Privacy Policy

Last Updated: July 2, 2026

Summary

CommentKeyword helps businesses automate Instagram comment replies, DMs, analytics, and optional AI follow-up. We collect the account, Instagram, billing, message, and usage data needed to provide the Service. We do not currently sell personal information.

1. Who We Are

NextGen Marketing and Automation LLC, operating under the brand name CommentKeyword ("CommentKeyword," "we," "our," or "us"), provides a SaaS platform for Instagram comment-to-DM automation, campaign management, analytics, and optional AI-powered conversation features.

This Privacy Policy explains how we collect, use, disclose, and protect information when you visit our website, create an account, connect Instagram or Meta services, use AI features, contact support, or otherwise use the Service.

2. Customer and Instagram User Roles

Our customers decide how they use CommentKeyword to communicate with Instagram users. For personal data in customer Instagram comments, DMs, campaign settings, and conversation records, the customer is generally the controller or business, and CommentKeyword acts as a service provider or processor. For account, billing, security, website, and product operations data, CommentKeyword may act as an independent controller or business.

3. Information We Collect

3.1 Account and Workspace Data

  • Email address, name, password hash, authentication provider, profile image, timezone, and account settings
  • Workspace, team, role, invitation, preferences, webhook, and API token configuration
  • Support tickets, feedback submissions, contact form messages, and related communications

3.2 Instagram and Meta Integration Data

  • Connected Instagram account IDs, usernames, profile information, access tokens, token status, and connection health
  • Comments, comment IDs, post IDs, public reply activity, DM delivery activity, and conversation records needed to run automations
  • Instagram user IDs, usernames, profile names, profile pictures where available, message content, timestamps, and engagement metrics

3.3 Automation, Analytics, and AI Data

  • Keywords, reply templates, DM templates, campaign status, usage limits, billing usage, and export data
  • AI agent configuration, including hooks, instructions, objectives, required fields, handoff rules, reminders, test chats, and selected model
  • Conversation content and recent conversation history sent to AI providers when an AI agent, test chat, reminder, or setup assistant is used
  • AI usage metadata such as model name, generation identifiers, costs, completion status, and error information

3.4 Technical, Billing, and Website Data

  • IP address, browser, device, request logs, session cookies, security events, and approximate location inferred from technical data
  • Subscription, invoice, checkout, payment status, and billing portal data processed through Stripe
  • Cookie and similar technology preferences. See our Cookie Policy.

4. How We Use Information

  • Provide, maintain, secure, and troubleshoot the Service
  • Authenticate users, manage workspaces, enforce plan limits, and process billing
  • Connect to Meta and Instagram APIs with your authorization
  • Detect keywords, send public replies and DMs, route conversations, and provide analytics
  • Generate AI setup drafts, AI replies, reminders, summaries, and structured completion data when AI features are enabled
  • Send transactional, security, billing, onboarding, usage, support, and product communications, subject to your email preferences where applicable
  • Prevent abuse, investigate security incidents, enforce our Terms, and comply with legal obligations
  • Improve the Service using aggregated, de-identified, or operational data where appropriate

5. AI Processing

CommentKeyword uses OpenRouter and model providers available through OpenRouter for AI functionality. Depending on the selected model and feature, conversation content, customer instructions, objectives, required fields, and related context may be sent to OpenRouter and routed to an underlying model provider to generate outputs.

  • AI outputs are generated automatically and may be inaccurate, incomplete, delayed, or inappropriate for a specific use case
  • Customers are responsible for configuring, testing, reviewing, and supervising AI agents before and after enabling them
  • We do not use AI features to provide legal, tax, financial, medical, or other regulated professional advice
  • We do not represent that conversation content is always anonymized before AI processing; some context may be necessary for the feature to work

6. How We Share Information

We share information with service providers and platforms needed to operate CommentKeyword, including:

  • Meta: Instagram and Facebook authentication, Instagram Business API, webhooks, and data deletion flows
  • Stripe: checkout, subscriptions, payment status, invoices, billing portal, tax and fraud prevention
  • OpenRouter and AI model providers: AI setup assistant, AI replies, reminders, test chats, and cost tracking
  • Hosting, database, queue, and infrastructure providers: application hosting, storage, database, logs, queues, and monitoring
  • Email providers: transactional, billing, support, usage, and permitted product emails
  • Analytics, advertising, and support tools: only if enabled and subject to your cookie preferences where consent or opt-out applies

We may also disclose information if required by law, to protect rights and safety, to prevent fraud or abuse, in connection with a business transaction, or with your direction or consent.

7. Cookies and Tracking

We use essential cookies and local storage for authentication, security, OAuth state, timezone capture, and basic product behavior. Optional analytics, marketing, or support cookies are controlled by our cookie consent tool where required. Visitors can reopen preferences from the footer link labeled "Privacy Choices."

We honor Global Privacy Control signals as an opt-out of marketing cookies intended for cross-context behavioral advertising.

8. Meta and Instagram Data Deletion

You can disconnect Instagram from your workspace, revoke access from your Meta account settings, or contact us through the contact page to request deletion. We also maintain Meta data deletion callback endpoints for Facebook Login and Instagram-related app deletion requests.

When we receive a valid Meta signed data deletion request, we remove or disconnect the associated Meta OAuth data and Instagram connection data we can identify from the request, and return a confirmation URL and confirmation code to Meta. Additional account data may be retained only where required for security, billing, dispute, legal, or operational reasons.

9. Data Retention

  • Account and workspace data: retained while your account is active and for a reasonable period afterward for security, legal, and operational needs
  • Instagram connection tokens: retained while the integration is active and removed or invalidated when disconnected or deleted
  • Conversation and automation records: retained as needed to provide inbox, analytics, export, support, and audit functionality
  • Billing records: retained as required for accounting, tax, chargeback, and legal obligations
  • Logs and security records: retained for a limited period appropriate to security, debugging, and abuse prevention

10. Security

We use technical and organizational safeguards designed to protect personal information, including access controls, encrypted transport where supported, token protection, rate limiting, logging, and operational monitoring. No internet service can guarantee absolute security.

11. Your Privacy Rights

Depending on where you live, you may have rights to access, correct, delete, export, restrict, object to, or withdraw consent for certain processing of your personal information. You may also have the right to appeal a privacy request decision. Submit requests through the contact page.

11.1 European Economic Area, United Kingdom, and Similar Regions

Where GDPR, UK GDPR, or similar laws apply, you may have rights to access, rectification, erasure, restriction, objection, portability, and withdrawal of consent. You may also lodge a complaint with your local supervisory authority.

11.2 California and Other US State Privacy Rights

California residents may have rights to know, access, delete, correct, limit use of sensitive personal information, opt out of sale or sharing, and not be discriminated against for exercising privacy rights. We do not currently sell personal information for money. If we enable advertising pixels that constitute "sharing" for cross-context behavioral advertising, you can opt out through "Privacy Choices" and through Global Privacy Control.

12. International Transfers

We operate from the United States and use service providers that may process information in the United States and other countries. Where required, we rely on appropriate safeguards for international transfers.

13. Children

CommentKeyword is intended for business users and is not directed to children under 16. We do not knowingly collect personal information from children under 16.

14. Changes to This Policy

We may update this Privacy Policy as the Service, providers, legal requirements, or data practices change. The updated version will be posted on this page with a new "Last Updated" date. Material changes may also be communicated by email or in-product notice.

15. Contact

For privacy questions, deletion requests, or data rights requests, use our contact page and select the relevant privacy or legal category.