Privacy Policy

Last updated: 2026-05-03 · Effective date: 2026-05-03

This Privacy Policy explains how MyInstaWeb (“MyInstaWeb,” “we,” “us,” or “our”) collects, uses, stores, shares, and protects your information when you use our website, dashboard, generated subdomain sites, and related services (collectively, the “Service”).

This policy applies to all users of the Service worldwide. By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy.

1. Quick Summary

• What we collect: your email (for sign-in), the photos and captions you upload or import from Instagram, your Instagram handle and bio, and (only if you connect Instagram) a long-lived access token and your Instagram user ID and account type. We collect basic technical data (IP address, user agent) for security and rate limiting.
• What we don't do: we don't sell your personal information, we don't train AI models on your content, we don't track you across other websites, and we don't use third-party advertising trackers.
• How to delete your data: email us at privacy@myinstaweb.com or use the self-serve site delete in your dashboard. We delete account data within 7 days of request.

2. Information We Collect

2.1 Information you provide

• Account information: your email address, used solely for authentication via magic link or Google OAuth.
• Identity information: your Instagram handle, display name, and one-line bio. This is the “label” for your generated site; we do not verify ownership of any Instagram handle you enter.
• User content: photos, captions, and any text you provide when building or editing your site. Photos are stored in private object storage; processed (resized, format-converted) versions are stored in a public bucket only when you publish.
• Editing actions: any changes you make to the AI-generated site (headline edits, photo swaps, archetype changes, vibe hints supplied for regeneration) are persisted so we can render your latest site state.

2.2 Information from Instagram (only if you connect)

If you choose to use the “Connect Instagram” feature, we receive and store the following from Instagram via the official Instagram Business API:

• Your Instagram user ID and username;
• Your Instagram account type (Business, Creator, or Personal);
• A long-lived access token (valid up to 60 days, used to fetch your media on your request);
• On your explicit “Import” action: up to your 20 most recent media items, including the image data, caption text, posted timestamp, and like count.

We do not read your DMs, comments, followers, or any data outside the scopes you grant. You may disconnect Instagram at any time, which revokes the token on our side and severs our access.

2.3 Information collected automatically

• Technical data: IP address, user agent string, and request metadata, used for rate limiting, fraud prevention, and debugging.
• Cookies: a single first-party session cookie (set by Supabase Auth) to keep you signed in. We don't use any third-party advertising or cross-site tracking cookies.
• Analytics: anonymous, cookieless page-view counts via Vercel Analytics. No cross-site tracking or fingerprinting.

2.4 What we do NOT collect

• We do not collect your phone number, postal address, payment information (no payments today), government ID, or biometric data.
• We do not collect data about you from data brokers, social-listening tools, or third-party advertising networks.

3. How We Use Your Information

We use the information we collect for the following purposes:

• To provide the Service: hosting your generated site, allowing you to edit and publish, and importing your Instagram content on your request.
• To generate your site: photos and captions are sent to a large language model (Anthropic Claude or Azure OpenAI, see Section 5) to extract design signals (color palette, mood, voice) and produce a site configuration. This is the core feature of the Service.
• To authenticate you: email is used to send magic-link sign-in emails.
• To secure the Service: rate limiting, abuse detection, preventing fraudulent account creation.
• To communicate with you: transactional emails about your account (sign-in links, account changes). We do not send marketing email without your explicit opt-in.
• To comply with legal obligations: respond to lawful requests from authorities, enforce our Terms, and protect our rights.

4. Legal Bases (GDPR / UK GDPR)

If you are in the European Economic Area, the United Kingdom, or Switzerland, we process your personal data under the following legal bases:

• Contract (Article 6(1)(b)): processing necessary to provide the Service you signed up for, hosting your site, generating your content, importing from Instagram on your request.
• Consent (Article 6(1)(a)): for optional features like connecting your Instagram account. You can withdraw consent at any time.
• Legitimate interest (Article 6(1)(f)): for security, anti-abuse, and basic anonymous usage analytics.
• Legal obligation (Article 6(1)(c)): when required by applicable law.

5. Sub-processors and Third Parties

We use the following service providers to operate MyInstaWeb. Each is bound by data-protection terms and processes your data only to provide services to us.

• Supabase, Inc., authentication, database, and object storage. Data hosted in the AWS region you select. (Privacy)
• Vercel, Inc., application hosting, edge network, and anonymous analytics. (Privacy)
• Anthropic, PBC, large language model (Claude) used to generate your site, when configured as our LLM provider. Anthropic does not train on inputs sent through their API. (Privacy)
• Microsoft Corporation (Azure OpenAI), large language model used to generate your site, when configured as our LLM provider. Azure OpenAI does not train on inputs sent through their API. (Privacy)
• Meta Platforms, Inc., only invoked if you choose to connect your Instagram account. We send Instagram a request to fetch your media on your behalf; we do not share data with Meta beyond what Instagram's OAuth flow requires. (Meta privacy)
• Google LLC, only if you choose to sign in with Google OAuth. Used solely for authentication. (Privacy)

We use only one LLM provider at a time (whichever is configured for the deployment you're using). We will update this list if we add or change providers and notify users of material changes per Section 14.

5.1 AI processing disclosure

To generate your site, we send the following to the configured LLM provider: (a) reduced-resolution thumbnails of up to 6 of your photos; (b) the bio you provided; (c) caption text from your posts (truncated to 200 characters each, up to 30 captions); (d) your display name and Instagram handle. The provider returns a JSON design configuration which we use to render your site. Neither Anthropic nor Microsoft Azure OpenAI uses API inputs to train their foundation modelsper their published policies. We do not store the AI's raw responses beyond the validated configuration for your site.

