Privacy Policy

1. Who we are

BotPilot is operated by 1 MEDIA Studio LLC. ("BotPilot", "we", "us"). Contact: email@jonathanprivat.com.

2. The two products

3. BotPilot for Android — data we handle

What stays on your phone: your Instagram login state (already present in the Instagram app), the accounts you browse, the posts/stories you view, the likes / GIF reactions / emoji reactions you trigger, and the session counters shown in the in-app HUD.

What we collect: nothing personally identifying. We do not see your Instagram username, password, DMs, followers, content you engage with, or the people you engage with.

Optional anonymous diagnostics: if you opt in, we may receive crash reports and anonymized usage counters (e.g. "Stories mode ran successfully") through Google Play services. These never include account data.

Accessibility permission: required for the app to function. We use it only to read the on-screen state of the Instagram app and dispatch tap/scroll/text actions. We do not capture, transmit, or store screen contents.

4. BotPilot Creator for iOS — data we handle

Because BotPilot Creator uses Meta's Instagram API on your behalf, we process the data Meta delivers to our backend in order to power the features you turn on. This is the data Meta authorizes us to receive when you connect your Instagram Professional account.

4.1 What we receive from Instagram

• Your Instagram user ID, username, profile picture URL, and account type (Business or Creator).
• Direct messages within Instagram's 24-hour conversation window (sender, recipient, text/media payload, timestamps).
• Comments on posts you own and basic metadata about the commenters Instagram exposes to us.
• Media you choose to schedule (image, video, carousel) and the publication metadata.
• Account-level insights you turn on (followers, reach, engagement) at the granularity Meta provides.
• Webhook events Meta sends us when you receive a new DM, comment, mention, or response feedback.

4.2 Why we hold it

• Inbox: store recent DMs so you can read and reply from the app.
• Auto-reply rules: match incoming DMs/comments against keyword rules you defined and send the reply you authored.
• Scheduled posts: hold queued media until your chosen publish time, then submit it to Meta.
• Analytics: snapshot daily metrics so you can see trends over time.

4.3 How long we hold it

• Direct messages: 90 days after the 24-hour window closes, or until you delete the conversation, whichever comes first.
• Comments: 90 days after creation.
• Scheduled posts: until the scheduled publish time + 7 days for retry/audit, then deleted.
• Analytics snapshots: 24 months.
• Access tokens: stored encrypted at rest; rotated by Meta's 60-day refresh; revoked if you disconnect.

4.4 What we never collect from iOS

• Your Instagram password (Meta handles authentication; we never see it).
• Followers' contact info, location, payment data, or anything beyond what Meta returns for the features you enable.
• Content from accounts you don't own (except the comments and DMs people send to your account).

5. How we share data

We do not sell or rent your data. We only share it with:

• Meta Platforms, Inc. — to send the actions you authorize (post a scheduled post, reply to a DM, etc.) back to Instagram on your behalf.
• Infrastructure providers we use to run BotPilot Creator's backend: DigitalOcean (hosting), and Firebase Cloud Messaging (push notifications). These providers process data on our behalf under standard data processing agreements.
• Payment processors if you subscribe: Apple (via in-app purchase) or Stripe (via web-billing). They handle billing data; we receive only the subscription status.
• Legal obligations — if compelled by valid legal process, we will disclose narrowly and notify you when permitted.

6. Your rights

• Disconnect: revoke our access from your Instagram settings or the in-app "Disconnect" action; we delete tokens immediately and your stored data within 30 days.
• Export: email us at email@jonathanprivat.com for a copy of the data tied to your account.
• Delete: email us at the same address to erase your account and all associated data within 30 days.
• EU/UK residents: you have GDPR rights to access, rectify, port, erase, restrict, or object. Contact us with the request type and we'll respond within 30 days.
• California residents: under CCPA/CPRA, you have rights to know, delete, correct, and opt out of "sale" or "sharing". We do not sell or share your data for cross-context behavioral advertising.

7. Security

We store access tokens encrypted at rest, transmit all backend traffic over TLS, and limit access to operators on a need-to-know basis. No system is perfectly secure; if we discover a breach affecting your data, we will notify you and the relevant authorities within the timeframes required by law.

8. Children

BotPilot is not directed at children under 13 (or the applicable age in your jurisdiction). We do not knowingly collect data from children; if you believe a child has provided us data, contact us and we will delete it.

9. International transfers

Our infrastructure is located in the United States. If you use BotPilot from outside the US, your data will be transferred to and processed in the US under standard contractual clauses or equivalent safeguards where required.

10. Changes to this policy

We will update this policy when our products or practices change. The "Last updated" date at the top reflects the most recent change. For material changes, we will notify you in the app or by email at least 7 days before the change takes effect.

11. Contact

Questions, requests, or complaints: email@jonathanprivat.com.