Privacy Policy
Last updated: May 20, 2026
Storylink ("we", "the service") helps you schedule Instagram Stories, Posts, and Reels and optionally cross-post them to a linked Facebook Page. This policy explains what we collect, why, and your rights.
Identity of the data controller
Storylink is operated by Gal Be as a sole proprietor. Gal Be is the sole data controller for personal data processed through Storylink (no separate incorporated entity exists). Contact: admin@storylink.pro.
What we collect
- Your email address and name (from Clerk during sign-up)
- For each Instagram account you connect: the username, account ID, and an encrypted access token. You can connect up to five accounts per company.
- Images you upload — and images you generate via the AI feature — stored on Vercel Blob
- Schedule metadata for Stories, Posts, and Reels — dates, times, statuses, Facebook cross-post settings, and ad campaign settings when you use the Ads feature
- Prompts you submit to the AI generator. Prompts are passed to our AI providers (see below) for the duration of the request and are not retained by us beyond it.
- Your phone number, when you complete the optional phone-verification step during onboarding. Storage and verification SMS are handled by our authentication provider (Clerk) and an SMS provider; we use the number for verification and abuse prevention only.
- Videos you upload for Reels (and Stories that include video). Stored on Vercel Blob alongside your images.
- Contact data you upload via the customer-import feature — typically name, optional company, and an Instagram or email handle for matching audience engagement. You can delete an upload at any time.
- Anti-abuse signals — moderation events and risk counters tied to your account. We store the signal, not the content that triggered it.
- Anonymous web analytics — Vercel Web Analytics records page views and custom events without identifying cookies. We use it to measure traffic and feature usage.
- Ad campaign metadata — when you use the Ads feature, we store the linked ad-account ID, the audience configuration you set, and the spend totals reported by Meta. We do not store ad-network credentials beyond what's needed to attribute the campaign back to you.
- Aggregate counts read from your connected accounts — currently your Instagram and Facebook Page follower counts. The current value is fetched live when you open the analytics page; one daily snapshot per connection is stored on our side so the page can show how the total has changed over the selected range (7 / 30 / 90 days). Snapshots are deleted automatically when the connection is disconnected or your account is deleted.
- Waitlist signups — when Storylink isn't yet available in your country, you can submit your email address to be notified at launch. We store the email along with the country (derived from your IP at submit time) and the interface language you used. We use it only to send the launch notification and to estimate demand by region. Email admin@storylink.pro to be removed.
- API keys you create — when you mint a key on /developers, we store an SHA-256 hash of the key (we cannot recover the plaintext after you copy it), the key name and prefix, and a timestamp of the last time it was used. Anyone holding a plaintext key can act on your behalf via our REST API or MCP server; treat keys like passwords and rotate or revoke them on /developers if compromised.
- API request logs — for every authenticated call to our REST API and Model Context Protocol (MCP) server, we record the request timestamp, HTTP method, endpoint path (no query string or request body), response status, response latency, and the IP and User-Agent of the calling client. We use these only to render the per-key usage panel on /developers (so you can monitor your own usage and spot a compromised key) and for security and abuse investigations. Rows are deleted automatically 30 days after the request.
- Insights Assistant conversations — when you use the Insights Assistant at /assistant (Business plan), we store the chat messages you send, the assistant's replies, the conversation title, and per-message token counts. Conversations are scoped to your company and shared among all teammates in that company. Your messages and the assistant's replies are passed to our AI provider (Anthropic, via the Vercel AI Gateway) at request time to generate each reply; they are not used by the provider to train models. You can delete any conversation from the assistant page at any time.
How we use it
- To authenticate you and authorize Instagram (and optional Facebook Page) publishing on your behalf
- To publish Stories at your scheduled times
- To show you your scheduling history and account status
- To generate images and parse scheduling intent when you use the AI feature
- To power the Insights Assistant — analyzing your published content and engagement metrics to answer your questions about performance when you use the /assistant page
Who we share with
- Meta — when publishing Stories to Instagram, and when cross-post is enabled, to your linked Facebook Page
- Clerk (authentication provider)
- Neon (database)
- Vercel (hosting and image storage)
- Vercel AI Gateway, OpenAI, Anthropic, and Black Forest Labs (BFL) — only when you use AI features. OpenAI and BFL receive prompts when you generate images. Anthropic receives your Insights Assistant chat messages along with summaries of your published content and metrics needed to answer your question. We do not include identifying account info in any of these requests. None of these providers use the data to train their models.
- Sentry (error and crash reporting). We strip access tokens, codes, and other secrets from URLs before sending.
- Upstash (rate-limit counters keyed by your user ID; no personal content is sent)
- We do not sell or share your data with advertisers or third parties beyond the providers above
- An SMS provider — only the phone number you submit during verification, only for delivering the verification code. The SMS provider is contracted by Clerk.
- Vercel Web Analytics — anonymous page views and custom events. No personally identifying data is sent.
- OpenAI (content moderation) — when you upload an image or video, we send the media URL (and, for videos, a few sampled frames) to OpenAI's moderation endpoint to detect prohibited content before publishing. We store the moderation decision and category scores on our side; we do not send your account identifiers with the request.
- Vercel BotID — on public forms exposed to unauthenticated visitors (currently the pre-signup waitlist), anonymous device and network signals are sent to Vercel for bot detection. No personal content is sent.
Your rights
- Disconnect any Instagram account at any time from Settings — its token is deleted and its scheduled stories are canceled
- Request full account deletion by emailing the address below
- Export your scheduled stories on request
Questions or requests? Email us at admin@storylink.pro.