Privacy Policy

Last updated: May 3, 2025

1. Introduction

KrewHub ("we", "our", or "us") operates the website krewhub.ai and the KrewHub application (the "Service"). This Privacy Policy explains what information we collect, how we use it, and your rights regarding that information.

By using the Service you agree to the collection and use of information as described in this policy. If you do not agree, please do not use the Service.

2. Information We Collect

Account information. When you register we collect your email address, display name, and a hashed password (or an OAuth identifier if you sign in via Google or Facebook).

Instagram account data. When you connect an Instagram Business or Creator account we receive your Instagram User ID, username, and a long-lived access token issued by Meta. We use this token solely to send automated replies on your behalf.

Comment and messaging data. We receive and store the content of comments posted on your Instagram posts (comment text, commenter ID, commenter username) and records of direct messages sent by the Service. This data powers the automation rules you configure.

Usage data. We collect standard server logs including IP addresses, browser type, pages visited, and timestamps. This data is used for security, debugging, and service improvement.

Payment data. Billing is handled by Stripe. We do not store full card numbers. We receive and store a Stripe Customer ID and Subscription ID to manage your plan.

3. How We Use Your Information

  • To provide and operate the Service, including sending automated Instagram DMs on your behalf.
  • To authenticate you and keep your account secure.
  • To process payments and manage your subscription plan.
  • To display analytics about your automations (DMs sent, comments triggered, contacts).
  • To send transactional emails (account confirmations, billing receipts).
  • To investigate abuse, enforce our Terms of Service, and comply with legal obligations.

4. Instagram Data and Meta Platform Policy

KrewHub uses the Instagram Graph API and complies with Meta's Platform Terms. We request only the permissions necessary to deliver the Service:

  • instagram_business_basic — read your account profile and media.
  • instagram_business_manage_comments — receive comment webhooks.
  • instagram_business_manage_messages — send automated DM replies.

We do not sell Instagram data to third parties, use it for advertising, or share it with third parties except as required to operate the Service (e.g. cloud hosting providers under strict data processing agreements).

5. Data Retention

We retain your data for as long as your account is active or as needed to provide the Service.

When you delete your account all personal data is permanently removed within 30 days. Comment and messaging data linked to your Instagram account is deleted at the same time.

Aggregated, anonymised analytics data that cannot identify you may be retained indefinitely.

6. Data Sharing and Third Parties

We do not sell your personal data. We share data only with:

  • Meta Platforms — to deliver messages via the Instagram Graph API.
  • Fly.io — cloud hosting for our backend and database.
  • Vercel — hosting for our web application.
  • Stripe — payment processing.
  • Law enforcement — when required by applicable law or to protect the safety of users.

7. Cookies

We use a single session cookie (ck_token) to keep you signed in. It is an HTTP-only cookie and cannot be accessed by JavaScript. We do not use advertising or tracking cookies.

8. Your Rights

Depending on your jurisdiction you may have the right to:

  • Access the personal data we hold about you.
  • Request correction of inaccurate data.
  • Request deletion of your data (see our Data Deletion page).
  • Object to or restrict certain processing.
  • Request data portability.

To exercise any of these rights, email us at privacy@krewhub.ai.

9. Security

We use industry-standard safeguards including HTTPS encryption in transit, hashed passwords (bcrypt), HTTP-only cookies, and access tokens stored encrypted at rest. No method of transmission or storage is 100% secure; we cannot guarantee absolute security.

10. Children

The Service is not directed to children under 13. We do not knowingly collect personal data from children. If you believe a child has provided us with personal information, contact us and we will delete it promptly.

11. Changes to This Policy

We may update this policy from time to time. We will notify you of material changes by updating the "Last updated" date above and, where appropriate, by email. Continued use of the Service after changes constitutes acceptance of the updated policy.

12. Contact

Questions about this policy? Email us at privacy@krewhub.ai.