Kotonaut

Privacy Policy

Last updated: February 16, 2026

1. Introduction

Kotonaut ("we," "our," or "us") operates the kotonaut.com website and the Kotonaut SaaS platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.

2. Information We Collect

2.1 Account Information

When you create an account, we collect your email address and name as provided through your authentication provider (e.g., Google or email/password sign-up).

2.2 Meta Platform Data

When you connect your Instagram or Facebook account, we receive an access token from Meta. We use this token solely to perform actions you configure within Kotonaut, such as reading comments and sending direct messages on your behalf. We store your page/account identifiers and the encrypted access token.

2.3 Usage Data

We collect analytics about how you use the platform, including the number of DMs sent, triggers configured, and feature usage. This data helps us improve the service and enforce plan limits.

2.4 Payment Information

Payment processing is handled by Stripe. We do not store your credit card number or full payment details on our servers. We receive and store your Stripe customer ID and subscription status.

3. How We Use Your Information

  • To provide and maintain the Kotonaut service
  • To send automated DMs and comment replies on your behalf via the Meta API
  • To track usage for plan limits and billing
  • To send you service-related communications (e.g., limit warnings, plan changes)
  • To improve and develop new features
  • To detect and prevent abuse or fraud

4. Meta API Usage & Compliance

Kotonaut uses Meta's official APIs (including the Private Reply API and Conversations API) in compliance with Meta's Platform Terms. We only access data necessary to provide the comment-to-DM automation you configure. We do not sell, share, or use Meta platform data for advertising purposes.

5. Data Storage & Security

Your data is stored on secure, encrypted infrastructure provided by Supabase (hosted on AWS). Meta access tokens are encrypted at rest using AES-256-GCM. We implement Row Level Security (RLS) policies to ensure users can only access their own data.

6. Data Sharing

We do not sell your personal information. We may share data with:

  • Stripe — for payment processing
  • Meta (Facebook/Instagram) — only the API calls necessary to perform actions you configure
  • Supabase — as our database and authentication provider
  • Law enforcement — if required by applicable law

7. Data Retention & Deletion

We retain your data for as long as your account is active. When you delete your account, we delete all associated data, including Meta tokens, trigger configurations, and DM logs, within 30 days. Meta may require us to delete platform data upon user request or deauthorization; we comply with these requirements via our data deletion callback endpoint.

8. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you
  • Request correction or deletion of your data
  • Withdraw consent for data processing
  • Export your data in a portable format
  • Object to automated decision-making

To exercise any of these rights, contact us at support@kotonaut.com.

9. Cookies

We use essential cookies for authentication and session management. We do not use third-party advertising or tracking cookies.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last updated" date.

11. Contact Us

If you have questions about this Privacy Policy, contact us at: