Privacy Policy

Last updated: March 2026

Overview

FeedEmbed (“we”, “our”, or “us”) is operated by Ola Berger Consulting (company registration no. 37655791), incorporated in Denmark. We provide a service that lets website owners embed their public Instagram feed on any website. This policy explains what information we collect, how we use it, and what rights you have over it. We aim to be straightforward — if something isn’t clear, email us at hello@feedembed.io.

Information we collect

Account information

When you create an account, we collect your email address and a password (stored securely via Supabase Auth). If you sign up using a social login (e.g. Google), we may also receive your name and profile photo from that provider.

Instagram data

When you connect an Instagram account, we receive an OAuth access token from Meta (Instagram) and use it to fetch your public posts (images, captions, timestamps, and permalinks). We cache this content on our servers solely to serve your embedded feed without calling Instagram on every page load. We do not collect your direct messages, follower lists, story content, or any private content.

We request only the minimum permission required to operate the service:

  • instagram_business_basic — to read your public profile information and media (posts, images, captions). We use this to build and display your embedded feed.

We do not request permissions to post, delete, comment, reply to messages, or perform any action on your behalf. Access tokens are encrypted at rest using AES-256-GCM before being stored in our database and are never transmitted to third parties.

Payment information

Payments are handled by Stripe. We never see or store your full card number — only a non-sensitive token and the last four digits that Stripe provides us for display purposes.

Usage data

We track aggregate view counts on embedded feeds (how many times a feed was loaded per hour) so we can enforce plan limits and show you analytics. We also collect basic server logs (IP address, request path, timestamp) for security and debugging, which are retained for up to 30 days.

Website analytics

Our marketing site uses Cloudflare Web Analytics, a privacy-first analytics tool that does not use cookies and does not track individuals across sites.

How we use your information

  • To provide and operate the FeedEmbed service
  • To authenticate you and keep your account secure
  • To fetch and cache your Instagram posts for display on your site
  • To process payments and manage your subscription
  • To send transactional emails (e.g. receipts, password resets)
  • To send product updates and occasional announcements (you can unsubscribe at any time)
  • To enforce plan limits (view counts, feed limits, refresh intervals)
  • To detect and prevent fraud or abuse

Data sharing

We do not sell your personal data. We share information only with the third-party service providers that help us run FeedEmbed:

  • Supabase — database and authentication (hosted on AWS)
  • Cloudflare — CDN, Workers hosting, DDoS protection, and analytics
  • Stripe — payment processing
  • Meta / Instagram — OAuth and Instagram Graph API access
  • Trigger.dev — background job orchestration (used internally; does not receive personal data beyond what is necessary for job execution)

We may also disclose information if required by law, court order, or to protect the rights and safety of our users or the public.

Your Instagram data

When you disconnect an Instagram account from FeedEmbed (either from our dashboard or by revoking access directly from Instagram’s app settings), we delete the associated OAuth access token immediately. Cached post data (images, captions) associated with that account is deleted within 7 days. Embedded feeds referencing that account will return an empty result until a new account is connected.

Meta Platform data deletion

FeedEmbed complies with Meta’s Platform Terms regarding data deletion. If you remove FeedEmbed from your connected Instagram apps (via Instagram Settings → Apps and Websites), Meta will notify us automatically via a secure callback and we will delete all data associated with your Instagram account within 24 hours.

Our data deletion callback URL is: https://api.feedembed.io/v1/instagram/data-deletion

Our deauthorize callback URL is: https://api.feedembed.io/v1/instagram/deauthorize

You can also verify the status of a deletion request at feedembed.io/data-deletion using the confirmation code provided at the time of deletion.

We do not transfer, sell, or use Instagram data obtained through the Meta API for any purpose other than displaying your feed on your own website. Data obtained via the Instagram API is not used for advertising, profiling, or shared with any third parties beyond what is described in the “Data sharing” section above.

Your rights

You can access, correct, or delete your account and associated data at any time from your dashboard settings. If you’d like to request a full data export or have your account permanently deleted, email us at hello@feedembed.io and we’ll take care of it within 30 days.

If you are located in the European Economic Area, you have additional rights under the GDPR, including the right to lodge a complaint with your local supervisory authority. International data transfers from the EEA are covered by Standard Contractual Clauses.

Data retention

We retain your account data for as long as your account is active. If you cancel and close your account, we delete your personal data within 30 days, except where we are required to retain it for legal or tax purposes (e.g. billing records, which may be kept for up to 7 years in some jurisdictions).

Security

All data is encrypted in transit via TLS. Instagram access tokens are encrypted at rest with AES-256-GCM. We follow security best practices for credential management and access control. That said, no system is 100% secure — if you discover a vulnerability, please reach out to us privately before disclosing it publicly.

Children

FeedEmbed is not intended for anyone under the age of 13 (or 16 where required by local law). We do not knowingly collect personal data from children. If you believe we have inadvertently collected information from a child, please contact us and we will delete it promptly.

Changes to this policy

If we make material changes to this policy, we’ll notify you by email or by a prominent notice in the dashboard at least 14 days before the change takes effect. The “Last updated” date at the top of this page reflects the most recent revision.

Contact

Questions about this policy? Reach us at hello@feedembed.io.