Vol. I · Issue 01 · June 19, 2026
austa

03 The Brief, on data

Privacy policy.

Austa is a single-purpose tool: when someone comments a keyword on your Instagram post, we check if they follow you, and send a DM with your link — gating it behind a follow if they don't. This policy describes the data we need to do that, the data we deliberately do not touch, who else sees it, how long it lives, and what you can ask us to do with it. We have written it in plain English. Where the law requires something precise, we say so directly.

Who runs austa

austa is operated by Bhushan Gaikwad, a sole proprietor based in India, trading as “austa”. Postal and legal contact: support@austa.in. Under the EU GDPR and the India Digital Personal Data Protection Act, 2023 (“DPDP”), we are the data controller (in DPDP terms, the “Data Fiduciary”) for the data described below.

Data we collect

We only collect what we need to run the service. There are five categories.

  1. Account data from Meta Login. When you sign in, Meta hands us your Instagram user ID, username, account type (Creator or Business), profile picture URL, and an OAuth access token scoped to the permissions you granted. We do not receive your password and we do not receive your email at sign-in (Meta does not return it under the permissions we ask for).
  2. Automation configuration. The rules you create: trigger keywords, target post or story IDs, reply message text, match mode, follow-gate settings.
  3. Event log. Each comment that Meta pushes to our webhook for your account, plus the follow-check we performed, the action we took (DM sent, skipped, follow-gate triggered, failed), and any error returned by Meta. This populates your analytics dashboard.
  4. Payment records. When you subscribe through Razorpay we receive a customer ID, subscription ID, plan, status, current period dates, and invoice references. We do not store your card number, UPI ID, or netbanking credentials at any point. Those stay with Razorpay.
  5. Diagnostic and security logs. Standard server logs: IP address at sign-in, request paths, response status, timestamps, and a session cookie identifier. Used to keep the service up and to investigate abuse or outages.

Data we deliberately do not collect

Legal basis (GDPR)

We rely on three lawful bases. Performance of a contract (you signed up for an automation service; we need account, rule, and event data to deliver it). Legitimate interest (security logs and aggregated analytics, balanced against your rights). Consent (the OAuth permissions you grant Meta on our behalf; you can withdraw at any time by disconnecting). For DPDP, processing relies on your consent given at sign-in and the contractual necessity described above.

How we use it

We do not use your data to train machine-learning models, build audience profiles, or sell to anyone. Ever.

Who we share data with

We use three sub-processors. Each operates under their own privacy terms and processes only what is necessary to do their job.

  1. Cloudflare, Inc. Hosts the application (Workers), the primary database (D1), and key-value storage (KV). Data is stored at rest in Cloudflare's global edge infrastructure. See Cloudflare's privacy policy.
  2. Meta Platforms, Inc. We call the Instagram Graph API on your behalf using the access token you granted at sign-in. Read calls fetch your account and event data; write calls deliver the replies you configured. See Instagram's privacy policy.
  3. Razorpay Software Pvt. Ltd. Processes payments, subscriptions, refunds, and tax-invoice generation in INR. Razorpay sees the payment instrument; we do not. See Razorpay's privacy policy.

We have written data-processing agreements (or equivalent terms) in place with each of these. We do not engage further sub-processors without updating this policy first.

International transfers

austa is operated from India, hosted on Cloudflare's global network, and integrates with US-based Meta and India-based Razorpay. When data crosses borders, the transfer relies on Standard Contractual Clauses (for EU/UK data subjects) and on the consent and contract bases described above.

Retention

Your rights

Regardless of where you live, we extend the following rights to every austa user (combining GDPR, the California Consumer Privacy Act, and DPDP into a single set).

To exercise any of these, write to support@austa.in from the email associated with your account. We respond within 30 days, and faster if we can.

Cookies and tracking

austa uses two cookies, both first-party and strictly necessary: a temporary state cookie during OAuth (lives for a few minutes, prevents CSRF attacks on the sign-in flow), and a session cookie that keeps you signed in. We do not use advertising cookies, analytics cookies, fingerprinting, third-party trackers, or pixels. The marketing site at austa.in is fully static and ships without any tracking script.

Children

austa is not intended for anyone under the age of 16. We do not knowingly collect data from people under 16. If you believe a minor has signed up, write to us and we will delete the account. For DPDP purposes, processing of children's data requires verifiable parental consent which we do not solicit.

Security

All traffic is served over HTTPS. Meta access tokens and other sensitive secrets are encrypted at rest. Access to production data is restricted to the operator and limited to what is needed for support and debugging. If we discover a breach affecting your personal data, we notify you and the relevant supervisory authority within 72 hours, as required.

Changes to this policy

If we materially change how we collect, use, or share your data, we notify subscribers by email and bump the version number at the top of this page. Continued use after a notified change means you accept the revised policy. The current version is always at austa.in/privacy.

Contact

For privacy questions, deletion requests, complaints, or anything else covered by this policy, write to support@austa.in. We treat the inbox seriously and reply.