Privacy Policy
Last updated: 2026-04-17
This Privacy Policy explains how CleanMyAss.ai ("we") handles your data. It complies with Brazil's Lei Geral de Proteção de Dados (LGPD, Law 13.709/2018) and applies to all users regardless of billing region.
1. Data we collect
- Account data: email (for magic-link login), optional display name, Stripe customer ID, plan.
- Instagram session data: encrypted session token necessary to operate on your own account. Your Instagram password is never stored.
- Operational data: your own Instagram messages, comments, likes, and follows, indexed while we classify and purge them on your request.
- Usage telemetry: job history, error classification, anonymous analytics events (pages visited, funnel steps).
2. Legal basis (LGPD Art. 7)
- Contract performance: to deliver the scan/purge service you subscribe to.
- Consent: for marketing emails and optional analytics cookies; revocable at any time.
- Legitimate interest: fraud prevention, service monitoring, and debugging proxied requests (minimized and pseudonymized).
3. How we store and protect data
- Data is stored on MongoDB (application data) and PostgreSQL (Instagram session tokens, encrypted). Both are hosted on AWS servers in the USA.
- Proxy and session secrets are encrypted at rest using AES-256-GCM.
- Access to production data is limited to the CleanMyAss operator.
- Stripe processes payment details directly; we never receive or store card numbers.
4. Retention
- Message bodies scanned by the pipeline are kept only while a job needs them and then minimized; only metadata (counts, risk scores, purge logs) is retained for audit.
- You can request full deletion at any time via Settings → Delete Account, or by emailing privacy@cleanmyass.ai. Deletion is completed within 30 days and cascades across MongoDB, PostgreSQL sessions, and (where possible) our logs.
5. Your rights (LGPD Art. 18 / GDPR Art. 15-22)
You have the right to:
- Confirm whether we process your data.
- Access, correct, or port your data.
- Request deletion or anonymization.
- Revoke consent for marketing or analytics.
- File a complaint with ANPD (Brazil) or your local DPA.
Exercise any right by emailing privacy@cleanmyass.ai. We respond within 15 days.
6. Cookies
We use essential cookies for authentication and billing region. Analytics cookies are opt-in; you can revoke anytime via the cookie banner.
7. Children
The Service is not directed at minors under 18. If we discover we collected data from a minor, we delete it on confirmation.
8. International transfers
If you are in Brazil, your data may be transferred to the USA (AWS, Stripe USD). The transfer is covered by contract clauses compliant with LGPD Art. 33-III.
9. Changes
Material changes are announced by email at least 14 days in advance. The latest version is always at /legal/privacy.
10. Contact / Data Protection Officer
Email privacy@cleanmyass.ai.