Privacy Policy — The Trigger Agents
1. Summary
The Trigger Agents is an internal customer-engagement automation tool that Trigger LLC operates on its own Instagram Business account to respond faster to enquiries posted in comments and Direct Messages.
We integrate with Instagram exclusively through the official Meta APIs (Instagram Login API + Webhooks). We collect data only from interactions posted to our own media — never from third-party accounts.
2. Who we are
| Controller | Trigger LLC (MChJ) |
|---|---|
| Address | Tashkent, Uzbekistan |
| Contact email | info@triger.uz |
| Instagram Business account | @elyor_sabirov (Meta App ID 1522962702507550) |
3. What data we collect
We process the following data, received from Meta's Instagram Platform:
3.1 Comment data
- Comment ID
- Comment text
- Author Instagram username
- Author Instagram user ID (when provided by Meta)
- Parent media ID and URL
- Timestamp
3.2 Direct Message data
- Conversation ID
- Message text exchanged between our account and the user
- Author user ID and username
- Timestamp
3.3 Aggregated engagement metrics (our own media)
- Like counts, comment counts, reach / impression counts
3.4 Automatically generated logs
- The action our system took (public reply, DM sent, emoji reaction)
- Whether a trigger keyword matched
- Timestamp of each action
We do not collect: photos/videos of users, email or phone numbers not voluntarily shared, data from accounts other than our connected Business account, location data, payment data.
4. Source of the data
All Instagram-related data is received through Meta's official APIs:
- Instagram Graph API (HTTPS, authenticated with an access token issued by Meta)
- Instagram Webhooks (HTTPS POST events signed by Meta's app secret)
We do not scrape Instagram, do not use unofficial APIs, and do not buy data from third parties.
5. Why we process this data
| Purpose | Legal basis |
|---|---|
| Reply automatically to a comment on our own media containing a configured trigger keyword | Legitimate interest (responding to enquiries directed at our business) |
| Send a single one-time Direct Message in response to such a comment | Legitimate interest + the user's explicit interaction with our content |
| Track which comments we've already replied to (idempotency) | Operational necessity |
| Compute aggregated engagement analytics shown only to admin staff | Legitimate interest |
| Audit logging for security and abuse prevention | Legal obligation, security |
We do not use this data for profiling, targeted advertising, selling/sharing to third parties, or training machine-learning models.
6. Who we share it with
| Recipient | What is shared | Why |
|---|---|---|
| Meta Platforms, Inc. | The original event data (already theirs) | API integration |
| Anthropic PBC (Claude API) | Text content of comments/DMs when our admin invokes the AI agent to compose a reply | Natural-language response generation. Anthropic does not retain prompts long-term and does not train on customer data per their policy. |
| Uzbek law-enforcement | Specific records, only on legally binding order | Legal obligation |
No advertising networks, no analytics SDKs, no marketing platforms.
7. Retention
| Data | Retention period |
|---|---|
| Comment metadata | 90 days |
| Direct Message transcripts | 180 days |
| Aggregated analytics | 24 months |
| Audit logs | 12 months |
| User opt-out / STOP records | Indefinitely (so we never message you again) |
8. Your rights
You have the right to:
- Access — request a copy of all records associated with your Instagram username
- Correction — request correction of any inaccurate records
- Deletion — request immediate deletion (see Section 9)
- Object — opt out of all automated messaging from us
- Lodge a complaint with the relevant Uzbek data-protection authority
Email info@triger.uz with the subject "Privacy Request — @your_username". We respond within 7 business days.
9. How to delete your data
Option A — One-click opt-out (fastest)
Reply with the word STOP to any automated Direct Message from us. Our system marks your record as opt-out immediately and excludes you from all future automated replies and DMs.
Option B — Full deletion request
Email info@triger.uz with the subject "Instagram Data Deletion — @your_username". We verify ownership (one-time verification phrase), delete all records, and send confirmation within 7 business days.
Dedicated deletion page: /data-deletion
10. Security
- Data stored in PostgreSQL with at-rest encryption.
- Backend runs on infrastructure controlled by Trigger LLC inside Uzbekistan.
- Access restricted to two named admin accounts protected by 2FA.
- API tokens (Meta, Anthropic, Telegram) stored as encrypted environment variables, never in source control.
- Webhook payloads verified via HMAC-SHA256 signatures issued by Meta.
- HTTPS-only for all external communication (TLS 1.2+).
In the event of a data breach affecting your data, we will notify you within 72 hours of becoming aware of it.
11. Children
The service is intended for the 18+ business audience of our Instagram Business account. If we discover that we have inadvertently processed data of a person under 16, we will delete it immediately upon discovery.
12. International transfers
Our infrastructure is located in Uzbekistan. Two cross-border processors are involved:
- Meta Platforms, Inc. (USA) — the source of the data
- Anthropic PBC (USA) — used only when the admin invokes the AI agent to compose a reply
In both cases, transfer is necessary for the performance of the service you have initiated by commenting on our public posts.
13. Changes to this Policy
We will update this Policy when our practices change. Material changes are:
- Indicated by updating the "Last updated" date at the top
- Announced on our public Instagram account at least 7 days before they take effect
- Archived in version-controlled history available on request
14. Contact
Trigger LLC
Tashkent, Republic of Uzbekistan
Email: info@triger.uz