Summary. We analyze your own Instagram data to give you insights — accessed only through Meta's official API, never by scraping, and never including your password. We use your Instagram data only to provide the Service to you; we do not sell your data or your Instagram data, and we handle it in line with Meta's Platform Terms and Developer Policies (see §6). You can access, export, disconnect, or delete your data at any time.
1. Introduction
This Privacy Policy explains how Clariturn ("Clariturn", "we", "us", "the Service") collects, uses, shares, and protects personal data when you use our analytics and content-strategy tool for Instagram Business and Creator accounts. It is written to comply with the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and the Czech Act No. 110/2019 Coll. on the Processing of Personal Data.
Please read it together with our Terms of Service and Cookie Policy. By creating an account you confirm that you have read and understood this policy.
2. Who we are (data controller)
The controller responsible for your personal data is:
- Clariturn — operated by [Operator legal name], with registered office at [address], company ID (IČO) [IČO], registered in [register].
- Privacy contact: privacy@clariturn.com
We have not appointed a statutory Data Protection Officer, as we are not required to; privacy questions are handled at the address above.
3. Data we collect
3.1 Account data (provided by you)
- Your name and email address
- Your password, stored only as a salted hash (we never store or see the plaintext)
- Optional security data: two-factor authentication secret (encrypted) and recovery codes (hashed)
- Your communication and notification preferences
3.2 Instagram data (with your explicit authorization via Meta OAuth)
- Your Instagram profile information (username, display name, biography, follower/following counts, profile picture)
- Your own posts, Reels, and carousels — their captions, media type, timestamps and identifiers
- Performance metrics on your own content (reach, impressions, engagement, likes, comments, saves, shares, video views, watch time)
- Comments on your own content, only where you grant that permission
We access an encrypted Meta access token to retrieve the above on your behalf. We never receive your Instagram password, and we never access content of accounts you do not own.
3.3 Usage and technical data (collected automatically)
- Product usage: pages visited, features used, actions taken, and session duration
- Device and log data: IP address, browser type and version, operating system, and timestamps
- Cookies and similar technologies (see our Cookie Policy)
3.4 Billing data
If you subscribe to a paid plan, payment is processed by our payment provider. We receive limited transaction data (plan, status, last four digits, invoices) but not your full card number.
4. How we use your data
- To provide and operate the Service — authentication, connecting your Instagram account, and computing your analytics
- To generate insights, audit scores, recommendations, and content plans from your own performance data
- To send service communications and, where you opt in, weekly reports and product updates
- To maintain security, prevent fraud and abuse, and keep an audit log of security-relevant events
- To improve, debug, and develop the product, including by analysing usage patterns (your Instagram Platform Data is used only to serve you — see §6)
- To create aggregated, anonymized statistics that operate and improve the Service, as described in §6
- To comply with our legal obligations and to establish, exercise, or defend legal claims
5. Legal bases for processing
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Providing the Service and managing your account | Performance of a contract (Art. 6(1)(b)) |
| Connecting and reading your Instagram data | Your consent, given through Meta's OAuth flow (Art. 6(1)(a)) |
| Security, fraud prevention, product improvement | Our legitimate interests (Art. 6(1)(f)) |
| Optional analytics & marketing cookies | Your consent (Art. 6(1)(a)) |
| Keeping billing and accounting records | Legal obligation (Art. 6(1)(c)) |
Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal. Where we rely on legitimate interests, you may object (see §10).
6. Instagram (Meta) Platform Data
Data we obtain through Meta's APIs — your Instagram profile, content, and performance metrics ("Platform Data") — is handled in accordance with Meta's Platform Terms and Developer Policies, in addition to the GDPR. Specifically:
- Limited use. We use Platform Data only to provide the Service to you — to compute and display your own analytics, audit, recommendations, forecast, growth tracking and content plans. We do not use it for any unrelated purpose.
- No selling. We do not sell, license, rent, or trade Platform Data, or any data derived from it, to anyone.
- No advertising or data brokers. We do not use Platform Data for advertising, and we never share it with data brokers, ad networks, or for any third party's own marketing.
