Privacy Policy

Last updated: March 6, 2026

1. Introduction

NovaDream.io ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Instagram DM automation and AI-powered messaging platform (the "Service"). By using the Service, you consent to the data practices described in this policy.

2. Information We Collect

We collect information that you provide directly to us and information automatically collected when you use our Service:

  • Instagram Account Information: When you sign up via Instagram OAuth, we collect your Instagram user ID, username, display name, profile picture URL, follower count, and media count. We do not collect or store passwords.
  • Message Data: We access and store Instagram direct messages sent to and from your connected business account, including message content, sender/recipient identifiers, timestamps, and delivery status. Message content is encrypted at rest using user-specific encryption keys.
  • AI Agent Configuration: If you use the AI Agent feature, we store your business name, description, products/services, FAQ knowledge base, tone preferences, escalation keywords, and response settings that you provide.
  • Usage Data: Information about how you interact with our Service, including auto-reply rules, settings, feature usage, and session data.
  • Payment Information: Subscription payments are processed by PayPal. We store your PayPal subscription ID and plan status but do not store credit card or bank account details.
  • Third-Party Sender Data: When individuals send direct messages to your connected Instagram account, we process their message content and Instagram username to generate automated replies. This data is collected from Instagram via its API, not directly from the sender.

3. How We Use Your Information

We use the collected information to:

  • Provide, operate, and maintain our Instagram DM automation Service.
  • Process your messages through our AI Agent (powered by OpenAI) to generate automated replies on your behalf.
  • Apply your auto-reply rules and settings to incoming messages.
  • Process and manage subscription payments via PayPal.
  • Send you technical notices, updates, and support communications.
  • Monitor service performance, detect abuse, and prevent fraud.
  • Comply with legal obligations and enforce our Terms of Service.

4. AI Processing and Third-Party Data Sharing

Our AI Agent feature uses OpenAI's API to generate automated responses to Instagram direct messages. When this feature is active:

  • Data Sent to OpenAI: Your business name, description, products/services, FAQ knowledge base, tone preference, the incoming message content (sanitized), and recent conversation context (last 5 messages). We do not send customer personal information, Instagram access tokens, or credentials to OpenAI.
  • OpenAI's Use of Data: OpenAI processes this data solely to generate the automated response. Per OpenAI's API terms, data submitted via the API is not used to train their models.
  • Security Measures: All messages are sanitized before processing to remove code, HTML tags, and potential injection patterns. Output is filtered to block exposure of API keys, tokens, or system prompts.

5. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA) or UK, we process your personal data under the following legal bases:

  • Contract (Article 6(1)(b)): Processing necessary to provide the Service you signed up for, including account management, message processing, and automated replies.
  • Legitimate Interests (Article 6(1)(f)): Processing of third-party sender messages to generate automated replies on your behalf. The sender initiated contact with your business account, and processing is limited to generating a relevant response.
  • Legal Obligation (Article 6(1)(c)): Processing necessary to comply with applicable laws, such as tax obligations for payment records.
  • Consent (Article 6(1)(a)): For any marketing communications we may send you, which you can opt out of at any time.

6. Data Sharing and Disclosure

We do not sell, trade, or rent your personal data. We share data only with the following categories of service providers, solely to operate the Service:

  • OpenAI (USA): AI processing of messages to generate automated responses.
  • Meta/Instagram (USA): API provider for Instagram message access and delivery.
  • PayPal (USA/EU): Payment processing for subscriptions.
  • Cloud Infrastructure: Database hosting and application hosting for data storage and service delivery.

We may also disclose your information if required by law, subpoena, or other legal process, or to protect our rights, property, or safety.

7. Data Security

We implement industry-standard security measures to protect your data. Instagram OAuth tokens are encrypted at rest using AES-256-GCM encryption with PBKDF2 key derivation (SHA-512, 100,000 iterations). Message content is encrypted using user-specific encryption keys. All authentication sessions use JWT tokens stored in httpOnly, Secure cookies. Instagram webhook payloads are verified using HMAC-SHA256 signatures. While we strive to protect your data, no method of electronic transmission or storage is 100% secure.

8. Data Retention

We retain your data for the following periods:

  • Account data: For the duration of your active subscription plus 90 days after account deletion.
  • Message content: For the duration of your active subscription. Deleted upon account deletion request.
  • AI conversation history: For the duration of your active subscription.
  • Instagram OAuth tokens: Until expiry (60 days) or account disconnection, whichever comes first.
  • Payment records: 7 years, as required for tax and legal compliance.
  • Usage logs: 12 months from the date of collection.

9. Your Data Rights

Depending on your location, you may have the following rights:

  • GDPR Rights (EEA/UK): Right of access, rectification, erasure, restriction of processing, data portability, objection to processing, and the right not to be subject to automated decision-making. You may exercise these rights by contacting us.
  • CCPA/CPRA Rights (California): Right to know what personal information is collected, right to delete, right to opt-out of sale/sharing (we do not sell your data), right to correct, and right to limit use of sensitive personal information. You may exercise these rights by contacting us.
  • All Users: You can disconnect your Instagram account, delete your auto-reply rules and AI configuration, or request complete account deletion at any time.

To exercise any of these rights, please contact us at support@novadream.io.

10. Automated Decision-Making

Our AI Agent feature makes automated decisions about how to respond to incoming Instagram messages based on your configuration. These automated responses are sent on your behalf without individual human review. You can disable the AI Agent at any time from your dashboard settings. You are responsible for monitoring and reviewing the automated responses sent from your account.

11. International Data Transfers

Your data may be transferred to and processed in the United States, where our service providers (including OpenAI and Meta) are located. For transfers from the EEA/UK, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or other legally recognized transfer mechanisms. By using the Service, you acknowledge that your data may be processed outside your country of residence.

12. Information for Third-Party Message Senders

If you send a direct message to an Instagram business account that uses NovaDream, your message content and Instagram username may be processed by our AI system to generate an automated reply. This processing is based on the legitimate interest of the business account holder in providing timely customer support. We do not use your data for any purpose other than generating the automated response. We do not profile, aggregate, or sell third-party sender data. You may contact us to request deletion of your message data.

13. Third-Party Websites

Our Service may contain links to third-party websites. We are not responsible for the privacy practices or content of such third-party sites. We encourage you to read the privacy policies of any third-party sites you visit.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last updated" date. Your continued use of the Service after changes are posted constitutes acceptance of the updated policy.

15. Contact Us

If you have questions or comments about this Privacy Policy, or wish to exercise your data rights, please contact us at: support@novadream.io