Privacy Policy
Last updated: May 20, 2026 (v2)
1. Information We Collect
Murmur ("we", "our", "the Service") collects the following information when you use our platform:
- Account information: your name, email address, and password (hashed) when you register.
- Facebook & Instagram data: when you connect a Facebook Page or Instagram Business account via OAuth, we receive and store page access tokens, page / post / comment data, and the public profile information for the connecting user. Access tokens are encrypted at rest using AES-256-GCM.
- Marketing API data: when you connect a Facebook Ad Account, we receive and store the authorizing user's Facebook user ID, the ad account access token (encrypted), and ad / ad creative metadata for posts you have tagged as sponsored.
- Usage data: audit logs of actions you take within the Service (e.g., replying to comments, changing settings, login events with IP). Audit logs are retained indefinitely for forensic and compliance purposes and are append-only.
2. Meta Platform Permissions We Request
When you connect a Facebook Page or Instagram account via OAuth, Murmur requests the following Meta permissions. Each permission is used solely for the purpose described below; we do not request or use any other permissions:
- business_management: to list Business assets you manage so you can pick which Pages to connect.
- pages_show_list: to enumerate the Pages you administer.
- pages_read_engagement, pages_read_user_content: to sync posts and comments from your connected Pages.
- pages_manage_engagement, pages_manage_metadata: to reply to and hide comments on your behalf and to subscribe to Page webhooks.
- instagram_basic, instagram_manage_comments: to read media and manage comments on the Instagram Business account linked to your Page.
- ads_read (Ad Account connection only): to read ad / ad creative metadata via the Marketing API for posts you tag as sponsored.
3. How We Use Your Information
- To provide the core Service: syncing posts and comments from Facebook / Instagram Pages and enabling you to manage and reply to comments.
- To match ad posts to their underlying Page posts via the Marketing API, so sponsored comments can be surfaced alongside organic ones.
- To send transactional emails (e.g., password resets, team invitations, security alerts).
- To improve the reliability and performance of the Service.
We do not use your Meta Platform data for advertising, for training machine-learning models, or for any purpose other than operating the Service for you.
4. Data Sharing
We do not sell, rent, or share your personal data or Facebook / Instagram data with third parties, except:
- As required by law or legal process.
- With service providers that help us operate (Hetzner for hosting, Cloudflare for DNS / CDN, Resend for transactional email, Telegram for operational alerts), under strict confidentiality obligations and Data Processing Agreements where applicable.
5. Data Retention & Deletion
There are four paths to remove your data from Murmur:
- Automatic — Meta deletion request: Murmur implements Meta's Data Deletion Request Callback. When Meta sends us a valid signed deletion request on your behalf, we process it within seconds and you can verify the result using the confirmation code Meta provides. The exact circumstances under which Meta sends a deletion request are determined by Meta.
- Automatic — Meta deauthorize: Murmur implements Meta's Deauthorize Callback. When you remove Murmur from your Facebook account or revoke its permissions (e.g., via "Apps and Websites" or "Business Integrations"), Meta notifies us and we perform the same cascade deletion as for an explicit deletion request, in line with Meta Platform Terms §3.d.i.2(d).
- Manual, by email: email [email protected] from your registered address and we will process the request within 30 days.
- Disconnect inside Murmur: removing a KOL connection via the Murmur dashboard revokes our stored access tokens for that KOL and queues deletion of the associated cached posts, comments, and replies.
Security and compliance audit logs are append-only and retained only as long as necessary for forensic, security, and legal-compliance purposes. They record administrative actions (such as logins, configuration changes, KOL connections) and may reference Meta identifiers (e.g., a Page ID) as part of those records, but they do not contain the content of synced posts or comments. Audit log entries are not automatically scrubbed by Meta's data-deletion callback. If you need specific audit log entries reviewed or removed, please contact us at [email protected] and we will handle the request consistent with applicable law and our legitimate forensic / compliance interests.
6. Data Security
We protect your data using industry-standard measures including encrypted token storage (AES-256-GCM), HTTPS-only transport, and access controls. However, no method of electronic storage is 100% secure.
7. Your Rights
You may access, correct, or delete your personal data at any time through the Service or by contacting us. You may also disconnect your Facebook / Instagram pages, which revokes our access to those pages.
8. Facebook Platform Data
Our use of information received from Facebook APIs adheres to the Meta Platform Terms and Developer Policies.
9. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes via email.
10. Contact Us
If you have questions about this Privacy Policy, please contact us at [email protected].