1. Who we are and what this policy covers
DmBot is operated by Amaran LLC, doing business as DmBot, a Delaware limited liability company in the United States. This Privacy Policy applies to dmbot.co, the DmBot application, related dashboards, support interactions, and services that link to this policy (collectively, the “Service”).
For account, website, billing, security, and product-improvement data, DmBot generally acts as the business or data controller. When a customer uses DmBot to process Instagram comments, direct messages, contacts, or lead information through a workspace, the customer generally decides why and how that data is used, and DmBot processes it as a service provider or processor on the customer’s behalf.
Customer responsibility: Businesses and creators using DmBot must provide their own notices and obtain any consent required for their campaigns, lead collection, and marketing communications.
2. Information we collect
Account and workspace information
We may collect your name, email address, authentication identifiers, workspace name, role, plan, settings, support requests, and records of your agreement to our terms.
Instagram integration information
When you connect an eligible Instagram Professional account through Meta’s supported authorization flow, we may receive and process information permitted by the permissions you approve, such as your Instagram account identifier, username, profile details, media or post identifiers, comments, direct messages, message participants, timestamps, and related metadata needed to run automations. We do not ask for or store your Instagram password.
Access tokens and connection identifiers are used to maintain the integration. DmBot’s production architecture is designed to keep tokens server-side and protect them using encryption and access controls.
Automation, contact, and lead information
We process workflow triggers, keywords, message content, response steps, delivery status, tags, usage counters, and event logs. If a person voluntarily provides an email address, phone number, or other information during a customer’s conversation flow, that information may be stored in the customer’s workspace.
Billing information
Paid subscriptions are processed through Stripe or another disclosed payment processor. DmBot receives transaction details such as plan, amount, status, billing contact, and payment method type, but we do not directly store complete payment-card numbers.
Device, usage, cookie, and log information
We may collect IP address, browser and device type, operating system, pages viewed, referral information, approximate region, timestamps, error logs, security events, and feature usage. We use necessary cookies or similar technologies for authentication, preferences, security, and reliable operation. Any optional analytics or advertising technology will be disclosed and, where required, offered only after an appropriate consent choice.
3. How we use information
- Provide, authenticate, maintain, and improve the Service.
- Connect Instagram accounts and execute customer-configured automation workflows.
- Measure usage, enforce Free, Pro, and Enterprise limits, and prevent duplicate or abusive activity.
- Process subscriptions, invoices, renewals, cancellations, and billing support.
- Respond to support, security, legal, and data-rights requests.
- Detect fraud, spam, unauthorized access, platform misuse, and violations of our Terms.
- Send service notices and, where permitted, product communications. You may opt out of non-essential marketing email.
- Comply with law, enforce agreements, and protect users, DmBot, Meta, and the public.
4. Legal bases for EEA and UK users
Where European or UK data-protection law applies, we rely on one or more of these legal bases:
- Contract: processing needed to provide the Service you request.
- Legitimate interests: operating, securing, supporting, and improving DmBot in ways that do not override your rights.
- Consent: where you make an optional choice or the law requires consent. You may withdraw consent prospectively.
- Legal obligation: processing needed to satisfy tax, accounting, fraud-prevention, law-enforcement, or other legal requirements.
5. How we disclose information
We may disclose information only as reasonably necessary to the following categories:
- Customer workspace owners and authorized members who control access to workspace data.
- Meta and Instagram to operate the customer-authorized integration and comply with platform requirements.
- Infrastructure and service providers, which may include Vercel, Supabase, Upstash, Inngest, Stripe, communications vendors, security vendors, and professional advisers, subject to contractual and security obligations appropriate to their roles.
- Authorities or affected parties when reasonably necessary to comply with law, respond to valid process, protect safety or rights, investigate abuse, or enforce agreements.
- A successor organization in a merger, financing, acquisition, reorganization, or sale of assets, subject to appropriate confidentiality protections.
DmBot does not sell personal information or share it for cross-context behavioral advertising. If that practice changes, we will update this policy and provide required choices before the change applies.
6. Retention and deletion
We retain personal information for only as long as reasonably necessary for the purposes described here, including providing the Service, following customer instructions, maintaining security and audit records, resolving disputes, and meeting legal obligations. Retention depends on the data type, account status, workspace settings, platform rules, and legal requirements.
- Account and workspace information is generally retained while the account is active and for a limited period afterward.
- Instagram tokens and active connection data are deleted or disabled when the account is disconnected, access is revoked, or deletion is completed, subject to technical and legal requirements.
- OAuth state values and similar security artifacts are short-lived.
- Automation events, contacts, and lead information are retained according to customer instructions, product settings, and reasonable operational limits.
- Backups are overwritten on a controlled cycle and are not used for ordinary business purposes after deletion.
- Billing, tax, fraud-prevention, and legal records may be retained longer where required.
See our Data Deletion page for request methods and what happens after a request.
7. Security
We use administrative, technical, and organizational safeguards designed to protect information, such as encrypted transport, server-side token handling, access restrictions, logging, webhook verification, and data-separation controls. No service can guarantee absolute security, and you are responsible for protecting your credentials, devices, workspace permissions, and connected Instagram account.
8. International transfers
DmBot is operated from the United States and may use providers in the United States and other countries. Where required, we use recognized transfer mechanisms and contractual protections for cross-border transfers, such as standard contractual clauses or providers participating in an applicable data-transfer framework.
9. Your privacy rights and choices
Depending on where you live and subject to legal exceptions, you may have the right to:
- Know or access personal information we hold about you.
- Correct inaccurate information.
- Delete personal information.
- Receive a portable copy of certain information.
- Restrict or object to certain processing.
- Withdraw consent where processing relies on consent.
- Opt out of certain sale, sharing, targeted-advertising, or profiling practices if they occur.
- Appeal a denied request where local law provides that right.
- Complain to a data-protection authority.
Submit a request through our deletion page or email privacy@dmbot.co. We may verify your identity and authority before acting. Authorized agents may submit requests where permitted by law. We will not discriminate against you for exercising a privacy right.
10. California notice at collection
In the preceding 12 months, we may have collected the categories described above, including identifiers, customer records, commercial information, internet or electronic-network activity, approximate geolocation inferred from IP address, professional information provided for a business account, and inferences about product usage. We collect and disclose these categories for the business purposes described in Sections 3 and 5. We do not knowingly sell or share personal information for cross-context behavioral advertising.
If DmBot becomes legally required to honor a browser-based Global Privacy Control for an applicable practice, we will process that signal as required.
11. Children
DmBot is a business and creator automation service intended for users who are at least 18 years old. It is not directed to children under 13, and we do not knowingly collect personal information from children under 13. Contact us if you believe a child has provided information improperly so we can investigate and delete it where required.
12. Third-party services
The Service connects with third parties such as Instagram, Meta, and Stripe. Their privacy practices are governed by their own policies. DmBot is not responsible for third-party products, accounts, websites, or policies.
13. Changes to this policy
We may update this policy to reflect product, legal, or operational changes. We will post the updated policy and revise the effective date. Where required, we will provide additional notice or obtain consent before a material change applies.
14. Contact us
Privacy questions and rights requests: privacy@dmbot.co
General support: support@dmbot.co
Operator: Amaran LLC d/b/a DmBot, Delaware, United States.