Privacy Policy
Last updated: 2026-06-14
What we collect
When you sign in, we store your email address and an authentication identifier from your sign-in provider (Google or magic-link email). We do not request your Instagram password, ever.
When you use an Instagram data export with Unfollio, the ZIP is parsed locally on your device: in your browser for web uploads or in the native iOS app for app imports. We send your Instagram handle, the export timestamp, your followers and following lists (usernames only), and — when present in your export — your pending follow requests, blocked accounts, and recently-unfollowed lists. The original ZIP file is not uploaded or stored by Unfollio.
The full list of fields sent is:
- Your Instagram handle — To associate this audit with your Instagram account so we can compare future uploads.
- The export timestamp — To order audits chronologically and detect duplicate uploads of the same export.
- Usernames who follow you — To compute who unfollowed you since your last upload.
- Usernames you follow — To compute who doesn't follow you back.
- Pending follow requests (usernames) (optional — only if Instagram included it) — Only when the file is present in your export; surfaced in the Pending requests section.
- Blocked accounts (usernames) (optional — only if Instagram included it) — Only when the file is present in your export; surfaced in the Blocked section.
- Recently unfollowed (usernames) (optional — only if Instagram included it) — Only when the file is present in your export; surfaced as a separate list.
- The original ZIP filename (optional — only if Instagram included it) — Used in your audit history list (e.g. "instagram-yourhandle-2026-05-19.zip"). Stored as text only; the ZIP itself is not uploaded or stored by Unfollio.
- A "followed at" timestamp per follower (optional — only if Instagram included it) — Only when Instagram included it in the export; powers the 'earliest followers' feature.
See the literal HTTP request on the privacy proof page for the web upload flow. The native iOS app sends the same audit payload shape after parsing the ZIP locally.
What we don't collect
- Your Instagram password
- Your Instagram session cookie or access token
- The original ZIP file as a stored upload
- Any image, profile photo, or avatar URL
- Any direct message (DM) content or metadata
- Any post, story, reel, or comment
- Engagement data (likes, views, saves)
- Bio text, location, or business information
- Your Instagram-registered email or phone number
- Cookies for advertising or third-party tracking
How we use your data
We use the followers/following usernames to compute audits (who unfollowed, who doesn’t follow back, etc.) and store them so you can track changes over time. We do not sell, share, or rent your data to any third party.
Product analytics
For product analytics and abuse debugging, we store page/event metadata such as route path, source, referrer, anonymous/session IDs, coarse region, browser/tool family, bot detection, and privacy-safe request fingerprints. Route paths are stored without query strings or hash fragments. The request fingerprints are keyed hashes of IP address and user agent; raw IP addresses and raw user-agent strings are not stored.
We use this to understand launch traffic, debug failed flows, remove QA/bot traffic from reporting, and protect the service from abuse.
Authentication providers
We use Supabase Auth for sign-in. If you sign in with Google, Google may share your name, email address, and profile photo with us. If you sign in with magic link, only your email address is shared. If Sign in with Apple is enabled, Apple may share your name and email address according to the choices you make in Apple's sign-in sheet.
Data retention & deletion
Your audit history and account states are kept for as long as you have an account. You can delete your account and all associated data at any time from the Settings page.
Contact
Questions about this policy? Email privacy@unfollio.com.