Privacy Policy
Last updated: April 29, 2026
1. Information We Collect
1.1 From your Instagram connection
When you sign in with Instagram using the Instagram Business Login API, we receive and store:
- Your Instagram Business account ID, username, and display name
- Your Instagram profile picture URL
- A long-lived access token, which we encrypt at rest using AES-256-GCM
1.2 From your Instagram activity
After connecting, we receive (via Instagram webhook subscriptions and the Instagram Graph API):
- Public comments posted on your Instagram media
- Author username and Instagram User ID of each comment
- Comment timestamps and any threaded replies
- Media metadata (caption, media type, permalink) for context
- Replies you send through kite (we store the final text you approved)
1.3 From your use of the service
- Reply suggestions you accept, edit, or reject — used to improve future AI suggestions for your account only
- Settings such as reply templates and "avoid words" you configure
- Push notification subscription endpoints, if you enable browser notifications
We do not collect your Instagram password (we use OAuth), private DMs, account-level analytics, or any data not displayed in the kite UI.
2. How We Use This Information
- To display your pending Instagram comments inside the kite app
- To generate AI-drafted reply suggestions tailored to your past writing style. Drafts are produced by Google Gemini, with your past comment replies and a small profile summary sent as context
- To post a reply on your behalf when you tap "Send"
- To improve future suggestions when you edit a draft (we store the edits to learn your style)
- To send push notifications about new comments, only if you opted in
We do not use your data for advertising, training third-party AI models on a pooled corpus, or sharing with marketing partners.
3. Third-Party Service Providers
The following processors handle your data on our behalf:
- Cloudflare (infrastructure): hosts kite servers and stores your data in Cloudflare D1 (SQLite), Vectorize (embeddings), and Workers AI. See Cloudflare's Privacy Policy.
- Google Gemini API: generates AI reply suggestions. The text we send includes your past comment replies and the comment you are replying to. Per Gemini API terms, paid-tier requests are not used to train Google's models.
- Meta (Instagram Graph API): all comment retrieval and reply posting uses Meta's official API. Meta's privacy policy applies separately.
4. Where Your Data Is Stored
Your data is stored in Cloudflare's global edge network. Encrypted access tokens, comments, replies, and learned profile data live in Cloudflare D1 (SQLite) databases; embedding vectors live in Cloudflare Vectorize indexes.
5. How Long We Keep Your Data
We retain your data while your kite account is active. When you disconnect Instagram from kite or request deletion, we remove:
- Your access tokens (immediately)
- Your stored comments, media metadata, and reply history (within 7 days)
- Your AI personality profile and learned patterns (within 7 days)
- Your embedding vectors tied to the account (within 7 days)
For deletion requests outside the in-app flow, see our Data Deletion page.
6. Your Rights
- Access the data we hold about you (contact us)
- Request deletion (see Data Deletion page or use the in-app option)
- Export your data (contact us)
- Withdraw consent by disconnecting Instagram from kite at any time
7. Security
- Access tokens are encrypted at rest with AES-256-GCM.
- All connections use HTTPS / TLS 1.3.
- Session cookies are HttpOnly, Secure, SameSite=Lax, and signed with HMAC-SHA-256.
8. Children's Privacy
kite is not directed at children under 13. If we learn that we have collected information from a child, we will delete it promptly.
9. Changes to This Policy
See section 10 for analytics on our public marketing pages (cookie-less, no PII, used to improve the landing page only).
We may update this policy. We will notify users of material changes via the kite app and update the "Last updated" date above.
10. Analytics on Marketing Pages
On our public marketing pages (such as /lp/creator), we run a lightweight, cookie-less analytics setup so we can understand which sections lead visitors to sign up. We do not use cookies, fingerprints, IP addresses, user agents, or any cross-site identifiers for this purpose.
What we collect on these pages:
- Cloudflare Web Analytics: privacy-first page view and Core Web Vitals data, served by Cloudflare without cookies. See Cloudflare Web Analytics.
- First-party event beacons: a small JSON payload sent from your browser to our own servers when you (a) load the landing page, (b) click a sign-up CTA, (c) submit the waitlist form, (d) scroll past 25/50/75/100% of the page, or (e) open an FAQ entry. The payload contains only the event name, the page path, an optional source label from the URL, the originating referrer host, and a few UTM parameters. No identifier, cookie, IP, or user agent is stored.
These signals are aggregated and used solely to improve the marketing page (which messages resonate, which CTA position converts best). They are not shared with advertisers, are not joined to any logged-in account data, and are not used for retargeting.
11. Contact
Questions or requests: tomo1208.japan@gmail.com