Privacy Policy
This Privacy Policy explains what data the Extension collects, how it is used and handled, where it is stored, and every party it is shared with. It applies to the IG Outreach Pro browser extension distributed through the Chrome Web Store and to its companion licensing backend.
1. What the Extension does (single purpose)
The Extension is a side panel that runs only on instagram.com. It helps you send personalized direct messages from your own, already-logged-in Instagram account: you create outreach campaigns targeting a custom list, a profile's followers, or a hashtag; the Extension sends your templated messages with rate limits and safety delays, scans your DM inbox for replies, and can send scheduled follow-ups. A paid tier ($29.99/month) removes the free daily limit and adds AI-assisted message drafting and reply classification.
2. Data the Extension collects and handles
a) Information you provide
- Campaigns you configure (name, targeting type โ custom list, followers, or hashtag โ and targeting criteria).
- Message templates and follow-up messages you write.
- Settings you choose (daily limits, delays, warm-up, follow-up rules, and similar controls).
- Imported contact lists. You may import custom target lists from PDF or Excel files. These files are parsed entirely inside your browser; the files and their contents are never uploaded anywhere.
- Google account information (paid tier / sign-in). If you sign in with Google, the Extension uses Chrome's built-in identity system (
chrome.identity, with theopenid,email, andprofilescopes) to obtain an OAuth access token. The Extension retrieves your Google account ID ("sub") and email address once and caches them locally. The Extension never sees or stores your Google password.
b) Information the Extension reads from Instagram pages
- Usernames and target lists visible on the Instagram pages you use it on (e.g., follower lists, accounts posting under a hashtag), read only to determine who a campaign should message.
- Reply detection and reply text. To power the reply/follow-up features, the Extension periodically scans your own DM inbox for replies from people you previously messaged, and may open a conversation thread to read the latest incoming message. Scanned reply text is stored locally so you can review and triage replies as leads.
The Extension does not access your Instagram password or login credentials โ it operates inside your existing signed-in Instagram session. It does not read your browsing history or the content of any website other than instagram.com.
c) Information generated automatically
- Daily message counter and send statistics, used to enforce your limits.
- Send memory (a local list of usernames you have already messaged), used to prevent duplicate messaging.
- Run state and activity log (campaign progress, queues of sent/failed sends), used so campaigns can resume after a page reload and so you can review what happened.
d) Payment information
Subscription payments are processed entirely by Stripe through Stripe Checkout and the Stripe Billing Portal, in a separate browser tab outside the Extension. The Extension never sees, collects, or stores your card number or other payment details. Stripe's handling of your payment data is governed by Stripe's own privacy policy.
3. How your data is used
All data described in Section 2 is used exclusively to provide the Extension's single purpose โ running your Instagram DM outreach. Specifically: campaigns, templates, settings, and target lists are used to compose and send the messages you configure; scanned reply text is used to show you replies, suggest which are worth saving as leads, and schedule follow-ups; counters, send memory, and run state enforce your limits and prevent duplicates; and your Google account ID, email, and access token are used only to verify your subscription tier and to create or manage your Stripe subscription.
We do not use any of this data for advertising, profiling unrelated to the Extension's features, credit assessment, resale, or any purpose unrelated to the Extension's single purpose.
4. Where data is stored
On your device. Your campaigns, templates, settings, imported lists, daily counters, send memory, run state, activity log, scanned replies, saved leads, and cached Google account ID/email are stored locally in your browser using the Chrome storage API. This local data is not transmitted to us except in the specific cases in Section 5, and it remains on your device until you clear it or uninstall the Extension.
On our server. Our licensing backend (hosted on Vercel, with data stored in Upstash Redis) keeps a minimal license record keyed to your Google account ID. This record contains your Google account ID, your email address, your subscription status (active/inactive), and โ if you have subscribed โ your Stripe customer ID so we can link subscription events to your license. We do not store your campaigns, templates, target lists, messages, or reply text on our server. IP addresses are processed transiently for rate limiting and abuse prevention and are not used to build profiles.
