Privacy policy

Last updated: April 28, 2026 · Effective: April 28, 2026

DOMs_DMs (“we,” “us”) builds AI-assisted direct-message tooling for fitness coaches. This policy explains what data we collect from coaches and their Instagram audiences, what we do with it, and the choices you have. We collect only what we need to operate the service, we don’t sell your data, and you can request deletion at any time.

1. Who this policy covers

This policy applies to coaches who sign up to use DOMs_DMs and the public-facing prospects whose Instagram conversations flow through the product. It covers data we process at app.getdoms.co and any subdomain we operate.

2. Data we collect

From coaches who sign up

  • Account information. Name, email, password hash, IP address at signup, and Supabase auth identifiers.
  • Profile + business settings. Business name, timezone, working hours, voice prompt, tone configuration, and booking calendar metadata that you supply during onboarding.
  • Instagram OAuth grant. Page access token, Instagram business account ID, page metadata, and the scopes you authorize when you connect via Meta or our channel rail.
  • Billing data. Subscription status and invoice metadata when paid plans are active. Card data is held by our payment processor; we do not store full card numbers.

From the prospects in your inbox

  • Direct-message content sent to or from your connected Instagram business account, including text, attachments, reactions, read receipts, and conversation metadata.
  • Public profile fields Meta exposes for the conversation participant: handle, display name, avatar URL, follower count, follow relationship, and verified badge.
  • AI-derived facts. Structured facts our language models extract from conversation history (interests, goals, objections) to make replies in your voice possible.
  • Comment and post metadata on your connected account where the comment thread becomes a DM-routed conversation.

Automatically

  • Service logs. Request paths, status codes, durations, error stack traces, and a per-request trace ID. Logs include tenant and trace identifiers so we can debug, but we redact obvious credit card, social security, and phone patterns from message bodies before they enter logs.
  • AI inference traces. Every AI reply produces a trace row with the prompt, model identifier, latency, token cost, and guardrail decisions for audit and quality review.
  • Cookies. A first-party Supabase session cookie keeps you logged in; a CSRF cookie protects the OAuth handshake. We do not use third-party advertising cookies.

3. How we use it

  • Operate the inbox: read, classify, and route incoming conversations.
  • Draft AI replies in your configured voice and apply your guardrails before any reply leaves the system.
  • Build memory and context so the agent remembers prior conversations with the same prospect.
  • Show analytics and reporting to you, scoped to your tenant only — we never aggregate one coach’s data into another coach’s view.
  • Operate, secure, and improve the service. Detect abuse, debug issues, and prevent automated misuse.
  • Send transactional email about your account: password resets, billing notices, security alerts, and incident postmortems.

We do not sell your data. We do not use your messages or your prospects’ messages to train third-party foundation models. Inference traces stay scoped to your tenant.

4. Sub-processors we share data with

We use a small number of vendors to operate the service. Each gets only the data needed for its job. The current list:

  • Supabase (US/EU regions) — Postgres database, authentication, file storage.
  • Vercel (US) — application hosting, serverless compute, edge network.
  • Anthropic (US) — Claude language models for draft generation, classification, and fact extraction. Per Anthropic’s commercial terms our prompts are not used to train their models.
  • Meta Platforms, Inc. — Instagram messaging APIs for read and send.
  • Zernio (transitional) — Meta API gateway during the migration to direct Meta integration. This vendor is being decommissioned per our migration roadmap.
  • Voyage AI (US) — vector embeddings for semantic memory.
  • Google Calendar (optional) — when you connect your calendar to schedule consultations from the inbox.

We disclose data to law enforcement only when compelled by valid legal process, and only to the extent the request requires.

5. How long we keep your data

  • Account data is retained for the life of your account plus 30 days after closure.
  • Conversation messages are retained for the life of your account. You can delete a thread or the whole inbox at any time from settings.
  • AI inference traces are retained for 90 days in hot storage, then archived to cold storage for up to 12 months for audit, then permanently deleted.
  • Webhook event logs are retained for 14 days for debugging and replay-protection.
  • Backups follow our database provider’s schedule (typically rolling 7-30 days) and are deleted on that cycle.

6. Your rights

You have the right to access, correct, export, or delete the data we hold about you. The fastest paths:

  • Self-service deletion. Sign in → /settings. “Disconnect Instagram” removes the OAuth grant and the connected account. “Close account” deletes your tenant, conversations, and traces within 30 days.
  • Email request. Send a deletion or access request to privacy@domsdms.ai from the email address tied to your account. We respond within 30 days.
  • Meta-initiated deletion. If a prospect deletes your app from their Instagram permissions, Meta sends us a signed deletion notice and we purge that user’s data from your inbox automatically. The full instructions live at /data-deletion.

California, EU, and UK residents have additional rights under CCPA and UK/EU GDPR — including the right to lodge a complaint with a supervisory authority. Contact us first; we’d rather hear about it directly.

7. Security

All traffic uses TLS in transit. Secrets at rest are encrypted by our database provider. Access tokens for connected accounts are encrypted with a per-environment key. Application access is gated behind Supabase auth with HttpOnly session cookies and CSRF state for OAuth flows. We log every administrative action and we run automated tests on every change.

8. International transfers

Our infrastructure is primarily hosted in the United States. If you access the service from outside the US your data is transferred to the US. We rely on standard contractual clauses with our sub-processors to protect transfers from the EU and UK.

9. Children

The service is not directed to children under 13 (or the equivalent minimum age in your country). We do not knowingly collect data from children. If you believe a child has provided us data, contact privacy@domsdms.ai and we’ll delete it.

10. AI disclosure

DOMs_DMs drafts and may automatically send replies on a coach’s behalf using AI. Some jurisdictions (including California under AB 2905, and Texas) require disclosing automated agents to consumers. We support a configurable first-reply disclosure that coaches can enable per tenant. Operating the service in jurisdictions that mandate disclosure without enabling it is the operating coach’s responsibility.

11. Changes to this policy

We will update this page when our practices change. Material changes will be announced inside the product and to the email tied to your account at least 14 days before they take effect. The effective date at the top of this page is the binding date.

12. Contact

For privacy questions, deletion requests, or to exercise any of the rights described above, email privacy@domsdms.ai. For Meta App Review and platform-related questions, reference the data-deletion callback documented at /data-deletion.