Privacy Policy

Last updated: 17 April 2026

1. Who we are

ReelPlan ("we", "us") provides a scheduling service for Instagram content. This Privacy Policy applies to the dashboard at dashboard.reelplan.app and explains how we handle the personal data of registered users.

For any privacy matter you can contact us at privacy@reelplan.app.

2. What we collect

When you use ReelPlan we process the following categories of data:

  • Account data: email, name and password (the password is stored only as a bcrypt hash, never in cleartext).
  • Instagram/Meta tokens: long-lived access tokens obtained via Meta OAuth. Tokens are encrypted at rest with AES-256-GCM on our servers.
  • Content you upload: images, videos, captions and hashtags for the posts you schedule.
  • Publishing metadata: scheduled date and time, post status, API errors if any.
  • Minimal technical data: IP address and user-agent, recorded only in API security logs and kept for a maximum of 30 days.

3. Purposes and legal basis

  • Performance of the contract (Art. 6(1)(b) GDPR): account management, publication of scheduled posts, operation of the dashboard.
  • Legal obligation (Art. 6(1)(c) GDPR): retention of accounting and tax records where applicable.
  • Legitimate interest (Art. 6(1)(f) GDPR): abuse prevention, platform security, error logging.

4. Third parties and transfers

To publish your posts we must communicate with Meta Platforms, Inc. via the Instagram Graph API. Meta acts as an independent controller for the data underlying your Instagram account. The captions, hashtags and media you schedule are sent to Meta only at the moment of publication.

Our infrastructure is hosted in the European Union. We do not sell or transfer your data to third parties for marketing purposes.

5. Cookies

The dashboard uses only strictly-necessary cookies, which under Art. 5(3) of the ePrivacy Directive do not require consent:

  • accessToken: session JWT (15-minute lifetime).
  • refreshToken: session refresh token (7 days, rotated on use).
  • i18n_locale: stores the chosen language (it/en).

We do not use profiling, analytics or advertising cookies. No third-party tracking pixels are loaded by the dashboard.

6. Retention

  • Account data is kept while the account is active; upon deletion it is removed within 30 days.
  • Meta tokens are deleted immediately when you disconnect an Instagram account.
  • Uploaded media is automatically removed after publication or when you delete the scheduled post.
  • Technical logs are kept for a maximum of 30 days.

7. Your rights

Under the GDPR you may at any time:

  • access your personal data;
  • request correction or deletion;
  • request restriction of processing or object to it;
  • receive a copy in a structured format (portability);
  • lodge a complaint with a supervisory authority (in Italy: Garante per la protezione dei dati personali).

To exercise these rights, email privacy@reelplan.app from the address associated with your account. We respond within 30 days.

8. Security

We adopt adequate technical and organisational measures: TLS in transit, AES-256-GCM encryption of Meta tokens at rest, bcrypt hashing of passwords, restricted and authenticated database access, audit logs. In the event of a personal data breach we will notify the relevant authority and affected users as required by law.

9. Changes

If we change this policy we will update the date above and, for material changes, email registered users before the changes take effect.