Legal
Chrome Extension Privacy Policy
Last updated: June 9, 2026
Chatsona Instagram DM Assistant ("Chatsona", "we", "us") is a Chrome extension that helps a Chatsona user work with an already-open Instagram browser session, connect an Instagram profile, bind selected DM conversations, prepare recent conversation context, generate AI-assisted reply drafts, optionally send replies through the Instagram page, train reply preferences, create conversation summaries, and ask questions about a selected conversation.
Chatsona.app is currently operated as a pre-launch product under the Chatsona.app brand. Until a formal legal entity is established, privacy and data requests may be sent to info@chatsona.app. When a formal operating entity is established, this Privacy Policy will be updated with the legal entity name, registered address, and other legally required business information.
1. Scope and Our Role
This Privacy Policy applies only to the Chatsona Instagram DM Assistant Chrome extension, the extension popup, the extension options page, the floating panel injected into Instagram pages, and the Chatsona API services used by the extension.
This Privacy Policy does not describe unrelated Chatsona products or account areas with different data practices. If Chatsona later publishes separate products with different data practices, those products may have their own notices.
For personal data that we process for account access, entitlement checks, security, support, and extension operation, Chatsona acts as a data controller or equivalent role under applicable privacy laws.
For Instagram DM content, conversation participant information, bot settings, and related conversation context imported, entered, or made available by a user through the extension, Chatsona processes that data to provide the extension features requested and configured by that user.
Users are responsible for ensuring that their use of Chatsona, including processing conversations involving other people, complies with applicable laws, Instagram rules, privacy notices, consent requirements, confidentiality obligations, and any other legal basis requirements that apply to them.
Chatsona is not affiliated with, endorsed by, or sponsored by Meta, Instagram, or their affiliates.
2. Extension Permissions and Why We Need Them
The extension requests only the permissions needed for its stated purpose:
- storage: used to keep extension state in the browser, such as Chatsona authentication state, selected account metadata, selected Instagram profile metadata, bound DM metadata, bot/profile selection, panel position, temporary reply drafts, language placeholder state, and automation state.
- tabs: used to find, open, focus, and update relevant Instagram or Chatsona tabs, verify that an Instagram page is available, route a DM tab to a bound conversation URL when a user requests binding or automation, and open the Chatsona settings page. The tabs permission does not by itself let us read every web page you visit.
- alarms: used for scheduled checks when a bot is active for a bound conversation. This allows the extension to periodically refresh recent message context for active bot conversations.
- host permission for https://api.chatsona.app/*: used so the extension can send authenticated API requests to Chatsona for login state, plan details, DM ingestion, bot settings, summary, Q&A, training feedback, reply generation, and related extension features.
- content script access on https://www.instagram.com/*: used to display the floating Chatsona panel on Instagram and read the Instagram profile, selected DM, visible/available message text, participant names/usernames, timestamps, and thread metadata needed for the features you request.
The extension does not request <all_urls>. The extension does not load or execute remote JavaScript, CDN scripts, or externally hosted executable code. The extension does not use eval to run downloaded code.
3. Information We Collect Through the Extension
The information we collect depends on how you interact with Chatsona. We may collect the following categories of information:
- Chatsona account information, such as e-mail address, user/account identifiers, login state, extension access token, account status, plan name, entitlement status, usage limits, remaining allowances, and authentication/security metadata.
- Instagram profile information, such as the Instagram username, display name, profile URL, and account metadata visible or available in the Instagram page after you choose to connect the profile.
- DM and conversation information, such as participant names, usernames, thread URLs, external conversation identifiers, message text, message timestamps, message direction, message previews, message metadata, latest conversation context, and conversation status for DMs you choose to bind or run with the bot.
- Bot and reply information, such as selected bot profile, language settings, style settings, tone/profile configuration, generated replies, temporary reply drafts, send status, bot timer state, training comments, correction instructions, user feedback, summaries, user questions about a conversation, and generated answers.
- Local extension state, such as panel size, panel position, minimized/open state, selected conversation, selected bot assignment, local draft cache, context preparation progress, and UI preferences.
- Technical and security information, such as extension version, API request metadata, error logs, browser/runtime metadata needed for debugging, server logs, abuse-prevention events, and IP-derived information in API logs.