6. Sharing of Information

We do not sell your personal information. We share your information only:

• With the sub-processors listed in Section 5, strictly to operate the Service;
• When you explicitly publish a site to a public subdomain, at that point, the photos, copy, and design choices on that site become publicly accessible via the URL you choose;
• In response to a lawful subpoena, court order, or other valid legal process, where we have a good-faith basis to believe disclosure is required;
• In connection with a merger, acquisition, or sale of assets, in which case the acquirer is bound by this Privacy Policy until it is updated and you are notified.

7. International Data Transfers

MyInstaWeb is operated from servers in the United States and other regions where our sub-processors operate. If you are outside the United States, your information will be transferred to and processed in countries that may have different data protection laws than yours. Our sub-processors implement appropriate safeguards (Standard Contractual Clauses, adequacy decisions where applicable). By using the Service, you consent to such transfers.

8. Data Retention

• Account data: retained for as long as your account is active.
• Generated sites and uploads: retained while the site exists. You can delete an individual site at any time from the dashboard.
• Instagram access tokens: retained until you disconnect Instagram or until the 60-day expiry, whichever comes first.
• Inactive accounts: we may delete accounts that have been inactive for 24+ months after written notice.
• Backups: encrypted backups may retain deleted data for up to 30 additional days as a normal part of operations.

9. Security

We protect your information with reasonable technical safeguards:

• TLS encryption in transit for all requests;
• Encryption at rest for the database and object storage (AES-256);
• Server-only handling of privileged credentials (Instagram access tokens, Supabase secret keys), never exposed to the browser;
• Row-level security on all user-owned data in our database;
• Rate limiting on public endpoints to prevent abuse;
• HMAC-SHA256 signature verification on all incoming webhooks.

No system is perfectly secure. If we discover a breach affecting your personal data, we will notify you within 72 hours where required by applicable law.

10. Your Rights

10.1 Universal rights

Regardless of where you live, you can:

• Access your data, visible in your dashboard; export available on request.
• Correct your data, edit your site, change your handle, update your bio at any time.
• Delete your data, delete individual sites from the dashboard, or email us at privacy@myinstaweb.com for full account deletion.
• Disconnect Instagram at any time from the dashboard.

10.2 European Economic Area, UK, and Switzerland (GDPR)

If you are in the EEA, UK, or Switzerland, you also have the right to:

• Restriction of processing in certain circumstances;
• Object to processing based on legitimate interest;
• Data portability, receive your data in a machine-readable format;
• Withdraw consent for any processing based on consent (e.g., disconnect Instagram);
• Lodge a complaint with your local data protection authority. A list of EEA authorities is available here.

10.3 California (CCPA / CPRA)

If you are a California resident, you have the right to: know what personal information we collect, delete your information, correct inaccurate information, and opt-out of the sale or sharing of your information. We do not sell or share personal information as defined by California law, so there is nothing to opt out of. To exercise other rights, email us at privacy@myinstaweb.com. We will not discriminate against you for exercising any of these rights.

10.4 Other US states

Residents of Colorado, Connecticut, Virginia, Utah, and other US states with comprehensive privacy laws have rights similar to those described in Section 10.2. To exercise your rights, contact us at privacy@myinstaweb.com.

10.5 How to exercise your rights

For most rights, the dashboard offers self-serve options. For anything not covered there, email privacy@myinstaweb.com from the email address associated with your account. We respond within 30 days (or sooner where required by law). We may need to verify your identity before processing certain requests.

11. Children's Privacy

MyInstaWeb is not directed at children. We do not knowingly collect personal information from anyone under the age of 13 (or under 16 in the EEA). If you believe a child has provided us personal information, please email privacy@myinstaweb.com and we will delete it promptly.

12. Cookies and Similar Technologies

We use the minimum cookies required to operate the Service:

• Authentication cookies, set by Supabase Auth to keep you signed in. First-party, HttpOnly, Secure.
• Functional storage, we may store small values in browser session storage (e.g., your Instagram handle in flight to the wizard) to make the experience seamless.

We do not use advertising cookies, cross-site tracking pixels, or fingerprinting techniques. Our analytics provider (Vercel Analytics) is cookieless.

13. Third-Party Links and Published Sites

Sites you publish through MyInstaWeb may contain links you add (e.g., your Instagram profile, your email). We are not responsible for the privacy practices of those external sites. Our Service is also not affiliated with Instagram or Meta, we use Instagram's public API only with your explicit consent.

14. Changes to This Policy

We may update this Privacy Policy from time to time. The “Last updated” date at the top reflects the most recent change. For material changes (changes to the categories of data collected, the purposes of processing, or the sub-processors used), we will notify you by email at least 14 days before the change takes effect. Your continued use of the Service after the change constitutes acceptance of the updated Policy.

15. Data Controller / Contact

The data controller for the purposes of GDPR and UK GDPR is MyInstaWeb. To contact us about this Privacy Policy or exercise your rights:

• Email: privacy@myinstaweb.com

We do not currently have an EU representative. EEA users may contact their local data protection authority directly per Section 10.2.

16. Disclaimer

This Privacy Policy describes our actual data practices to the best of our knowledge as of the effective date. It does not constitute legal advice. If you have specific compliance requirements (e.g., HIPAA, PCI-DSS, FERPA), MyInstaWeb is not designed to handle those categories of data and you should not use the Service for them.