Privacy Policy
February 13, 2026
At Aspen.ai ("we", "our", or "the Company"), we take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform and services.
By using Aspen.ai, you agree to the collection and use of information in accordance with this policy.
1. Information We Collect
Account Information
When you create an account, we collect your name, email address, and password. If you sign up using a third-party service (e.g., Google), we receive your name, email address, and profile picture from that provider.
Usage Data
We automatically collect information about how you interact with our platform, including pages visited, features used, timestamps, device type, browser type, IP address, and referring URLs.
Organization Data
If you create or join an organization, we store organization names, member roles, and any content you create within that organization (boards, posts, analytics data, integrations configuration).
Third-Party Integrations
When you connect third-party services (e.g., social media accounts, advertising platforms), we collect and store the data necessary to provide our services, including access tokens, analytics metrics, and campaign data. We only access the data you explicitly authorize.
InstaFlow — Instagram DM Automation Data
When you use InstaFlow, our Instagram DM automation feature, we collect and process data about Instagram users ("leads") who interact with your Instagram account. This includes:
- **Instagram identifiers:** Instagram user ID, username, and profile picture URL as provided by the Instagram Messaging API.
- **Contact information:** Email address or phone number, only when voluntarily provided by the lead during an automated conversation flow.
- **Conversation data:** Messages exchanged between your Instagram account and the lead, including automated responses, collected form data, and conversation status.
- **Behavioral data:** Link clicks, opt-in status for recurring messages, tags, and segment memberships assigned by the organization.
- **Custom fields:** Any additional data collected through conversation flows configured by the organization (e.g., preferences, interests).
This data is collected on behalf of the organization operating the Instagram account. The organization acts as the data controller for lead data, and Aspen.ai acts as the data processor.
2. How We Use Your Information
We use the information we collect to:
- Provide, operate, and maintain our platform
- Personalize and improve your experience
- Process transactions and manage your account
- Send administrative communications (service updates, security alerts)
- Provide analytics, dashboards, and reporting features
- Detect, prevent, and address technical issues and security threats
- Comply with legal obligations
We do not sell your personal data to third parties. We do not use your data to train AI models.
3. InstaFlow — Lead Data Processing
Legal Basis (GDPR Art. 6)
Lead data collected through InstaFlow is processed on the following legal bases:
- **Legitimate interest (Art. 6(1)(f)):** The lead initiates a conversation with the Instagram account, expressing interest in the organization's services. Processing is necessary to respond to and manage this interaction.
- **Consent (Art. 6(1)(a)):** When leads opt in to recurring messages or provide personal data through consent-gated form fields, explicit consent is obtained and recorded.
Purpose of Processing
- Responding to Instagram Direct Messages on behalf of the organization
- Executing automated conversation flows configured by the organization
- Collecting data provided voluntarily by the lead (email, phone, preferences)
- Segmenting leads for targeted follow-up communications
- Providing analytics and reporting to the organization
- Sending recurring messages only when the lead has opted in
Data Retention
Lead data is retained according to the organization's configured retention policy. By default, leads inactive for more than 3 years (1,095 days) are automatically purged, in accordance with CNIL recommendations for commercial prospection data. Organizations can customize this duration in their settings. Leads who have opted in to recurring messages are excluded from automatic purge.
Lead Rights
Instagram users whose data is processed through InstaFlow have the following rights under GDPR:
- **Right of access (Art. 15):** Request a copy of all personal data held. Organization admins can export individual lead data at any time.
- **Right to data portability (Art. 20):** Lead data can be exported in structured JSON format.
- **Right to erasure (Art. 17):** Leads can be permanently deleted, which cascades to all conversations, messages, and segment memberships.
- **Right to withdraw consent (Art. 7(3)):** Leads who opted in to recurring messages can be opted out at any time by the organization.
To exercise these rights, leads or their representatives may contact the organization operating the Instagram account, or reach out to us at privacy@aspen.ai.
Audit Trail
All lead data deletions, exports, and automated purges are logged in an immutable audit trail, recording who performed the action, when, and what data was affected. This ensures traceability and accountability in compliance with GDPR Art. 5(2).
4. Cookies and Tracking
We use cookies and similar technologies to maintain your session, remember your preferences, and understand how you use our platform. Specifically:
- **Essential cookies:** Required for authentication and core functionality. Cannot be disabled.
- **Analytics cookies:** Help us understand usage patterns to improve our product. You can opt out via your browser settings.
We do not use third-party advertising trackers.
5. Data Sharing and Disclosure
We may share your information in the following circumstances:
- **Service providers:** We use trusted third-party services for hosting (Vercel), database (Supabase), email delivery, and payment processing. These providers only access data necessary to perform their services.
- **Organization members:** Data within an organization is accessible to its members based on their assigned roles and permissions.
- **Legal requirements:** We may disclose information if required by law, regulation, or legal process.
- **Business transfers:** In the event of a merger, acquisition, or sale of assets, your data may be transferred as part of the transaction.
6. Data Security
We implement industry-standard security measures to protect your data, including:
- Encryption in transit (TLS/HTTPS) and at rest
- Row Level Security (RLS) policies on our database
- Regular security audits and monitoring
- Access controls and authentication mechanisms
While we strive to protect your data, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.
7. Data Retention
We retain your data for as long as your account is active or as needed to provide our services. If you delete your account, we will delete or anonymize your personal data within 30 days, except where we are required to retain it for legal or legitimate business purposes.
8. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- **Access:** Request a copy of your personal data.
- **Rectification:** Request correction of inaccurate data.
- **Deletion:** Request deletion of your personal data.
- **Portability:** Request your data in a structured, machine-readable format.
- **Objection:** Object to certain processing of your data.
To exercise any of these rights, contact us at privacy@aspen.ai. We will respond within 30 days.
9. International Transfers
Your data may be processed and stored in countries outside your own. We ensure appropriate safeguards are in place to protect your data in accordance with applicable data protection laws, including GDPR standard contractual clauses where applicable.
10. Children's Privacy
Our platform is not intended for users under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us so we can delete it.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the updated policy on this page and updating the "Last updated" date. Your continued use of the platform after changes constitutes acceptance of the revised policy.
12. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us:
- Email: privacy@aspen.ai
- Company: [company name to be added]
- Address: [address to be added]