- Billing and entitlement metadata, such as plan name, subscription status, provider subscription identifiers, renewal/cancellation status, and usage limits needed to decide whether extension features are available. The extension does not collect payment card numbers.
4. How the Extension Collects Information
We may collect personal data in the following ways:
- Directly from you when you log in to Chatsona, choose settings, connect an Instagram profile, bind a DM box, select a bot profile, generate a reply, send a reply, add training feedback, ask a question, or request a summary.
- From the Instagram pages where the content script is active, only for the extension's stated Instagram DM assistant purpose.
- From the already-open Instagram browser session. The extension does not ask you to log in to Instagram through Chatsona, does not collect your Instagram password, and does not store Instagram access tokens or Instagram refresh tokens.
- From the Chatsona API when the extension retrieves your plan details, bot profiles, DM assignments, summaries, and other account-level extension data.
- Automatically through API logs, security systems, error reporting, and browser extension storage where necessary to operate and secure the extension.
When you first bind a DM conversation, the extension may prepare recent context by reading and syncing recent messages from that conversation. The extension may show progress such as "18/50" while context is being prepared. Manual reply generation may refresh recent messages before generating a reply. When a bot is active for a conversation, the extension may periodically check that active conversation and sync recent messages so replies remain context-aware.
To perform requested binding, syncing, and bot features, the extension may focus, open, or navigate an Instagram DM tab to a bound conversation URL. If you stop the bot, remove the DM box, disconnect the Instagram profile, log out of Chatsona, or uninstall the extension, this processing stops.
5. How We Use Information
We use information to:
- Authenticate the Chatsona account and keep the extension connected to the correct account.
- Show plan details, entitlement status, and remaining usage allowances.
- Connect the Instagram profile selected by the user and display connection status.
- Bind selected Instagram DM conversations and store conversation metadata for later use.
- Prepare, save, and refresh message context for selected conversations.
- Generate AI-assisted reply drafts based on selected bot settings and conversation context.
- Write or send a generated reply through the Instagram page when the user clicks send, starts a bot flow, or enables an automated send flow.
- Save bot profile assignments, style/tone preferences, language settings, training notes, correction instructions, summaries, and conversation Q&A.
- Display the floating panel, popup, options page, progress overlays, countdowns, cancellation controls, and related extension UI.
- Prevent fraud, abuse, unauthorized access, spam, security incidents, and misuse of the extension.
- Debug issues, provide support, improve reliability, maintain audit logs, and enforce usage limits.
- Comply with legal obligations, enforce agreements, resolve disputes, and protect the rights, privacy, safety, and property of Chatsona, users, and others.
We do not sell DM content. We do not use your conversations to train our own model unless we separately ask for and receive explicit permission.
6. Local Browser Storage
The extension may store limited data locally in the browser using Chrome extension storage, browser local storage, or similar browser storage. Local storage helps the extension continue working across browser sessions.
Local extension data may include your Chatsona access token, Chatsona account metadata, selected Instagram profile metadata, bound DM metadata, bot profile assignments, selected conversation, generated draft text, unsent draft text, panel position, minimized/open state, context-preparation progress, automation state, countdown state, and UI preferences.
Local browser storage is not sold and is not used for advertising. Clearing extension data, logging out, removing connected accounts, or uninstalling the extension may remove some or all locally stored extension data. Some data already synced to the Chatsona API may also need to be deleted from server-side systems using in-product deletion controls or by contacting us.
7. AI Features and AI Providers
When you use reply generation, summaries, conversation questions, training feedback, or related AI features, Chatsona may send relevant conversation context, message content, participant metadata, bot profile settings, language settings, style instructions, schedule context, blocked topics, memory notes, correction instructions, and user questions to third-party AI providers such as OpenAI, Anthropic/Claude, xAI/Grok, or another configured provider.
This means that, when AI features are used, DM content and related context may be transmitted to and processed on servers operated by third-party AI providers. These providers process the data to generate, evaluate, moderate, secure, or deliver the requested AI-assisted feature.
We aim to send only the information reasonably needed for the selected AI feature. Where technically and commercially available, we prefer AI provider configurations that offer no-training commitments, zero-retention, reduced-retention, or similar privacy-protective settings. Provider availability, configurations, retention practices, abuse monitoring practices, and terms may vary and may change over time.
AI-generated outputs may be inaccurate, incomplete, or inappropriate. Users are responsible for reviewing AI-assisted replies where manual review is enabled and for configuring automation carefully where bot or auto-send features are enabled.
