01 — OVERVIEW

Overview & Key Commitments

MRG ("we," "us," or "our") operates the MRG mobile application and website at themrg.app (collectively, the "Service"). This Privacy Policy describes how we collect, use, store, and protect information about you when you use our Service.

By using MRG, you agree to the collection and use of information as described in this policy. If you do not agree, please do not use the Service.

OUR CORE COMMITMENTS
  • We do not sell, rent, or trade your personal information to anyone, ever.
  • We do not use your data for advertising or ad targeting.
  • Your Instagram content is used only to generate your personal Tracks — never analyzed for any other purpose.
  • Instagram media (posts, images, captions) is processed and then discarded. We keep only the AI-generated insights and action plans, not the raw Instagram content.
  • You can delete your account and all associated data at any time.
  • We are not affiliated with, endorsed by, or a partner of Meta Platforms, Inc. or Instagram.

Effective Date: June 24, 2026
Last Updated: June 24, 2026
Governing Law: United States

02 — WHAT WE COLLECT

Information We Collect

We collect only the information necessary to provide the Service. Here is a full breakdown:

DATA TYPE WHAT IT IS WHY WE COLLECT IT
Instagram User ID A numeric identifier assigned by Instagram to your account Used as your unique MRG account identifier
Instagram Username Your @handle on Instagram Displayed in the app to confirm the correct account is connected
Instagram Access Token An encrypted credential issued by Meta that allows MRG to read your saved posts on your behalf Required to fetch your saved content when you initiate a sync
Saved Post Content Captions, transcriptions, and metadata from your Instagram saved posts — imported when you tap "Sync" Processed by AI to extract insights and generate your Track action plans. Raw content is discarded after processing.
Track Data The AI-generated insights, action items, and schedules MRG creates for you Stored in your account so you can access your Tracks across sessions
Device Information iOS version, device model, app version, crash logs Used to diagnose bugs and improve app stability
Usage Data Which features you use, session length, tap events (anonymized) Used to understand how people use MRG so we can improve it
Support Communications Messages you send us via support channels Used to respond to your requests and improve the Service

What we do NOT collect: We do not collect your Instagram password. We do not access your Instagram DMs, Stories, followers/following lists, or any content you have not explicitly saved. We do not collect your precise GPS location. We do not access your contacts, microphone (unless you use a voice feature), or camera (unless you use an import feature).

03 — INSTAGRAM DATA

Instagram Data — Special Section

Because Instagram integration is central to how MRG works, we want to be completely transparent about exactly how your Instagram data is handled.

WHAT WE DO WITH YOUR INSTAGRAM DATA

When you connect your Instagram account to MRG, we receive access to your saved posts. Here is the precise lifecycle of that data:

  • Fetch: When you tap "Sync," MRG fetches the captions and media metadata from your Instagram saved posts using the official Instagram API.
  • Process: The fetched content is sent to our AI system, which extracts topics, key insights, and generates action steps. This processing happens on our secure servers.
  • Discard: After processing is complete, the raw Instagram content (captions, media URLs, post IDs) is deleted from our servers. We do not store your Instagram media, images, or videos.
  • Keep: We retain only the AI-generated output — the insights, action plans, and habit schedules that make up your Tracks. This is your MRG data, not Instagram's data.

Access Token Storage

Your Instagram access token is stored encrypted in our database. It is used only to fetch your saved posts when you initiate a sync. We never use your token to perform any action on your behalf other than reading saved posts. The token expires after 60 days and must be refreshed — you will be prompted to reconnect if it expires.

No Posting, No Following, No Reading DMs

MRG requests only the minimum permissions needed to read your saved content. We cannot and do not post to your Instagram, follow or unfollow accounts, read your messages, or access your Stories.

WE DO NOT SELL INSTAGRAM DATA

Your Instagram data — including your username, saved post content, access token, and any metadata from your account — is never sold, licensed, rented, bartered, or transferred to any third party for any commercial purpose. It is used solely to provide MRG's features to you, the authenticated user.

