Privacy Policy — InstaAgent Internal Tooling
Effective date: 1 June 2026
Data user / controller: InstaAgent Company Limited ("InstaAgent", "we", "us", "our")
Registered address: 213–217 Queens Road West, Sai Ying Pun, Hong Kong
Contact: hello@instaagent.com
Hosted at: https://internal-docs.instaagent.com/privacy
1. Who we are and what this policy covers
InstaAgent is an Instagram and Facebook marketing agency based in Hong Kong. We operate InstaAgent Internal Tooling (the "internal tooling" or the "Service"). The Service is used only by our authenticated employees and contractors ("Staff") to manage client accounts, draft and schedule social-media posts, store reference media, publish approved posts, and manage and report on advertising for our clients' Facebook Pages, Instagram Business accounts, and advertising accounts on the clients' behalf.
The Service is not a consumer-facing product. Members of the public cannot create accounts, log in, or use the Service.
This Privacy Policy explains what personal data and what Platform Data obtained from the Meta Platforms (Facebook and Instagram) we collect, how and why we process it, who we share it with, how long we keep it, how we secure it, and the rights available to the individuals concerned.
This policy is provided in part to satisfy the Meta Platform Terms and Developer Policies, which require us to maintain and publish a privacy policy describing our use of Platform Data.
We process personal data in accordance with the Hong Kong Personal Data (Privacy) Ordinance (Cap. 486) ("PDPO"). Where individuals are located in jurisdictions with additional data-protection laws (for example the EU/UK GDPR), we also seek to honour the equivalent data-subject rights described in Section 8 as a matter of good practice.
2. Whose data is involved
This policy concerns three groups of people and one category of business data:
- Our Staff — agency employees and contractors who hold Service accounts.
- Our business clients and their representatives — the businesses that engage InstaAgent, and the named individuals at those businesses who liaise with us.
- The Meta Business Assets of our clients — the Facebook Pages, Instagram Business accounts, and advertising accounts that clients authorise us to manage. Data about these assets is business/Platform Data, not consumer personal data.
The Service does not offer accounts to, or collect personal data directly from, the end consumers or followers of our clients' Facebook Pages or Instagram accounts through the Service itself.
3. The Meta Platforms and the Platform Data we access
3.1 How access is granted
Our clients assign their Facebook Page, Instagram Business account, and advertising accounts to InstaAgent's Meta Business Manager (Business ID 529778033514936) as partner-shared business assets. We access those assets using a single Business Manager System User access token. We do not use Facebook Login for individual consumers, and we do not ask members of the public to log in with their Facebook or Instagram accounts.
3.2 Permissions we request and why
We request only the following Meta Graph API permissions, each tied to the function it supports:
| Permission | Why we use it |
|---|---|
pages_show_list | To list the Facebook Pages a client has shared with us so Staff can select the correct Page. |
pages_read_engagement | To read basic Page metadata needed to confirm the Page and present it in the Service. |
pages_manage_posts | To create and publish posts (text, images, video, captions) to the client's Facebook Page. |
instagram_basic | To identify the connected Instagram Business account (account ID and username). |
instagram_content_publish | To publish approved posts to the client's Instagram Business account. |
ads_read | To access the client's advertising accounts and read ad performance and audience data. |
ads_management | To create, manage, and optimise advertising campaigns on the client's behalf. |
business_management | To manage the partner-shared business assets within our Meta Business Manager. |
3.3 The specific Platform Data we access and process
Through these permissions we access and process:
- Facebook Page identifiers and metadata — Page ID, Page name, and basic Page attributes required to identify and address the correct Page.
- Connected Instagram Business account data — the Instagram Business account ID and username linked to the Page.
- Content we create on the client's behalf — the post text, captions, images, and video that we publish, and the resulting post/media identifiers returned by Meta.
- Advertising account data — ad account IDs and campaign, ad set, and ad structure and configuration needed to manage client advertising.
- Ad performance data — delivery and results metrics (for example reach, impressions, clicks, spend, and conversion summaries) used to report to clients and optimise campaigns.
- Ad audience data — audience definitions, targeting parameters, and related audience insights used for client campaigns, as permitted by Meta and the client's authorisation.
We use this Platform Data solely to provide the contracted service: to identify the right accounts, schedule and publish approved content, and manage, monitor, and optimise advertising on the client's behalf.
3.4 What we do NOT access
We do not access, collect, or store, through the Meta Platforms:
- end-consumer or follower personal data, profile data, or contact details;
- friends lists or social graph data;
- direct messages, inbox content, comments, follower lists, or follower profile details;
- any data category not listed in Section 3.3.
We do not request permissions beyond those listed in Section 3.2.
4. Other data we collect (outside the Meta Platforms)
In operating the Service we also process:
- Staff account data — name, work email address, and an authentication credential (passwords are hashed and managed by our authentication provider; we do not store plaintext passwords). Includes role/label and team-assignment metadata.
- Client business-profile data — business name, industry, description, assigned InstaAgent team, and related notes provided by us or the client.
- Post content and media — captions, text, images, video, and reference media uploaded by Staff, together with scheduling metadata (intended publish times, status, version history of captions).
- Operational logs and technical data — limited application and security logs needed to run, secure, and debug the service.
5. How we use data (purposes and legal bases)
We use the data above to:
- authenticate Staff and control access to the Service;
- manage client relationships and the content we produce for clients;
- draft, review, schedule, and publish posts to clients' Facebook Pages and Instagram accounts;
- manage, monitor, and optimise advertising campaigns and report on ad performance;
- maintain version history and an audit trail of content;
- secure the service and comply with our legal obligations.
Under the PDPO we process this data to perform our contracts with clients, to pursue our legitimate business interests in operating the agency, and to meet legal and regulatory obligations. Where another applicable law requires a specific legal basis or consent, we rely on the appropriate basis under that law.
6. How we share data
We do not sell personal data or Platform Data, and we do not share it except as needed to provide the service:
- Meta Platforms (Facebook / Instagram). We send the content, instructions, and campaign data necessary to publish posts and manage advertising on the client's authorised assets.
- The relevant client — we make a client's own content and account data available to that client.
- Legal and regulatory disclosure — where required by law, court order, or a lawful request from a competent authority.
We do not transfer Platform Data to any party for advertising, resale, or any purpose unrelated to providing the contracted service, consistent with the Meta Platform Terms.
7. Data retention and deletion
We retain data only as long as needed for the purposes above or as required by law:
- Platform Data (Page/Instagram/ad account identifiers, metadata, published-content references, ad performance data, and ad audience data) is retained for the duration of the client engagement and deleted within 30 days after the engagement ends or upon a valid deletion request, whichever is earlier, except where we must retain it to comply with a legal obligation.
- Post content, media, and scheduling metadata is retained for the engagement and routine operational history, and removed on the same basis.
- Staff account data is retained while the person is engaged and deleted within a reasonable period after they leave, subject to legal record-keeping requirements.
When a client removes an asset from our Meta Business Manager, our System User token can no longer access that asset, and we delete the associated stored Platform Data within the window above.
To request deletion, email hello@instaagent.com with the subject line "Data Deletion Request". Please include your name, the organisation or client you are associated with (if any), the data you want deleted, the relevant Facebook Page name/ID or Instagram username if the request concerns a specific Business Asset, and information we can use to verify that you are entitled to make the request. We acknowledge, verify, and complete valid deletion requests within 30 days.
Detailed instructions are also available in our User Data Deletion Instructions at https://internal-docs.instaagent.com/user-data.
8. Your rights
Subject to the PDPO and any other applicable law, individuals may:
- request access to the personal data we hold about them;
- request correction of inaccurate data;
- request deletion of their data (see Section 7 and our Data Deletion Instructions);
- ask about our policies and practices regarding personal data.
Where the GDPR or a comparable regime applies, individuals may additionally have rights to restriction, portability, objection, and to withdraw consent, and to lodge a complaint with a supervisory authority. In Hong Kong, complaints may be made to the Office of the Privacy Commissioner for Personal Data (PCPD).
To exercise any right, contact hello@instaagent.com. We will respond within the timeframe required by applicable law. Because the Service is an internal tool, requests from a client's end consumers about their Facebook/Instagram data should generally be directed to the client (the operator of that Page/account) and to Meta; we will assist the relevant client as needed.
9. Security
We apply administrative, technical, and physical safeguards appropriate to the data, including:
- access to the Service restricted to authenticated Staff;
- credentials managed by our authentication provider, with passwords stored only in hashed form;
- the Meta System User token and server-side secrets held as protected credentials, never exposed to browsers or to client-side code;
- encryption in transit (HTTPS/TLS) and reliance on our infrastructure providers' encryption-at-rest;
- least-privilege Meta permissions (Section 3.2) and scoped access to client assets;
- routine deletion of data no longer needed (Section 7).
No system is perfectly secure, but we take reasonable steps to protect data and to address incidents promptly.
10. International transfers
Our infrastructure providers may process and store data outside Hong Kong. Where data is transferred across borders, we take reasonable steps to ensure it remains protected to a standard consistent with the PDPO and, where applicable, other relevant data-protection laws.
11. Children
The Service is an internal business tool and is not directed to or used by children. We do not knowingly collect personal data from children.
12. Changes to this policy
We may update this policy from time to time. The current version and its effective date are published at https://internal-docs.instaagent.com/privacy. Material changes will be reflected by an updated effective date at the top of this document.
13. Contact
Questions, requests, or complaints regarding this policy or our handling of personal data or Platform Data:
InstaAgent Company Limited
213–217 Queens Road West, Sai Ying Pun, Hong Kong
Email: hello@instaagent.com