03 The Brief, on data
Privacy policy.
Last updated · 22 May 2026 · Version 1.0
Austa is a single-purpose tool: when someone comments a keyword on your Instagram post, we check if they follow you, and send a DM with your link — gating it behind a follow if they don't. This policy describes the data we need to do that, the data we deliberately do not touch, who else sees it, how long it lives, and what you can ask us to do with it. We have written it in plain English. Where the law requires something precise, we say so directly.
Who runs austa
austa is operated by Bhushan Gaikwad, a sole proprietor based in India, trading as “austa”. Postal and legal contact: support@austa.in. Under the EU GDPR and the India Digital Personal Data Protection Act, 2023 (“DPDP”), we are the data controller (in DPDP terms, the “Data Fiduciary”) for the data described below.
Data we collect
We only collect what we need to run the service. There are five categories.
- Account data from Meta Login. When you sign in, Meta hands us your Instagram user ID, username, account type (Creator or Business), profile picture URL, and an OAuth access token scoped to the permissions you granted. We do not receive your password and we do not receive your email at sign-in (Meta does not return it under the permissions we ask for).
- Automation configuration. The rules you create: trigger keywords, target post or story IDs, reply message text, match mode, follow-gate settings.
- Event log. Each comment that Meta pushes to our webhook for your account, plus the follow-check we performed, the action we took (DM sent, skipped, follow-gate triggered, failed), and any error returned by Meta. This populates your analytics dashboard.
- Payment records. When you subscribe through Razorpay we receive a customer ID, subscription ID, plan, status, current period dates, and invoice references. We do not store your card number, UPI ID, or netbanking credentials at any point. Those stay with Razorpay.
- Diagnostic and security logs. Standard server logs: IP address at sign-in, request paths, response status, timestamps, and a session cookie identifier. Used to keep the service up and to investigate abuse or outages.
Data we deliberately do not collect
- Your direct-message history beyond events that match an active rule
- Your follower list, following list, or contact graph
- The content of posts, stories, or reels you did not configure as a trigger
- Data from Instagram accounts other than the one you connected
- Biometric, health, location, or political-opinion data of any kind
- Browsing data, advertising IDs, or cross-site identifiers
Legal basis (GDPR)
We rely on three lawful bases. Performance of a contract (you signed up for an automation service; we need account, rule, and event data to deliver it). Legitimate interest (security logs and aggregated analytics, balanced against your rights). Consent (the OAuth permissions you grant Meta on our behalf; you can withdraw at any time by disconnecting). For DPDP, processing relies on your consent given at sign-in and the contractual necessity described above.
How we use it
- To run the automations you configured
- To show you the analytics dashboard
- To process payments and renewals through Razorpay
- To send transactional emails when you write to us, when a payment fails, or when the service materially changes
- To investigate abuse, debug errors, and keep the service available
We do not use your data to train machine-learning models, build audience profiles, or sell to anyone. Ever.
Who we share data with
We use three sub-processors. Each operates under their own privacy terms and processes only what is necessary to do their job.
- Cloudflare, Inc. Hosts the application (Workers), the primary database (D1), and key-value storage (KV). Data is stored at rest in Cloudflare's global edge infrastructure. See Cloudflare's privacy policy.
- Meta Platforms, Inc. We call the Instagram Graph API on your behalf using the access token you granted at sign-in. Read calls fetch your account and event data; write calls deliver the replies you configured. See Instagram's privacy policy.
- Razorpay Software Pvt. Ltd. Processes payments, subscriptions, refunds, and tax-invoice generation in INR. Razorpay sees the payment instrument; we do not. See Razorpay's privacy policy.
We have written data-processing agreements (or equivalent terms) in place with each of these. We do not engage further sub-processors without updating this policy first.
International transfers
austa is operated from India, hosted on Cloudflare's global network, and integrates with US-based Meta and India-based Razorpay. When data crosses borders, the transfer relies on Standard Contractual Clauses (for EU/UK data subjects) and on the consent and contract bases described above.
Retention
- Account and automation data: kept while your account is active; removed within 30 days of account closure or disconnection
- Event log: rolling 90 days for individual events; older data is aggregated into anonymous activity counts and retained for trend analytics
- Payment records: retained for 8 years as required by Indian tax law (income tax assessment, GST), with personally identifying fields redacted where compatible with that obligation
- Server and security logs: 30 days
- Backups: at most 30 days; deletion requests cascade into backups on the next rotation
Your rights
Regardless of where you live, we extend the following rights to every austa user (combining GDPR, the California Consumer Privacy Act, and DPDP into a single set).
- Access. Ask for a copy of the data we hold on you
- Correction. Ask us to fix data that is wrong or out of date
- Deletion. Ask us to delete your account and all associated data; see data deletion
- Portability. Ask for a machine-readable export of your data
- Restriction and objection. Ask us to pause processing while a complaint is resolved
- Withdraw consent. Disconnect Instagram at any time from the dashboard, or revoke our app from your Instagram settings
- Non-discrimination. We will not penalise you for exercising any of these rights
- Complain. If we mishandle your data you can complain to the supervisory authority in your jurisdiction (the Data Protection Board of India under DPDP, your national DPA under GDPR, or the California Privacy Protection Agency under CCPA)
To exercise any of these, write to support@austa.in from the email associated with your account. We respond within 30 days, and faster if we can.
Cookies and tracking
austa uses two cookies, both first-party and strictly necessary: a temporary state cookie during OAuth (lives for a few minutes, prevents CSRF attacks on the sign-in flow), and a session cookie that keeps you signed in. We do not use advertising cookies, analytics cookies, fingerprinting, third-party trackers, or pixels. The marketing site at austa.in is fully static and ships without any tracking script.
Children
austa is not intended for anyone under the age of 16. We do not knowingly collect data from people under 16. If you believe a minor has signed up, write to us and we will delete the account. For DPDP purposes, processing of children's data requires verifiable parental consent which we do not solicit.
Security
All traffic is served over HTTPS. Meta access tokens and other sensitive secrets are encrypted at rest. Access to production data is restricted to the operator and limited to what is needed for support and debugging. If we discover a breach affecting your personal data, we notify you and the relevant supervisory authority within 72 hours, as required.
Changes to this policy
If we materially change how we collect, use, or share your data, we notify subscribers by email and bump the version number at the top of this page. Continued use after a notified change means you accept the revised policy. The current version is always at austa.in/privacy.
Contact
For privacy questions, deletion requests, complaints, or anything else covered by this policy, write to support@austa.in. We treat the inbox seriously and reply.