1. What we collect
We only collect what we need to moderate comments and run your account. There are three sources: data you give us directly, data Meta sends us through the Graph API after you authorize the integration, and a small amount of technical data generated when you use the dashboard.
- Account data — name, work email, password hash, billing details. You provide this at sign-up.
- Meta integration data — Page IDs, ad account IDs, IG Business profile IDs, posts and ads attached to them, and access tokens issued by Meta when you authorize Sweep Inbox.
- Comment data — the public comments left on your Pages, ads, and IG posts, including the commenter's public Meta profile name and ID. We need this to classify and hide them.
- Moderation decisions — every hide, restore, and manual override you make, plus the confidence score and reason our model returned. We use these to retrain on your specific overrides.
- Usage telemetry — log-in times, dashboard pages visited, error reports, IP and user-agent. Used for security and product debugging.
- Support correspondence — messages you send us, including screenshots you attach.
2. How we use it
We use the data above to run the service you signed up for, improve our moderation models, keep the platform secure, and meet our legal obligations. We do not sell personal data, and we do not use Meta Platform data for advertising or to build profiles of commenters.
- Run moderation — classify comments in real time, hide what your profile flags, and surface decisions in your inbox.
- Improve the model — your overrides train a private fine-tune that biases our model toward your tolerance. Aggregate signals across customers improve the base model; we strip personal identifiers first.
- Account operations — billing, support, account recovery, abuse prevention, security monitoring.
- Legal — comply with Meta Platform Terms, applicable data-protection law, and lawful requests from authorities.
3. Meta Platform data
Sweep Inbox is built on the official Meta Graph API and was reviewed under Meta App Review. We only request the permissions strictly required to read public comments and hide or restore them on your behalf — typically pages_manage_engagement, pages_read_engagement, pages_read_user_content, instagram_manage_comments, ads_read, and business_management.
We do not scrape, automate logins, or use unofficial APIs. We do not message users, post on your behalf, or alter your ad creative. Access tokens are encrypted at rest. You can revoke our access at any time from your Meta Business Settings; your account here will stop receiving comments within seconds.
4. Where data lives, and how long
Data is hosted on managed infrastructure in the EU (Frankfurt) and the US (Virginia), with US fallback used only for redundancy. All data is encrypted in transit (TLS 1.2+) and at rest (AES-256).
- Comments and moderation decisions — kept for 24 months by default so you can audit and override historical decisions, then permanently deleted. You can shorten the window to 30, 90, or 365 days from Settings → Data.
- Aggregated training signals — retained indefinitely in a form stripped of commenter identifiers (no Meta user ID, no comment text containing identifiable PII).
- Account, billing, and support records — kept while your account is active, plus up to 7 years after closure where required by tax and accounting law.
- Backups — encrypted backups roll over every 35 days.
5. Who we share data with
We share data only with vendors that help us run the service, and only what they need to do their job. Each vendor is bound by a written data-processing agreement.
- Cloud infrastructure — AWS (hosting, storage, networking).
- Database and queue — managed Postgres and Redis providers.
- Email — Resend for transactional email (sign-ups, alerts, receipts).
- Payments — Stripe and Paddle for subscription billing.
- Analytics — PostHog for product analytics and Sentry for error monitoring.
- Customer support — a help-desk provider for ticketing.
- Authorities — when we receive a binding legal request, narrowly scoped to what the law requires.
6. Your rights
Whatever jurisdiction you sit in, you can ask us to show, correct, export, or delete the personal data we hold about you. Under GDPR (EU/UK), you also have the right to restrict or object to certain processing, withdraw consent, and lodge a complaint with your local supervisory authority.
Submit a request from Settings → Privacy → Data requests, or email legal@sweep-inbox.com. We respond within 30 days. We verify identity before acting on any request that involves personal data.
7. Cookies and similar technologies
We use first-party cookies to keep you signed in, remember your locale, and protect against CSRF. We use a small set of third-party cookies for product analytics (PostHog) and error monitoring (Sentry). We do not run advertising cookies or cross-site trackers. You can clear cookies in your browser at any time; doing so will sign you out.
8. Children
Sweep Inbox is a B2B product for businesses running paid ads. It is not directed at anyone under 16, and we do not knowingly collect data from anyone under that age. If you believe a minor has created an account, email legal@sweep-inbox.com and we will remove it.
9. Changes to this policy
We will update this policy as the product evolves or the law changes. Material changes — anything that expands what we collect, who we share with, or how long we retain it — are announced at least 14 days in advance via email to the account owner. The date at the top of this page always reflects the current version.
10. Contact
Privacy questions, access requests, data-subject requests, and general legal contact: legal@sweep-inbox.com.