8. Conversation Participant Data
When you bind an Instagram DM conversation, Chatsona may process information relating to the person or people you communicate with, including usernames, display names, message content, message metadata, conversation summaries, and other conversation-related information. We refer to this as conversation participant data.
Chatsona does not have a direct relationship with most conversation participants. If a conversation participant wants to access, correct, delete, or restrict the use of information that a Chatsona user has imported or processed through the extension, the participant should generally contact that Chatsona user first. If a participant contacts us directly, we may ask for information needed to identify the relevant Chatsona account and may forward or refer the request to the applicable user where appropriate.
Users must not use Chatsona to collect, monitor, store, process, profile, or automate conversations in a way that violates applicable law, Instagram rules, confidentiality obligations, privacy rights, or the rights of other individuals.
9. Sensitive Personal Data
Chatsona is not designed for the intentional collection or processing of sensitive personal data. You should not intentionally submit sensitive personal data to Chatsona, including information about racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, health information, sex life or sexual orientation, criminal records, precise location data, or similar special-category information under applicable law.
Because DM content may contain free-text messages, sensitive personal data may appear incidentally in conversations. Where this occurs, Chatsona processes such information only as necessary to provide the requested extension feature, secure the service, comply with law, or protect rights and safety. We do not intentionally use sensitive personal data to infer sensitive characteristics or for advertising purposes.
10. Sharing and Service Providers
We may share information only as described in this Privacy Policy, as needed to operate the extension, as instructed by the user, with consent, or as required or permitted by law.
Current provider categories include:
- Chatsona API and backend infrastructure: extension authentication, plan checks, DM ingestion, bot settings, reply generation, summaries, Q&A, training feedback, logs, and security controls.
- Supabase or similar database provider: database hosting, backups, authentication-related infrastructure where configured, storage, and service reliability.
- Railway, Cloudflare, Infisical, or similar infrastructure, network, secret-management, logging, or security providers: API hosting, DNS, traffic routing, security controls, secret management, logs, monitoring, and service reliability.
- AI providers such as OpenAI, Anthropic/Claude, xAI/Grok, or another configured provider: AI-assisted reply drafting, summaries, Q&A, and related AI features.
- Patreon: early access subscription status, plan entitlement, membership events, cancellation or renewal metadata, and related billing metadata. Patreon may process payment and membership information under its own terms and privacy policy.
- E-mail or support providers where needed: account, support, security, or service messages.
- Professional advisors, authorities, courts, or successors where necessary for legal compliance, security, dispute resolution, corporate transactions, or protection of rights and safety.
We do not knowingly sell personal information. We do not sell DM content or conversation participant personal information. We do not share DM content for cross-context behavioral advertising.
Meta/Instagram receives messages only through the normal Instagram page and session when the user sends or authorizes sending a reply. Chatsona does not provide your Chatsona account database to Meta/Instagram.
11. Security
Chatsona is designed to protect sensitive DM-related data. We use infrastructure and database-level encryption at rest where provided by our hosting and database providers. Certain sensitive application fields may also be encrypted at the application level where implemented, including message text, participant names/usernames, conversation previews, memory summaries, pending reply drafts, and sensitive conversation metadata.
Some operational identifiers, timestamps, relationship keys, usage records, indexing metadata, configuration metadata, and service logs may be stored separately or in non-encrypted form where necessary to operate, secure, debug, enforce limits, maintain integrity, or comply with legal obligations.
Passwords are stored as cryptographic hashes and are not stored in plain text. Password reset, account reactivation, and e-mail change tokens are stored as hashed tokens.
Access to sensitive DM data is limited to what is necessary to operate, secure, debug, and support the service. We do not sell DM content or the personal information of conversation participants.
No method of transmission or storage is completely secure. We use reasonable administrative, technical, and organizational safeguards designed to protect personal data, but we cannot guarantee absolute security.
12. Retention
We keep personal data for as long as reasonably necessary to provide the extension, comply with legal obligations, resolve disputes, enforce agreements, maintain security, preserve backups, prevent fraud and abuse, and protect rights and service integrity.
Our current target retention periods are:
- Local extension data: until you log out, remove connected data, clear extension data, or uninstall the extension.
- Chatsona account and entitlement data: for the life of the account and up to 24 months after closure, unless longer retention is required for legal, security, billing, audit, or dispute purposes.
