Privacy Policy
1. Who we are and how to contact us
This Privacy Policy describes how the ScoutLoop service (hereinafter — "ScoutLoop", "we", "us") collects, uses, stores, and protects personal data.
The data controller is AlCom Engineering Group LLP (hereinafter — the "Company"), a limited liability partnership registered in the Republic of Kazakhstan, Almaty.
- Registered address: Asemtau str., bld. 7, Nur Alatau microdistrict, Bostandyk district, Almaty, Republic of Kazakhstan
- Business ID (BIN): 060940009284
- Data protection contact: aan@scoutloop.io
- Website: https://scoutloop.io
By using ScoutLoop, you agree to the terms of this Policy. If you disagree with any of the provisions, please do not use the service.
2. What data we collect
2.1. Data you provide directly
- Name and contact details (email, Telegram, phone) provided when filling out the access request form or entering into a contract.
- Information about your business and Instagram account that you voluntarily share with us.
- ScoutLoop service credentials (login, hashed password).
- Messages and inquiries to our support team.
2.2. Technical data
- IP address and session identifier — for security and abuse prevention.
- User-agent (browser and device type) — for interface compatibility.
- ScoutLoop API request logs — for error diagnostics and security auditing.
2.3. Data about your Instagram Business Account
Once you connect your Instagram Business Account and the associated Facebook Page to ScoutLoop via the official Facebook Login for Business mechanism, we receive access to a limited set of data via Instagram Graph API and Meta Marketing API. The full list is in Section 3.
3. Data from Meta (Facebook and Instagram)
ScoutLoop requests only the permissions necessary for the service to function. Each permission is explicitly displayed on the OAuth consent screen at the moment of connection, and you can revoke it at any time.
| Meta permission | What data we receive | Purpose |
|---|---|---|
instagram_basic |
ID, username, avatar, profile description, follower count, and post count of your IG Business Account. | Account identification and profile display inside ScoutLoop. |
instagram_manage_insights |
Post and account statistics: reach, impressions, saves, website clicks, aggregated audience demographics. | Content performance analytics and content plan creation. |
instagram_manage_comments |
Comments on your posts, mentions, replies. | Comment moderation, replying to clients, negative-feedback control. Not used for mass messaging or spam. |
instagram_content_publish |
Permission to publish content (photos, videos, Reels, Stories) on behalf of your IG Business Account. | Auto-publishing according to a content plan you have approved. |
pages_show_list |
List of Facebook Pages you manage. | Selecting the Facebook Page to link with your Instagram Business Account. |
pages_read_engagement |
Data about the Facebook Page linked to your Instagram: followers, metadata. | Required for Instagram Graph API to function. |
pages_manage_posts |
Permission to publish and edit posts on the linked Facebook Page. | Synchronous publishing to Facebook (at the client's option). |
pages_manage_metadata |
Subscription to Meta webhooks for events on your Page and linked IG. | Timely response to new comments, mentions, and post status changes. |
ads_management |
Managing ad campaigns, creating / running / pausing ads in Meta Ads. | Launching ads against organically performing posts. |
ads_read |
Reading ad campaign statistics (spend, reach, clicks, conversions). | Transparent ad reporting and budget optimization. |
business_management |
Adding client assets (Pages, IG accounts, ad accounts) to ScoutLoop Business Manager via Partner Request. | Secure multi-tenant mode: ScoutLoop as Tech Provider, without exposing logins or passwords. |
If we request additional permissions in the future, we will update this Policy in advance and request your separate consent on the OAuth screen.
3.1. Data we do NOT process
- Instagram Direct private messages.
- Content of personal accounts not connected to ScoutLoop.
- Bank-card payment data (we do not accept payments inside Instagram).
- Data of users under 18 years of age.
3.2. Public market data analytics
ScoutLoop provides a "Market Trends" analytics module that works on publicly available data from open social-media sources. This module:
- USES only public posts that are accessible without authentication and without circumventing platforms' technical restrictions.
- DOES NOT use the Meta Graph API, Meta Marketing API, or any Meta access tokens for this analysis.
- DOES NOT process data from private accounts or private audiences.
- Processes only aggregated post metadata (media type, generalized engagement signals, textual patterns).
- Does not link analysis results to specific individuals.
Technically this functionality is delivered through a third-party processor (EU, GDPR-compliant). See more in the "Who we share data with" section.
3.3. Clear separation of ScoutLoop modules
ScoutLoop consists of two functionally independent modules that process different types of data and DO NOT overlap:
- (A) Account management module — publishing posts, reading metrics of your own account, managing comments and ads. This module EXCLUSIVELY uses the official Meta Graph API and Meta Marketing API. All data is obtained with the account owner's explicit permission.
- (B) Market-trend analytics module — analysis of public social-media posts to understand content formats that work in your niche. This module DOES NOT use the Meta API, has NO access to your Meta tokens, and operates on public data from open sources via a third-party processor.
These modules are technically separated: a compromise of one does not lead to data leakage from the other.
