Privacy Policy for DM Spark

Effective Date: September 10, 2025

Last Updated: February 21, 2026

NS Media LLC, operating as DM Spark ("we," "our," or "us"), is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and protect information when you use our Instagram and Facebook automation service.

By using DM Spark, you agree to the collection and use of information as described in this Privacy Policy.

1. Information We Collect

1.1 Information You Provide

Account Information:

  • Name
  • Email address
  • Profile picture (from Instagram or Facebook)
  • Password (encrypted)

Subscription Information:

  • Subscription plan details
  • Billing information (processed by Stripe - we do not store payment card details)

Service Configuration:

  • Automation rules ("Sparks") you create
  • Response templates and triggers
  • Business hours settings
  • Welcome messages and quick replies

1.2 Instagram and Facebook Data We Store

Important: When you connect your Instagram and/or Facebook account, we store the following data to provide our automation services:

  • Instagram username, account ID, and account type (to identify and manage your connected Instagram account)
  • Facebook Page name, page ID, and profile picture (to identify and manage your connected Facebook Page)
  • Profile picture (synced to your DM Spark profile)
  • Automation trigger logs: when a comment or message on Instagram or Facebook triggers one of your automations, we store the trigger text, the commenter/sender username, and a record of the automated message sent (to track usage limits, prevent duplicates, and show activity history)

Data we process but do not permanently store:

  • Instagram and Facebook post content and media (fetched on-demand, not cached)
  • Full message conversation history (we only log the automated messages we send, not the full thread)

This data is accessed through Meta's Graph API (including the Instagram Graph API and Facebook Graph API) in accordance with Meta's Platform Terms and is only used to execute and track your configured automations.

1.3 Automatically Collected Information

  • IP address
  • Browser type and version
  • Device information
  • Usage data (features used, time spent)
  • Error logs and performance data

2. How We Use Your Information

2.1 Primary Uses

  • Service Delivery: To provide Instagram and Facebook DM automation services
  • Account Management: To manage your account and subscription
  • Customer Support: To respond to your inquiries and provide assistance
  • Service Improvement: To analyze usage patterns and improve our platform
  • Communications: To send service updates, security alerts, and billing notifications

2.2 Legal Basis for Processing (GDPR)

We process your personal data based on the following legal grounds:

  • Contract Performance: Processing necessary to provide our services
  • Legitimate Interests: For service improvements and security
  • Legal Obligations: To comply with applicable laws
  • Consent: For marketing communications (where applicable)

3. Data Sharing and Third-Party Services

We work with trusted third-party services to provide our platform:

Supabase: Database hosting, authentication, and file storage

Stripe: Payment processing (PCI-compliant)

Meta/Instagram/Facebook: Social media integration via Meta's Graph API (Instagram Graph API and Facebook Graph API)

Vercel: Frontend application hosting

Render: Backend API and worker hosting

Upstash: Redis message queue for real-time automation processing

Resend: Transactional email delivery (account notifications)

Datadog: Performance monitoring and error tracking (14-day log retention)

We do not sell, rent, or trade your personal information to third parties.

Meta Platform Terms: DM Spark uses Meta's Graph API (including the Instagram Graph API and Facebook Graph API) to provide its automation features. Your use of Instagram and Facebook features through our service is also subject to Meta's Privacy Policy and Meta's Platform Terms. We access Instagram and Facebook data only as authorized by the permissions you grant during the connection process and in accordance with Meta's platform policies.

4. Your Privacy Rights

4.1 GDPR Rights (European Users)

If you are in the European Economic Area, you have the right to:

  • Access: Request a copy of your personal data
  • Rectification: Correct inaccurate or incomplete data
  • Erasure: Request deletion of your data ("right to be forgotten")
  • Portability: Receive your data in a portable format
  • Restriction: Limit how we process your data
  • Object: Object to certain processing activities
  • Withdraw Consent: Where processing is based on consent
  • Lodge a Complaint: With your local supervisory authority

4.2 CCPA Rights (California Residents)

California residents have the right to:

  • Know what personal information we collect
  • Request deletion of personal information
  • Opt out of the sale of personal information (Note: We do not sell personal information)
  • Non-discrimination for exercising privacy rights

Do Not Sell My Personal Information

We do not sell your personal information to third parties.

