Privacy Policy

Last updated: June 8, 2026 -- Effective immediately

Phoenix Branding, a sole proprietorship registered in Bangalore, Karnataka, India ("Company", "we", "us", "our"), operates LoopFuel (accessible at loopfuel.in, and any successor URLs), an Instagram DM automation platform ("Service"). This Privacy Policy ("Policy") explains how we collect, use, disclose, and safeguard your information when you access or use the Service.

By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Policy. If you do not agree, you must discontinue use of the Service immediately.

1. Who We Are

For the purposes of applicable data protection laws (including GDPR, CCPA, and the Information Technology Act, 2000 as amended by the IT Rules, 2011 of India), Phoenix Branding is the data controller for personal information collected directly through the Service (account registration, billing, support). When you use the Service to manage Instagram DMs on behalf of your end users, you act as the data controller of your end users' data, and we act as the data processor on your instructions.

2. Information We Collect

2.1 Account Information

When you register, we collect your name, email address, and a hashed password. We may also collect your timezone, business niche, and display preferences.

2.2 Billing Information

Payment card numbers, bank details, and billing addresses are collected and processed exclusively by our payment processors (Stripe, Inc. and/or Razorpay Software Private Limited). We do not store, access, or transmit your full payment card number, CVV, or bank account credentials. We receive only a tokenized customer ID and subscription status.

2.3 Instagram Account Data

When you connect an Instagram Business or Creator account via Meta's OAuth flow, we receive:

  • Instagram user ID, username, profile picture URL, and account type
  • OAuth access tokens and page access tokens (encrypted at rest)
  • Direct messages sent and received through our automation flows
  • Contact/follower information for users who interact with your account via DM
Important: We access Instagram data only through Meta's official Graph API and Messaging API, using permissions you explicitly grant during the OAuth consent flow. We never scrape, crawl, or use unofficial, undocumented, or reverse-engineered methods to access any Meta platform data.

2.4 Usage & Log Data

We automatically collect IP addresses, browser type, device identifiers, operating system, referral URLs, pages visited, timestamps, and feature usage patterns. This data is used for security monitoring, abuse prevention, and service improvement.

2.5 AI-Generated Content

When you use AI-powered features (reply suggestions, caption generation, hashtag recommendations), the prompts and generated outputs may be temporarily processed by third-party AI providers. See Section 7 for details.

3. How We Use Your Information

We use collected information strictly for the following purposes:

  • Service operation: To operate, maintain, and deliver the automation features you configure
  • Message processing: To send and receive Instagram DMs on your behalf as defined in your automation flows
  • Analytics: To generate performance reports and usage analytics for your dashboard
  • AI features: To power AI-generated reply suggestions, captions, and content tools
  • Billing: To process subscription payments and manage your plan
  • Support: To respond to your inquiries and provide technical support
  • Security: To detect, prevent, and address fraud, abuse, and security threats
  • Compliance: To comply with applicable legal obligations and enforce our Terms
  • Service notifications: To send transactional emails about your account (password resets, billing alerts, security notices)

We do not sell, rent, lease, or trade your personal information or Instagram data to any third party for any purpose. We do not use your data for advertising, profiling, or behavioral targeting beyond the Service itself.

4. Legal Basis for Processing

We process your personal data under the following legal bases:

  • Contract: Processing necessary to perform our contract with you (providing the Service)
  • Consent: Where you explicitly consent (e.g., connecting your Instagram account, enabling AI features)
  • Legitimate interest: For fraud prevention, security, and service improvement, where these interests do not override your rights
  • Legal obligation: Where processing is necessary to comply with applicable law

You may withdraw consent at any time by disconnecting your Instagram account or deleting your LoopFuel account. Withdrawal does not affect the lawfulness of processing performed prior to withdrawal.

