Privacy Policy

How we collect, use, and protect your personal information — including data we access via Instagram's API.

Effective: April 14, 2026
Last updated: April 14, 2026

This Privacy Policy describes how Frost Software LLC ("we", "us", "our", or "Elevion") collects, uses, discloses, and protects personal information when you use our website at elevion.cc and our application at app.elevion.cc (collectively, the "Service").

Controller / business of record: Frost Software LLC, 626 Wilshire Blvd, Suite 410-L44, Los Angeles, CA 90017, United States. Contact: privacy@elevion.cc.

1. Information we collect

1.1 Information you provide directly

  • Account info: name, email address, password (stored as a salted Argon2id hash — never in plaintext).
  • Billing info: name, billing address, VAT/tax ID (optional), and payment method details. Card numbers and bank details are collected and stored by our payment processors (Mollie B.V. and PayPal) — we never see or store full card numbers.
  • Content you create: campaign names, keywords, message templates, automation schedules, and any data you input while configuring the Service.
  • Communications: emails you send us for support, feedback, or legal inquiries.

1.2 Information we receive from Meta Platforms (Instagram)

When you connect your Instagram account, you authorize us (via OAuth) to access data from Meta's Instagram Graph API. We request the minimum permissions necessary for the Service to function. Specifically:

  • instagram_business_basic — we receive your Instagram user ID, username, profile picture URL, follower count, media count, and account type (Business or Creator). Used to identify your account and display your profile within the Service.
  • instagram_business_manage_comments — we read comments on your posts (including the commenter's username and comment text) to detect keywords you've configured, and we reply to those comments on your behalf when a match is found. Required to deliver the keyword-DM automation feature.
  • instagram_business_manage_messages — we send private Direct Messages from your Instagram account to users who commented on your posts (in response to keyword matches you configured), and we receive DMs users send back to you so you can track responses. Required to deliver automated outreach.
  • instagram_business_manage_insights — we read aggregate analytics for your account and posts (reach, impressions, profile views, engagement, follower count over time). Used to power the analytics dashboard in the Service.

We also store an access token issued by Meta so we can perform these operations on your behalf. The token is stored encrypted at rest and is revoked whenever you disconnect your Instagram account or request data deletion.

1.3 Information collected automatically

  • Device & session: IP address, user agent, device type, browser, OS, approximate geolocation (country, region, city — derived from IP).
  • Usage: pages visited, features used, clicks, error logs, timestamps.
  • Cookies: see our Cookie Policy for the full list.

2. How we use your information

  • To operate the Service (authenticate you, process payments, deliver automation features, generate analytics).
  • To detect keyword matches in Instagram comments and send Direct Messages and comment replies on your behalf, per your campaign configuration.
  • To respond to your support requests and communicate about your account (billing, security alerts, service changes).
  • To improve the Service (debugging, performance monitoring, product analytics).
  • To prevent fraud, abuse, and violations of our Terms of Service or Meta's platform policies.
  • To comply with legal obligations (tax records, responding to subpoenas, enforcing rights).

We do not sell your personal information, nor do we use your Instagram data or content to train any machine-learning model that is not strictly necessary to operate the Service for you.

3. How we share your information

We share personal information only with the following categories of recipients:

  • Meta Platforms, Inc. — we send API requests to Meta's Instagram Graph API to fetch the data described above and to send DMs/comment replies on your behalf. Meta processes this data under their own privacy policy.
  • Payment processors — Mollie B.V. (Netherlands) and PayPal (Europe) S.à r.l. et Cie, S.C.A. (Luxembourg) collect and store your payment details to process subscription billing.
  • Email delivery — Resend, Inc. (US) sends transactional email on our behalf (verification links, password resets, trial reminders, invoices).
  • Infrastructure & hosting — our servers are operated under our direction; tokens and database records are stored on dedicated infrastructure we control.
  • Error tracking (optional) — we may use Sentry (Functional Software, Inc.) to capture anonymized error telemetry for debugging. Personally identifying data in error reports is scrubbed where possible.
  • Legal & safety — if required by law, subpoena, or to protect the rights, property, or safety of Frost Software LLC, our users, or others.
  • Business transfers — if we merge with, are acquired by, or sell assets to another company, we may transfer your information as part of that transaction, subject to this Policy.

