hour messaging window in response to comments you reply to.
- Media metadata: media ID, type, caption, timestamp.
- Your account profile: ig_user_id, username, account type.
About other Instagram users (commenters)
When commenters interact with your account, we receive their comment text, comment ID, Instagram username and ID, and timestamp; for DMs sent in response, the message text. We process this only to operate the Service for you — to classify each message and generate a reply in your voice. We don't contact users who haven't first interacted with you. Commenter data follows the same retention rules as the connected account's data.
A commenter can opt out by emailing us, or by deleting the original message on Instagram (we delete it on next sync).
How we use it
- Classify incoming comments by intent, sentiment, and buying-signal strength to decide whether to reply.
- Generate draft replies in your voice using your past comment+reply pairs as examples.
- Send public replies and Private Reply DMs on your behalf, after your approval — or automatically when autopilot is on.
- Show you the inbox of recent comments and the queue of pending drafts.
Legal basis
For users in the EEA and UK, we rely on the following bases under GDPR Art. 6:
- Operating the Service for creators (account, settings, dashboard) — contract performance, Art. 6(1)(b).
- Sending and receiving messages on creators' Instagram accounts at their direction — contract performance, Art. 6(1)(b).
- Processing commenters' messages to classify and reply — legitimate interest, Art. 6(1)(f), balanced against the limited interaction needed to respond to messages voluntarily sent into a public-facing creator account.
- Security, fraud prevention, audit logging — legitimate interest, Art. 6(1)(f), and legal obligation, Art. 6(1)(c).
Who we share data with
We share data with these processors only as needed to operate the Service:
- Anthropic (Claude API) — comment text, classification metadata, and voice examples for classification and reply generation. Anthropic does not train on data sent via the API; see Anthropic Commercial Terms §B (anthropic.com/legal/commercial-terms).
- OpenAI (Embeddings API) — voice example text, sent to compute an embedding stored in our database. Text is not retained by OpenAI for training (openai.com/policies/api-data-usage-policies).
- Meta / Instagram — replies and DMs sent on your behalf; webhook events received for comments on your media.
- Supabase (Postgres, US region) — stores all data described above. Encrypted at rest at the database layer; tokens additionally encrypted with our own key.
- Clerk — sign-in and account identity.
- Inngest — background job orchestration.
- Vercel — application hosting.
Each processor is bound by a data processing agreement that limits use to what we engage them for. We may add or change processors over time; material changes are announced here at least 30 days before they take effect.
We don't sell your data, don't show ads, and don't use your data to train models or for any purpose beyond operating the Service for you.
Retention
- Comment, classification, and action data stays while your Instagram account is connected. Disconnecting stops new ingestion immediately. Existing data stays until you delete your user account or request deletion via /data-deletion.
- Your user account stays until you delete it. Deleted accounts enter a 30-day recovery window during which you can restore them. After 30 days, the account is no longer accessible. You can request immediate permanent deletion at any time by emailing us or using /data-deletion.
- Audit logs are retained for security and compliance. You can request deletion as part of a data-subject request.
Your rights
You can:
- Access a copy of your data — email us.
- Correct profile fields in your Clerk account. Comment and action data reflects Instagram and can be deleted but not edited.
- Delete your account from Settings or via /data-deletion.
- Port your data — request a copy in machine-readable form.
- Object to processing for a specific account by disconnecting it from Settings.
If you're in the EEA or UK
You have the rights above plus the right to lodge a complaint with the supervisory authority in your country of residence. EU authorities are listed at edpb.europa.eu/about-edpb/about-edpb/members_en.
If you're a California resident
Under the CCPA (as amended by the CPRA), you have the rights above plus the right to:
- Know the categories of personal information we collect — for us: identifiers (email, name, profile photo, Instagram username/ID), internet activity (Instagram comments, DMs, media metadata), and inferences (intent and sentiment classification of processed comments). We collected each of these categories in the past 12 months.
- Opt out of sale or sharing — we don't sell or share for cross-context behavioral advertising. You have this right by default.
- Limit the use of sensitive personal information — we don't collect sensitive PI as defined by the CCPA.
- Non-discrimination for exercising these rights.
International transfers
Data is stored in the United States (Supabase US region). For users in the EEA, UK, or Switzerland, we rely on Standard Contractual Clauses executed with our subprocessors, plus the EU-US Data Privacy Framework where a subprocessor self-certifies. Email us for a copy of the applicable transfer mechanism.
Security
Access tokens are encrypted with AES-256-GCM using a key separate from the database password. Database access is gated by Supabase service-role keys and Clerk-issued user JWTs, with row-level security as a defense in depth. All traffic is over HTTPS.
No system is fully secure. If you believe your data has been compromised, contact us immediately. If we discover a security incident affecting your data, we'll notify affected users without undue delay and, where applicable, the relevant supervisory authority within statutory deadlines (e.g., 72 hours for GDPR Art. 33).
Cookies
We use a small number of essential cookies: authentication cookies set by Clerk to keep you signed in, and hosting/security cookies set by Vercel for routing and DDoS protection. We don't use advertising or third-party profiling cookies. If we add product analytics later, we'll update this policy and request consent where required.
Children
The Service is intended for adult creators. We don't knowingly collect personal information from anyone under 13 (per COPPA). For users in the EEA and UK, the Service is not directed at children below the digital age of consent in their member state (13 to 16). Because we process public Instagram interactions, some commenters may be minors; we rely on Instagram's age-gating and the creator's compliance with Meta's policies. If you become aware that a minor's data has been processed inappropriately, email us and we'll remove it.
Changes
Material changes are announced via email at least 30 days before they take effect. Continued use after the effective date constitutes acceptance.
Contact
For data-deletion requests, you can also use the in-product Settings page or Meta's data-deletion callback documented at /data-deletion.