Privacy Policy

1. Who We Are

SendItPlease is operated by TechAppDev LLP, a limited liability partnership registered in Hyderabad, Telangana, India. When this policy refers to "we", "us", or "our", it means TechAppDev LLP and the SendItPlease platform.

For privacy questions, contact us at senditpleasesupport@gmail.com.

2. Data We Collect

We collect the minimum data required to provide the service:

Account & Identity

• Email address and full name (on signup)
• Google account ID (if you sign in with Google)
• Profile photo URL (from Google or Meta, display only)

Instagram & Facebook OAuth Tokens

• OAuth access tokens from Instagram and Facebook (via Meta Login)
• Instagram Business Account ID and Facebook Page ID
• Token expiry timestamps and refresh tokens
• All tokens are encrypted with AES-256-GCM before storage

Automation & Usage Data

• Automation configurations you create (keywords, DM templates, settings)
• Comment event logs (commenter username, timestamp, keyword matched)
• DM delivery status and timestamps
• Lead data you collect through automations (email addresses, names)
• Monthly DM usage counts

Payment Information

• Subscription plan and billing cycle
• Payment processor transaction IDs (Stripe or Razorpay)
• Last 4 digits of card and card brand (stored by payment processor, not us)
• UPI virtual payment address (stored by Razorpay, not us)
• Billing address and GST number (if provided)

Technical Data

• IP address (for rate limiting and fraud prevention)
• Browser type and device information
• Page view and click events (via PostHog analytics)
• Error logs and performance traces (via Sentry)

3. How We Use Your Data

• To authenticate you and maintain your session
• To connect your Instagram and Facebook accounts to the platform
• To execute comment-to-DM automations on your behalf
• To track DM delivery, link clicks, and conversion analytics
• To enforce per-account DM quotas based on your plan
• To process subscription payments and send billing receipts
• To send transactional emails (DM quota warnings, token expiry alerts)
• To detect and prevent abuse, spam, and API misuse
• To improve the product via aggregated, anonymised usage analytics

4. Meta API Data Usage Policy

SendItPlease uses the Meta Graph API to interact with Instagram and Facebook on your behalf. By connecting your accounts, you authorise us to use the following Meta permissions:

• instagram_basic — to read your profile, account type, and media count
• instagram_manage_comments — to read comments on your Instagram posts
• instagram_manage_messages — to send Instagram DMs in response to comments
• pages_read_engagement — to read engagement on your Facebook Page posts
• pages_messaging — to send DMs via your connected Facebook Page
• pages_manage_metadata — to subscribe to webhook events for your Page

We access Meta data only to provide the automation service. We do not sell, share, or use Meta user data for advertising, profiling, or any purpose other than delivering the specific automation you configured.

Comment data received via webhooks (commenter username, comment text, timestamp) is stored in our database for deduplication purposes and to power your analytics. This data is retained for 90 days and then automatically deleted.

You can revoke our access to your Meta accounts at any time from your Instagram or Facebook security settings. Revoking access will pause all active automations.

5. Data Storage & Security

All data is stored on Google Cloud Platform in the asia-south1 (Mumbai, India) region. We do not transfer your personal data outside India except where required by our sub-processors (see below).

Security measures in place:

• Meta OAuth tokens encrypted with AES-256-GCM; encryption keys stored in Google Cloud Secret Manager
• All data in transit protected with TLS 1.3
• Firestore database with Firebase Security Rules — no direct public access
• API rate limiting via Cloudflare to prevent abuse
• Sentry error monitoring with PII scrubbing enabled

Sub-processors: Google Cloud (infrastructure), Firebase Auth (authentication), Stripe (global payments), Razorpay (India payments), Brevo (transactional email), PostHog (product analytics), Sentry (error tracking), Cloudflare (CDN, DDoS protection, and rate limiting).

6. Data Retention

• Account data — retained while your account is active, deleted within 30 days of account deletion
• Automation event logs — 90 days rolling window
• Lead data you collect — retained until you delete it or your account is closed
• Payment records — 7 years (as required by Indian GST law)
• Error and security logs — 30 days

7. Your Rights

Under the Information Technology Act, 2000 and applicable Indian privacy law, you have the right to:

• Access — request a copy of all personal data we hold about you
• Correction — ask us to fix inaccurate or incomplete data
• Deletion — request deletion of your account and associated data
• Export — download your leads, analytics, and automation data in CSV/JSON format
• Portability — receive your data in a machine-readable format
• Objection — object to specific processing activities

To exercise any of these rights, email senditpleasesupport@gmail.com with the subject line "Privacy Request". We will respond within 30 days.

To delete your account and all associated data immediately, go to Dashboard → Settings → Delete Account.

8. Cookies & Tracking

We use essential cookies for authentication (Firebase Auth session cookies). We do not use advertising cookies or third-party tracking pixels.

PostHog collects anonymised page view and click data to help us improve the product. You can opt out by enabling "Do Not Track" in your browser.

9. Children

SendItPlease is not directed at children under 13. We do not knowingly collect personal data from children. If you believe a child has provided us data, contact us and we will delete it promptly.

10. Governing Law & Jurisdiction

This Privacy Policy is governed by the laws of India. Any disputes arising from or relating to this policy shall be subject to the exclusive jurisdiction of courts in Hyderabad, Telangana, India.

11. Changes to This Policy

We may update this policy from time to time. When we make material changes, we will notify you by email and update the "Last updated" date above. Continued use of the platform after changes take effect constitutes acceptance of the revised policy.