Privacy Policy

MySalesFlow — Automotive Lead Operations Hub · Operated by TheCarCo

1. Introduction

This Privacy Policy describes how MySalesFlow, operated by TheCarCo ("we", "our", or "us"), collects, uses, and protects information when you connect your Instagram Business Account or interact with our platform through our Meta / Instagram integration.

By connecting your Instagram account or using our services, you agree to the practices described in this policy. If you do not agree, please disconnect the integration from your settings.

2. Information We Collect

When you authorise our app through Instagram Business Login, we collect:

  • Your Instagram Business account profile information (name, username, account ID)
  • All incoming Direct Messages (DMs) received in your Instagram Business inbox — including the full message text, the sender's Instagram-scoped user ID (IGSID), and the timestamp
  • Outgoing replies sent from our platform — the message text, recipient IGSID, and timestamp are stored to keep conversation threads coherent
  • Basic profile information of senders (Instagram username and display name), fetched from the Graph API to label conversations in our dashboard
  • Phone numbers extracted from incoming messages, stored separately as sales leads together with the source message text and sender identifier

We store the full text of every incoming and outgoing DM processed through our platform in order to display complete conversation threads and enable your sales team to reply. Message data is retained for as long as the Instagram integration remains connected; it is deleted upon disconnection or upon request.

3. Permissions Used

Our application requests only the following two Instagram permissions, which are the minimum required to operate our features:

Permission Purpose
instagram_business_basic Read the basic profile information of the connected Instagram Business account (name, username, account ID) to identify and associate the account within our platform.
instagram_business_manage_messages Receive real-time webhook notifications for every Direct Message that arrives in your Instagram Business inbox, store the full conversation thread in our platform, and send replies back to customers on behalf of the connected Instagram Business account — all from within our sales dashboard. We also scan incoming messages for phone numbers and save any found as sales leads for follow-up.

We request only the minimum permissions necessary. No other permissions are requested or used.

4. How We Use Your Information

  • To identify which Instagram Business account is connected to our platform
  • To receive real-time notifications of incoming DMs via Meta's webhook system
  • To store and display complete DM conversation threads in our internal dashboard, enabling your sales team to read and respond to messages
  • To send replies to customers directly from our platform on behalf of the connected Instagram Business account
  • To scan incoming message text for phone numbers and store any found as sales leads
  • To display captured phone leads and full conversation histories in our admin dashboard for sales team follow-up
  • To cache sender profile information (username, display name) to make conversations easier to identify
  • To authenticate and maintain a secure connection to the Meta Graph API

We do not sell, rent, or share your Instagram data with any third party for marketing, advertising, or profiling purposes.

5. Data Storage & Security

Access tokens obtained during the OAuth flow are encrypted at rest using AES-256 encryption before being stored in our database. We use HTTPS/TLS for all data in transit.

We retain access tokens and associated account data only for as long as the Instagram integration remains connected. Disconnecting the integration immediately removes all stored tokens from our system.

6. Data Sharing

We do not share your Instagram or Facebook data with third parties except:

  • Where required by law or a valid legal order
  • With service providers acting on our behalf who are bound by confidentiality agreements and who process data only as instructed by us

We do not use Instagram or Facebook data to train AI models or for any purpose outside the stated scope of this policy.

7. Your Rights

You may at any time:

  • Disconnect the Instagram integration via our platform settings, which deletes all stored tokens immediately
  • Revoke access directly in your Instagram or Facebook account settings under "Apps and Websites"
  • Request deletion of any data we hold about your account by contacting us at the address below
  • Request a copy of the data we process on your behalf

8. Cookies

Our platform uses session cookies solely to maintain your authenticated session and to store temporary OAuth state parameters during the Instagram login flow. We do not use tracking or advertising cookies.

9. Children's Privacy

Our services are intended for business use only and are not directed at individuals under the age of 18. We do not knowingly collect personal data from minors.

10. Changes to This Policy

We may update this Privacy Policy from time to time. The "Last updated" date at the bottom of this page will reflect the most recent revision. Continued use of the integration after a change constitutes acceptance of the updated policy.

11. Contact Us

If you have any questions or concerns about this Privacy Policy or your data, please contact:

Last updated: 13 June 2026