Privacy Policy

1. Who this policy applies to

"instanbul" (the "Application") is a personal-use automation tool operated by an individual ("the Operator") to publish content to Instagram Business accounts that the Operator owns or is explicitly authorized to manage. This privacy policy describes what data the Application processes when the Operator authenticates Instagram and Facebook accounts through Meta's official login flows.

The Application is not offered as a public service. Account holders other than the Operator do not interact with the Application directly.

2. Information we process

When the Operator connects an Instagram or Facebook account through Meta's OAuth flow, the Application receives:

• Account identifiers — Instagram Business Account ID, username, display name, profile picture URL.
• Connected Facebook Page — Page ID, Page name, and a Page Access Token used to publish on the Operator's behalf.
• Public profile metadata — follower count, media count, biography, account type (only what Meta exposes via the Graph API for the connected account).
• Media uploaded by the Operator — videos, images, and captions that the Operator chooses to publish through the Application.

The Application does not receive or store passwords, two-factor codes, direct messages, follower lists, or any data about other users beyond what is publicly attached to a published post.

3. How information is used

The data described above is used solely to:

• Authenticate API requests to Meta's Graph API on the Operator's behalf.
• Publish photos, videos (Reels), and carousels selected by the Operator.
• Display connected accounts in the Application's local interface.
• Track per-account publishing limits required by Meta's platform policies (e.g., 25 posts per 24h).

4. Where data is stored

All authentication tokens and account metadata are stored as JSON files on the Operator's local computer, inside the Application's installation directory (specifically: accounts/<username>.graph.json). Media files reside in the Operator's local downloads/ directory.

The Application does not transmit this data to any server controlled by instanbul. The operator may optionally route media files through a personal Cloudflare tunnel solely so Meta's API can fetch them during the publishing process; the tunnel is endpoint-to-endpoint and does not retain content.

5. Sharing with third parties

The only third party the Application communicates with is Meta (Facebook, Instagram, and Cloudflare, when the Operator chooses Cloudflare for tunneling). Specifically:

• Meta Graph API — receives publish requests, OAuth callbacks, and read calls for connected accounts.
• Cloudflare — optionally relays media files between the Operator's machine and Meta's content fetcher during a publish operation.

Account data, tokens, or media are never sold, rented, or shared with advertisers, analytics providers, or any other third party.

6. Data retention

Account tokens remain on the Operator's machine until the Operator removes them via the Application's "Disconnect" action, which deletes the corresponding .graph.json file. The Operator can also revoke the Application's access at any time from Facebook Business Integrations; revocation immediately invalidates the stored token.

7. Your choices

The Operator can:

• Disconnect any account from within the Application (deletes local token + metadata).
• Revoke the Application's access in Facebook settings (invalidates the token at the source).
• Request deletion of any data described in this policy by contacting the Operator (see Section 9).

For step-by-step removal instructions, see Data deletion.

8. Children's privacy

The Application is not intended for use by individuals under 13, and is not directed at children. Meta's API access is restricted to accounts that comply with Meta's age requirements.

9. Contact

Questions or data requests: contact@instanbul.app

10. Changes to this policy

If this policy changes materially, the updated version will be posted at https://instanbul.app/privacy with a revised "Last updated" date. Continued use of the Application after changes means acceptance of the revised policy.