- Instagram profile metadata: until you disconnect the profile, delete your account, or request deletion, subject to limited backup, security, and audit retention.
- Bound DM metadata, messages, conversation summaries, training notes, and conversation Q&A: until you delete the relevant DM box, disconnect the Instagram profile, delete your account, or request deletion, subject to limited backup, audit, legal, and security retention.
- Bot profiles, bot assignments, style settings, language settings, schedules, and automation settings: until deleted by the user, the related account is deleted, or no longer needed to provide the extension.
- Billing and entitlement records: up to 7 years or longer where required for tax, accounting, chargebacks, fraud prevention, disputes, or legal obligations.
- Security, audit, and server logs: generally up to 12 months, unless needed longer for security investigation, abuse prevention, compliance, legal claims, or service integrity.
- Backups: generally up to 90 days according to backup rotation and disaster recovery procedures, then deleted or overwritten in the ordinary course, unless preservation is required for security, legal, or disaster recovery reasons.
Deleted data may remain temporarily in backups or logs but will not be used to generate replies, rebuild deleted DM context, or re-create deleted extension experiences.
13. Deletion and Disconnect Controls
You may request deletion of data held by Chatsona by using in-extension controls where available or by contacting info@chatsona.app. We may ask for information needed to verify your identity and identify the relevant account, Instagram profile, DM box, or conversation.
To delete a DM box or tracked conversation, use the DM deletion controls in the extension. This removes the related active conversation data from Chatsona, including stored participant name/username, external conversation identifier, thread URL, message history, message previews, summaries, memory notes, pending reply drafts, bot assignment, conversation logs, reply feedback, and related app-managed runtime artifacts.
To disconnect an Instagram profile, use the profile removal controls in the extension. Removing the connected Instagram profile also clears the associated active DM boxes and related DM workspace data for that profile.
To remove local browser data, log out of Chatsona in the extension, clear extension data in Chrome, or uninstall the extension.
To delete your Chatsona account or request server-side deletion, contact info@chatsona.app.
We may retain limited records where necessary for backups, security, fraud prevention, billing, accounting, legal compliance, dispute resolution, or audit purposes.
14. What We Do Not Do
Chatsona does not:
- Ask for or store your Instagram password.
- Store Instagram access tokens or refresh tokens for the Chrome extension flow.
- Read unrelated websites outside the declared Instagram content script match.
- Request <all_urls>.
- Sell DM content or conversation participant data.
- Use DM content for third-party advertising or retargeting.
- Load remote executable code, CDN JavaScript, or externally hosted extension scripts.
- Intentionally collect sensitive personal data.
15. Cookies, Analytics and Similar Technologies
The extension primarily uses Chrome extension storage and browser storage for extension functionality. The Chatsona API may use server logs, security logs, and request metadata to operate and protect the service.
The extension does not use third-party advertising cookies, retargeting pixels, or cross-site advertising trackers.
16. Legal Bases for Processing
Depending on your location and applicable law, we may process personal data under one or more legal bases, including performance of a contract, legitimate interests, consent, compliance with legal obligations, and protection of rights and safety.
Examples include:
- Extension login, account status, plan details, and core extension features: performance of contract and legitimate interests in security and service operation.
- Instagram profile binding, DM binding, message syncing, reply drafting, summaries, conversation questions, training feedback, and bot automation: performance of contract, user instructions, and legitimate interests in providing requested features.
- Security logs, fraud prevention, abuse detection, audit records, and service integrity: legitimate interests and legal obligations where applicable.
- Billing and entitlement metadata: performance of contract, legal obligations, and legitimate interests.
- Legal requests, disputes, enforcement, and compliance: legal obligations, legitimate interests, and establishment, exercise, or defense of legal claims.
17. International Transfers
Your information may be processed in countries other than where you live, including countries that may have data protection laws different from those in your jurisdiction.
Where required by applicable law, we use appropriate safeguards for international transfers. These may include data processing agreements, Standard Contractual Clauses, adequacy decisions, vendor commitments, technical and organizational safeguards, encryption, access controls, and other lawful transfer mechanisms.
Some service providers, including hosting, AI, infrastructure, e-mail, or subscription providers, may process data in multiple regions. Provider locations may change over time.
