Legal

Privacy policy.

We capture leads from Instagram on your behalf. To do that we touch a small amount of data — from you, from your customers, and from Meta. This page is a complete account of what we touch and why, in plain English.

Effective 5 May 2026

§ 01

Who we are

Leadflowly is a software service operated by an independent developer based in Dubai, United Arab Emirates. The service connects to your Instagram account via Meta's Instagram Login API, runs a short conversation with people who message your inbox, and hands you the leads that result.

In data-protection language, we are the controller of data about you (our subscriber) and the processor of data about your customers. You decide what your inbox bot says; we faithfully run the script you save and store the replies.

§ 02

What we collect

From you, the subscriber

  • Your name and email address, when you sign up.
  • A salted, hashed password — never the plain text.
  • Sign-in metadata: timestamps and IP addresses of recent sessions, used to keep your account secure.

From Meta, when you connect Instagram

  • Your Instagram user ID, username, and account type.
  • A long-lived Instagram access token (typically valid for 60 days) so we can read DMs and send replies on your behalf. We never see your Instagram password.
  • A token expiry timestamp, so we can warn you before a reconnect is needed.

From your customers (people who message you)

  • The Instagram-scoped sender ID assigned to them by Meta. This is not their public username.
  • The text of the messages they send to your inbox while a conversation flow is in progress, plus the timestamps.
  • The structured details they share when the flow asks — typically a name, a phone number, and a short description of what they're looking for.

Service logs

  • Server logs of webhook deliveries, errors, and outbound API calls, retained for short periods to debug failures and detect abuse.

§ 03

How we use it

  • To run your inbox bot. We listen for new DMs via Meta's webhooks, run them through the conversation flow you saved, and reply through the Instagram Graph API.
  • To deliver leads to you. Once a flow completes, we save the captured details to your dashboard and let you export them.
  • To keep the account working. We use your email to send transactional notices: receipts, security alerts, and warnings before your Instagram token expires.
  • To improve and secure the service. Aggregate, non-personal usage signals are reviewed to fix bugs and prevent abuse.

We do not sell personal data. We do not use your customers' messages to train AI models or any other product.

§ 04

Sharing & third parties

We rely on a small set of vendors to operate the service. Each receives only the data they need.

  • Meta Platforms — to receive webhooks, send replies, and refresh your Instagram access token.
  • Our database and hosting providers — to store account, flow, and lead data, and to serve the web application. Data lives encrypted at rest.
  • A payment processor — when paid plans launch, billing details are handled directly by the processor. We never see or store full card numbers.
  • An email delivery provider — only the recipient address and the message body are passed.
  • Authorities — only when legally required to disclose. We will push back on overbroad requests.

§ 05

Where data lives

The service runs on infrastructure that may store and process data outside the United Arab Emirates, including in the European Union and the United States. By using Leadflowly you consent to the transfer of your data to those regions for the purposes described above.

§ 06

Retention

  • Active leads are kept indefinitely while your subscription is active.
  • Conversation sessions are deleted as soon as the conversation ends, or after 24 hours of inactivity.
  • Webhook event logs are kept for up to 30 days for debugging.
  • Account data is kept until you delete your account, after which it is removed within 30 days.
  • Disconnecting an Instagram account immediately deletes the saved access token, the conversation flow for that account, in-progress sessions, and the leads captured through it.

§ 07

Your rights

Depending on where you live you may have rights to access, correct, export, or delete personal data we hold about you. We honour these rights for every subscriber regardless of jurisdiction.

  • Access & export. Your dashboard exposes your account profile, connected Instagram accounts, conversation flows, and a CSV export of your leads.
  • Correction. Edit your name and email from the dashboard.
  • Deletion. See the section below.
  • Objection & withdrawal. You can stop using the service at any time. Customers can stop the bot mid-conversation by sending stop, cancel, or unsubscribe.

§ 08

Data deletion

You can request deletion in three ways:

  • Disconnect an Instagram account from your dashboard. The token, the flow, the in-progress sessions, and the leads tied to that account are deleted immediately.
  • Delete your subscriber account by emailing support@leadflowly.in from the address on file. Everything we hold about you is removed within 30 days.
  • End-customer deletion. If you messaged a Leadflowly-powered inbox and want your record removed, email the same address with the Instagram username of the business and the phone number you shared.

§ 09

Security

Passwords are stored hashed with a modern algorithm. Access tokens are encrypted at rest. All traffic between your browser, our servers, and Meta is encrypted with TLS. Access to production systems is restricted and protected by two-factor authentication.

§ 10

Children

Leadflowly is a business tool. We do not knowingly collect data from anyone under the age of 16. If you believe a child has interacted with our service, write to us and we will remove the data.

§ 11

Changes to this policy

We may update this policy as the product evolves. Material changes will be announced by email and reflected in the Effective date at the top of the page.