Privacy Policy — Social Media Widget

Last updated: December 17, 2024

Summary (30-second read)
Social Media Widget is a service that allows displaying an Instagram grid and profile information on a website. To do this, we use the Meta (Facebook/Instagram) API after the user has authorized our application. We store an access token and a technical cache to avoid overloading the API and to make the widget fast and stable. You can revoke access at any time from Facebook/Instagram.

1) Data Controller and Contact

The data controller is: DIGIT'ALL SERVICES (hereinafter "We").
Legal Information:
SASU with a capital of 100.00 €
SIREN: 983 212 382 | RCS Nantes
Address: 1 RUE MARION CAHOUR, 44800 SAINT-HERBLAIN, FRANCE
Director: Cottard Matiss

Privacy Contact: contact@matisscottard.com
Phone / SMS: +33 7 84 74 36 25
Site: widget-insta.matiss-cottard.com

2) Scope

This Policy applies to the Social Media Widget service ("the Service"), including:

The onboarding/connection (OAuth) mini-site allowing the connection of a professional Instagram account (Business/Creator) via Meta.
The technical endpoints of the Service (e.g., /connect, /callback, /widget).
The widget embedded on the client's site (JavaScript script) that retrieves data from our endpoints.

We are not affiliated, associated, authorized, endorsed by, or in any way officially connected with Meta Platforms, Inc.

3) Data We Collect

3.1 Data retrieved from Meta (upon authorization)

When you connect your account via Meta, we may access:

Instagram Profile Information: IG user ID, name, username, profile picture, bio, website, counters (followers, media count).
Posts: ID, media type (image/video), thumbnail URL, permalink, caption, date/time, and potentially counters (likes/comments) if available.
Linked Facebook Page Information (if necessary for the IG/FB link): page ID, page name.

3.2 Technical Data

Access Token (OAuth token): necessary to call the Meta API on behalf of the connected account.
Technical Identifiers: client slug (e.g., matiss), ig_user_id, page_id.
Response Cache: technical copy of displayed data (profile + latest posts) to speed up display and prevent outages.
Technical Logs (diagnostic): API errors, HTTP codes, execution information (no intention to collect private content).

3.3 What We Do NOT Collect

We do not request access to private messages (DMs).
We do not collect Facebook/Instagram passwords.
We do not sell your data and do not use it for targeted advertising.

4) Purposes of Processing

Service Provision: display an Instagram widget (posts grid + profile) on the client's site.
Performance and Stability: caching, API call reduction, prevention of temporary unavailability.
Security: abuse prevention, protection against spam and unauthorized usage.
Support: incident diagnosis (e.g., expired token) and reconnection assistance.

5) Legal Basis (GDPR, if applicable)

Depending on the case, our legal bases may include:

Contract Execution: the Service must access certain data to display the widget.
Legitimate Interest: ensuring the security, stability, and performance of the Service.
Consent: via the authorization granted in the Meta screen (OAuth) to connect the account.

6) Data Retention

Access Token: retained as long as the account remains connected and necessary for operation, or until revocation/deletion.
Feed Cache: retained to speed up display. Typically updated periodically, and deleted upon request or service termination.
Logs: limited duration (e.g., a few days/weeks) solely for diagnosis and security.

Note: Meta tokens may expire or be revoked. In this case, reconnection may be required to reactivate widget updates.

7) Sharing and Recipients

We share data only to the extent necessary:

Meta Platforms: data access is done via the Meta API, according to their terms.
Hosts/Infrastructure: we use hosting services (e.g., Cloudflare Workers/KV) to run the Service and store the cache.
No Data Brokers: we do not sell or rent your data.

8) International Transfers

Depending on the infrastructure used, certain technical data may be processed on servers located outside your country. We implement reasonable measures to protect data during these processes.

9) Security

We apply appropriate security measures, including:

Secret storage via secure mechanisms (server variables/secrets).
Minimization: requests only fields necessary for the widget.
Controlled Cache: limitation of endpoints and returned data.
Abuse Protection (e.g., CORS, limitation of certain actions, monitoring).

No system is invulnerable. In the event of a major incident, we will take reasonable measures to limit the impact.

10) Your Rights

Depending on your situation and applicable regulations, you may request:

Access, rectification, deletion.
Limitation or opposition (in certain cases).
Portability (if applicable).

Contact: contact@matisscottard.com
Phone / SMS: +33 7 84 74 36 25
To speed up processing, please indicate: your Facebook User ID (visible in Facebook), the IG account, and the slug (if known).

11) Access Revocation (Uninstallation)

You can revoke access at any time by removing the application in Facebook/Instagram settings. After revocation, the widget may continue to display an old cache temporarily, but it will no longer update until reconnection is performed.

12) Cookies / Trackers

The Service is not intended to place advertising cookies. Some pages may use strictly necessary technical mechanisms for operation (e.g., technical session for authentication). Client sites where the widget is integrated may have their own cookies.

13) Modifications

We may update this Policy. The "Last updated" date at the top of the page reflects the current version.