Disconnecting Instagram

You can disconnect your Instagram account from MRG at any time via Settings → Instagram → Disconnect. When you disconnect:

  • Your Instagram access token is immediately deleted from our servers and revoked.
  • Any unprocessed raw Instagram content is deleted.
  • Your Tracks (the AI-generated output) remain in your account unless you also choose to delete them, because that content is yours — it is MRG data, not Instagram data.

MRG's use of data retrieved from Instagram APIs complies with Instagram's Platform Policy. MRG is not affiliated with, sponsored by, or endorsed by Instagram or Meta Platforms, Inc.

04 — HOW WE USE IT

How We Use Your Information

We use the information we collect for the following purposes only:

  • To provide the Service: Authenticate your account, generate Tracks from your synced content, deliver habit schedules and reminders, and sync your data across sessions.
  • To improve the Service: Analyze anonymized, aggregated usage patterns to identify bugs, improve features, and prioritize development. This analysis is never tied to your identity.
  • To communicate with you: Send transactional emails (account confirmations, password resets), respond to support requests, and — only if you opt in — send product update emails.
  • To protect the Service: Detect, investigate, and prevent fraudulent transactions, unauthorized access, and other illegal activities.
  • To comply with law: Respond to lawful requests from public authorities, including to meet national security or law enforcement requirements.

We do not use your data for behavioral advertising, profiling for third parties, or any purpose beyond what is listed above.

05 — SHARING

Information Sharing & Disclosure

We do not sell or rent your personal information. We share your information only in the following limited circumstances:

RECIPIENT WHAT IS SHARED WHY
AI Processing Provider (OpenAI / Anthropic) Text content extracted from your saved posts To generate insights and action plans. These providers process data under strict confidentiality agreements and do not use your content to train their models.
Cloud Infrastructure (Railway) Encrypted account data and Track data To host and serve the MRG backend. Data is encrypted at rest and in transit.
Analytics (Crash reporting) Anonymized crash logs and device information To identify and fix bugs. No personal information is included.
Law Enforcement / Legal Process Only what is legally required When compelled by a valid court order, subpoena, or applicable law. We will notify you when permitted by law.
Business Transfer All data in the event of a merger or acquisition If MRG is acquired, your data would transfer to the successor company under the same privacy terms. You will be notified before any transfer occurs.

All third-party service providers are bound by contractual obligations to protect your data and use it only for the specified purpose.

06 — STORAGE

Data Storage & Security

We take the security of your data seriously and employ industry-standard safeguards:

  • Encryption in transit: All data transmitted between the app, our servers, and third-party services is encrypted using TLS 1.2 or higher (HTTPS).
  • Encryption at rest: Sensitive data, including your Instagram access token and account credentials, is encrypted at rest in our database using AES-256 encryption.
  • Access control: Access to production data is strictly limited to authorized personnel and requires multi-factor authentication.
  • Token storage on device: Your MRG authentication token is stored in the iOS Keychain, the most secure storage available on the device, not in UserDefaults or plain storage.
  • No passwords stored: MRG uses Instagram OAuth for authentication. We never see or store your Instagram password.

No method of transmission over the internet or method of electronic storage is 100% secure. While we use commercially reasonable means to protect your information, we cannot guarantee absolute security. In the event of a data breach that affects your personal information, we will notify you as required by applicable law.

07 — RETENTION

Data Retention

We retain your data only as long as necessary to provide the Service or as required by law.

DATA RETENTION PERIOD
Raw Instagram post content (captions, media) Deleted immediately after AI processing is complete — within minutes of a sync.
Instagram access token Retained until you disconnect your Instagram account or delete your MRG account. Expires after 60 days and must be refreshed.
Instagram username & user ID Retained while your account is active. Deleted when you delete your MRG account.
Track data (insights, action plans, schedules) Retained while your account is active. Deleted immediately upon account deletion request.
Usage analytics (anonymized) Retained for up to 24 months in aggregated, anonymized form.
Support communications Retained for 3 years for customer service and legal purposes.
Backups Deleted from backup systems within 30 days of account deletion.
08 — YOUR RIGHTS

Your Rights & Choices

You have the following rights regarding your personal information. To exercise any of these rights, contact us at dmvjams.abadeu@gmail.com or use the in-app Settings.

