Privacy Policy
Last updated: May 15, 2026
This Privacy Policy explains how Lyncly ("we", "us", "our") collects, uses, and protects information about you when you use our Instagram DM automation service at www.lyncly.io.
1. Information We Collect
We collect information you provide directly: your email address and account credentials when you sign up; your Instagram Business account details (username, user ID, follower count) when you connect an account; campaign settings, keywords, and message templates you configure; and payment information processed by Stripe (we never store card numbers). We also collect information automatically: usage data (pages visited, features used, timestamps), log data (IP address, browser type, referring URL), and performance metrics from our servers.
2. How We Use Your Information
We use your information to: • Provide and operate the Lyncly service • Send automated Instagram DMs on your behalf as instructed by your campaigns • Process payments and manage your subscription • Send transactional emails (receipts, alerts, token expiry notices) • Monitor system health, detect errors, and prevent abuse • Comply with legal obligations We do not sell your personal data. We do not use your data to train AI models.
3. Instagram & Meta Data
To deliver our core service, we store your Instagram access token in encrypted form (AES-256-GCM) with a unique random initialization vector (IV) per token, prepended to the ciphertext. Encryption keys are stored only as environment variables and are never logged or transmitted. This token allows us to send DMs, read comments, and subscribe to webhooks on your behalf. We request only the permissions necessary for the service: • instagram_business_basic — read your Instagram profile and account details • instagram_business_manage_messages — send and receive direct messages on your behalf • instagram_business_manage_comments — read comments on your posts to trigger automation We subscribe to the following Instagram webhook fields on your behalf: comments, live_comments, messages, and message_echoes. Incoming messages are monitored solely to detect opt-out keywords (e.g. "STOP") so that users can stop receiving automated replies at any time. Automated DMs sent by Lyncly are triggered by user actions (commenting on your post). Recipients can opt out at any time by replying "STOP" to any automated message. We comply with Meta's Platform Terms, Developer Policies, and Responsible Platform Initiatives. Data received from Meta's APIs is used solely to provide the service you requested and is not shared with third parties beyond what is required to operate the service.
4. Data Storage & Security
Your data is stored in a PostgreSQL database hosted by Supabase in the United States. Access tokens are encrypted at rest using AES-256-GCM. All data in transit is encrypted via TLS 1.2+. We use Upstash Redis for rate-limiting state (no personally identifiable information is stored in Redis beyond account identifiers). We retain your data for as long as your account is active. Upon account deletion, your data is purged within 30 days.
5. Data Sharing
We share data only with service providers necessary to operate Lyncly: • Supabase — database and authentication • Vercel — hosting and edge functions • Stripe — payment processing • Upstash — rate limiting • Inngest — background job processing • PostHog — product analytics (anonymized) • Resend — transactional email Each provider is contractually bound to process data only as directed by us and in compliance with applicable privacy law.
6. Your Rights
You have the right to: • Access the personal data we hold about you • Correct inaccurate data • Request deletion of your data • Export your data in a machine-readable format • Withdraw consent at any time (which may affect your ability to use the service) To exercise any of these rights, email us at support@lyncly.io. We will respond within 30 days.
7. Automated Messaging Disclosure
Lyncly sends direct messages on behalf of Instagram Business account holders in response to user-initiated actions (e.g. commenting a keyword on a post). These messages are automated. In compliance with Meta's Platform Terms, all automated interactions should be disclosed to recipients at the start of a conversation. We recommend including a disclosure in your campaign message templates, for example: "This is an automated reply from [Your Name]." Recipients may opt out of automated messages at any time by replying "STOP", "UNSUBSCRIBE", or similar keywords. Lyncly will immediately mark the user as opted-out and no further automated DMs will be sent to them on that account.
8. Cookies
We use only essential cookies required for authentication (Supabase session cookie) and analytics (PostHog, which respects Do Not Track). We do not use advertising cookies or sell data to ad networks.
9. Children's Privacy
Lyncly is not directed at children under 13. We do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, please contact us immediately.
10. Changes to This Policy
We may update this policy from time to time. We will notify you by email or in-app notice at least 14 days before material changes take effect. Continued use of the service after the effective date constitutes acceptance.
11. Contact
Lyncly Email: support@lyncly.io Website: www.lyncly.io