Data Deletion Policy
Last updated: 1 May 2026
This policy explains how to delete your data from Communitae and what we delete in each case. It supplements the Privacy Policy and is required by Meta Platform Terms for apps that integrate with Instagram.
1. How to request deletion
You have four ways to request deletion of your data:
1.1 In-app account deletion (full erase)
Go to Settings → Account → Delete account. This erases your entire Communitae account.
1.2 Disconnect a single Instagram account
Go to Settings → Integrations → Instagram → Disconnect. This removes only the data associated with that Instagram account.
1.3 Email request
Email [email protected] with subject “Data deletion request”. Include the email address you registered with so we can locate your account.
1.4 Trigger from Instagram
Open instagram.com → Settings → Apps and Websites → Communitae → Remove. Meta will send us a signed deletion request that we honor automatically.
2. What gets deleted
When you delete your entire account:
| Data category | When deleted |
|---|---|
| Account record (name, email, hashed password) | Immediately marked deleted; purged within 30 days |
| Brand profile data (voice, target audience, hashtags, etc.) | Within 30 days |
| Connected Instagram account records | Soft-deleted immediately; access tokens cleared from the database immediately |
| Posts, scheduled content, drafts | Within 30 days |
| AI generation history | Within 30 days |
| Comments and direct messages received via webhooks | Within 30 days |
| Uploaded media in object storage | Within 30 days |
| Application logs containing your account ID | Within 90 days (rotation cycle) |
| Backups containing your data | Within 90 days |
| Billing records (invoices, payment history) | Retained for 6 years as required by Spanish tax law (Ley 58/2003 General Tributaria), then deleted |
When you disconnect a single Instagram account:
- The Instagram account is soft-deleted (status set to
REVOKED). - The encrypted access token is cleared from the database immediately.
- Comments, direct messages, mentions, and media synced from that Instagram account are deleted within 30 days.
- Your Communitae user account, brand profile, and other connected accounts are unaffected.
When Meta sends a signed deletion request (Instagram → Apps and Websites → Remove):
- We verify the HMAC signature using our App Secret.
- On successful verification, we soft-delete the affected Instagram account and clear its tokens immediately.
- We delete associated webhook-derived data (comments, direct messages, mentions) within 30 days.
- We respond to Meta with a status URL confirming the request was received.
3. Status of your deletion request
You can check the status of an in-progress deletion request at:
communitae.ai/data-deletion-status
The page shows whether a request is queued, in progress, or completed, along with the timestamp.
4. What we are required to retain
Some data is retained even after deletion to comply with legal obligations:
- Invoices and billing records — 6 years (Spanish General Tax Law, Art. 70).
- Records relating to legal claims — until the relevant statute of limitations expires.
- Records of the deletion request itself — to demonstrate compliance with GDPR Art. 17 and Meta Platform Terms.
These retained records are minimized to what is strictly necessary and are not used for any other purpose.
5. Data shared with third parties
Communitae shares some data with processors (Meta, Stripe, OpenRouter, Google, Railway, Tigris). When you delete your account:
- Meta: we revoke our access tokens for your Instagram accounts and stop receiving webhooks for them. Data already published to Instagram remains on Instagram and is governed by Instagram's own deletion processes.
- Stripe: subscription is cancelled. Stripe retains transaction records for its own compliance obligations.
- AI providers (OpenRouter, Google): prompts and outputs are not stored by Communitae after generation. Provider-side caches (where they exist) are governed by the provider's data retention policies and our DPA with them.
- Railway / Tigris: uploaded media are deleted from object storage within 30 days.
We cannot guarantee deletion from third-party systems beyond what their terms permit, but we choose providers that offer GDPR-compliant deletion or anonymization.
6. Response time
- In-app deletions and Instagram disconnects: immediate (token clearance and soft-delete are synchronous; full purge completes within 30 days).
- Email requests: we acknowledge within 5 business days and complete within 30 days (extendable by 60 days for complex cases under GDPR Art. 12(3), with notice to you).
- Meta signed deletion requests: processed automatically; status is queryable at the URL in Section 3.
7. If something goes wrong
If you believe your data has not been deleted as requested, contact [email protected] with subject “Deletion follow-up” and reference the date of your original request.
You may also lodge a complaint with the Agencia Española de Protección de Datos (AEPD) at www.aepd.es.
8. Contact
- Deletion requests and follow-ups: [email protected]
- DPO: Not appointed. Privacy queries are handled by Communitae Solutions, S.L. directly (see the Privacy Policy, Section 1).
- Postal: Communitae Solutions, S.L. — C/ Doctor Roux, n.º 36, 6º, 08017 Barcelona, Spain