Overview
Instanto ("we", "us") is a website builder that turns Instagram feeds into live business websites. We act as a data controller for account owners, and as a data processor when we collect analytics on behalf of businesses using our platform.
If you are a visitor to a customer site built with Instanto: The business that built that site controls your data. We process page views and click events solely on their behalf. Contact that business for their privacy notice.
If you are an Instanto account owner: This policy applies fully to you. Read on.
Account owner data we collect
When you create an account or use Instanto, we collect:
- Account credentials: Email address (for sign-in and support)
- Instagram connection: Your Instagram username, user ID, access token (stored encrypted), and follower/post counts — to build and keep your site updated
- Business profile: Name, tagline, phone, email, address, hours, booking URL, and template choice — you control the public visibility of each field
- Site configuration: Subdomain, post visibility, feature integration connections (Calendly, SevenRooms, etc.)
- Billing: If you upgrade to a paid plan, billing email and subscription state. Stripe retains payment method data separately — we never see or store card details.
Operational and security logs
To keep the service reliable and secure, our servers record operational log data on every request. This data is used solely for troubleshooting, abuse prevention, and platform health monitoring — it is never used for advertising or sold.
Each log entry may include:
- Request metadata: HTTP method, URL path, response status code, and response time in milliseconds
- Browser/client identifier: User-agent string (browser name, version, and OS — e.g. "Chrome 124 on macOS")
- Country: Country code derived from your IP address at the network edge (e.g. "DE" for Germany). Your IP address itself is not stored.
- Referring page: The URL of the page that linked to us, if any — stripped of any sensitive query parameters (access tokens, codes, email addresses) before storage
- Cloudflare data centre: A two-letter code indicating which Cloudflare edge server handled your request (e.g. "AMS" for Amsterdam) — used for latency diagnostics only
Operational logs are retained for 30 days, then automatically deleted. They are processed in Axiom (see Data Processors below).
When our operators perform administrative actions (force-refreshing your Instagram token, adjusting your plan, accessing system settings), the operator's email address, action taken, and timestamp are recorded in an admin audit log. This log is retained for 180 days. It is never visible to end users and is accessible only to authorised Instanto operators.
Visitor analytics on your site
When visitors view your Instanto-hosted site, we collect on your behalf:
- Page view and CTA (call-to-action) click events
- Device type (mobile or desktop)
- General region (country level only — no city or precise location)
- Coarse traffic source (direct, social, search, other — not raw referrer URL)
In EU/EEA, UK, and Switzerland: We only record this data after your visitor consents via the analytics consent banner shown on your site. If they decline, we do not track them.
Outside regulated regions: We collect this data based on our legitimate interest in helping you understand your site traffic. No consent banner is shown.
What we do not collect: Visitor IP addresses, full referrer URLs, or individual visitor profiles.
How we use your data
We use your data to:
- Build and serve your Instanto website
- Keep your Instagram content synchronised and your site up to date
- Send authentication and transactional emails (sign-in links, billing receipts, subscription updates)
- Provide analytics dashboards to you (visitor counts, CTA clicks)
- Detect and prevent fraud, abuse, and security incidents
- Diagnose and resolve technical issues
We do not sell your data, use it for advertising, or share it with third parties for their own marketing purposes.
Data storage and security
Your account and site data is stored in Supabase (PostgreSQL, EU region — Frankfurt, Germany). Operational and audit logs flow to Axiom (US — see Data Processors). Cached media files are stored in Cloudflare R2 (globally distributed).
Instagram access tokens are encrypted at rest using industry-standard encryption. All data is transmitted over HTTPS. Access to the production database is restricted to authorised operators and is audit-logged. We apply row-level security policies to prevent cross-account data access.
Cookies and tracking on our platform
We use a session cookie issued by Supabase Auth to keep you signed in to your Instanto dashboard. This is a strictly necessary cookie — no consent is required. We do not use third-party advertising or tracking cookies on our platform (dashboard, signup, or login pages).
Mobile application
When you use the Instanto mobile app (iOS or Android), in addition to the account data described above, we collect:
- Push notification token: If you grant notification permission, your device generates a push token. We store this token in our database and use it solely to deliver product notifications (e.g. sync completion alerts, Instagram connection warnings). You can revoke permission at any time in your device Settings → Notifications. Revoking permission does not affect your account.