5. Instagram & Meta Platform Data

Our use of data received from Meta APIs complies with the Meta Platform Terms, Instagram Platform Policy, and Meta Developer Policies. Specifically, we:

  • Only access data through officially documented and authorized API endpoints
  • Only request permissions essential to deliver the features you configure
  • Never sell, license, or sublicense Instagram data to any third party
  • Never use Instagram data for surveillance, tracking, or building independent user profiles
  • Never use Instagram data for advertising, marketing, or monetization beyond the Service
  • Enforce the 24-hour messaging window for non-Human Agent conversations
  • Enforce rate limits of 180 API calls per hour per Instagram account (with a 10% safety buffer)
  • Immediately process opt-out requests (STOP keyword) by ceasing all automated messaging to that user
  • Delete all stored data derived from Meta APIs within 30 days of account disconnection or deletion

6. Third-Party Sub-Processors

To deliver the Service, we engage the following categories of third-party sub-processors. Each sub-processor processes data only as necessary for their specific function and is bound by their own data processing terms:

Provider Purpose Data Shared
Meta Platforms, Inc. Instagram API, OAuth, Messaging Account tokens, DM content (per API contract)
OpenAI, Inc. AI reply generation, content tools Message snippets, prompts (no PII unless in message body)
Stripe, Inc. Payment processing Billing name, email, payment method (directly to Stripe)
Razorpay Software Pvt. Ltd. Payment processing (India) Billing name, email, payment method (directly to Razorpay)
Cloud hosting provider Infrastructure, data storage All Service data (encrypted at rest and in transit)

We may update this list as sub-processors change. Material changes will be communicated via email or Service notification at least 14 days before the change takes effect. We are not responsible or liable for the privacy practices, security measures, data handling, or any acts or omissions of any third-party sub-processor. Each sub-processor operates under its own privacy policy and terms of service, and you acknowledge that your use of the Service necessarily involves data processing by these third parties.

7. AI & Automated Processing

When you enable AI-powered features, message content and context may be transmitted to third-party AI providers (currently OpenAI) for processing. Specifically:

  • AI reply suggestions: The inbound message text and your configured persona/FAQs are sent to the AI provider
  • Caption/hashtag generation: Your prompt text is sent to the AI provider
  • We do not send your Instagram access tokens, passwords, or billing information to AI providers
Disclaimer: AI-generated content is produced by third-party machine learning models and may contain errors, inaccuracies, inappropriate language, or hallucinated information. LoopFuel provides AI features on an "as-is" basis and makes no warranties regarding the accuracy, completeness, fitness, legality, or suitability of any AI-generated output. You are solely responsible for reviewing, approving, and assuming all liability for any AI-generated content sent from your account. We disclaim all liability for any damages, losses, claims, or consequences arising from AI-generated content, including but not limited to reputational harm, regulatory penalties, loss of account access, or third-party claims.

8. Data Storage & Security

We implement commercially reasonable administrative, technical, and physical security measures to protect your data, including:

  • Encryption at rest: OAuth access tokens and page tokens are encrypted using AES-256-CBC encryption
  • Encryption in transit: All data transmission between your browser and our servers uses TLS 1.2 or higher
  • Access controls: Internal access to production data is restricted to authorized personnel on a need-to-know basis, using multi-factor authentication and audit-logged sessions
  • Password hashing: User passwords are hashed using bcrypt with a work factor of 12 and are never stored in plaintext
  • Regular audits: We conduct periodic security reviews of our codebase, infrastructure, and access logs
No Absolute Guarantee: Despite our commercially reasonable efforts, no method of electronic storage or transmission over the Internet is 100% secure. We cannot and do not guarantee the absolute security or the integrity, availability, or recoverability of your data. You acknowledge and accept that any data transmission or storage carries inherent risks, and you transmit data to our Service at your own risk. We shall not be liable for any unauthorized access, disclosure, alteration, or destruction of your data that occurs despite our reasonable security measures, including but not limited to breaches caused by sophisticated cyberattacks, zero-day vulnerabilities, acts of employees or contractors acting outside the scope of their authorization, failures of third-party infrastructure or service providers, or force majeure events.

