Privacy Policy

Last updated: April 12, 2026

Key Highlights

1. Your data is yours. When you connect Instagram, we store your data in a private database that only you can access. We never sell, rent, or share your personal information with third parties for their own purposes.

2. Instagram access is secure. We connect through Instagram's official API using OAuth. We never ask for or store your Instagram password.

3. AI processes, not trains. We use AI to analyze your content and answer your questions. Your data is not used to train any AI models.

4. You can delete anytime. You can disconnect Instagram, delete your data, or close your account at any time from your account settings.

Information We Collect

Account Information

When you create an account, we collect your email address and name. Authentication is handled through Supabase Auth using secure, server-side sessions.

Onboarding Information

During onboarding, you may provide your content niche, Instagram handle, creator inspirations, and topic keywords. This helps us personalize your analytics experience.

Usage Data

We automatically collect standard usage data such as your IP address, browser type, device information, pages visited, and access times. This is used to maintain and improve the service.

AI Conversation Data

When you use our AI assistant, your questions, uploaded documents, and AI responses are stored to provide the service. Conversations are isolated to your account — no other user can access them.

Payment Information

Payment processing is handled entirely by Stripe. We do not store your credit card number, CVV, or full billing details. We receive only a confirmation of your subscription status and a truncated card identifier from Stripe.

Instagram Data

How We Connect

Marshmallow connects to Instagram through Meta's official Instagram API using the OAuth 2.0 protocol. When you authorize the connection, Instagram grants us a secure access token. We never see or store your Instagram password.

Permissions We Request

During the OAuth consent flow, we request the following Instagram Graph API permissions from you:

  • instagram_business_basic — to read your professional account profile and media
  • instagram_business_manage_insights — to read performance insights for your own posts

These permissions only grant access to your own connected Instagram professional account. We do not request, and cannot access, insights or private data for any other Instagram account.

Profile Data We Access

Under the instagram_business_basic permission, we read the following fields from your own account via the Instagram Graph API:

  • Instagram user ID
  • Username
  • Name
  • Account type (we only accept Business and Creator accounts)
  • Profile picture URL
  • Follower count
  • Following count
  • Media count

Media Data We Access

For each of your own posts, we read the following media metadata:

  • Media ID
  • Caption
  • Media type (image, video, or carousel album)
  • Media URL and thumbnail URL
  • Permalink
  • Timestamp
  • Like count
  • Comments count
  • Media product type

Performance Insights We Access

Under the instagram_business_manage_insights permission, we read the following performance metrics for your own posts:

  • Views
  • Reach
  • Saves
  • Shares
  • Total interactions
  • Average watch time (Reels only)

How We Store It

Your Instagram data is stored in a secure, encrypted database. It is associated exclusively with your account and is not accessible to any other user. We use this data solely to power your analytics dashboard and AI insights.

How We Share It With AI Providers

To generate the analytics, insights, and AI chat responses that Marshmallow provides, we transmit portions of your Instagram data — including post captions, hashtags, engagement metrics (views, likes, comments, saves, reach, shares), media metadata, and video transcripts — to our third-party AI service providers for real-time processing:

  • Anthropic (Claude) — receives your post content and metrics to generate content analysis, hook breakdowns, script analysis, and answer questions in the AI chat
  • OpenAI — receives post text to generate vector embeddings used for content search and retrieval

This transmission happens only when you use a feature that requires it (for example, opening an analytics breakdown, asking the AI chat a question, or triggering post analysis). Data is sent in real time, processed, and a response is returned — it is not used to train any AI model by Anthropic, OpenAI, or Marshmallow, per our data processing agreements with these providers. We do not send your Instagram data to any other third party for any other purpose.

What We Do Not Do

  • We do not sell or share your Instagram data with third parties
  • We do not use your Instagram data for advertising or profiling
  • We do not post, comment, or take actions on your Instagram account
  • We do not attempt to re-identify anonymized or aggregated data

Revoking Access

You can disconnect your Instagram account at any time from your account settings. You can also revoke access directly from Instagram's settings under Apps and Websites. When you disconnect, we stop fetching new data. You may also request deletion of all stored Instagram data.