- Crash and performance data (Sentry): We use Sentry to collect crash reports and performance traces. Each report contains stack traces, device OS version, app version, and device model category (e.g. “iPhone 15”). No personally identifiable information — name, email address, Instagram handle, or business details — is attached to crash events. We do not collect your device’s advertising identifier (IDFA or GAID); Apple’s App Tracking Transparency (ATT) prompt is therefore not required or shown.
- App-open counter (on-device only): We store a counter of how many times you have opened the app using on-device storage (AsyncStorage). This counter is used solely to decide whether to show a one-time “Rate the app” prompt after 3 opens. It is never transmitted to our servers.
Account deletion from the mobile app: You can delete your account from the Account tab → Delete Account within the app. Deletion is permanent and removes all data as described under “Your data rights” above.
Instagram data and revocation
We access your Instagram media and profile via the official Instagram Graph API under your authorisation. Your access token is automatically refreshed every 60 days to remain valid. You can revoke our access at any time:
- From Instagram: Settings → Apps and Websites → Instanto → Remove access
- From Instanto: Delete your account (Account tab → Delete Account), which revokes the token immediately
Once revoked, we cannot sync new Instagram posts. Existing published posts on your site remain until you delete them or delete your account.
Instagram preview trial (account-less)
When you choose “Connect Instagram & see your site” without creating an account, we temporarily process the following data under an anonymous session:
- What we process: your Instagram public profile, recent posts, and the Meta access token — held in a temporary anonymous account solely to build your live preview.
- Purpose: to build your site preview at your request, before any account is created.
- Legal basis: Article 6(1)(b) GDPR — processing is necessary for steps taken at your request prior to entering a contract.
- Retention: if you do not claim the site (by adding an email or signing in), the trial and all associated data are deleted within 24 hours and the Meta access token is revoked. You can also discard it immediately by clicking “This isn’t me” on the preview screen.
- Meta data-deletion: we honour Meta’s data-deletion callback — any data associated with your Instagram connection is deleted upon receipt of a deletion request from Meta.
- Your rights: even during a trial you can exercise the right to erasure immediately using “This isn’t me” on the preview, or by contacting privacy@instanto.site.
Your data rights (GDPR, UK GDPR, Swiss nDSG)
If you are in the EU/EEA, UK, or Switzerland, you have the right to:
- Access: Receive a copy of all personal data we hold about you — request from the Account tab in your dashboard or by emailing privacy@instanto.site
- Rectification: Correct inaccurate personal data — you can update most data directly in your dashboard settings
- Erasure ("right to be forgotten"): Request permanent deletion of your account and associated data. Initiate this from Account tab → Delete Account. We will delete your account, sites, analytics, and stored Instagram connection data within 7 days of a confirmed request. Operational logs (30-day rolling) and admin audit logs (180-day rolling) are purged on their regular schedule; references to your user ID in those logs are deleted within 30 days of your request.
- Portability: Receive a copy of your data in a portable, machine-readable format — email privacy@instanto.site
- Restriction and objection: Restrict or object to specific processing activities — email privacy@instanto.site
- Withdraw consent: Where processing relies on your consent (e.g. visitor analytics on your site), you may withdraw it at any time without affecting the lawfulness of prior processing
We aim to respond to all rights requests within 15 working days. Complex or high-volume requests may take up to 30 days; we will notify you of any extension.
Analytics on our own website (instanto.site)
We collect lightweight analytics on the Instanto marketing pages (the homepage and related pages on instanto.site) to understand traffic sources, popular pages, and which calls-to-action visitors interact with. This data does not leave our infrastructure: events are sent directly to our edge runtime and stored in Axiom for 30 days. No third-party advertising or tracking is involved.
- What we collect: page path, referrer, coarse traffic source (search / social / direct), device type (mobile / desktop), country (and city/region outside regulated regions), CTA click identifiers, scroll milestones.
- What we do not collect: IP address, full referrer URL, individual visitor identifiers, third-party cookies, ad-network signals.
- Cookie: we set a single first-party cookie named
_marketing_consentto remember your consent choice (1 year,Secure,SameSite=Lax). This cookie is strictly necessary to record your decision and is exempt from consent under ePrivacy. - Consent: in the EU/EEA, UK, and Switzerland, no analytics events are recorded until you click Okay on the consent banner. The No thanks button is presented with equal visual prominence. You can withdraw consent at any time by clearing the
_marketing_consentcookie in your browser. - Legal basis: consent (Art. 6(1)(a) GDPR) in regulated regions; legitimate interest (Art. 6(1)(f)) elsewhere.
Data retention
- Account and site data: Retained while your account is active. Deleted promptly upon confirmed account erasure.
