Privacy Policy

Last updated: April 20, 2026

1. Introduction

Instroom Post Tracker ("Instroom", "we", "us") is a product of Armful Media. We run a platform at posttracker.instroom.io that helps marketing agencies automatically track, download, and report on influencer posts. This policy covers what data we collect while operating it, why we need it, and what we do with it.

2. Information We Collect

Account information: When you sign up, we collect your name, email address, and password (hashed). If you sign up via Google OAuth, we receive your name, email, and profile picture from Google.

Workspace and campaign data: We store information you enter into the Service, including workspace names, campaign names, influencer handles (Instagram, TikTok, YouTube), campaign tracking configurations (hashtags and mentions), and campaign dates.

Post data: We collect publicly available influencer post metadata including post URLs, captions, thumbnail images, media URLs, publication dates, and performance metrics (views, likes, comments, shares, engagement rate).

Google Drive integration: Instroom uses its own server-side Google service account to upload downloaded influencer media to your workspace's designated Drive folder. Workspace administrators configure the target folder by entering a Drive folder ID in workspace settings. No individual user OAuth tokens for Google Drive are collected or stored — the service account operates independently of your personal Google account and writes only to the configured folder.

Usage data: Our hosting providers (Vercel for the web app, Railway for background workers) capture standard server logs — IP addresses, request timestamps, and response codes — as part of normal infrastructure operation. Instroom itself does not run separate behavioral analytics.

3. How We Use Your Information

  • To provide, operate, and maintain the Service
  • To automatically detect and download influencer posts on your behalf
  • To upload downloaded media files to your workspace's configured Google Drive folder
  • To calculate engagement metrics and estimated media value (EMV)
  • To send transactional emails (account verification, trial reminders, team invitations) via SendGrid
  • To process subscription payments via LemonSqueezy
  • To respond to support requests

4. Google API Services

Instroom Post Tracker's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

We use Google OAuth solely to:

  • Authenticate users who choose to sign in with Google (email and profile information only)
  • Upload influencer media files to workspace-designated Google Drive folders via a server-side service account (no Google Drive OAuth tokens are collected from users)

We do not share Google user data with third parties except as necessary to provide the Service. We do not use Google user data for advertising purposes.

5. Third-Party Services

We use the following third-party services to operate the platform:

  • Supabase — database hosting, authentication, and file storage
  • Google Drive API — storing downloaded influencer media in your workspace's Drive folder
  • EnsembleData — social media data API for detecting influencer posts
  • SendGrid — transactional email delivery
  • LemonSqueezy — subscription billing and payment processing
  • Vercel — application hosting
  • Railway — background worker hosting

Each third party has its own privacy policy governing its use of data.

6. Data Sharing

We don't sell your data. We don't use it for advertising. The only reason your information touches a third party is to operate the platform:

  • With service providers listed above, as necessary to operate the Service
  • With other members of your workspace, to the extent you have invited them
  • If required by law or to protect our rights and safety
  • In connection with a business transfer or acquisition

7. Data Retention

We retain your account and workspace data for as long as your account is active. If you delete your account, we will delete your personal information within 30 days, except where retention is required by law or for legitimate business purposes (e.g. billing records).

Downloaded media files stored in your Google Drive are owned and managed by you — we do not retain copies on our servers beyond the download process.

8. Security

We implement security measures including hashed password storage, row-level security on all database tables, HTTPS-only access, and encrypted storage of sensitive credentials.

We can't guarantee perfect security — no internet service can. In practice: passwords are hashed and never stored in plain text, all database access uses row-level security, the app is HTTPS-only, and sensitive credentials are encrypted at rest. If we become aware of a security incident affecting your data, we'll notify you promptly.

9. Your Rights

You have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your account and data
  • Revoke Google OAuth access at any time via your Google Account settings
  • Export your data upon request

To exercise any of these rights, contact us at hello@armfulmedia.com.

10. Children's Privacy

Instroom is built for professional marketing teams — it's not for people under 16. If a child's data ended up in our system, email us at hello@armfulmedia.com and we'll delete it promptly.

11. Changes to This Policy

We'll update this policy when our data practices change. For meaningful changes, we'll send an email or show an in-app notice at least 14 days before they take effect. If you continue using Instroom after that, we'll take that as acceptance.

12. Contact Us

Questions about this policy? Email us at hello@armfulmedia.com.