The exact data we see — and how to verify it yourself
Every Instagram unfollower app claims to be “safe” and “private.” That word has become meaningless because everyone uses it. This page shows you the literal HTTP request our app sends when you upload an export, and gives you the exact steps to confirm it yourself in your browser's DevTools.
This is the request we send
When you upload your Instagram ZIP, your browser parses it locally, extracts only the follower / following lists, and POSTs the JSON below to /api/audits. That's it. There is no second request, no analytics pixel attached to the upload, no third-party service the data is sent to.
```http
POST /api/audits HTTP/1.1
Content-Type: application/json

{
  "parsed": {
    "ig_username": "yourhandle",
    "exported_at": "2026-05-19T00:00:00.000Z",
    "followers": [
      { "username": "alice" },
      { "username": "bob", "followed_at": "2024-03-15T12:00:00.000Z" }
    ],
    "following": [
      { "username": "alice" },
      { "username": "charlie" }
    ],
    "pending_requests": [{ "username": "dave" }],
    "blocked_profiles": [],
    "recently_unfollowed": []
  },
  "filename": "instagram-yourhandle-2026-05-19.zip"
}
```
The /api/audits route is server-side validated with a strict schema (Zod) — any field outside this shape is rejected. The source is at apps/web/src/app/api/audits/route.ts; once the repo is public, you'll be able to read it line by line.
What we do see
Every field below is derived from the ZIP you uploaded. Fields marked optional only appear if Instagram included them in your export.
| We see | Why |
|---|---|
| Your Instagram handle | To associate this audit with your Instagram account so we can compare future uploads. |
| The export timestamp | To order audits chronologically and detect duplicate uploads of the same export. |
| Usernames who follow you | To compute who unfollowed you since your last upload. |
| Usernames you follow | To compute who doesn't follow you back. |
| Pending follow requests (usernames) (optional) | Only when the file is present in your export; surfaced in the Pending requests section. |
| Blocked accounts (usernames) (optional) | Only when the file is present in your export; surfaced in the Blocked section. |
| Recently unfollowed (usernames) (optional) | Only when the file is present in your export; surfaced as a separate list. |
| The original ZIP filename (optional) | Used in your audit history list (e.g. "instagram-yourhandle-2026-05-19.zip"). Stored as text only — the file itself never leaves your browser. |
| A "followed at" timestamp per follower (optional) | Only when Instagram included it in the export; powers the 'earliest followers' feature. |
Last verified against the live API schema on 2026-05-28.
What we never see
Even though all of this is in the Instagram export ZIP you downloaded, none of it is sent to our server.
- Your Instagram password
- Your Instagram session cookie or access token
- The original ZIP file (it never leaves your browser)
- Any image, profile photo, or avatar URL
- Any direct message (DM) content or metadata
- Any post, story, reel, or comment
- Engagement data (likes, views, saves)
- Bio text, location, or business information
- Your Instagram-registered email or phone number
Verify it yourself in 60 seconds
Don't trust this page — trust your own browser. Here's exactly how to confirm what we send before you click “upload.”
1. Open your browser's DevTools (⌘⌥I on Mac, Ctrl+Shift+I on Windows / Linux) and click the Network tab.
2. In the Network tab, check the “Preserve log” box so the requests don't clear when the page navigates.
3. Go to the upload page and drop your Instagram ZIP.
4. In the Network tab, click the request named audits. Then click the Payload (or Request) tab.
5. You'll see the exact JSON we send. It will look identical in shape to the example above. That's everything we receive.
Bonus: right-click the request → Copy → Copy as cURL. That's the entire payload, reproducible from your terminal. Nothing hidden.
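To check a captured body field by field instead of by eye, the script below walks the JSON and lists every key that falls outside the shape shown in the example request. It is an added example, not the app's own code: the allow-list is transcribed from this page rather than from the Zod schema, the names `auditPayload` and `checkObject` are hypothetical, and the `email` and `avatar_url` fields in the sample are constructed.

```javascript
// Allow-list transcribed from the example request on this page (an assumption:
// it is not the app's Zod schema). followed_at is documented per follower only.
const ENTRY = { username: "string" };
const LISTS = {
  followers: { username: "string", followed_at: "string" },
  following: ENTRY,
  pending_requests: ENTRY,
  blocked_profiles: ENTRY,
  recently_unfollowed: ENTRY,
};
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Record keys missing from `allowed` and allowed keys with the wrong typeof.
function checkObject(obj, allowed, path, findings) {
  if (obj === null || typeof obj !== "object" || Array.isArray(obj)) {
    findings.push(`${path}: expected an object`);
    return;
  }
  for (const [key, value] of Object.entries(obj)) {
    if (!has(allowed, key)) findings.push(`${path}.${key}: undocumented field`);
    else if (typeof value !== allowed[key]) findings.push(`${path}.${key}: wrong type`);
  }
}

// bodyText: the request body copied from the Payload tab or the Copy as cURL command.
function auditPayload(bodyText) {
  const findings = [];
  const body = JSON.parse(bodyText);
  checkObject(body, { parsed: "object", filename: "string" }, "$", findings);
  const parsed = (body && body.parsed) || {};
  const shape = { ig_username: "string", exported_at: "string" };
  for (const name of Object.keys(LISTS)) shape[name] = "object"; // arrays are typeof "object"
  checkObject(parsed, shape, "$.parsed", findings);
  for (const [name, entryShape] of Object.entries(LISTS)) {
    const list = parsed[name];
    if (list === undefined) continue; // optional lists may be absent
    if (!Array.isArray(list)) { findings.push(`$.parsed.${name}: expected an array`); continue; }
    list.forEach((e, i) => checkObject(e, entryShape, `$.parsed.${name}[${i}]`, findings));
  }
  return findings; // empty array: nothing outside the documented shape
}

// Constructed sample: a body carrying two fields this page says are never sent.
const SAMPLE_BAD = JSON.stringify({
  parsed: { ig_username: "yourhandle", email: "x@example.com",
    followers: [{ username: "alice", avatar_url: "https://example.com/a.jpg" }],
    following: [{ username: "charlie" }] },
  filename: "instagram-yourhandle-2026-05-19.zip",
});
console.log(auditPayload(SAMPLE_BAD));
```

An empty result means the captured body contains only documented fields; it says nothing about other requests in the Network tab, which still need to be looked at separately.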
What happens to that data once it arrives
The usernames are stored in our managed Postgres database (Supabase) so we can compare future uploads and tell you who unfollowed since the last audit. The database has disk-level encryption and per-user row-level security policies — meaning even a misconfigured query cannot return another user's rows.
You can delete your account and every row associated with it at any time from the Settings page. Deletion cascades through every table. It's a single SQL transaction; there's no soft-delete or recovery period.