- Visitor analytics events (customer sites): Retained for 90 days from collection, then automatically deleted.
- Marketing-site analytics (instanto.site homepage): Retained for 30 days in Axiom, then automatically deleted by Axiom's dataset retention policy. Stored under sentinel identifier
subdomain=marketing, plus a session-scoped pseudonymous ID (visitor_session_id) used to compute unique-visitor counts. The session ID lives in browsersessionStorageonly — it is regenerated when you close the tab and never persisted across visits or written to a cookie. - Operational logs (Axiom): Retained for 30 days, then automatically deleted by Axiom's dataset retention policy.
- Admin audit logs: Retained for 180 days, then automatically deleted.
- Stripe billing records: Stripe retains transaction records for 7 years as required by financial regulations. Our internal billing event records are deleted 90 days after account deletion, except where needed for open dispute resolution.
- Database backups: Supabase maintains automated point-in-time recovery backups for 30 days. These are managed by Supabase. Deleted accounts are excluded from new backups immediately; they age out of existing backups within 30 days.
Data processors and international transfers
We rely on the following sub-processors to operate Instanto. All processors are bound by data processing agreements and are required to handle personal data in compliance with GDPR.
- Supabase, Inc. (US entity, EU region — Frankfurt) — Account database, authentication, and row-level security. Data residency in the EU; transfer governed by Standard Contractual Clauses (SCCs). — DPA
- Cloudflare, Inc. (US) — Edge compute (Worker functions), R2 object storage (cached media), and global CDN. Cloudflare participates in the EU-US Data Privacy Framework (DPF). — Cloudflare Trust Hub
- Axiom, Inc. (US) — Operational log analytics and platform health monitoring. Stores operational logs, security events, and admin audit logs for 30 days. Axiom participates in the EU-US Data Privacy Framework (DPF), providing an adequacy-equivalent transfer mechanism for data flows from the EU/EEA. No raw personal data (name, email, business details) is sent to Axiom; logs contain technical identifiers only (request paths, status codes, country code, user-agent, sanitised referrer). — Axiom Privacy Policy
- Stripe, Inc. (US) — Payment processing and subscription management. Stripe participates in the EU-US Data Privacy Framework (DPF) and has SCCs in place. We share only your billing email and subscription state with Stripe; we never transmit card details. — Stripe Privacy Policy
- Resend, Inc. (US) — Transactional email delivery (sign-in magic links, billing receipts, account notifications). We pass your email address and relevant message content to Resend solely to deliver these messages. Resend retains delivery logs for 30 days. — Resend Privacy Policy
- Sentry, Inc. (US) — Crash reporting and performance monitoring for the Instanto mobile app. Sentry receives anonymised crash traces containing stack traces, app version, and device OS. No PII (name, email, or business details) is transmitted to Sentry; advertising identifiers (IDFA/GAID) are not collected. — Sentry Privacy Policy
- Meta Platforms Ireland Ltd / Instagram — OAuth provider for Instagram connection. After the initial OAuth grant, we store your access token (encrypted); Meta does not receive ongoing data from us. — Instagram Privacy Center
Transfer mechanisms: For data transfers outside the EU/EEA, we rely on one or more of the following: (1) EU-US Data Privacy Framework (DPF) certification held by the recipient (Cloudflare, Axiom, Stripe); (2) Standard Contractual Clauses (SCCs) (EU Commission Decision 2021/914, modules 1–4 as applicable); or (3) the data subject's explicit consent. We do not transfer data to countries without an EU adequacy decision or a recognised transfer mechanism.
Children
Instanto is not directed at individuals under 16 (or the applicable age of digital consent in your region). We do not knowingly collect personal data from minors. If we become aware that an account belongs to a user under 16, we will delete it promptly. If you believe a minor has created an account, please contact privacy@instanto.site.
Changes to this policy
We may update this policy as the product evolves or regulations change. When we make material changes, we will notify you by email to your registered account address at least 14 days before the change takes effect. The "Last updated" date at the top of this page reflects the most recent revision. Your continued use of Instanto after a material change constitutes acceptance of the updated policy.
Questions or complaints?
Contact us at privacy@instanto.site. We will acknowledge your message within 2 working days and aim to resolve it within 15 working days.
If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority:
- EU/EEA: Your country's national supervisory authority — EDPB member list
- UK: Information Commissioner's Office (ICO) — ico.org.uk
- Switzerland: Federal Data Protection and Information Commissioner (FDPIC) — edoeb.admin.ch