Welcome to HavenDM. This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our Instagram DM management service. We are committed to protecting your privacy and handling your data transparently.
By using HavenDM, you agree to the collection and use of information in accordance with this policy. For questions, contact us at privacy@havendm.com.
1. Information We Collect
Account Information
When you create a HavenDM account, we collect:
- Email address — For account creation, authentication, and communication
- Name — For personalization and support
- Password — Stored securely using industry-standard hashing (never stored in plain text)
Instagram Data (via Meta API)
When you connect your Instagram account, we access the following data through Meta's official Instagram Graph API:
- Instagram Profile — Display your account info, identify messages (instagram_basic permission)
- Direct Messages — Display, organize, and help you respond to DMs (instagram_manage_messages permission)
- Comments — Enable comment-to-DM automation triggers (instagram_manage_comments permission)
- Connected Facebook Page — Required by Meta for Instagram API access (pages_read_engagement permission)
Important: We only access data necessary to provide the Service. We do NOT access your Instagram password, private posts or stories, follower/following lists beyond what's visible in DMs, or financial information from Instagram.
Message Content
To provide our Service, we store:
- Instagram DM content — Messages you send and receive through our platform
- Message metadata — Timestamps, read status, conversation participants
- Templates — Message templates you create within HavenDM
- Automation rules — Comment-to-DM triggers and settings you configure
Payment Information
Payment processing is handled by Stripe. We do NOT store full credit card numbers, CVV codes, or bank account details. We receive and store from Stripe: last 4 digits of your payment method, billing address, transaction history, and subscription status.
Usage Data
We automatically collect:
- Log data — IP address, browser type, device information, pages visited, access times
- Feature usage — Which features you use, frequency, templates created, messages sent
- Performance data — App errors, load times, technical diagnostics
Cookies and Tracking
We use essential cookies for authentication, security, and preferences.
2. How We Use Your Information
Provide and Improve the Service
- Display and organize your Instagram DMs
- Send messages on your behalf through the Instagram API
- Execute comment-to-DM automations
- Track 24-hour messaging windows
- Store and apply your message templates
- Process your subscription payments
Communicate With You
- Send service-related notifications (trial expiring, payment issues)
- Respond to support requests
- Send product updates and tips (you can unsubscribe anytime)
Ensure Security and Prevent Abuse
- Detect and prevent fraud, abuse, or violations of our Terms
- Monitor for security threats
- Comply with legal obligations
We do NOT: sell your personal data to third parties, use your DM content for advertising, share your data with data brokers, or train AI models on your private messages without consent.
3. Legal Basis for Processing (GDPR)
If you are in the European Economic Area (EEA), UK, or Switzerland, we process your data under these legal bases:
- Providing the Service — Performance of contract
- Processing payments — Performance of contract
- Security and fraud prevention — Legitimate interests
- Service improvement — Legitimate interests
- Marketing communications — Consent (opt-in)
- Legal compliance — Legal obligation
4. Data Sharing and Third Parties
Service Providers
- Meta (Instagram) — Instagram API access
- Stripe — Payment processing
- Resend — Transactional email
- Fly.io — Cloud hosting (all data encrypted at rest)
- Sentry — Error tracking (anonymized usage data)
All service providers are contractually obligated to protect your data and use it only for the specified purposes.
Legal Requirements
We may disclose your information if required by law, including responding to valid legal process, protecting rights and safety, and enforcing our Terms of Service.
Business Transfers
If HavenDM is acquired or merged, or sells assets, your data may be transferred. We will notify you via email and/or prominent notice before any transfer.
5. Data Retention
- Account information — Until you delete your account
- Instagram messages — Until you delete your account or disconnect Instagram
- Message templates — Until you delete them or your account
- Usage logs — 90 days
- Payment records — 7 years (legal requirement)
- Support conversations — 2 years
After Account Deletion: Personal data is deleted within 30 days. Anonymized, aggregated data may be retained for analytics. Backups containing your data are purged within 90 days.
6. Your Rights and Choices
All Users
You have the right to:
- Access — Request a copy of your personal data
- Correction — Update inaccurate information
- Deletion — Delete your account and associated data
- Export — Download your data in a portable format
- Disconnect — Revoke Instagram access at any time
To exercise these rights, email privacy@havendm.com or use the account settings in the app.
EEA/UK Users (GDPR)
Additionally, you have the right to object to processing, restrict processing, withdraw consent, and lodge a complaint with your local data protection authority.
California Users (CCPA/CPRA)
California residents have the right to know what personal information we collect, to delete personal information, to opt out of data sales (we do not sell data), and to non-discrimination for exercising privacy rights. Email privacy@havendm.com with subject "CCPA Request."
7. Data Security
We implement industry-standard security measures:
- Encryption in transit — All data transmitted via TLS 1.3
- Encryption at rest — Database encrypted using AES-256
- Access controls — Role-based access, principle of least privilege
- Authentication — Secure password hashing (bcrypt), optional 2FA
- Token security — Instagram OAuth tokens encrypted at rest
No system is 100% secure. If you discover a vulnerability, please report it to security@havendm.com.
8. International Data Transfers
HavenDM is based in the United States. If you access our Service from outside the US, your data will be transferred to and processed in the US.
For EEA/UK users, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission and data processing agreements with all sub-processors.
9. Children's Privacy
HavenDM is not intended for users under 18 years of age. We do not knowingly collect personal information from children under 18. If you believe a child has provided us with personal information, please contact privacy@havendm.com.
10. Meta Platform Terms
By connecting your Instagram account to HavenDM, you acknowledge:
- We access your data through Meta's official Instagram Graph API
- We comply with Meta's Platform Terms and Developer Policies
- Your use of Instagram remains subject to Meta's Terms of Service and Privacy Policy
- We are an independent company and not affiliated with Meta
Data Deletion: You can revoke HavenDM's access to your Instagram account through HavenDM settings, Instagram settings (Settings → Security → Apps and Websites), or by emailing privacy@havendm.com. Upon disconnection, we delete your Instagram data within 30 days.
11. Changes to This Policy
We may update this Privacy Policy periodically. When we make material changes, we will notify you via email at least 7 days before changes take effect and update the "Last Updated" date. Continued use after changes constitutes acceptance.
12. Contact Us
For privacy-related questions or to exercise your rights:
Email: privacy@havendm.com
We aim to respond to all requests within 30 days.
By using HavenDM, you acknowledge that you have read and understood this Privacy Policy.