Privacy Policy
Last updated: 26 June 2026
This Privacy Policy describes our policies and procedures on the collection, use and disclosure of your information when you use the Boomly service and tells you about your privacy rights and how the law protects you.
We use your personal data to provide and improve the service. By using the service, you agree to the collection and use of information in accordance with this Privacy Policy.
Definitions
- Account means a unique account created for you to access our service.
- Company (referred to as “We”, “Us” or “Our”) refers to Boomly, operated as a sole proprietorship registered in India.
- Cookies are small files placed on your device by a website, containing details of your browsing history.
- Country refers to: India.
- Personal Data is any information that relates to an identified or identifiable individual.
- Service refers to the Boomly website, dashboard and the Instagram, Facebook Messenger and YouTube automation features.
- Third-party Social Media Service refers to any website or social network through which a user can log in or connect their account.
- Usage Data refers to data collected automatically, generated by the use of the service.
- You means the individual accessing or using the service.
Personal Data We Collect
While using our service, we may ask you to provide us with certain personally identifiable information that can be used to contact or identify you, including:
- Email address
- First name and last name
- Phone number (optional)
- Address, state, ZIP/postal code, city
- Usage data
Usage Data
Usage data is collected automatically when using the service. It may include information such as your device's IP address, browser type, browser version, the pages of our service that you visit, the time and date of your visit, time spent on those pages, unique device identifiers and other diagnostic data.
Information from Instagram & Meta Platforms
When you connect an Instagram Business or Creator account to Boomly via the Meta “Instagram API with Instagram Login” product, we collect — strictly for delivering the automation features you configure — the following data from the Meta Graph API:
- Instagram username, user ID, profile picture and account type
- Comments on your posts that match your trigger keywords
- Direct messages your followers send to your business inbox
- Story replies and @mentions
- Basic insights (follower counts, engagement metrics) shown only to the connected user
We collect this data through Meta Webhook events (comments, messages, messaging_postbacks, messaging_referral, mentions, story_insights) only after you explicitly authorize Boomly during the OAuth flow. Boomly requests three Meta permissions: instagram_business_basic (read profile), instagram_business_manage_comments (read & reply to comments) and instagram_business_manage_messages (read & send DMs). We use no other Meta permissions.
We never sell or rent your Instagram data, and we never use it for advertising, profiling, training AI models, or any purpose unrelated to executing the automations you create. All access and refresh tokens are encrypted at rest using AES-256-GCM and decrypted only at the moment of an outgoing Graph API call. Webhook payloads are stored for up to 30 days for delivery debugging and then permanently deleted.
Boomly's use of Meta Platform data is subject to and complies with the Meta Platform Terms and Meta Developer Policies.
Information from Facebook Pages & Messenger
When you connect a Facebook Page to Boomly, we collect — strictly to deliver the Messenger automations you configure — your Page name and ID, the Page access token, and the messages and comments people send to your Page that match your triggers. We request only the Meta permissions required to read and reply to Page messages and comments (such as pages_messaging, pages_manage_metadata and pages_read_engagement). This data is handled under the same Meta Platform Terms and Developer Policies referenced above, encrypted at rest, and never sold, rented, or used for advertising or model training.
Information from YouTube & Google
When you connect a YouTube channel to Boomly using Google OAuth, we access — strictly to deliver the comment-automation features you configure — the following via the YouTube Data API:
- Your YouTube channel ID, title, handle and thumbnail
- Comments on your videos that match your trigger keywords
- The replies Boomly posts to those comments on your behalf
Boomly requests two Google OAuth scopes: youtube.readonly (to read your channel and the comments on your videos) and youtube.force-ssl (to post, edit or delete the comment replies you have configured). We request no other Google or YouTube scopes — we do not access your videos, uploads, analytics, or any other Google service.
Boomly's use of information received from Google APIs adheres to the Google API Services User Data Policy, including its Limited Use requirements. We use YouTube data only to execute the automations you create; we never sell or transfer it, use it for advertising, or use it to train AI/ML models. By connecting a channel you also agree to the YouTube Terms of Service and acknowledge the Google Privacy Policy. Google OAuth access and refresh tokens are encrypted at rest using AES-256-GCM and decrypted only at the moment of an outgoing YouTube Data API call. You can revoke Boomly's access at any time at Google Account → Third-party access.
Third-Party Social Media Services
Boomly allows you to log in or connect your account through Google, Facebook, and Instagram. If you decide to register through a third-party service, we may collect personal data already associated with that account.
Cookies & Tracking
We use cookies and similar tracking technologies to track activity on our service:
- Essential / Session cookies — required for authentication and security.
- Functionality cookies — remember your preferences (theme, language, login).
- Analytics cookies — help us understand how the service is used.
How We Use Your Personal Data
- To provide and maintain our service
- To manage your account and registration
- To execute the Instagram automations you configure
- To contact you about updates, security alerts and product news
- To process payments via Razorpay
- To detect, prevent and address fraud or abuse
- To comply with legal obligations
Sharing Your Information
We may share your personal information with:
- Service providers — Supabase (database), Razorpay (payments), Vercel (hosting), email providers (transactional email).
- Meta Platforms — limited to the data needed to deliver the Instagram and Facebook Messenger features you have configured.
- Google / YouTube — limited to the data needed to deliver the YouTube comment-automation features you have configured.
- Affiliates — required to honor this Privacy Policy.
- Law enforcement — when required by valid legal process.
- With your consent — for any other purpose disclosed at the time.
Retention of Your Personal Data
We retain your personal data only for as long as necessary for the purposes set out in this Privacy Policy. Specific retention periods:
- Account profile (name, email, hashed password) — for the lifetime of your account; deleted within 7 days of account deletion request.
- Instagram, Facebook and YouTube/Google access & refresh tokens — until you disconnect that channel from Boomly or delete your account; deleted immediately on disconnect.
- Automation rules & logs — retained while your account is active; logs older than 90 days are auto-purged.
- Raw webhook event payloads — retained for up to 30 days for delivery debugging, then auto-deleted.
- Lead / contact data captured by your automations — retained until you delete the automation rule or your account, whichever is sooner.
- Audit deletion records (timestamp + hashed user ID, no PII) — up to 90 days after account deletion to satisfy security and compliance obligations.
- Billing & tax records — up to 7 years as required by India tax law, even after account deletion.
Security
The security of your personal data is important to us. We use industry-standard practices including bcrypt password hashing, AES-256 encryption for tokens, HTTPS-only transit, and Postgres row-level security. However, no method of transmission over the internet is 100% secure.
Delete Your Personal Data
You have the right to delete your personal data at any time. There are three deletion paths:
- From the app — sign in, open Settings → Account and click Delete my account.
- By email — write to hello@boomly.bio from your registered address with subject “Boomly data deletion”.
- From Instagram — revoke Boomly's access at Instagram → Apps and Websites. Meta will send a Data Deletion Request callback to our endpoint POST /api/data-deletion, which automatically queues your data for deletion within 7 days.
- From YouTube / Google — revoke Boomly's access at Google Account → Third-party access. We immediately stop polling your channel and delete the stored Google tokens.
See our complete Data Deletion Instructions for verification steps and exact retention timelines after deletion. We may retain limited information (billing records for 7 years, audit hashes for 90 days) where required by India law.
Children's Privacy
Our service does not address anyone under the age of 13. We do not knowingly collect personally identifiable information from anyone under the age of 13.
Links to Other Websites
Our service may contain links to other websites that are not operated by us. We strongly advise you to review the Privacy Policy of every site you visit. We assume no responsibility for the practices of third-party sites.
Changes to this Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the “Last updated” date.
Contact Us
If you have any questions about this Privacy Policy:
- By email: hello@boomly.bio
- By visiting: boomly.bio/contact