18. Your Rights and Choices
Depending on your location and applicable law, you may have rights to request access, correction, deletion, restriction, portability, objection to processing, withdrawal of consent, information about sharing, or opt-out from marketing. You may also have the right to lodge a complaint with a competent data protection authority.
We may ask you to verify your identity before responding to a privacy request. We will respond within the timeframe required by applicable law. Some requests may be limited where we need to retain information for security, billing, legal compliance, dispute resolution, fraud prevention, or service integrity.
You can also control certain information directly through the extension by deleting DM boxes, disconnecting the Instagram profile, stopping bot automation, clearing extension data, logging out, or uninstalling the extension.
19. Regional Privacy Rights
Turkiye / KVKK:
Users located in Turkiye may exercise rights under applicable Turkish data protection law, including rights to learn whether personal data is processed, request information about processing, learn the purpose of processing, know third parties to whom personal data is transferred, request correction or deletion where applicable, object to certain processing, and request compensation for damages where applicable. Requests may be sent to info@chatsona.app.
For users in Turkiye, personal data may be transferred abroad to infrastructure, e-mail, AI, subscription, security, and hosting providers where necessary to provide the extension, subject to applicable legal mechanisms and safeguards.
EEA / UK / Switzerland:
Where applicable, you may have rights under the GDPR, UK GDPR, or similar laws, including access, correction, deletion, restriction, portability, objection, withdrawal of consent, and the right to complain to a supervisory authority. Where we process conversation data on behalf of a Chatsona user, we may need to refer or coordinate your request with that user.
California:
California residents may have rights under the CCPA/CPRA, including the right to know, access, delete, correct, opt out of sale or sharing of personal information where applicable, limit use of sensitive personal information where applicable, and be free from discrimination for exercising these rights.
We do not knowingly sell personal information. We do not knowingly share DM content for cross-context behavioral advertising.
Other regions:
Additional rights may apply depending on your jurisdiction. We will respond to privacy requests in accordance with applicable law.
20. Children and Age Requirements
Chatsona is not intended for children or for individuals below the minimum age required by applicable law. In general, you must be at least 18 years old to use Chatsona.
We do not knowingly collect personal information from children. We may request confirmation of age or take reasonable steps to restrict access if we become aware that a user does not meet the applicable age requirement.
If we learn that we have collected personal information from a child without appropriate consent, we will take reasonable steps to delete that information. Parents or legal guardians may contact us if they believe a child has provided personal data to Chatsona.
21. Security Incidents and Breach Notification
If we become aware of a security incident that results in unauthorized access to personal data and is likely to create a risk to users' rights or privacy, we will take reasonable steps to investigate, mitigate, and notify affected users and/or relevant authorities where required by applicable law.
Where GDPR, KVKK, or similar rules require notification to a competent authority, we will aim to notify without undue delay and, where required and feasible, within 72 hours after becoming aware of the breach. Where notification within that timeframe is not feasible, we may provide reasons for the delay as required by applicable law.
Users are responsible for maintaining the confidentiality of their account credentials, using strong passwords, securing their Instagram account, and promptly notifying us of suspected unauthorized access.
22. Automated Reply Features and User Responsibility
Chatsona may generate AI-assisted reply drafts, summaries, memory notes, and suggested responses based on user settings and conversation context. These features are intended to assist users with messaging workflows.
Where bot or auto-send features are enabled, Chatsona may send replies according to the user's configuration, selected conversation, selected bot profile, timing settings, blocked topics, and automation settings. The extension may also check active bot conversations and sync recent message context while automation is enabled. Auto-reply features may affect interpersonal communications, brand perception, customer relationships, or business outcomes. Users are responsible for configuring these features carefully, monitoring their use, and disabling automation where appropriate.
We do not intend to make decisions that produce legal or similarly significant effects about individuals solely through automated processing. Chatsona's AI features are not intended to determine eligibility for employment, credit, housing, insurance, healthcare, legal rights, public benefits, or similarly significant decisions.
23. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect legal, technical, product, or business changes. If we make material changes, we will take reasonable steps to notify users, such as by updating the effective date, displaying an in-app notice, sending an e-mail, or using other appropriate communication methods.
Your continued use of the extension after an updated Privacy Policy becomes effective means that the updated policy applies to your use of the extension, subject to applicable law.
24. Contact
For privacy requests, questions, or concerns, contact us at info@chatsona.app.