8.1 Data Loss During Service Operations

The Service undergoes periodic maintenance, software updates, database migrations, infrastructure upgrades, scaling operations, and other routine and non-routine technical operations. You acknowledge and agree that data loss, corruption, or temporary unavailability may occur during or as a result of:

  • Planned or unplanned maintenance windows
  • Database migrations, schema changes, or version upgrades
  • Software deployments, patches, hotfixes, or rollbacks
  • Infrastructure provider migrations, region transfers, or hardware replacements
  • Backup restoration, disaster recovery operations, or failover events
  • Third-party tool, library, framework, or dependency upgrades or deprecations
  • Operating system, runtime, or platform-level updates applied by hosting providers
  • Database engine bugs, replication lag, index corruption, or storage failures
  • Cache invalidation, queue processing errors, or background job failures
  • DNS propagation, SSL certificate renewal, or CDN configuration changes
  • Any other technical operation necessary for the continued operation, improvement, or security of the Service

We make commercially reasonable efforts to minimize disruption and data loss during such operations, including maintaining backups where feasible. However, we do not guarantee that backups will be available, complete, current, or recoverable, and we accept no liability for any data loss, corruption, or inaccuracy that occurs during or as a result of any service operation, regardless of whether the operation was planned or unplanned, routine or exceptional, or performed by our personnel, automated systems, or third-party providers.

Your Responsibility: You are solely responsible for maintaining independent backups of any data that is critical to your business. You should not rely on the Service as your sole repository for any data, content, configuration, or business record. We strongly recommend exporting your data regularly using the features provided in your account settings.

9. Data Retention & Deletion

We retain your data for as long as your account is active and as needed to provide the Service. Specifically:

  • Account data: Retained until you delete your account
  • Message data: Retained for 12 months from the date of sending/receiving, then automatically purged
  • Analytics data: Retained in aggregated, de-identified form indefinitely; individual records purged after 24 months
  • Billing records: Retained for 7 years as required by Indian tax and accounting laws
  • Audit logs: Retained for 12 months for security and compliance purposes

Upon account deletion, we will delete or de-identify all personal data within 30 days, except where retention is required by applicable law, regulation, or legitimate legal obligation (e.g., tax records, fraud prevention, dispute resolution, or compliance with court orders). Data processed by third-party sub-processors is subject to their respective retention policies, which we do not control.

You may request deletion of your data at any time by:

10. International Data Transfers

Your data may be transferred to and processed in countries other than your country of residence, including India and the United States (where our sub-processors are located). These countries may have data protection laws that differ from those in your jurisdiction. By using the Service, you consent to such transfers. Where required by GDPR, we rely on Standard Contractual Clauses or other approved transfer mechanisms.

11. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you
  • Rectification: Request correction of inaccurate or incomplete data
  • Erasure: Request deletion of your personal data (subject to legal retention requirements)
  • Portability: Request a machine-readable export of your data
  • Restriction: Request that we limit processing of your data in certain circumstances
  • Objection: Object to processing based on legitimate interests
  • Withdraw consent: Withdraw any previously given consent at any time

For CCPA/CPRA residents (California): You have the right to know what personal information we collect, request deletion, opt out of any sale (we do not sell your data), and not be discriminated against for exercising these rights.

For GDPR residents (EU/EEA/UK): You have the right to lodge a complaint with your local supervisory authority if you believe our processing violates applicable data protection law.

To exercise any of these rights, contact us at privacy@loopfuel.in. We will respond within 30 days (or the shorter period required by applicable law).

12. Cookies & Tracking

We use essential cookies required for the Service to function (session management, CSRF protection, authentication). We do not use third-party advertising cookies, behavioral tracking pixels, or cross-site analytics tools. We may use privacy-respecting, first-party analytics in the future, at which point this section will be updated.

13. Children's Privacy

The Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected data from a minor, we will delete it promptly. If you believe a child has provided us with personal information, please contact us immediately.

