
Privacy Policy

Last updated: May 17, 2025

This Privacy Policy explains how Comment Kro Technologies Pvt. Ltd. collects, uses, and protects your personal data when you use commentkro.in.

1. Overview

Comment Kro Technologies Pvt. Ltd. ("we", "us", "our") is committed to protecting your personal data and respecting your privacy. This Privacy Policy describes what personal data we collect, how we use it, and your rights under applicable data protection laws, including the Information Technology Act, 2000 and the Digital Personal Data Protection Act, 2023 (India), as well as the General Data Protection Regulation (GDPR) for users in the European Economic Area, and the California Consumer Privacy Act (CCPA) for California residents.

By using the Platform at commentkro.in, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, please discontinue use of the Platform.

2. Data We Collect

We collect the following categories of personal data:

2.1 Account Data

When you register, we collect your name, email address, password (stored as a hashed value), and profile information you choose to provide.

2.2 Payment Data

When you subscribe to a paid plan, payment information (such as card number, billing address) is collected and processed by our third-party payment processor. We do not store raw card numbers on our servers.

2.3 Meta / Instagram Account Data

When you connect your Instagram or Facebook account via Meta OAuth, we receive and store:

  • Your Instagram/Facebook User ID and display name
  • Page/Business Account access tokens (encrypted using AES-256-GCM)
  • Instagram media metadata (post IDs, reel IDs) required to set up automations
  • Comment content from posts where you have enabled automations
  • The Instagram usernames of users who trigger your automations (commenters)

2.4 Automation & Usage Data

We store the keyword rules, DM templates, and automation configurations you create. We also log automation activity, including which comments matched a keyword, whether a DM was sent, and the timestamp of each event.

2.5 Technical & Log Data

We automatically collect IP addresses, browser type, device identifiers, referring URLs, pages visited, and timestamps when you use the Platform. This data is used for security monitoring, debugging, and analytics.

2.6 Communications Data

If you contact our support team, we retain records of that correspondence including the content of your messages and any files you share.

3. How We Use Your Data

We process your personal data for the following purposes and legal bases:

  Purpose                                          Legal Basis
  -----------------------------------------------  ------------------------
  Provide and operate the Platform                 Performance of contract
  Process payments and manage subscriptions        Performance of contract
  Send transactional emails (account, alerts)      Performance of contract
  Execute Instagram automation on your behalf      Performance of contract
  Improve and develop Platform features            Legitimate interests
  Detect and prevent fraud or abuse                Legitimate interests
  Comply with legal obligations                    Legal obligation
  Send marketing communications (with consent)     Consent
  Analytics and performance monitoring             Legitimate interests

4. Meta / Instagram Data

Our Platform uses the Meta Graph API. The use of data obtained from Meta's APIs is governed by Meta's Platform Policy in addition to this Privacy Policy. Specifically:

  • We access your Instagram data only to the extent necessary to provide the automation services you have configured.
  • Access tokens are stored encrypted (AES-256-GCM) in our database and are used solely to send DMs and read comment webhooks on your behalf.
  • We do not sell, rent, or share data received from Meta APIs with third parties for advertising purposes.
  • Comment data (including commenter usernames and comment text) is retained only as long as necessary to process automation events and for your review in the contacts/analytics dashboard.
  • You may disconnect your Meta account at any time from your account settings, which will revoke our access tokens and stop all automations.

We comply with Meta's data deletion requirements. Upon account deletion, all Meta API data associated with your account is permanently deleted within 30 days.

5. Data Sharing & Third Parties

We do not sell your personal data. We share your data only in the following limited circumstances:

5.1 Service Providers

We engage trusted third-party service providers to help operate the Platform, including:

  • Cloud Hosting: Infrastructure hosting (e.g., AWS, Vercel, DigitalOcean)
  • Payment Processing: Secure payment gateway (e.g., Razorpay, Stripe)
  • Email Delivery: Transactional email service (e.g., SendGrid, Resend)
  • Analytics: Product analytics (e.g., Vercel Analytics — cookie-free)
  • Job Queue: Redis/Bull for background automation processing

All service providers are contractually bound to process your data only on our instructions and to maintain appropriate security measures.

