Политика конфиденциальности
1. Territorial Scope
The Service is targeted at users outside the EU/EEA/United Kingdom/Switzerland. We do not offer or direct the Service to data subjects located in the EU/EEA/UK/Switzerland and do not knowingly monitor their behavior. If identified, we cease processing and delete data in accordance with this Policy.
2. Controller & Contact
Controller: OOO “NE PROSTO STUDIA”, Republic of Belarus (UNP 491382707)Address: 3 Telmana St., Homiel (Gomel), Republic of BelarusWebsite: https://nempl.appContact (privacy & support): info@nempl.app
3. Service Overview
Nempl connects Instagram Professional accounts (Business/Creator) to manage Instagram Direct messages via Meta’s Graph API. Features: authentication via Facebook Login (Meta OAuth); linking a Facebook Page associated with the IG account; ingesting inbound messages and metadata (participants, timestamps, delivery statuses, attachments), rendering conversations; sending replies from the Nempl interface; syncing statuses and integration events using Instagram webhooks. Nempl does not request or store Instagram passwords and requests only the permissions necessary for the functionality.
4. Processing Roles
- IG Direct conversations, participant profiles, conversation metadata — Nempl acts as a processor; the client (the organization connecting its Meta assets) acts as the controller. The client defines the purposes and content of conversations (support, sales, consulting), and Nempl processes data on the client's instructions under the agreement.
- Client's Nempl account, billing, technical telemetry, and website communications — Nempl acts as a controller (service provision, security, product improvement, notifications).
- Client responsibilities — lawful basis, end‑user notices, compliance with applicable law, retention settings, and fulfilment of data‑subject requests. Nempl assists as a processor.
5. Meta Integration & Permissions
Only the permissions necessary for the functionality are used: instagram_basic, pages_show_list, business_management, instagram_manage_messages. A Facebook Page must be linked to the Instagram Professional account and message access enabled (Connected Tools). Use of the Service requires compliance with the Meta Platform Terms, Developer Policies, and Instagram Terms of Use.
6. Categories of Data Processed
- Client account data: name, email, role; IDs of Meta business assets (Page ID, IG Business Account ID).
- Instagram Direct message data: message content, participants (username/ID), timestamps, delivery statuses, attachments metadata (type/size/link), conversation/thread IDs.
- Technical data: IP address, user‑agent, session identifiers, error/audit logs, integration/webhook events.
- Billing (if applicable): tokens/identifiers from the payment provider (no PAN storage).
7. Purposes & Legal Bases
- Provide the Service and perform the client contract.
- Security, abuse prevention, and logging.
- Analytics/marketing — not used (no third‑party trackers/analytics cookies), unless explicitly enabled.
- Compliance with legal obligations, where applicable.
8. Data Retention
- IG DM conversations: while the asset is connected + 60 days after disconnection (unless otherwise required by law/contract).
- Attachments/media: up to 30 days post‑delivery/disconnection or as configured by the client.
- Technical logs: 90 days (unless longer is needed for incident investigations).
- Backups: up to 30 days in rolling backups.
- Accounts: for the term of the agreement + a reasonable period for claims resolution.
9. Sharing & Subprocessors
We may engage subprocessors for hosting, storage, email delivery, and logging. The list, purposes, and countries are available upon request and/or published on our website. Transfers are governed by DPAs and, where required, SCCs.
10. International Transfers
Where data are transferred outside your jurisdiction, appropriate safeguards and technical/organizational measures are applied.
11. Cookies & Tracking
We do not use analytics/marketing cookies or third‑party trackers. The platform may use strictly necessary technical cookies (e.g., sessions, fraud prevention) without which the service cannot function.
12. Data Subject Rights
You may request access, rectification, erasure, restriction, portability, and object to processing by contacting info@nempl.app. We may request additional information to verify your identity and will respond within statutory timeframes.
13. Security
Security measures include TLS in transit, access controls and 2FA for administrators, audit logging, environment isolation, regular backups, and data minimization.
14. Use of AI/LLM (OpenAI)
To generate assistant responses, we transmit conversation content and minimal necessary metadata to an external language‑model service — **OpenAI** (API). Transmission occurs over secure channels; we apply data minimization and, where feasible, masking/redaction of sensitive fragments. Data are used solely to generate the response and are not shared for other purposes. We configure API usage to prevent these data from being used to train the provider’s models. Processing may occur in locations selected by the provider (including the US/EU).
15. Data Deletion
You can disconnect Meta assets at any time. Upon disconnection, related data are deleted within the retention periods above. Deletion instructions and contact are available on the Delete Data page: https://nempl.app/delete-data (see "Data Deletion") or via info@nempl.app.
16. Terms of Service
See our Terms of Service: https://nempl.app/terms-of-service
16. Age
No separate 18+ threshold is imposed. Use by individuals of any age is permitted subject to applicable law. Where parent/guardian consent is required for processing minors’ data, obtaining such consent and ensuring lawful use of conversations are the client’s responsibility (as controller).
17. Changes to this Policy
We may update this Policy. The current version is posted at https://nempl.app/privacy-policy with the effective date. Material changes will be notified within the Service.