This Privacy Policy describes how Comments Studio ("we", "us", "our") collects, uses, stores, and shares information when you use our Instagram and YouTube comment moderation service available at commentsstudio.com (the "Service"). We are committed to protecting your personal data in compliance with the Digital Personal Data Protection Act, 2023 (DPDP Act) and other applicable Indian laws.
1. Who we are
Comments Studio is operated from India. For the purposes of the DPDP Act, 2023, we act as a Data Fiduciary in relation to personal data of our users (creators) and as a processor of comment data submitted by Instagram and YouTube users who interact with your content.
You can reach us at:
- General: hello@commentsstudio.com
- Support: support@commentsstudio.com
- Legal & Grievance: legal@commentsstudio.com
2. Information we collect
2.1 Account information
When you sign up via Meta OAuth, we receive your name, email address, profile picture, and the list of Instagram Business or Creator accounts and Facebook Pages you manage. We also receive an access token that allows us to read and moderate comments on your behalf.
2.2 Instagram comment data
When new comments are posted on your content, Meta sends us the comment text, the commenter's username and public profile data, the parent post or media ID, and timestamp metadata via webhooks. We process this data to classify, hide, like, or reply to comments according to your settings.
2.3 Configuration data
We store the moderation settings you configure: auto-like sensitivity, auto-reply rate, reply tone, custom blocked keywords, and per-post overrides.
2.4 Payment information
If you subscribe to our paid plan, payment is processed by Razorpay Software Private Limited. We do not store your full card number, UPI PIN, or netbanking credentials on our servers. We receive limited transaction metadata (amount, status, payment method type, last 4 digits of card if applicable) from Razorpay for record-keeping.
2.5 Usage and technical data
We collect standard server logs including IP address, browser type, device information, pages accessed, and timestamps. These are used for security, fraud prevention, and product improvement.
2.6 YouTube channel and comment data
If you connect a YouTube channel, you authorize us through Google OAuth using the youtube.force-ssl scope. We receive your channel's ID, title, thumbnail and the list of your uploaded videos, and — for the videos you opt in — the public top-level comments on them (comment text, the commenter's public display name and channel ID, and timestamps). We also store an encrypted access and refresh token so we can hide or restore comments on your behalf. We do not access your videos' content, analytics, monetization, subscriber lists, or any private data.
3. How we use your information
- Comment moderation: classifying incoming Instagram comments as genuine, vulgar, predatory, spam, or matching your custom blocked keywords, and hiding them on your behalf.
- AI-generated replies: using large language models to draft reply text in the tone you select, which is then sent as a reply from your Instagram account.
- Auto-likes: liking genuine comments at the sensitivity threshold you configure.
- Audience insights: clustering comments by topic to produce aggregate analytics (e.g. percentage of comments asking for specific content).
- Account management: creating and maintaining your Comments Studio account, processing payments, sending service-related emails.
- Security & compliance: detecting fraud, abuse, and policy violations; complying with legal obligations.
- Service improvement: analyzing aggregate usage patterns to improve features. We do not use the content of your individual comments to train external machine-learning models.
4. Important notes on how we moderate
We hide comments — we never delete them. Hidden comments remain visible to the original commenter and to you, but are removed from public view. You can review and restore any hidden comment from your Comments Studio dashboard. We do not block, mute, or report Instagram users on your behalf without your explicit action.
AI classification is not perfect. False positives and false negatives can occur. You retain ultimate authority over what appears on your Instagram account.
5. Third parties we share data with
We share limited data with carefully chosen service providers ("Data Processors") strictly for the purposes of operating the Service:
| Provider | Purpose | Data shared |
|---|---|---|
| Meta Platforms, Inc. | Instagram Graph API access; comment hide/reply actions | Access tokens, comment IDs, actions taken |
| Google LLC (YouTube Data API) | Connecting your YouTube channel; reading comments; hiding/restoring comments | OAuth tokens, channel ID, comment IDs and text, moderation actions |
| OpenAI, L.L.C. | Comment classification and AI reply generation | Comment text, your selected reply tone (no PII attached) |
| Razorpay Software Pvt. Ltd. | Subscription billing and payment processing | Name, email, billing details |
| MongoDB, Inc. (Atlas) | Database hosting | All stored account and comment data (encrypted at rest) |
| Vercel, Inc. | Web application hosting | Request logs, IP addresses |
| Railway / Modal | Background workers and machine-learning service hosting | Comment text during processing |
We do not sell your personal data. We do not share data with advertisers. We do not use comment content for any purpose other than delivering the Service.
6. Google API Services and YouTube data
When you connect a YouTube channel, Comments Studio accesses certain Google user data through the YouTube Data API using the youtube.force-ssl scope. This section explains that access and how we comply with Google's requirements. It supplements, and does not replace, the rest of this Policy.
6.1 What we access
- Channel information — your channel ID, title, thumbnail and uploads list, to display your channel and let you choose which videos to moderate.
