Safety/Proof
Verifiable claim

The exact data we save — and how to verify it yourself

Every Instagram unfollower app claims to be “safe” and “private.” That word has become meaningless because everyone uses it. This page shows you the literal HTTP request our web app sends when you save an export, and gives you the exact steps to confirm it yourself in your browser's DevTools. The original ZIP is not uploaded or stored by Unfollio; saved audits store the derived relationship data needed for counts, history, and future comparisons. The native iOS app parses the ZIP locally too, then saves the same audit payload shape.

This is the request we send

In the web upload flow, your browser parses the Instagram ZIP locally, extracts only the relationship data needed for the audit, and POSTs the JSON below to /api/audits. The original ZIP itself is never uploaded or stored by Unfollio. That saved audit data is not sent to any third-party service.

POST /api/audits HTTP/1.1
Content-Type: application/json

{
  "parsed": {
    "ig_username": "yourhandle",
    "exported_at": "2026-05-19T00:00:00.000Z",
    "followers": [
      { "username": "alice" },
      { "username": "bob", "followed_at": "2024-03-15T12:00:00.000Z" }
    ],
    "following": [
      { "username": "alice" },
      { "username": "charlie" }
    ],
    "pending_requests": [{ "username": "dave" }],
    "blocked_profiles": [],
    "recently_unfollowed": []
  },
  "filename": "instagram-yourhandle-2026-05-19.zip"
}

The /api/audits route is server-side validated with a strict schema (Zod) — any field outside this shape is rejected. The source is at apps/web/src/app/api/audits/route.ts; once the repo is public, you'll be able to read it line by line.

What analytics sees

For product analytics and abuse debugging, we store page/event metadata such as route path, source, referrer, anonymous/session IDs, coarse region, browser/tool family, bot detection, and privacy-safe request fingerprints. Route paths are stored without query strings or hash fragments. The request fingerprints are keyed hashes of IP address and user agent; raw IP addresses and raw user-agent strings are not stored.

What we do see

Every field below is derived from the ZIP you uploaded. Fields marked optional only appear if Instagram included them in your export.

We seeWhy
Your Instagram handleTo associate this audit with your Instagram account so we can compare future uploads.
The export timestampTo order audits chronologically and detect duplicate uploads of the same export.
Usernames who follow youTo compute who unfollowed you since your last upload.
Usernames you followTo compute who doesn't follow you back.
Pending follow requests (usernames)optionalOnly when the file is present in your export; surfaced in the Pending requests section.
Blocked accounts (usernames)optionalOnly when the file is present in your export; surfaced in the Blocked section.
Recently unfollowed (usernames)optionalOnly when the file is present in your export; surfaced as a separate list.
The original ZIP filenameoptionalUsed in your audit history list (e.g. "instagram-yourhandle-2026-05-19.zip"). Stored as text only; the ZIP itself is not uploaded or stored by Unfollio.
A "followed at" timestamp per followeroptionalOnly when Instagram included it in the export; powers the 'earliest followers' feature.

Last verified against the live API schema on 2026-06-14.

What we never see

Even though all of this is in the Instagram export ZIP you downloaded, none of it is sent to our server.

  • Your Instagram password
  • Your Instagram session cookie or access token
  • The original ZIP file as a stored upload
  • Any image, profile photo, or avatar URL
  • Any direct message (DM) content or metadata
  • Any post, story, reel, or comment
  • Engagement data (likes, views, saves)
  • Bio text, location, or business information
  • Your Instagram-registered email or phone number

Verify it yourself in 60 seconds

Don't trust this page — trust your own browser. Here's exactly how to confirm what we send before you click “upload.”

  1. 1

    Open your browser's DevTools (⌘⌥I on Mac, Ctrl+Shift+I on Windows / Linux) and click the Network tab.

  2. 2

    In the Network tab, check the “Preserve log” box so the requests don't clear when the page navigates.

  3. 3

    Go to the upload page and drop your Instagram ZIP.

  4. 4

    In the Network tab, click the request named audits. Then click the Payload (or Request) tab.

  5. 5

    You'll see the exact JSON we send. It will look identical in shape to the example above. That's everything we receive.

Bonus: right-click the request → Copy → Copy as cURL. That's the entire payload, reproducible from your terminal. Nothing hidden.

What happens to that data once it arrives

The usernames are stored in our managed Postgres database (Supabase) so we can compare future uploads and tell you who unfollowed since the last audit. The database has disk-level encryption and per-user row-level security policies — meaning even a misconfigured query cannot return another user's rows.

You can delete your account and saved audit rows at any time from the Settings page. Deletion cascades through the product tables in a single SQL transaction; there's no soft-delete recovery flow in the app.

Privacy context

Ready to try it?

Sign up free. Verify the network request yourself. Then decide.

Get started — free