To exercise any of these rights, please contact us at [email protected]

5. Data Retention

We retain your data for different periods depending on the type:

  • Account Data: Retained while your account is active and deleted upon account deletion
  • Automation Settings: Deleted upon account deletion
  • Automation Logs: Trigger and message records are retained while your account is active and deleted upon account deletion
  • Billing Records: Retained as required by tax laws (typically 7 years)
  • Error Logs: Retained for 14 days via our monitoring provider (Datadog)
  • Access Tokens: Encrypted Instagram and Facebook access tokens are stored while your accounts are connected and deleted immediately upon disconnection or account deletion

5.1 Meta Data Deletion Requests

If you remove DM Spark from your Instagram or Facebook account settings, Meta will notify us via a data deletion callback. Upon receiving this notification, we will delete all Instagram and Facebook data associated with your account from our systems, including account IDs, usernames, access tokens, automation trigger logs, and message records.

6. Data Security

We implement industry-standard security measures including:

  • Encryption in transit (TLS/SSL)
  • Encrypted data storage
  • Secure authentication
  • Regular security updates
  • Access controls and monitoring

While we strive to protect your data, no method of transmission over the internet is 100% secure.

7. Data Breach Notification

In the unlikely event of a data breach that may affect your personal information, we will:

  • Notify affected users via email within 72 hours of discovery
  • Provide details about what information was affected
  • Explain steps we've taken to address the breach
  • Offer guidance on protective measures you can take
  • Notify relevant authorities as required by law

8. Cookies and Analytics

We use limited cookies and analytics technologies to improve our service:

8.1 Analytics and Performance Monitoring

We use Datadog Real User Monitoring (RUM) to:

  • Monitor application performance and identify technical issues
  • Track page load times and user interface interactions
  • Detect and diagnose errors to improve service reliability
  • Analyze feature usage to optimize user experience

Data Collected by Datadog RUM:

  • Page views and navigation paths
  • Browser type and version
  • Device type and screen resolution
  • Geographic location (country/region level)
  • Session duration and interaction patterns
  • Performance metrics (load times, API response times)
  • Error logs and crash reports

This data is aggregated and does not identify you personally. Datadog processes this data as our service provider under strict confidentiality agreements.

8.2 Essential Cookies

  • Authentication Cookies: Required to keep you logged in securely
  • Session Cookies: Maintain your preferences during your visit
  • Security Cookies: Protect against cross-site request forgery

You can disable cookies through your browser settings, but this may affect the functionality of our service.

9. International Data Transfers

Your information may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place for such transfers, including standard contractual clauses where required.

10. Children's Privacy

DM Spark is not intended for users under 13 years of age (or 16 in the EU). We do not knowingly collect information from children. If we discover we have collected data from a child, we will promptly delete it.

11. Third-Party Links

Our service may contain links to third-party websites. We are not responsible for the privacy practices of these external sites. We encourage you to review their privacy policies.

12. Changes to This Privacy Policy

We may update this Privacy Policy periodically. We will notify you of material changes via email or through our service. Continued use after changes constitutes acceptance of the updated policy.

We retain all prior versions of this Privacy Policy and will make them available upon request. You may request previous versions by contacting us at [email protected].

13. Contact Information

NS Media LLC (DM Spark)

Email: [email protected]

1255 Trinity Dr, Menlo Park, CA 94025

For privacy-related inquiries or to exercise your rights, please email us with "Privacy Request" in the subject line.

14. Jurisdiction and Governing Law

This Privacy Policy is governed by the laws of California, United States. Any disputes will be resolved in the courts of California.