14. Data Breach Notification

In the event of a confirmed data breach that affects your personal data, we will:

  • Notify affected users via email within 72 hours of confirmation (or as required by applicable law)
  • Notify the relevant supervisory authority where required by GDPR
  • Provide a description of the breach, the data affected, and the remediation steps taken

Limitation: Our breach notification obligation is limited to breaches of data under our direct control. We are not responsible for providing notification of breaches that occur within the systems of our third-party sub-processors (Meta, OpenAI, Stripe, Razorpay, cloud hosting providers), each of which is independently responsible for their own breach notification obligations under their applicable laws and their contracts with you. We will, however, make commercially reasonable efforts to communicate any sub-processor breach we become aware of that may affect your data.

15. Limitation of Liability

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW:

  • We shall not be liable for any unauthorized access to, or alteration, theft, loss, or destruction of your data, whether by accident, unauthorized act of an employee, independent contractor, third-party service provider, hacker, or any other cause beyond our reasonable control.
  • We shall not be liable for any data loss, corruption, truncation, or unavailability arising from or related to: database migrations, schema changes, software updates, version upgrades, infrastructure maintenance, backup failures, backup restoration, disaster recovery, dependency upgrades, hosting provider operations, hardware failures, storage system errors, replication failures, or any other technical operation -- whether planned or unplanned, routine or exceptional, performed by our personnel, automated systems, or third-party providers.
  • We shall not be liable for any data processing performed by third-party sub-processors, including Meta Platforms, Inc., OpenAI, Inc., Stripe, Inc., Razorpay Software Pvt. Ltd., or any cloud infrastructure provider, even where such processing is performed in connection with the Service.
  • We shall not be liable for any loss, damage, or claim arising from AI-generated content, automated message delivery, Instagram account restrictions, or any action taken by Meta in response to your use of the Service.
  • We shall not be liable for any data loss arising from account termination, whether initiated by you, by us for cause, or required by law or third-party platform policy.
  • Our total aggregate liability under this Policy and the Terms of Service, for any and all claims arising out of or related to the Service, shall not exceed the greater of (a) the total fees paid by you to us in the twelve (12) months preceding the claim, or (b) one hundred US dollars (USD $100).
  • In no event shall we be liable for any indirect, incidental, special, consequential, or punitive damages, including loss of profits, data, business opportunities, reputation, or goodwill, regardless of the theory of liability and even if we have been advised of the possibility of such damages.

16. Third-Party Disclaimer

The Service integrates with and depends upon third-party platforms, APIs, and services that are outside our control. We make no representations or warranties regarding the availability, accuracy, security, privacy practices, or reliability of any third-party service, including but not limited to:

  • Meta Platforms (Instagram, Facebook) and their APIs, policies, and enforcement actions
  • OpenAI and their AI models, outputs, and data handling practices
  • Payment processors (Stripe, Razorpay) and their security measures
  • Cloud hosting and infrastructure providers
  • DNS, CDN, email, and other internet service providers

You acknowledge that: (a) third-party services may change, suspend, or terminate their APIs or services at any time; (b) third-party services may experience data breaches, outages, or security incidents; (c) third-party policy changes may affect the availability or functionality of our Service; and (d) we have no liability for any such third-party actions or failures. Your use of the Service constitutes acceptance of this risk.

17. Changes to This Policy

We reserve the right to update this Policy at any time. Material changes will be communicated via email and/or a prominent notice on the Service at least 14 days before taking effect. Your continued use of the Service after the effective date constitutes acceptance of the updated Policy. If you do not agree with any changes, you must discontinue use of the Service and delete your account.

18. Governing Law & Disputes

This Policy shall be governed by and construed in accordance with the laws of India, without regard to conflict of law principles. Any dispute arising out of or relating to this Policy shall be subject to the exclusive jurisdiction of the courts of Bangalore, Karnataka, India. You irrevocably consent to the personal jurisdiction and venue of such courts.

19. Contact Us

Phoenix Branding
Bangalore, Karnataka, India

Privacy inquiries: privacy@loopfuel.in
General inquiries: hello@loopfuel.in
Website: loopfuel.in