  • Right to Access: You can request a copy of all personal information we hold about you. We will provide it within 30 days.
  • Right to Correction: You can update your account information at any time via Settings.
  • Right to Deletion: You can delete your entire MRG account and all associated data from Settings → Account → Delete Account. We will permanently delete your data within 30 days.
  • Right to Disconnect: You can disconnect Instagram from MRG at any time without deleting your account. Your Tracks will remain; only Instagram-linked credentials are removed.
  • Right to Data Portability: You can export your Track data (insights and action plans) as a JSON or CSV file from Settings → Export.
  • Right to Opt Out of Marketing: We only send marketing emails if you have explicitly opted in. You can unsubscribe at any time via the unsubscribe link in any marketing email.
  • California Residents (CCPA): You have the right to know what personal information we collect, the right to delete it, and the right to opt out of the "sale" of personal information. MRG does not sell personal information. To exercise your CCPA rights, contact us using the information below.
  • European Residents (GDPR): If you are located in the European Economic Area, you have additional rights including the right to restrict processing and the right to lodge a complaint with your local supervisory authority. Our lawful basis for processing is legitimate interests and, for Instagram data, your explicit consent provided during the OAuth authorization flow.

We will respond to all verified requests within 30 days. In some cases, we may need additional time (up to 60 days) for complex requests, and we will notify you if this is the case.

09 — CHILDREN

Children's Privacy

MRG is not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at dmvjams.abadeu@gmail.com and we will delete that information promptly.

Users between the ages of 13 and 18 should obtain parental consent before using MRG. By using MRG, users represent that they are 13 years of age or older.

10 — COOKIES

Cookies & Tracking

Mobile App: The MRG iOS app does not use cookies. We use a JWT (JSON Web Token) stored in the iOS Keychain to maintain your session. This token is not used for tracking or advertising purposes.

Website (themrg.app): Our website uses minimal, functional cookies only.

COOKIE TYPE PURPOSE DURATION
Session Maintains your login state on the web dashboard Session (deleted when browser closes)
Preference Remembers your theme or language preferences 1 year

We do not use third-party advertising cookies, tracking pixels, or cross-site tracking technologies. You can control cookie settings through your browser preferences. Disabling cookies may affect certain website functionality.

11 — THIRD-PARTY

Third-Party Services

MRG integrates with the following third-party services. Each has its own privacy policy that governs how they handle data.

SERVICE PURPOSE DATA SHARED
Instagram (Meta) Authentication and saved post retrieval OAuth flow — we receive your username, user ID, and access token
OpenAI / AI Provider Generate insights and action plans from your saved content Text content of your synced posts. Not used for model training.
Railway Backend hosting and database Encrypted account and Track data
Apple (iOS) Calendar, Reminders, and Notification integrations Habit schedule data, only when you grant permission in iOS Settings

MRG is not responsible for the privacy practices of these third-party services. We encourage you to review their privacy policies.

12 — INTERNATIONAL

International Data Transfers

MRG is operated in the United States. If you are accessing MRG from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States, where our servers are located and our central database is operated.

If you are in the European Economic Area (EEA), United Kingdom, or Switzerland, the transfer of your data to the United States is governed by our use of standard contractual clauses approved by the European Commission, or other appropriate safeguards as permitted by applicable law.

By using MRG, you consent to the transfer of your information to the United States and other countries where we or our service providers operate.

13 — CHANGES

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes, we will:

  • Update the "Last Updated" date at the top of this policy.
  • Send an in-app notification for material changes that affect how we use your data.
  • For significant changes, provide at least 30 days' notice before the new policy takes effect.

Your continued use of MRG after we post changes constitutes your acceptance of the revised policy. If you do not agree to the changes, you should stop using MRG and may request deletion of your account.

14 — CONTACT

Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or your personal information, please contact us:

PRIVACY CONTACT

Email: dmvjams.abadeu@gmail.com
Subject Line: MRG Privacy Request
Response Time: Within 5 business days for general questions; within 30 days for formal data requests.
Website: themrg.app
Support: themrg.app/support