DM Hero Privacy Policy

DM Hero ("we", "us", or "the Service") is operated by DM HERO spółka z ograniczoną odpowiedzialnością, a Polish limited liability company registered with the Sąd Rejonowy dla m.st. Warszawy in Warsaw, KRS 0001241535, NIP 5253090444, REGON 544773198, registered office at ul. Twarda 18, 00-105 Warszawa, Poland.

DM Hero is an outreach workflow tool for Instagram business and creator accounts, operated at dmhero.ai (marketing site) and app.dmhero.ai (web application). This policy covers both the web application and the DM Hero Chrome extension.

For GDPR / RODO purposes, DM HERO sp. z o.o. is the data controller. You can contact us at [email protected].

2.1 Account data (web app)

• Instagram profile information obtained via the official Instagram Login for Business: username, display name, profile picture URL, follower counts, account type.
• OAuth access tokens issued by Meta, stored encrypted at rest. Used only to call the Instagram Graph API on your behalf.
• Session cookies to keep you signed in (httpOnly, SameSite=Lax).
• Billing identifiers when you subscribe: Stripe Customer ID, subscription ID, and billing status. Payment card details and bank information are handled directly by Stripe and never touch our servers.

2.1a Instagram data accessed via Meta-granted scopes

With your consent at the Instagram Login screen, we request the following scopes. Each is tied to a single feature in the application and can be revoked at any time from your Instagram Settings → Apps and Websites.

• instagram_business_basic — profile information and media list. Used to display your account in the app dashboard and to identify you as the sending account during outreach.
• instagram_business_manage_messages — read your direct messages and send messages on your behalf. Used to populate the inbox view, detect replies to your outreach, and let you respond from the app. We never read or store messages from threads you did not start through DM Hero.
• instagram_business_manage_comments — read and manage comments on your posts. Used for comment-to-DM automation triggers (e.g., when a follower comments "DM me", the app sends them the matching DM).
• instagram_business_manage_insights — read account-level metrics like reach, impressions, profile views. Used only to populate the Analytics page in your dashboard. We do not share these metrics with third parties.

We do not request instagram_business_content_publish: DM Hero never publishes posts or stories on your behalf.

2.2 Workflow data you create

• Leads, tags, notes, campaigns, templates, and quick replies you add yourself.
• Messages you draft or send through the Service, and their delivery status.
• Analytics events needed to show progress, reply rates, and activity summaries.

2.3 Extension activity

• Heartbeat pings from the extension: a timestamp and the extension version string. Used only to show "extension installed" status in your dashboard.
• Extension settings (daily limit, quiet hours, pacing) — stored in your browser via chrome.storage.local, never transmitted to us.
• DM delivery logs — after a message is delivered via Instagram, the extension reports success/failure back to your DM Hero account so the queue stays accurate.

2.4 What we do NOT collect

• Your Instagram password — we never see it; authentication goes through Meta.
• Content of Instagram conversations you did not initiate through DM Hero.
• Browsing history outside of instagram.com and dmhero.ai.
• Any data from tabs other than the ones the extension explicitly automates.
• Personally identifiable information about third parties who did not opt in.

• storage — saves your pacing, quiet-hours, and API-URL preferences locally. Never transmitted.
• alarms — schedules the next queue tick and the heartbeat ping (once per minute).
• tabs + scripting — opens an Instagram tab when you start the queue, and injects the content script that fills the DM composer on your behalf. Only activates when you press Start.
• notifications — shows desktop notifications when the queue starts, finishes, or hits a block. You can disable these in settings.
• host_permissions on instagram.com and dmhero.ai — required to send DMs and to report results back to your account.

• To operate the Service features you explicitly use (outreach queue, analytics, follow-ups).
• To display accurate install status for the Chrome extension.
• To debug issues and prevent abuse (rate limits, error logs).
• To comply with legal obligations.

We do not sell your data, do not share it with advertisers, and do not use it to train third-party AI models.

We share data only with the following processors, each under a Data Processing Agreement:

• Meta Platforms (Instagram) — limited to the API calls needed to read your profile, send messages, manage comments, and read insights on your behalf.
• Railway (hosting + database) — runs our servers and SQLite volumes. Located in the European Union (EU-West).
• Stripe Payments Europe, Ltd. — processes subscription payments. They receive your email, billing address, and card data directly from your browser (we never touch raw card numbers). Subject to Stripe's own privacy policy and DPA.
• Sentry — error monitoring. Receives stack traces, request paths, and pseudonymous user IDs (your ig_account.id) when something breaks. No message content, no Instagram tokens.
• Anthropic, PBC — only when you explicitly enable AI message suggestions or AI lead scoring, and only for the specific prompt you submit. Anthropic does not use API data for model training.

We do not sell your data, do not share it with advertisers, do not use it to train AI models, and do not transfer it outside the EU/EEA without standard contractual clauses or an equivalent transfer mechanism.

• Account data: kept while your account is active.
• Session cookies: 60 days rolling, or until you log out.
• OAuth tokens: until they expire or you disconnect the Instagram account.
• Deleted leads/templates/messages: removed from the database within 30 days; database backups are rotated out within 90 days.

Under GDPR / RODO you have the following rights, and you can exercise any of them at any time:

• Access and portability — export all your data in JSON via Settings → Database → Export.
• Disconnect your Instagram account — revokes our OAuth token and stops all API access. Available in Settings → Instagram → Disconnect.
• Uninstall the Chrome extension — immediately stops heartbeats and the outreach queue.
• Erasure via Instagram — open Instagram → Settings → Apps and Websites → Active → DM Hero → Remove. Meta sends us a signed deletion request, we delete all data tied to that Instagram account within minutes, and you receive a confirmation URL at app.dmhero.ai/deletion-status?code=<confirmation_code> to verify the deletion completed. This is the canonical Meta App Review deletion path.
• Erasure of the entire account — email [email protected] and we will erase your DM Hero account, all connected Instagram data, and all billing records within 30 days. Stripe records that the law requires us to keep (invoices, tax records) are retained per Polish accounting regulations.
• Rectification, restriction, and objection — email [email protected] with the request and any relevant context.
• Complaint to a supervisory authority — you can file a complaint with the Polish data protection authority (Prezes Urzędu Ochrony Danych Osobowych, uodo.gov.pl) or your local EU data protection authority.

All traffic is served over HTTPS. Access tokens are stored server-side and never exposed to the browser. The extension sends data only to dmhero.ai and instagram.com.

The Service is not intended for users under 18. We do not knowingly collect data from minors.

If we make material changes, we will update the "Last updated" date above and notify active users by email at least 14 days before the changes take effect.

Questions about this policy or your data:

• Email: [email protected]
• Postal address: DM HERO sp. z o.o., ul. Twarda 18, 00-105 Warszawa, Poland
• Company register: Sąd Rejonowy dla m.st. Warszawy, XII Wydział Gospodarczy KRS, KRS 0001241535