4. How long we retain your data

  • Account data: for as long as your account is active, plus up to 30 days after a deletion request (during which your account is reversibly deactivated).
  • Instagram API tokens: deleted immediately on disconnect or account deletion.
  • Campaign activity logs: retained up to 12 months, then deleted automatically.
  • Billing records: retained for 7 years to comply with US tax and accounting rules.
  • Deleted accounts: we permanently delete personal data within 90 days of deletion, except where legally required to retain it.

5. Security

We protect your information with industry-standard safeguards: HTTPS (TLS 1.2+) for all traffic, Argon2id hashing for passwords, encrypted database at rest, strict access controls, HMAC-signed webhooks, rate limiting on sensitive endpoints, and security-hardened HTTP headers. No system is 100% secure; please use a strong unique password and report suspicious activity to privacy@elevion.cc.

6. Your privacy rights

6.1 California residents (CCPA / CPRA)

California residents have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

  • Right to know what personal information we collect, use, disclose, and sell/share.
  • Right to delete personal information we hold about you.
  • Right to correct inaccurate personal information.
  • Right to limit use of sensitive personal information.
  • Right to opt out of the sale or sharing of personal information. We do not sell or share personal information for cross-context behavioral advertising.
  • Right to non-discrimination — we will not deny service, charge differently, or reduce quality because you exercised a privacy right.

To exercise any of these rights, email privacy@elevion.cc or visit our Data Deletion page. We will verify your identity and respond within 45 days (extendable by 45 additional days if necessary, with notice to you).

6.2 European Economic Area, UK, and Switzerland (GDPR)

If you are in the EEA, UK, or Switzerland, you have these rights under the GDPR and UK GDPR:

  • Right of access to your personal data.
  • Right to rectification of inaccurate data.
  • Right to erasure ("right to be forgotten").
  • Right to restrict processing.
  • Right to data portability — receive your data in a machine-readable format.
  • Right to object to processing.
  • Right to lodge a complaint with your local supervisory authority.

Our lawful basis for processing is typically: (a) performance of contract (to provide the Service you subscribed to), (b) consent (for marketing emails and certain cookies), or (c) legitimate interests (fraud prevention, service improvement). Where we rely on consent, you can withdraw it at any time.

International transfers: our servers are located in the United States. When we transfer personal data from the EEA/UK/Switzerland to the US, we rely on Standard Contractual Clauses approved by the European Commission and (where applicable) the EU-US Data Privacy Framework.

7. Meta Platform-specific disclosures

In accordance with Meta's Developer Platform Terms and Instagram API policies, we make the following disclosures regarding data received from Meta Platforms, Inc.:

  • We use Meta Platform Data solely to provide the keyword-DM automation, analytics, and Instagram account management features of the Service to you.
  • We do not sell, license, lease, or otherwise transfer Meta Platform Data to any data broker, advertiser, or third party for their own use.
  • We do not use Meta Platform Data to build user profiles, enable discriminatory practices, or for any purpose prohibited by Meta's Platform Terms.
  • We delete all Meta Platform Data upon request, upon your disconnection of the Instagram account from the Service, or upon the expiration or revocation of the applicable access token.
  • You may revoke Elevion's access at any time via Instagram Settings → Apps and Websites → Active → remove Elevion, or by disconnecting the account within the Service.

8. Children's privacy

The Service is not directed to children under 13 (or under 16 in the EEA/UK). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it.

9. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be notified via email to the address on your account at least 30 days before taking effect. The "Last updated" date at the top reflects the most recent revision.

10. Contact us

Frost Software LLC
Attn: Privacy Officer
626 Wilshire Blvd, Suite 410-L44
Los Angeles, CA 90017
United States
Email: privacy@elevion.cc
Phone: +1 (213) 776-3157

Questions about this document? Email legal@elevion.cc or write to us at the address on our legal notice.