Privacy Policy

Last updated: 21 April 2026

The short version: we only collect what we need to run Mosafeed. We never sell your data, never train AI on your content, and you can delete everything with one email. The long version explains all of the above in plain language. No dark patterns. No small print.

1. Who we are

Mosafeed (“Mosafeed,” “we,” “us”) is a software-as-a-service platform that helps brands plan their Instagram content, available to customers worldwide.

For residents of the European Economic Area, United Kingdom, and Switzerland, Mosafeed acts as the data controller for personal data we collect about you. For questions about this policy or to exercise any of your rights, contact us at privacy@mosafeed.com.

2. What data we collect

We only collect what we need to run the service. Specifically:

Account data you give us

  • Your name and email address (for signup and login)
  • A hashed password (never stored in plain text)
  • Billing information (handled entirely by Stripe — we never see card numbers)

Content you upload

  • Photos and videos you upload to plan your Instagram feed
  • Captions, hashtags, notes, and other text you create inside the app

Instagram data (if you connect)

When you authorize Mosafeed to access your Instagram Business account via Meta's Graph API, we receive:

  • Your Instagram handle and business profile info
  • Recent media from your live feed (for context — we don't store full copies)
  • An access token (encrypted at rest, refreshed periodically)

We never post on your behalf without explicit action. We never read your DMs. We never read content from accounts other than yours, except public posts from accounts you explicitly add as “inspiration” via our Business Discovery integration.

Automatically collected

  • Hashed IP address at signup (for abuse prevention — never linkable to you)
  • Session cookies (required for login — strictly functional, no tracking)
  • Basic usage logs (what you clicked, when — for debugging and quota accounting)

3. How we use your data

  • To provide the service — store your content, run AI analyses, schedule posts, sync your Instagram
  • To bill you — via Stripe, for subscription fees
  • To communicate — transactional emails (welcome, trial reminders, payment receipts) and, if you opt in, occasional product updates
  • To improve the product — aggregated, anonymized usage data only
  • To prevent abuse — rate limiting, blocking disposable emails, detecting bot signups
  • To comply with the law — respond to valid legal requests, meet tax obligations

We do not sell your data. Ever. We do not use your data or your uploaded content to train public AI models. We do not share your data with advertisers.

4. Who we share data with

We use a small number of carefully selected sub-processors to run the service. Each is bound by a data processing agreement and is compliant with GDPR:

  • Vercel — hosting and CDN (SOC 2, GDPR)
  • Neon / Supabase — encrypted database storage
  • Cloudflare R2 / Vercel Blob — file storage
  • Stripe — payment processing (PCI-DSS Level 1)
  • Resend — transactional email delivery
  • Groq / Anthropic / OpenAI — AI inference (content sent is processed in real-time, not retained for training)
  • Meta (Instagram Graph API) — only when you explicitly authorize
  • Sentry — error tracking (no user-identifiable data in errors)
  • Plausible — privacy-friendly analytics (no cookies, no cross-site tracking)

An up-to-date list is available on request at privacy@mosafeed.com.

5. Where your data lives

Our primary servers are in the United States (Vercel, Neon). For EU customers, data transfers to the US are covered by Standard Contractual Clauses approved by the European Commission and additional safeguards required under the Data Privacy Framework.

6. How long we keep your data

  • Active account: as long as you use the service
  • Canceled / downgraded account: 30 days after cancellation, then archived
  • Deleted account: removed within 30 days, except backup copies (retained up to 90 days)
  • Billing records: 7 years (legal requirement in most jurisdictions)
  • Email logs: 12 months for deliverability compliance, then deleted

7. Your rights (GDPR, CCPA, and beyond)

Under GDPR, UK GDPR, and CCPA, you have the right to:

  • Access your data
  • Correct inaccurate data
  • Export your data in a portable format
  • Delete your data (“right to be forgotten”)
  • Object to or restrict processing
  • Withdraw consent at any time
  • Lodge a complaint with your local data protection authority

To exercise any of these rights, email privacy@mosafeed.com. We respond within 30 days.

8. Security

Security measures we have in place:

  • All data encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Passwords hashed with bcrypt (never stored in plain text)
  • Instagram access tokens encrypted at rest
  • No secrets in code or logs
  • Rate limiting and abuse detection on sensitive endpoints
  • SOC 2 Type II compliance inherited from infrastructure providers

9. Children's privacy

Mosafeed is not intended for anyone under 16. We do not knowingly collect personal data from children. If you believe a child has created an account, email us and we'll delete it.

10. Changes to this policy

We'll notify active users by email at least 14 days before any material change takes effect. The “last updated” date at the top of this page always reflects the current version.

11. Contact

Mosafeed
Email: privacy@mosafeed.com
General: hello@mosafeed.com

This policy is written in plain English. If the legal phrasing in any sub-processor's agreement conflicts with a plain reading of this page, we will interpret in favor of the privacy protection that benefits you.