Privacy Policy
Last updated: 2026-05-05
1. Who we are
BloomDM is an Instagram DM automation platform operated from India. For the purposes of the Digital Personal Data Protection Act 2023 ("DPDP"), BloomDM is a Data Fiduciary for the personal data of its tenant users, and a Data Processor for the personal data of Instagram end users that tenants choose to capture via our platform.
2. What we collect
- Tenant account data: email, hashed password (via Supabase Auth), workspace name, billing details (via Razorpay).
- Instagram integration data: connected account ID, username, page ID, encrypted access tokens (AES-256-GCM at rest). We never see or store your Instagram password.
- Lead data: Instagram handles and email/phone numbers that end users send to your DMs in response to automations you configure. The lawful basis is your consent on the workspace form confirming you have authority to process this data.
- Operational logs: webhook events, outbound DM attempts, error traces. We never log DM contents in plain text.
3. What we don't collect
- Instagram passwords — we use Facebook Login for Business OAuth.
- End-users' follower lists, DM history outside our automations, or any data Meta does not expose.
- Browsing or behavioural tracking on our marketing site.
4. Where data lives
Postgres database: Supabase, region ap-south-1 (Mumbai). Logs: Axiom (US). Error tracking: Sentry (US). Analytics: PostHog (EU). All personal data of Indian residents stays in India for the primary database; aggregated logs may transit other regions for operational purposes only.
5. Your rights (DPDP §11–§13)
- Right to access: download a JSON copy of all your workspace data anytime via Settings → Privacy → Download my data.
- Right to correction: edit your workspace name, email, and connected accounts directly in the dashboard.
- Right to erasure: request deletion via Settings → Privacy → Delete workspace. Soft-deleted immediately; hard-deleted 30 days later. Email parvinderawal@gmail.com to cancel before the 30-day window closes.
- Right to grievance redressal: our Grievance Officer can be reached at parvinderawal@gmail.com. We respond within 30 days.
6. Sub-processors
We share data with the following sub-processors:
- Supabase (database, auth) — Mumbai, India.
- Upstash (Redis queue) — Mumbai, India.
- Vercel (hosting) — global edge, Mumbai primary.
- Railway (worker hosting) — Asia-Southeast.
- OpenAI (AI replies; only when tenant enables AI mode).
- Razorpay (billing).
- Resend (transactional email).
- Sentry, Axiom, PostHog (operational observability).
7. Cookies
We use first-party cookies for sign-in only. We do not use third-party tracking cookies or fingerprinting on our marketing site. Cookies set by sub-processors (e.g. Supabase Auth) are strictly necessary and cannot be disabled.
8. Retention
Active workspace data is retained for the life of the workspace. Deleted workspaces are hard-deleted 30 days after the deletion request. Operational logs are retained 90 days. Aggregated analytics are retained indefinitely in non-personal form.
9. Security
Tokens are encrypted at rest with AES-256-GCM, with per-row Additional Authenticated Data binding ciphertext to identity. Webhook signatures verified via HMAC-SHA256. Database access is scoped to tenant via three application-layer guards. We disclose breaches to affected tenants and regulators within 72 hours per DPDP §8(6).
10. Changes
We may update this policy. Material changes are emailed to all active workspace owners 14 days before they take effect.
Questions? Email parvinderawal@gmail.com.