Legal & compliance
Privacy Policy
Last updated: July 2026
This policy explains what data MsgMaven collects when a business connects Instagram and WhatsApp, how we use and store it, and how it can be deleted.
1. What data we collect
Business account data
- Business name, vertical, country, timezone, website, Instagram handle and WhatsApp number
- Team member accounts (name, email) and their roles
Instagram data (via official APIs)
- Connected Instagram professional account id, username, name and profile picture
- Linked Facebook Page id and name
- Granted permissions and a Page access token (encrypted)
- Inbound direct messages: sender id, message text, attachments, timestamps and message ids
- Referral/story metadata included in the webhook payload where present
WhatsApp data (via WhatsApp Business Platform)
- WhatsApp Business Account id, phone number id, display phone number and verified name
- Access token (encrypted) and webhook subscription status
- Inbound messages: sender phone (wa_id), profile name, message content, media references, timestamps and ids
Message & contact data
- Customer contact records derived from inbound messages (handle/phone, name where provided)
- Conversation state, tags, internal notes, lead score and qualification fields
Operational data
- Raw webhook payloads (stored for debugging and reliability)
- Audit logs of connect/disconnect/send/delete actions
2. How we use data
We use this data solely to provide the MsgMaven service: displaying a unified inbox, classifying enquiry types, suggesting replies, scoring leads, and enabling authorised team members to reply. We do not use it for advertising, resale, mass marketing, or unsolicited outreach.
3. How we store data
- Data is stored in a PostgreSQL database with access scoped per business.
- Access tokens are encrypted at rest using AES-256-GCM; they are never logged or displayed in plaintext.
- Webhook payloads are verified using the Meta app secret signature before processing.
- Role-based access control restricts data to a business's own members.
4. How data is deleted
Businesses can disconnect a channel at any time (which deletes stored tokens) and can request full deletion via the Data Deletion page. We also honour Meta's Data Deletion Request callback. Deletion requests are processed within 30 days.
5. How to request deletion
Email privacy@msgmaven.com or use the in-app controls under Settings → Security. See the Data Deletion page for step-by-step instructions and the callback endpoint.
6. Third-party processors
- Meta Platforms — Instagram Messaging API and WhatsApp Business Platform (source of messages).
- Hosting — Vercel (frontend) and Railway (backend/worker, PostgreSQL, Redis).
- Optional AI provider — only if reply generation is enabled by the business; message text may be processed to generate a suggestion.
7. Security practices
Encryption of tokens at rest, webhook signature verification, RBAC, audit logging, rate limiting on public endpoints, and least-privilege access. See our Security page for details.
8. Contact
Privacy enquiries: privacy@msgmaven.com. General support: support@msgmaven.com.