5.2 Legal Requirements

We may disclose your data if required to do so by law, court order, or governmental authority, or if we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, or investigate fraud.

5.3 Business Transfers

In the event of a merger, acquisition, or sale of all or substantially all of our assets, your data may be transferred to the acquiring entity, subject to the same privacy protections described in this Policy.

6. Data Retention

We retain your personal data only for as long as necessary for the purposes described in this Policy:

  • Account Data: Retained for the lifetime of your account plus 90 days after deletion.
  • Automation Logs & Contact Data: Retained for 12 months from creation, or until you delete them from the dashboard.
  • Meta Access Tokens: Deleted immediately upon account disconnection or account deletion.
  • Payment Records: Retained for 7 years as required by Indian accounting and tax laws.
  • Server Logs: Retained for 90 days for security monitoring and debugging.

You may request early deletion of your personal data subject to our legal retention obligations (see Your Rights below).

7. Security

We implement industry-standard technical and organisational measures to protect your personal data, including:

  • TLS/HTTPS encryption for all data in transit.
  • AES-256-GCM encryption for sensitive data at rest (including Meta access tokens).
  • Bcrypt hashing for passwords; raw passwords are never stored.
  • JWT authentication with short-lived access tokens (15 minutes) and secure refresh token rotation (7 days).
  • Role-based access controls limiting employee access to personal data.
  • Regular security reviews and penetration testing.

While we take all reasonable steps to protect your data, no system is completely secure. In the event of a personal data breach that poses a high risk to your rights and freedoms, we will notify you as required by applicable law.

8. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

8.1 For All Users

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Request correction of inaccurate or incomplete data.
  • Deletion: Request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations.
  • Portability: Receive your data in a structured, machine-readable format.
  • Objection: Object to processing based on legitimate interests.
  • Withdraw Consent: Withdraw consent for consent-based processing (e.g., marketing emails) at any time.

8.2 California Residents (CCPA)

California residents have the right to know what personal information is collected, to opt out of the sale of personal information (we do not sell personal information), and to non-discrimination for exercising these rights.

8.3 EEA/UK Residents (GDPR)

EEA and UK residents have the additional right to lodge a complaint with a supervisory authority and to restrict processing in certain circumstances.

To exercise any of these rights, email us at privacy@commentkro.in. We will respond within 30 days. We may need to verify your identity before processing your request.

9. Cookies & Tracking

We use the following categories of cookies and tracking technologies:

  • Strictly Necessary Cookies: Required for the Platform to function (e.g., session authentication tokens stored in httpOnly cookies). These cannot be disabled.
  • Analytics Cookies: We use Vercel Analytics, which is cookie-free and privacy-preserving by design. No cross-site tracking occurs.

We do not use third-party advertising cookies or tracking pixels. You can control cookie preferences through your browser settings, though disabling strictly necessary cookies will affect Platform functionality.

10. Children's Privacy

The Platform is not directed to individuals under the age of 18 ("children"). We do not knowingly collect personal data from children. If you are a parent or guardian and believe your child has provided us with personal data without your consent, please contact us immediately at privacy@commentkro.in and we will take steps to delete such information.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. We will notify you of material changes by:

  • Posting the updated Policy on this page with a revised "Last Updated" date.
  • Sending an email notification to the address associated with your account.
  • Displaying a prominent notice on the Platform dashboard.

Your continued use of the Platform after the effective date of any changes constitutes your acceptance of the updated Policy. If you disagree with the changes, you must stop using the Platform and may request account deletion.

12. Contact & Data Protection Officer

For any privacy-related questions, requests, or concerns, please contact us:

Company: Comment Kro Technologies Pvt. Ltd.

Website: commentkro.in

Privacy Email: privacy@commentkro.in

Support Email: support@commentkro.in

Data Protection Officer: dpo@commentkro.in

Jurisdiction: India

We aim to respond to all legitimate requests within 30 calendar days. For complex requests, we may extend this to 60 days and will notify you accordingly.