← Back to Home

Privacy Policy

Last updated: February 9, 2026

This Privacy Policy explains how PromoLink collects, stores and processes personal data in accordance with the General Data Protection Regulation (GDPR), the ePrivacy Directive, the Meta Platform Terms and other applicable laws. By using PromoLink, you agree to the practices described in this document.

1. About PromoLink

PromoLink is a music promotion platform used by music labels, artists and agencies to send release campaigns via email and Instagram direct messages, manage Instagram comment engagement, and provide analytics for promotional activity. PromoLink acts primarily as a technical provider that routes and monitors campaigns on behalf of its users.

PromoLink is operated by:
IAMT Music 2021 SCP
c/ Suissa 8, 2-1
Barcelona, Spain
VAT ESJ05494513

If you have any questions regarding this Policy, you can contact us at: support@promolink.app

2. Definitions

User
A registered individual with a PromoLink account who creates campaigns and uploads contact data.
Sender
A profile created by a User for sending campaigns. One User may have multiple Sender profiles, each optionally connected to an Instagram Business Account.
Receiver
A contact who opens a campaign via MagicLink and becomes an active participant on the platform.
Contact
A personal email address and optional Instagram username uploaded by the User into their private contact database. These contacts may or may not be Users or Receivers.
Campaign
A promotional message containing music releases and related information, delivered via email or Instagram direct message.

3. Data We Collect

PromoLink collects only the data required to provide the service. This includes:

3.1 User Account Data

  • name
  • email address
  • password (hashed)
  • profile settings
  • sender profiles created by the User

3.2 Contact Data Uploaded by Users

Users upload their own contact lists. This data may include:

  • email addresses
  • first and last names
  • Instagram usernames
  • genre tags
  • country or city
  • notes provided by the User
  • mailing list assignments
  • contact temperature classification (cold, warm, hot)

Users are solely responsible for ensuring that contact data is collected lawfully under GDPR.

PromoLink never sells, shares or uses contact data for its own purposes.

3.3 Receiver Data (Created on Interaction)

When a contact opens a campaign via MagicLink, the following is collected:

  • email address
  • IP address and approximate geolocation
  • device and browser information
  • open events
  • play events
  • download events
  • trust score signals
  • date and time of each interaction

The Receiver may optionally set a password and become a User.

3.4 Campaign Data

  • release title
  • artwork
  • metadata provided by the Sender
  • uploaded audio files (WAV)
  • automatically generated MP3 320, MP3 192, AIFF files
  • analytics events related to the campaign

3.5 Instagram Data

When a User connects their Instagram Business Account to PromoLink, we access and store the following data through the Instagram Graph API:

3.5.1 Account Information

  • Instagram user ID
  • Instagram username
  • profile picture URL
  • follower count
  • long-lived access token (encrypted at rest)

3.5.2 Media and Comment Data

When the User activates comment synchronization, we access:

  • media posts (ID, caption, permalink, media URL, thumbnail, like count, timestamp, media type)
  • comments on those posts (comment ID, text, username, timestamp, commenter ID)
  • reply threads on comments

This data is used to display comments in PromoLink's dashboard and to enable AI-assisted reply management.

3.5.3 Direct Message Data

When the User uses PromoLink's DM outreach feature, we access and store:

  • Instagram-scoped user IDs (IGSIDs) of message participants
  • conversation metadata (conversation ID, participant info, timestamps)
  • message content sent through PromoLink (outbound messages composed by the User)
  • message delivery status (sent, delivered, failed)
  • inbound message content received via webhook (for conversation continuity)

PromoLink sends direct messages only on explicit instruction from the User. Messages are sent to contacts whose Instagram usernames have been provided by the User.

3.5.4 Webhook Data

PromoLink receives real-time notifications from Instagram via webhooks for:

  • incoming direct messages
  • new comments on posts

Webhook data is processed to update conversation threads and comment feeds within the platform.

3.6 Cookies and Tracking Technologies

PromoLink uses cookies strictly for:

  • authentication
  • security
  • session management
  • analytics to measure open, play and download events

PromoLink does not use cookies for advertising, retargeting or cross-site tracking.

4. How We Use Personal Data

PromoLink processes data only for the purposes described below:

4.1 Delivering Campaigns

PromoLink sends emails and Instagram direct messages on behalf of the User to the selected contacts.

4.2 Providing MagicLink Access

MagicLink allows contacts to view the release landing page and interact with the content without initial registration.

4.3 Instagram Comment Management

PromoLink synchronizes comments from the User's Instagram posts and provides tools to review, reply to or hide comments. AI-assisted replies may be generated as suggestions, but all replies require explicit User approval before being posted.

4.4 Instagram DM Outreach

PromoLink enables Users to send personalized direct messages to their contacts via Instagram. This includes:

  • resolving Instagram usernames to Instagram-scoped user IDs
  • sending messages through the Instagram Graph API on behalf of the User
  • tracking message delivery status
  • receiving and displaying inbound replies for conversation continuity

4.5 Analytics and Reporting

PromoLink tracks opens, plays, downloads, trust signals, geographic information and Instagram engagement metrics to provide aggregated analytics to the Sender.

4.6 Service Functionality and Improvements

We analyse usage patterns to improve the platform, performance and reliability.

4.7 Security and Fraud Prevention

We track unusual or abusive behaviour to protect our users and infrastructure.

5. Lawful Basis for Processing

As required by GDPR, PromoLink processes data under the following legal grounds:

5.1 Performance of a Contract

For Users who create campaigns and use the platform's features, including Instagram integration.

5.2 Legitimate Interest

For operating the platform, security and performance.

