Confirmo Privacy Policy

Effective date: March 1, 2026 · Last updated: March 31, 2026 · Data retention update: March 31, 2026

1. Who We Are

Confirmo is operated by Confirmo Software ("Confirmo," "we," "us," or "our"). We are the data controller responsible for your personal data. For privacy inquiries, contact us at legal@confirmoapp.io.

2. What This Service Does

Confirmo is an order management tool for small and mid-sized Instagram sellers. It connects to your Instagram Business or Creator account via the official Instagram API and helps you detect, track, and manage customer orders received through Instagram Direct Messages.

3. Instagram Permissions We Request

We request the minimum permissions required to operate the service:

  • instagram_business_basic — Read-only access to your Instagram Business account information (username, profile ID). Used to identify your account.
  • instagram_business_manage_messages — Read-only access to your Instagram Direct Message conversations. Used to detect and extract order details from customer messages.

We do not post content, follow accounts, like posts, or take any actions on your behalf on Instagram.

4. Data We Collect

4a. Data from Instagram API

  • Instagram account information (username, profile ID)
  • Instagram Direct Message conversations and message content
  • Instagram OAuth access tokens (encrypted at rest)

4b. Data extracted from conversations

  • Customer name, phone number, and delivery address
  • Product name, quantity, and price
  • Order status and confirmation signals

4c. Account data

  • Email address and password (hashed)
  • App usage data and settings preferences

5. How We Use Your Data

  • Detect and extract order details from Instagram DM conversations
  • Display structured, trackable orders in the Confirmo app
  • Provide order management features (status tracking, notes)
  • Improve order detection accuracy

6. AI and Automated Processing

Confirmo uses artificial intelligence (AI) and large language models (LLMs) to analyze your Instagram DM conversations and automatically extract structured order information (such as product names, quantities, prices, and customer details).

This processing is performed by third-party AI providers (see Section 8). Conversation content is sent to these providers solely for the purpose of order extraction. We do not use your data to train AI models. The AI providers process data according to their own privacy policies and data processing agreements, and do not retain your data beyond what is necessary to complete the processing request.

7. Data Storage and Security

  • All data is encrypted at rest using AES-256 encryption
  • Instagram OAuth tokens are encrypted with AES-256-GCM and stored with key versioning for rotation support
  • Customer personal information (PII) is encrypted at the database level
  • All data transmission uses HTTPS/TLS
  • Webhook payloads are verified with HMAC-SHA256 signatures
  • OAuth state parameters use HMAC-SHA256 with CSRF protection

8. Third-Party Service Providers (Sub-Processors)

We use the following third-party services to operate Confirmo. These providers only process your data as instructed by us and are contractually bound to protect it:

  • Supabase — Database hosting, authentication, and serverless functions (data stored in the EU/US)
  • Anthropic (Claude) — AI-powered conversation analysis for order detection
  • OpenAI — AI-powered conversation analysis for order detection (fallback provider)
  • Vercel — Web application hosting
  • Meta / Instagram — Instagram API for DM access (per your authorization)

9. Data Sharing

We do not sell, rent, or share your personal data with third parties for their own marketing or commercial purposes. We only share data with the sub-processors listed in Section 8, solely for operating the service. We may disclose data if required by law, regulation, or legal process.

10. Data Retention

  • Account data: Retained while your account is active. Deleted within 30 days of account deletion.
  • Instagram DM message content: Automatically deleted after 90 days. Conversation metadata (participant IDs, timestamps, linked orders) is retained while your account is active. You can view older conversations on-demand via the Instagram API. All message data is immediately deleted when you disconnect your Instagram account or delete your Confirmo account.
  • Extracted orders: Retained while your account is active. Deleted upon account deletion.
  • Instagram OAuth tokens: Automatically expire after 60 days and are refreshed or deleted. Immediately deleted on account disconnection.

11. Your Rights Under GDPR

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR):

  • Right of access — Request a copy of the personal data we hold about you
  • Right to rectification — Request correction of inaccurate personal data
  • Right to erasure — Request deletion of your personal data
  • Right to restrict processing — Request that we limit how we use your data
  • Right to data portability — Request your data in a structured, machine-readable format
  • Right to object — Object to processing of your personal data
  • Right to withdraw consent — Withdraw consent at any time by disconnecting your Instagram account or deleting your Confirmo account

Lawful basis: We process your data based on your explicit consent (connecting your Instagram account) and our legitimate interest in providing the order management service you requested. You may withdraw consent at any time.

To exercise these rights, contact legal@confirmoapp.io. We will respond within 30 days.

12. Your Rights Under CCPA / CPRA (California)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

  • Right to know — Request disclosure of the categories and specific pieces of personal information we collect
  • Right to delete — Request deletion of your personal information
  • Right to opt-out — We do not sell or share your personal information for cross-context behavioral advertising
  • Right to non-discrimination — We will not discriminate against you for exercising your privacy rights

To exercise these rights, email legal@confirmoapp.io.

13. International Data Transfers

Your data may be processed and stored in countries outside your country of residence, including the United States and the European Union. When we transfer data internationally, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) approved by the European Commission, or the data recipient's participation in recognized data protection frameworks.

14. Children's Privacy

Confirmo is designed for business use and is not directed at children under 13 (or under 16 in the EEA). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at legal@confirmoapp.io and we will promptly delete it.

15. Cookies and Tracking

The Confirmo web application uses only essential cookies required for authentication and session management. We do not use advertising cookies, tracking pixels, or third-party analytics that track you across websites. The mobile app does not use cookies.

16. Data Deletion

You can delete your data in three ways:

  1. In the app: Disconnect your Instagram account (reversible) or delete all data permanently from Account settings.
  2. Via Instagram: Remove Confirmo from your Instagram account settings. We will automatically receive a deauthorization callback and delete your stored tokens and Instagram-related data.
  3. By email: Send a request to legal@confirmoapp.io with subject "Data Deletion Request." We will process and confirm within 30 days.

For full instructions, visit our Data Deletion Instructions page.

17. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a new "Last updated" date. Continued use of Confirmo after changes constitutes acceptance of the updated policy.

18. Contact Us

For any privacy-related questions, data requests, or concerns: