
How Inrō Handles Your Data & Privacy

How Inrō stores and secures your data, complies with GDPR and the EU AI Act, encrypts sensitive data, and deletes accounts with a 24-hour grace window.

When you use Inrō, you're trusting us with two kinds of data: your own account data, and your contacts' data (the Instagram users who interact with your automations). Here's how both are stored, secured, and deleted.

What data Inrō collects and stores

Your account data includes your name, email, billing information, and anything you create in Inrō: scenarios, campaigns, contact properties, and so on.

Contact data includes information about the Instagram users who interact with your automations: their username, name, profile picture, follower count, and anything you collect through scenarios (email addresses, phone numbers, custom properties, survey responses).

Every organization's data is fully isolated. One Instagram account maps to one organization, and no other customer can see your data.

How your data is secured

A few measures protect your account and your contacts' information:

  • Encryption in transit and at rest. Traffic between you and Inrō is encrypted over HTTPS. Sensitive tokens (your Instagram and Facebook connection, Stripe, Shopify, and your API token) are stored encrypted, and the database itself is encrypted at rest.

  • Modern authentication. Passwords are hashed with bcrypt, never stored as plain text. Your login session uses an encrypted, tamper-proof cookie, and changing your password signs out your other sessions.

  • Independently tested. Inrō's platform undergoes external security penetration testing. The most recent test, in November 2025, found zero critical and zero high-risk issues and rated overall risk as low.

  • Meta-approved vendor. Inrō meets Meta's platform requirements for data security and privacy.

How Inrō uses your data

Inrō uses your data to run the service: sending messages, running automations, tracking metrics, and syncing with your connected integrations (Shopify, Stripe, Calendly, and others).

Inrō does not sell your data or your contacts' data to anyone.

GDPR compliance

If you're in the EU or serve EU users, GDPR applies to the contact data you collect through Inrō. In practice:

  • You are the data controller. You decide what data to collect and why. Inrō processes it on your behalf as a data processor.

  • Opt-out support. Inrō has built-in opt-out detection. When a contact asks to stop, Inrō marks them as opted out and stops sending. You can see and manage opt-out status on the contact's profile.

  • Data deletion. If a contact asks to be deleted, you can delete their contact record in Inrō, which removes their data. Reach out to support for help with bulk deletions.

  • Data export. You can export your contacts and their data from the Contacts section. See Contact profiles & custom properties for the export format and limits.

Inrō also honors the mandatory data-deletion and data-request callbacks that Meta and Shopify require.

EU AI Act

Inrō's AI features (the AI Agent, AI-detected intents, AI conditions) are built to comply with the EU AI Act, and Inrō operates them as low-risk. The design keeps a human in control: the agent answers when it has the information to do so and a human hasn't already replied, and you decide when it's allowed to respond at all.

To write replies, the agent draws on what you give it: the knowledge and personality you set in its training, plus the history of your DM conversations so it can match your tone. It isn't trained on other customers' data.

Your account security

A few things keep your account safe:

  • Use a strong, unique password. You can update it at Accounts → My account. Inrō doesn't offer two-factor authentication yet, so a strong password matters.

  • Only add team members you trust. Admins have full access, including billing.

  • If your API token is ever exposed, regenerate it at Accounts → Integrations & API. The old token stops working the moment you do.

Data retention and deletion

If you delete your Inrō account, your data is removed from the system: contacts, scenarios, campaigns, conversation history, and uploaded files, including the files in cloud storage. The deletion is permanent; the data is not merely hidden.

Account deletion has a 24-hour grace window. When you request it, Inrō schedules the deletion 24 hours out and lets you cancel within that window. After 24 hours, the deletion runs and can't be undone.

🐾 Netsuke's Tips

  • If a contact asks you to delete their data or stop messaging them, handle it promptly. Deleting the contact record in Inrō removes their data with it.

  • The opt-out system handles most "stop" requests automatically. If someone replies "stop" or similar, Inrō detects it and stops sending without you doing anything.

  • For agencies and teams handling client data at scale, review which custom properties you collect and why. Less data stored means less to protect.

  • You'll find Inrō's Privacy Policy and Terms of Service linked at the bottom of the Accounts panel.