5.3 Consent

When a User connects their Instagram Business Account to PromoLink, they explicitly authorize PromoLink to access their Instagram data through the Meta authorization flow. This consent can be revoked at any time by disconnecting the Instagram account from PromoLink or by removing the app from Instagram settings.

5.4 User Provided Contact Data

The User is the Data Controller for their own contact lists and must have a lawful basis (such as consent or legitimate interest) for contacting these individuals via email or Instagram.

PromoLink is the Data Processor for contact data uploaded by Users.

6. Responsibility for Contact Lists and Messaging

PromoLink does not collect or source email addresses or Instagram usernames. Users upload their own contacts and act as the Data Controller.

The User is solely responsible for:

  • ensuring all contacts were collected legally
  • maintaining records of consent or lawful basis
  • respecting GDPR and applicable regulations
  • determining who receives campaigns via email or Instagram DM
  • ensuring the content of campaigns and messages is lawful
  • complying with Instagram's Terms of Use and Community Guidelines when sending direct messages

PromoLink does not verify, review, validate or approve contact lists, campaign content or direct message content.

PromoLink assumes no liability for any communication made by the User, whether via email or Instagram.

7. Sharing of Data

PromoLink does not sell or trade personal data.

Data may be shared only with:

  • Email infrastructure providers used to deliver campaigns
  • Meta Platforms, Inc. (Instagram Graph API) for delivering direct messages and managing comments on behalf of Users
  • OpenAI for generating AI-assisted email content and comment reply suggestions (no personal identifiers are sent to OpenAI)
  • Cloud hosting providers
  • Payment processors (Stripe) for subscription management
  • Security and monitoring tools
  • Legal authorities if required by law

All third party partners comply with GDPR. Instagram data is used solely for the purposes described in this policy and in compliance with the Meta Platform Terms.

8. Instagram Data Use and Meta Platform Compliance

PromoLink's use of Instagram data is governed by the Meta Platform Terms and the Meta Developer Policies.

8.1 Data We Access

PromoLink requests the following Instagram permissions:

  • instagram_business_basic — to read account profile information (username, profile picture, follower count)
  • instagram_business_manage_comments — to read, reply to and moderate comments on the User's posts
  • instagram_business_manage_messages — to send and receive direct messages on behalf of the User

8.2 How We Use Instagram Data

  • Display the User's Instagram posts and comments in the PromoLink dashboard
  • Enable AI-assisted comment reply suggestions (with mandatory User approval before posting)
  • Send direct messages to contacts on explicit User instruction
  • Track DM conversation threads for reply management
  • Resolve Instagram usernames to scoped user IDs for message delivery

8.3 Data Retention for Instagram Data

  • Instagram access tokens: stored encrypted for the duration of the account connection. Deleted immediately when the User disconnects their Instagram account.
  • Comments and media data: cached locally and refreshed on sync. Deleted when the User disconnects their Instagram account.
  • DM conversations and messages: retained as long as the User account remains active. Deleted upon User account deletion or on explicit request.
  • Instagram-scoped user IDs (IGSIDs): retained for message delivery functionality. Deleted when the associated conversation data is deleted.

8.4 Revoking Instagram Access

Users can disconnect their Instagram account from PromoLink at any time through:

  • The PromoLink dashboard Instagram settings
  • The Instagram app (Settings → Apps and Websites → Remove PromoLink)

Upon disconnection, PromoLink will delete the stored access token and cease all API access to the User's Instagram account. Cached comment and media data will be removed. DM conversation history will be retained for the User's records unless explicit deletion is requested.

9. Data Deletion

9.1 User-Initiated Deletion

Users can request deletion of their account and all associated data by contacting support@promolink.app. Upon receiving a deletion request, we will:

  • Delete the User account and all sender profiles
  • Delete all contact data uploaded by the User
  • Delete all campaign data including audio files and artwork
  • Delete all Instagram data including access tokens, cached comments, DM conversations and messages
  • Delete all analytics data associated with the account

Deletion will be completed within 30 days of the request.

9.2 Meta Data Deletion Requests

In compliance with Meta Platform Terms, PromoLink provides a data deletion callback endpoint. When a User removes PromoLink from their Instagram account settings, Meta notifies PromoLink and we automatically:

  • Delete the stored Instagram access token
  • Delete cached Instagram media and comment data
  • Delete Instagram-scoped user IDs
  • Delete DM conversation data linked to the disconnected account

Users can also check the status of a deletion request by visiting: promolink.app/api/meta/data-deletion-status

10. Data Retention

  • WAV files, MP3 files, AIFF files: retained during the active campaign and for up to 30 days after expiration.
  • Campaign analytics: retained as long as the User account remains active.
  • Contact lists: stored until deleted by the User.
  • User accounts: stored until deletion.
  • Instagram data: see Section 8.3 for specific retention periods.

11. Data Subject Rights

Under GDPR, individuals have the right to:

  • access their data
  • correct inaccuracies
  • request deletion
  • object to processing
  • withdraw consent (including revoking Instagram access)
  • request portability

Requests can be made at any time by contacting support@promolink.app.

12. Security

PromoLink uses industry standard security measures including encryption, access controls, logging and authentication systems to protect data.

Instagram access tokens are encrypted at rest. All API communications with Instagram use HTTPS. Access to Instagram data is restricted to authenticated Users who own the connected account.

No system is entirely secure, but we take reasonable steps to safeguard information.

13. International Transfers

Data may be stored or processed outside the EU, but always with GDPR compliant safeguards such as Standard Contractual Clauses.

14. Changes to This Policy

PromoLink may update this Privacy Policy as needed. Significant changes will be communicated to Users.

15. Contact Information

For privacy related questions, please contact: support@promolink.app

← Back to HomeTerms of Service →