Privacy Policy

Effective date: July 2025

DMMASTER.ai (“DMMASTER”, “we”, “us”) respects your privacy. This Privacy Policy describes how we collect and use personal data when you use our AI assistant, which responds to Instagram Direct messages on behalf of brands.

1. What We Collect

• Instagram account data: Instagram account ID, username, and profile information (for authorization and service provision)
• Message content: Messages exchanged through Instagram Direct Messages between users and the connected Instagram account
• Technical data: IP addresses, device information, timestamps, error logs, and usage analytics
• Interaction data: User engagement patterns, response times, and service usage statistics

2. Data Controller

The data controller is:
MagicStone LLC
Registered in the United States

MagicStone LLC determines the purpose and means of the processing of user data collected via this application.

3. Legal Basis for Processing

We process your personal data based on:

• Consent: When you authorize our app through Instagram, you provide explicit consent for automated messaging
• Legitimate interests: For service improvement, technical support, and fraud prevention
• Contract performance: To provide the AI assistant service as requested

4. User Consent and Authorization

How Consent is Obtained:

• When you connect your Instagram account to DMMASTER, you explicitly authorize our service
• You consent to receiving automated AI-generated responses to messages sent to the connected account
• Authorization is clearly presented during the Instagram OAuth process
• You acknowledge that an AI assistant will handle incoming messages

What You're Consenting To:

• Processing of your message content to generate appropriate AI responses
• Automated replies sent within 24 hours of user initial message (in compliance with Meta's messaging policies for business accounts)
• Storage of conversation data for service continuity and improvement
• Technical processing required to maintain the service

5. How We Use the Data

We use your data exclusively to:

• Generate AI responses: Process incoming messages to create contextually appropriate automated replies
• Maintain service quality: Ensure technical stability, debug issues, and prevent service interruptions
• Improve functionality: Analyze usage patterns to enhance the AI assistant's performance (in aggregate form only)
• Provide support: Assist with technical issues and respond to user inquiries
• Comply with legal obligations: Meet regulatory requirements and respond to lawful requests

Important: We do not use your personal messages for training external AI models or for any commercial purposes beyond providing the agreed service.

6. Types of Messages We Send

Automated Response Types:

• Informational responses: Answers to frequently asked questions about products/services
• Acknowledgment messages: Confirmations that messages have been received
• Support guidance: Directing users to appropriate resources or human support
• Business hours notifications: Informing about availability and response times

Message Timing:

• Responses are sent within 24 hours of receiving your message (in compliance with Meta's messaging policies for business accounts)
• We do not send unsolicited marketing messages or promotional content
• All automated messages are clearly related to your initial inquiry

Prohibited Message Types:

We do not send:

• Spam or unsolicited promotional content
• Messages unrelated to your original inquiry
• Marketing content outside the 24-hour response window without proper authorization
• Messages that violate Meta's Community Standards

7. Sharing of Data

We do not sell, rent, or trade your personal data. We may share data only in the following limited circumstances:

Authorized Sharing:

• Brand account owners: The business that owns the connected Instagram account may access conversation data for customer service purposes
• AI processing services: OpenAI processes message content solely to generate responses. OpenAI is contractually prohibited from using your data for model training (see their policy at openai.com/policies)
• Technical infrastructure: n8n Cloud (n8n.io) processes data for message routing between Meta's API and OpenAI, in compliance with applicable data protection laws
• Service providers: Hosting, security, and technical support providers under strict data processing agreements

Legal Requirements:

• Law enforcement agencies when required by law, court order, or legal process
• Regulatory authorities for compliance purposes
• Protection of our legal rights and user safety

8. Data Security

We implement industry-standard security measures:

• Encryption: Data is encrypted in transit and at rest
• Access controls: Limited access to authorized personnel only
• Regular audits: Security practices are regularly reviewed and updated
• Compliance monitoring: Ongoing assessment of data processing activities

9. Data Retention

• Message data: Retained only as long as necessary to provide the service or until deletion is requested
• Technical logs: Kept for up to 90 days for security and troubleshooting purposes
• Account information: Maintained while the service authorization remains active
• Deleted data: Permanently removed within 30 days of deletion request processing

10. Your Rights

Under applicable data protection laws, you have the right to:

Access and Control:

• Access: Request information about what personal data we store about you
• Rectification: Correct inaccurate or incomplete information
• Deletion: Request removal of your personal data (see our Data Deletion page)
• Portability: Receive your data in a structured, machine-readable format
• Restriction: Limit how we process your data in certain circumstances

How to Exercise Your Rights:

• Email: Contact us at [email protected]
• Instagram settings: Revoke app authorization through your Instagram account settings

Opt-Out Options:

• Immediate: Revoke app permissions
• Partial: Request limitation of specific data processing activities
• Complete: Request full data deletion through our data deletion process

11. Third-Party Services

Meta/Facebook/Instagram:

Our service operates under Meta's Developer Policies and Terms of Service. By using our service, you acknowledge that Meta's own privacy policies and terms also apply to the underlying Instagram messaging functionality.

OpenAI:

We use OpenAI's services solely for generating AI responses. OpenAI's processing is governed by their privacy policy and our data processing agreement, which prohibits using your data for model training.

12. International Data Transfers

Your data may be processed in the United States and other countries where our service providers operate. We ensure adequate protection through:

• Standard Contractual Clauses (SCCs)
• Adequacy decisions where applicable
• Additional safeguards as required by law

13. Children's Privacy

• This service is not intended for users under 18 years of age
• We do not knowingly collect personal data from children
• If we become aware of data collection from a child, we will delete it immediately
• Parents/guardians may contact us to request deletion of any child's data

14. Business Transfers

In the event of a merger, acquisition, or sale of business assets, user data may be transferred as part of the transaction. We will notify users of any such transfer and ensure the acquiring party commits to protecting data according to this Privacy Policy.

15. Updates to This Policy

• We may update this Privacy Policy to reflect changes in our practices or legal requirements
• Notice: Significant changes will be communicated via email and/or prominent notice on our website
• Effective date: Changes take effect 30 days after notification unless immediate compliance is required by law
• Continued use: Using our service after changes become effective constitutes acceptance of the updated policy

16. Compliance and Oversight

We comply with:

• Meta Developer Policies and Instagram Platform requirements (required for all users)
• Other applicable data protection and privacy laws where our service is offered

17. Contact Information

Data Protection Inquiries:

• Email: [email protected]
• Subject line for data requests: Include “Privacy Request” or “Data Deletion Request”
• Response time: We respond to all privacy inquiries within 3 business days

Data Controller Contact:

MagicStone LLC
United States
Email: [email protected]

Support and Technical Issues:

For technical support, service questions, or to report issues with automated responses, contact us using the same email address with “Technical Support” in the subject line.

This Privacy Policy was last updated on July 22, 2025, and is designed to comply with Meta's Platform requirements and other applicable privacy regulations.