Privacy Policy

Last updated: April 27, 2026

This policy describes how HITCH (“HITCH”, “we”, “us”) collects, uses, retains, shares, and deletes personal data, with specific detail about our Instagram integration.

1. Who we are (Data Controller)

HITCH is operated by HITCH Inc., a registered business contactable at privacy@hitchme.live. For the purposes of GDPR / UK GDPR / CCPA, HITCH is the data controller for personal data collected through our website, app, and Instagram integration.

2. Data we collect

We try to collect as little data as possible. The exact fields we store, by source, are:

2.1 Account data (Creators & Buyers)

  • Email address, display name, role (creator or buyer), avatar URL, short bio, and (for creators) booking URL slug.
  • Hashed authentication tokens, managed by Supabase Auth. We never store passwords in plain text.
  • Time-zone and locale (inferred from the browser to render booking times correctly).

2.2 Instagram connection data (Creators only)

Only after a Creator explicitly clicks “Connect Instagram” in the dashboard and completes Meta's Instagram Business Login OAuth flow, we receive and store:

  • Instagram user id (IGSID), username, display name, and profile picture URL of the Creator's Professional account.
  • A long-lived access token (60-day TTL) issued by Meta. We encrypt this token at rest using AES-256-GCM with a key held in an environment variable separate from the database.
  • The Creator's custom auto-reply template text (otherwise a HITCH default template is used).

2.3 Instagram DM & comment event metadata (Creators & their fans)

When a third party sends a Direct Message to the Creator's connected Instagram account, orpublicly comments on one of the Creator's posts, Meta delivers a webhook to HITCH. For each event we record:

  • The connection id, the event timestamp, the message id (MID) or comment id, the event type (message, comment, echo, edit, opt_out, unknown), and the reply outcome (sent, skipped_optout, skipped_filter, etc.).
  • The sender's Instagram-Scoped User ID (IGSID) and a SHA-256 hash of that IGSID combined with a per-connection salt (used in dashboards so a Creator can see opt-out volume without the raw IGSID being surfaced everywhere).
  • We do not persist the textual contentof Instagram DMs or comments after the reply has been processed. Message and comment text are held in volatile memory only for the duration of the webhook handler (typically <1 second) to determine whether to send the auto-reply or treat the message as a STOP request.

2.4 Booking, payment & session data

  • Bookings (creator, buyer, time slot, status, credits spent), completed-session records (room name, duration), buyer ratings, and post-session written follow-ups.
  • Payment metadata via Stripe (Customer id, Payment Intent id, amount, currency, last 4 of card and brand). We do not store full card numbers.

2.5 Operational logs

  • Request logs at the hosting provider (Netlify) for up to 30 days for security and uptime monitoring.
  • Error traces (stack traces, request ids) — never message bodies or tokens.

3. How we use the data

We use the data above only for the purposes below:

  • Provide the service: deliver auto-replies, host booking pages, run video sessions, deliver paid feedback.
  • Honour user choice: permanently opt-out any Instagram sender who replies STOP, STOP ALL, UNSUBSCRIBE, or END to one of our auto-replies.
  • Show analytics to the connected Creator: aggregate counts of DMs received, replies sent, and opt-outs.
  • Security & abuse prevention: rate-limit, detect spam, verify webhook signatures.
  • Comply with law and respond to lawful requests.

We do not use Instagram data for advertising, build profiles for resale, train any AI model, or transfer Instagram data outside the purposes above.

4. Instagram-specific disclosures

  • HITCH uses the Instagram API with Instagram Login (Meta Graph API v25.0) with three scopes: instagram_business_basic (to identify the connected account), instagram_business_manage_messages (to send the auto-reply DM with a HITCH booking link, both in response to a fan DM and as a private reply to a public comment), and instagram_business_manage_comments(to subscribe to the comments webhook so we can detect when a fan comments on the Creator's post and trigger the private-reply DM). We do not publish, edit, hide, or delete Instagram comments or posts.
  • Auto-replies are only sent in responseto a Direct Message that the third party initiated to the Creator's account, or as a private DM reply to a public comment that the third party left on the Creator's post. We do not send unsolicited or broadcast messages.
  • Every auto-reply contains an opt-out instruction (“Reply STOP to opt out of automated messages”).
  • Creators can disconnect their Instagram account at any time from the HITCH dashboard. Disconnect deletes the connection row and stored encrypted token immediately.
  • If a Creator removes HITCH from Instagram → Settings → Apps and Websites, Meta calls our deauthorize / data-deletion callback at /api/data-deletionand we cascade-delete that Creator's connection, DM events, and opt-outs.

5. Data retention

  • Account data: retained for the life of your account, then deleted within 30 days of account closure.
  • Instagram access tokens: retained while the connection is active. Deleted on disconnect, deauthorize, or Meta-issued token invalidation.
  • Instagram DM event metadata: retained for 90 days from the event timestamp, then purged automatically by a daily database job (purge_old_dm_events()).
  • Opt-out list: retained indefinitely — this is the mechanism by which we honour STOP requests forever.
  • Booking, payment, and session records: retained for 7 years to satisfy financial-record obligations.
  • Operational logs: 30 days at the hosting provider.

6. Sharing & sub-processors

We share data with the following sub-processors, under contract:

  • Meta Platforms, Inc. — Instagram Messaging API (governed by Meta Platform Terms).
  • Supabase, Inc. — Postgres database, auth, and storage.
  • Netlify, Inc. — application hosting and CDN.
  • Stripe, Inc. — payment processing.
  • Twilio, Inc. — video session infrastructure.

We do not sell personal data, and we do not share Instagram data with anyone outside the list above.

7. Your rights

You have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate data
  • Delete your data — see Data Deletion
  • Opt out of automated Instagram message replies forever by replying STOP to any HITCH auto-reply
  • Withdraw Instagram authorization from your Instagram → Settings → Apps and Websites at any time
  • Lodge a complaint with your local data protection authority

8. Security

We use TLS 1.2+ in transit, AES-256-GCM at rest for Instagram tokens, Supabase Row Level Security policies that restrict each Creator to their own rows, and a service-role key that never leaves the server. Webhook payloads from Meta are verified using HMAC-SHA256 with our App Secret on every request.

9. International transfers

Our infrastructure is hosted in the United States. By using HITCH you consent to the transfer of your data to the United States. We rely on Standard Contractual Clauses with our sub-processors where required.

10. Changes

We will update the “Last updated” date at the top of this page when this policy changes. Material changes will also be announced by email to Creators with active Instagram connections.

11. Contact

For privacy questions, requests, or complaints contact privacy@hitchme.live.