How We Use Your Information

  • Provide, maintain, and improve the Marshmallow analytics dashboard
  • Display your Instagram performance data and generate AI-powered insights
  • Process your AI chat messages and return relevant answers about your data
  • Process subscription payments and manage your account
  • Send transactional emails (account confirmations, billing receipts, security alerts)
  • Detect and prevent fraud, abuse, and security incidents
  • Comply with legal obligations

AI & Machine Learning

How AI Is Used

Marshmallow uses AI to analyze your Instagram content, generate performance insights, and answer your questions through our chat interface. This includes analyzing post captions, engagement metrics, video transcripts, and content patterns to produce hook breakdowns, script analysis, carousel reviews, and strategy recommendations.

Third-Party AI Providers

Marshmallow transmits your Instagram post data and chat messages to the following third-party AI providers for real-time processing:

  • Anthropic (Claude) — processes post captions, metrics, transcripts, and chat messages to power the AI chat assistant and all content analysis features
  • OpenAI — processes post text to generate vector embeddings for content retrieval and search

See the Instagram Data section above for the full list of Instagram fields we transmit to these providers.

Your Data Is Not Used for Training

Your Instagram data, chat conversations, and uploaded documents are not used to train any AI models — neither ours, nor Anthropic's, nor OpenAI's. Data is sent to AI providers only in real time to generate responses, and is subject to data processing agreements that prohibit training use.

AI Limitations

AI-generated insights and recommendations may contain inaccuracies. They are provided for informational purposes only and should not be treated as professional marketing, legal, or business advice.

Data Sharing

We do not sell, rent, or share your personal information with third parties for their own marketing or commercial purposes.

We may share information only in these limited circumstances:

  • Service providers — With the third-party services listed below, solely to operate Marshmallow
  • Legal requirements — When required by law, subpoena, or court order
  • Safety — To protect the rights, safety, or property of Marshmallow, our users, or the public
  • Business transfer — In connection with a merger, acquisition, or sale of assets, with notice to you

Third-Party Services

We use the following services to operate Marshmallow. Each processes data only as necessary to provide its specific function:

Service | Purpose
Supabase | Authentication, database hosting, file storage
Stripe | Payment processing, subscription management
Anthropic | AI chat assistant, content analysis
OpenAI | Text embeddings for knowledge retrieval
Vercel | Application hosting, blob storage
Upstash | Redis caching
Inngest | Background job processing
Postmark | Transactional email delivery

Data Security

We implement industry-standard security measures to protect your information:

  • All data is encrypted in transit (TLS) and at rest
  • Database access is protected by row-level security — each user can only access their own data
  • Authentication uses secure, server-side sessions with HTTP-only cookies
  • Payment data is handled entirely by Stripe (PCI DSS Level 1 compliant)
  • Instagram tokens are securely stored and automatically refreshed
  • Infrastructure is hosted on SOC 2 compliant providers (Vercel, Supabase)

While we take reasonable measures to protect your data, no system is 100% secure. If we discover a data breach that affects your personal information, we will notify you and relevant authorities as required by law.

Data Retention

We retain your information only as long as necessary to provide the service:

Data Type | Retention Period
Account data | While your account is active, plus 30 days after deletion
Instagram data | While connected, deleted upon disconnect or request
AI conversations | 90 days, or until you delete them
Uploaded documents | Until you delete them
Payment records | As required by tax law (up to 7 years)
Server logs | 90 days

Your Rights & Choices

Depending on your location, you may have the following rights regarding your personal information:

  • Access — Request a copy of your personal data
  • Correction — Update inaccurate or incomplete information
  • Deletion — Request deletion of your personal data and account
  • Portability — Export your data in a machine-readable format
  • Restriction — Limit how we process your data
  • Objection — Object to processing based on legitimate interests
  • Disconnect Instagram — Revoke Instagram access and delete stored Instagram data

To exercise any of these rights, contact us here. We will respond within 30 days.

California Privacy Rights

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with additional rights:

  • Right to Know — You can request details about the categories and specific pieces of personal information we have collected
  • Right to Delete — You can request deletion of your personal information
  • Right to Opt-Out — We do not sell or share your personal information, so there is nothing to opt out of
  • Non-Discrimination — We will not discriminate against you for exercising any of these rights

Categories of personal information we collect (per CCPA definitions): identifiers (name, email), commercial information (subscription data), internet activity (usage data), and professional information (content niche).

Children's Privacy

Marshmallow is not directed at children under 13 (or 16 in the European Economic Area). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will promptly delete it.

Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or by posting a prominent notice on the service. We encourage you to review this policy periodically. The “Last updated” date at the top indicates when this policy was last revised.

Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at:

Marshmallow

Contact us here

We respond to all requests within 30 days.