- Comments — public top-level comments on the videos you opt in: comment text, the commenter's public display name and channel ID, and timestamps.
- Moderation status — we set the moderation status of comments to hide ("rejected") or restore ("published") them according to your settings.
We request youtube.force-ssl, the minimum scope that allows reading comments and changing their moderation status. On YouTube we do not post videos, like, reply, send messages, or access analytics, monetization, or subscriber data.
6.2 How we use it
- Comment moderation — classifying comments as toxic, spam, or genuine and hiding the toxic/spam comments you have configured to auto-hide. You can restore any hidden comment from your dashboard.
- Audience insights — producing aggregate, topic-level analytics from comments we have already stored, with no additional API calls and no individual profiling.
6.3 Retention
YouTube channel and comment data follow the retention periods in Section 8 (Data retention): comment data is retained for as long as your account is active and is deleted within 30 days of an account-deletion request, not on a fixed time schedule; aggregate insights contain no personal identifiers. Your encrypted OAuth tokens are deleted when you disconnect the channel, and within 30 days of account deletion — or sooner where you revoke access from your Google account.
6.4 Sharing and sale
We do not sell YouTube data, do not use it for advertising, and do not transfer it to third parties except the Data Processors listed in Section 5 strictly to operate the Service (for example, OpenAI to classify comment text and MongoDB Atlas to store it), or as required by law or with your consent.
6.5 Limited Use & Google policies
Comments Studio's use of information received from Google APIs adheres to the Google API Services User Data Policy, including its Limited Use requirements. We use Google user data only to provide and improve the moderation and insights features you enable; we do not transfer or use it for serving advertisements; and we do not allow humans to read it except (a) with your consent, (b) for security purposes, (c) to comply with applicable law, or (d) where the data has been aggregated and anonymized.
Your use of the YouTube features of the Service is also subject to the YouTube Terms of Service and the Google Privacy Policy. You can review and revoke Comments Studio's access to your Google account at any time at myaccount.google.com/permissions.
7. Cross-border data transfer
Some of the Data Processors listed above (notably OpenAI, MongoDB Atlas, and Vercel) operate servers outside India. Where data is transferred outside India, we ensure it is to jurisdictions that have not been notified as restricted by the Government of India under Section 16 of the DPDP Act, 2023, and that the processor is bound by contractual data protection obligations.
8. Data retention
- Account data: retained for the life of your account, deleted within 30 days of account deletion.
- Comment data: retained for as long as your account is active — so we can show your moderation history, detect repeat commenters, and generate insights — and is not deleted on a fixed time schedule. It is deleted within 30 days of an account-deletion request, and you can request deletion at any time (see Section 9 and our Data Deletion page).
- Aggregate insights: anonymized topic-cluster data may be retained indefinitely as it contains no personal identifiers.
- Payment records: retained for a minimum of 8 years as required under Indian tax and accounting law.
- Server logs: retained for 30 days, then deleted.
9. Your rights under the DPDP Act, 2023
As a Data Principal, you have the following rights:
- Right to access: request a copy of the personal data we hold about you.
- Right to correction: request correction of inaccurate or incomplete personal data.
- Right to erasure: request deletion of your personal data, subject to legal retention requirements.
- Right to withdraw consent: withdraw consent at any time. This may limit your ability to use the Service.
- Right to grievance redressal: raise concerns about how we handle your data.
- Right to nominate: nominate another individual to exercise these rights in the event of your death or incapacity.
To exercise any of these rights, email legal@commentsstudio.com. We will respond within 30 days.
10. Security
We protect your data using industry-standard security measures including AES-256-GCM encryption of access tokens at rest, TLS encryption in transit, role-based access controls, regular security audits, and monitoring for unauthorized access. No system is perfectly secure; we cannot guarantee absolute security but we work hard to maintain a high standard.
In the event of a personal data breach that is likely to cause significant harm to you, we will notify you and the Data Protection Board of India in accordance with the DPDP Act, 2023.
11. Children's privacy
Comments Studio is intended for use by creators aged 18 and above. We do not knowingly collect personal data of individuals under 18 as registered users. If you believe we have collected such data, please contact us and we will delete it.
We are mindful that comments processed by the Service may include those from minors who interact with your content. We do not profile, track, or target minors; comments are processed only for the purpose of moderation actions you have configured.
12. Cookies and similar technologies
We use only essential cookies required for authentication and session management. We do not use advertising cookies or third-party tracking cookies.
13. Grievance officer
In accordance with the DPDP Act, 2023 and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, our Grievance Officer can be contacted at:
Grievance Officer
Comments Studio
Email: legal@commentsstudio.com
We respond to grievances within 15 days of receipt.
14. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email and a notice on the dashboard at least 7 days before they take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.
15. Contact us
For any questions about this Privacy Policy, email legal@commentsstudio.com.