- No unnecessary sharing. We share Platform Data only with the processors strictly needed to run the Service (see §7), who act solely on our instructions.
- Deletion. When you disconnect Instagram, delete your account, or revoke our access in Instagram (Settings → Apps and websites), we delete your Platform Data and stored access token — see §8 and our Data Deletion page.
- Security. Your Meta access token is encrypted at rest, and we never receive your Instagram password.
6.1 Aggregated and anonymized insights
We may create aggregated, anonymized statistics — for example, "the median engagement rate for creators with 10–50k followers is 3.1%" — to operate and improve the Service and to power benchmarks shown inside the product. Such statistics describe groups, never individuals, and cannot reasonably be linked back to you, your account, or your Instagram profile (GDPR Recital 26). We do not sell Platform Data or data derived from it, in either identifiable or aggregated form.
What we never do: we do not sell, rent, or trade your personal data or your Instagram data; we do not share your raw Instagram data, contact details, or individual metrics with third parties for their own purposes; and we do not use your data to train third-party AI models.
8. Data storage and retention
- Account data: kept while your account is active.
- Instagram Platform Data: cached only as long as needed to provide the Service (up to 12 months for trend analysis), then refreshed or removed. If you disconnect Instagram or revoke our access, your Platform Data and stored access token are deleted promptly (within 30 days).
- Security and log data: up to 90 days, longer only where needed for an active investigation.
- Billing records: retained for the period required by tax and accounting law.
- On account deletion, personal data is removed within 30 days (see Data Deletion), except records we must keep by law.
- Anonymized and aggregated data (§6) is not personal data and may be retained indefinitely.
9. International data transfers
We aim to store and process personal data within the European Economic Area (EEA). Some processors (for example Meta or AI providers) may process data outside the EEA. Where that happens, we rely on an adequacy decision or on the European Commission's Standard Contractual Clauses with appropriate safeguards.
10. Your rights
Under the GDPR you have the right to:
- Access — obtain a copy of the personal data we hold about you
- Rectification — correct inaccurate or incomplete data
- Erasure — have your data deleted ("right to be forgotten")
- Restriction — limit how we process your data
- Portability — receive your data in a structured, machine-readable format (export is built into Settings)
- Objection — object to processing based on legitimate interests
- Withdraw consent — at any time, e.g. by disconnecting Instagram or changing cookie preferences
To exercise any right, contact privacy@clariturn.com. You also have the right to lodge a complaint with your local supervisory authority — in the Czech Republic, the Office for Personal Data Protection (Úřad pro ochranu osobních údajů, uoou.gov.cz).
11. Security
- Passwords are hashed; Instagram access tokens and 2FA secrets are encrypted at rest.
- Transport is encrypted with HTTPS/TLS; sessions use signed, HTTP-only cookies.
- We offer optional two-factor authentication and maintain a security audit log.
- Access to production data is limited to what is necessary to operate the Service.
No system is perfectly secure, but we work to protect your data using appropriate technical and organisational measures.
12. Children
Clariturn is not directed to children and is intended for users aged 16 or older (or the age of digital consent in your country). We do not knowingly collect data from children. If you believe a child has provided us data, contact us and we will delete it.
13. Automated processing & profiling
Our analytics and recommendations are produced automatically from your data (e.g. scoring posts, suggesting posting times). These are advisory only and do not produce legal or similarly significant effects on you within the meaning of GDPR Art. 22. You are always free to ignore any recommendation.
Where we describe a feature as "AI", we mean automated statistical analysis and data-mining of your own metrics — proven methods such as robust statistics, cross-validated models, and pattern detection. The core scores, insights, and recommendations are produced by these methods, not by a generative AI model. Any optional natural-language summary is generated only from your already-computed metrics; we do not use your personal data to train third-party AI models, and we do not make automated decisions with legal or similarly significant effects.
14. Changes to this policy
We may update this policy from time to time. We will post the new version here with an updated date and, for material changes, notify you by email or in-app notice. Continued use after the effective date constitutes acceptance.
15. Contact
For any privacy question or request, contact us at privacy@clariturn.com.