Legal

Privacy Policy

Last updated: 10 June 2026
Effective: 10 June 2026
ig-hub.nebas.dev

01 Who we are

Instagram Hub (“the Service”, “we”, “us”) is a service operated by Nebas, the data controller for the limited personal data described in this policy. The Service is hosted at ig-hub.nebas.dev.

The Service lets a business connect its own Instagram professional account once, then displays that account’s latest public posts on the business’s own websites. It is read-only: it never publishes content, reads messages, or accesses private data.

02 What data we collect

We deliberately collect the minimum required to display your feed. Specifically:

| Data | What it is |
|---|---|
| Access token | A single Instagram API access token that authorises read-only access to your own public media. Stored encrypted at rest. |
| Public media | Your recent public posts — image/video URL, caption, timestamp, media type, and permalink — cached so we can serve them to your site. |
| Account identifiers | Your Instagram account ID and username, used to label the connection. |
| Operational logs | Minimal technical logs (e.g. token-refresh success/failure, timestamps) to keep the connection healthy. |

We do not collect direct messages, follower lists, comments, insights, or any data belonging to other users.

03 Why we collect it

Each item above exists for one purpose: to display your own public Instagram posts on your own websites and to keep that connection working without manual re-authentication. We do not use your data for advertising, profiling, or analytics about individuals.

04 Legal basis (GDPR)

Where the EU/UK GDPR applies, our legal bases are:

  • Consent (Art. 6(1)(a)) — you explicitly authorise the connection when you approve access through Instagram. You can withdraw it at any time by disconnecting.
  • Legitimate interests (Art. 6(1)(f)) — keeping the token refreshed and the feed available, which is the service you asked us to provide.

05 Retention

We keep your access token and cached feed only while your account is connected. When you disconnect — by removing the app in Instagram settings or by requesting deletion — we erase the token and cached media within 30 days. Minimal operational logs are retained for a short period for security, then deleted.

06 Instagram & Meta as the data source

The data we process originates from the Instagram Platform, provided by Meta Platforms, Inc. Your use of Instagram is governed by Meta’s own terms and privacy policy. Our access is granted by you through Instagram’s official authorisation flow and is limited to read-only access to your own public media. Instagram Hub is not affiliated with, endorsed by, or sponsored by Instagram or Meta.

07 Sharing & security

We do not sell or rent your data, and we do not share it with third parties for their own purposes. Your public feed is served only to the websites you connect, via keys you control.

Access tokens are encrypted at rest and are never exposed in feeds, client-side code, logs, or to other customers. Feed delivery is over HTTPS, and access is gated by per-site keys that you can revoke at any time.

08 Your rights

Subject to applicable law, you have the right to access, correct, export, restrict, or delete your data, and to withdraw consent at any time. Because the only personal data we hold is your token and your own public media, exercising these rights is usually as simple as disconnecting.

  • Access & portability — request a copy of what we store about your connection.
  • Erasure — disconnect or request deletion (see below).
  • Withdraw consent — remove the app in Instagram settings at any time.

09 Deleting your data

You can remove everything we store in two ways: automatically by removing the app from your Instagram settings, or by sending us a manual request. In both cases we delete your token and cached feed within 30 days.

For full step-by-step instructions and a manual request form, see the Data Deletion page.

10 Contact

Questions about this policy or your data? Email us at privacy@ig-hub.nebas.dev and we’ll respond promptly. If you believe we have not resolved a concern, you may also lodge a complaint with your local data protection authority.