5. What leaves your device, and every party it is shared with
The Extension transmits data only as follows, and to no other parties:
- Google (Google LLC). Sign-in is performed through Chrome's identity system with Google's OAuth service. On sign-in, the Extension fetches your account ID and email from Google's userinfo endpoint. On sign-out, the token is revoked with Google. Google's processing is governed by Google's privacy policy.
- Our licensing backend (hosted by Vercel Inc., data stored with Upstash, Inc.). To check your subscription tier, the Extension sends your Google access token to our server, which re-verifies it directly with Google and looks up your license. To start a subscription, the Extension sends your Google account ID and email so Stripe Checkout can be created for you. Vercel (hosting) and Upstash (managed Redis database) process this data on our behalf as infrastructure providers.
- Stripe, Inc. When you subscribe, your Google account ID is attached to the Stripe Checkout session as a reference, and Stripe collects your payment details directly. Stripe notifies our server of subscription events (payment succeeded/failed, subscription canceled, etc.) so your license stays in sync.
- Anthropic, PBC (paid tier, AI features only). If you use the AI features: (a) when you click "Generate with AI," the campaign context you provide (niche/product, tone, goal) and, where applicable, a small sample of scraped public target data (such as usernames or bio text) is sent to our server, which forwards it to Anthropic's Claude API to draft message variants; (b) after reply scans, the text of an Instagram reply and minimal contact context is sent to our server, which forwards it to Anthropic's Claude API to classify whether the reply looks like a promising lead. These requests are processed to provide the feature and are not used by us for any other purpose. Under Anthropic's commercial API terms, API inputs and outputs are not used to train Anthropic's models. If you never use the AI features, no message or reply content is ever sent to our server.
- Instagram / Meta Platforms, Inc. The DMs you choose to send are delivered through Instagram using your own account, and are therefore visible to Instagram and your recipients. This is inherent to sending an Instagram DM and is governed by Instagram's own terms and privacy policy.
We do not share data with analytics providers, advertising networks, or data brokers. We do not sell your data. We do not transfer your data except as described above.
6. Data we do NOT collect
- Your Instagram password or login credentials.
- Your browsing history or activity on non-Instagram sites.
- Payment card details (handled solely by Stripe).
- Cookies or trackers for advertising or analytics.
- Your messages, templates, campaigns, or contact lists on our servers โ with the sole, user-initiated exception of the AI-feature requests described in Section 5(4), which are processed transiently and not retained as a message database.
7. Data retention and deletion
Local data: delete individual items with the Extension's own controls, or remove the Extension from your browser โ uninstalling clears its local storage. Server data: your license record (Google account ID, email, subscription status, Stripe customer ID) is retained while you have an account or active/renewable subscription and for as long as needed for tax, accounting, and fraud-prevention obligations. To request deletion of your license record, email Ahmedkarrar432@gmail.com from the Google account email on file; we will delete it unless we are legally required to retain parts of it (e.g., payment records held by Stripe). Signing out revokes the Extension's Google token.
8. Data security
All communication with our backend, Google, Stripe, and Anthropic occurs over encrypted HTTPS. Your Google token is re-verified server-side on every license check rather than trusting the client. API keys for Stripe and Anthropic exist only on the server and never ship inside the Extension. Requests to our backend are rate-limited to deter abuse.
9. Google user data and Limited Use
The Extension's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements, and to the Chrome Web Store User Data Policy, including its Limited Use requirements. We use Google user data (your account ID and email) only to authenticate you and manage your subscription; we do not transfer it except as necessary to provide that function (Sections 4โ5), to comply with applicable law, or as part of a merger/acquisition with prior notice to you; and we never use or transfer it for advertising, creditworthiness, or lending purposes. No human reads this data except with your consent, for security purposes, to comply with law, or in aggregated/anonymized form.
10. Children's privacy
The Extension is intended for users aged 18 and older and is not directed to children. We do not knowingly collect data from children.
11. Changes to this policy
We may update this Privacy Policy โ for example, if we add a permission or change how data is handled. We will revise the "Last updated" date above and, where the change is material, disclose it prominently before it takes effect. The current version is always available at this URL.
12. Contact
For any questions about this Privacy Policy or your data:
Email: Ahmedkarrar432@gmail.com