4. Purposes and legal bases of processing
| Purpose | Legal basis |
|---|---|
| Providing the service (publishing, analytics, ads) under a contract with you. | Performance of a contract (GDPR Art. 6(1)(b); Law of the RoK on Personal Data, Art. 7). |
| Connecting to Meta API and processing Instagram data. | User consent expressed via OAuth consent (GDPR Art. 6(1)(a)). |
| Service security, fraud prevention, abuse protection. | Legitimate interests of the Company (GDPR Art. 6(1)(f)). |
| Accounting and tax records, responses to government requests. | Legal obligations (GDPR Art. 6(1)(c); RoK Tax Code). |
| Marketing communications and product updates. | Separate consent that can be withdrawn at any time. |
5. Who we share data with
ScoutLoop does not sell your data. We share it only with service processors needed for the product to function, and only in the minimum necessary scope.
| Service | Jurisdiction | What is processed |
|---|---|---|
| Meta Platforms, Inc. | USA / Ireland | Instagram Graph API, Meta Marketing API — content publishing, reading statistics, managing ads. |
| Third-party public market data analytics processor | EU (GDPR-compliant) | Analysis of public market trends and content formats on social media. |
| OpenRouter, Inc. | USA | Gateway to language models (Google Gemini, OpenAI, DeepSeek) — analyzing post text and generating content plans. |
| OpenAI, L.L.C. | USA | Image and video analysis (Vision), audio transcription (Whisper). |
| Hetzner Online GmbH | Germany (EU) | Server and database hosting. Data is stored in EU data centers. |
| Google Ireland Limited | Ireland (EU) | Corporate email (Google Workspace) on the scoutloop.io domain. |
| Porkbun, LLC | USA | Registrar of the scoutloop.io domain name. |
We have entered into Data Processing Agreements with all processors or rely on their standard privacy terms. Data transfers to the USA are governed by EU Standard Contractual Clauses and the principles of the EU-US Data Privacy Framework where applicable.
6. International data transfers
In accordance with Article 16 of the Law of the Republic of Kazakhstan on Personal Data and Their Protection No. 94-V, cross-border transfers of personal data are carried out to states that ensure an adequate level of protection or with your consent. By connecting ScoutLoop to Instagram, you give your consent to the transfer of data to the partners listed in Section 5.
7. Security
We apply technical and organizational protective measures:
- Encryption in transit (TLS 1.2 / 1.3).
- Encryption of sensitive data at rest in the database.
- Storage of Meta tokens in a secured key vault, separately from the application database.
- Two-factor authentication for all administrative accounts.
- Regular backups and recovery procedure testing.
- Employee access restricted by the principle of least privilege.
- Logging of user and administrator actions.
In the event of a security incident affecting your rights, we will notify you and the competent authority no later than 72 hours after discovery, in accordance with applicable law.
8. Retention periods
| Data category | Retention period |
|---|---|
| ScoutLoop account data, Meta tokens, content plans, analytics. | Term of the contract + 12 months after last use. |
| Security logs, IP addresses. | Up to 12 months. |
| Accounting and tax documents. | 5 years (RoK tax-law requirement). |
| Marketing contacts (people who submitted a request but did not become clients). | Up to 24 months or until consent is withdrawn. |
After the retention period, data is deleted or anonymized. If you request earlier deletion (see Section 10), we delete the data within 30 days, except for information we are required to retain by law.
9. Your rights
Under applicable law (GDPR, CCPA, RoK Law on Personal Data), you have the right to:
- Confirmation of whether your data is being processed, and a copy of the data.
- Correction of inaccurate data.
- Deletion of data (the right to be forgotten) — see Section 10.
- Restriction of processing.
- Objection to processing based on legitimate interests or marketing purposes.
- Receipt of data in a machine-readable format (right to portability).
- Withdrawal of previously given consent.
- Lodging a complaint with a supervisory authority: in Kazakhstan — the Ministry of Digital Development, Innovation and Aerospace Industry of the RoK; in the EU — the corresponding national data-protection authority.
To exercise any of these rights, email aan@scoutloop.io. We respond within 30 days.
10. Data deletion
You can request deletion of your data in one of the following ways:
- Via Instagram / Facebook settings: go to Settings → Apps and Websites, find "ScoutLoop" and revoke access. Meta will automatically notify us through the Data Deletion Callback, and we will initiate deletion within 30 days.
- By email: write to support@scoutloop.io with the subject "Data deletion" and include your Instagram account. We will confirm the request and delete the data within 30 days.
- Detailed instructions: scoutloop.io/en/data-deletion.
Technical endpoint for the Meta Data Deletion Callback:
https://scoutloop.io/api/meta/data-deletion.
11. Cookies and similar technologies
The scoutloop.io landing site does not use advertising cookies and does not transmit data to third-party analytics services without your consent. The ScoutLoop application uses only strictly necessary cookies for session authentication and interface operation. More: Cookie Policy.
12. Age of users
ScoutLoop is intended for use by business owners and employees aged 18 and over. We do not knowingly collect data from minors. If you believe your child has provided us with data, please write to aan@scoutloop.io and we will delete it.
13. Changes to this Policy
We may update this Policy. Material changes take effect no earlier than 14 days after the updated version is published on this page. Active clients receive notice by email. The date of the latest update is shown at the top of the document.
14. Contacts
For any questions related to personal-data protection, please contact:
- Email: aan@scoutloop.io
- Legal entity: AlCom Engineering Group LLP
- Address: Asemtau str., bld. 7, Nur Alatau microdistrict, Bostandyk district, Almaty, Republic of Kazakhstan