Overview & Key Commitments
MRG ("we," "us," or "our") operates the MRG mobile application and website at themrg.app (collectively, the "Service"). This Privacy Policy describes how we collect, use, store, and protect information about you when you use our Service.
By using MRG, you agree to the collection and use of information as described in this policy. If you do not agree, please do not use the Service.
- We do not sell, rent, or trade your personal information to anyone, ever.
- We do not use your data for advertising or ad targeting.
- Your Instagram content is used only to generate your personal Tracks — never analyzed for any other purpose.
- Instagram media (posts, images, captions) is processed and then discarded. We keep only the AI-generated insights and action plans, not the raw Instagram content.
- You can delete your account and all associated data at any time.
- We are not affiliated with, endorsed by, or a partner of Meta Platforms, Inc. or Instagram.
Effective Date: June 24, 2026
Last Updated: June 24, 2026
Governing Law: United States
Information We Collect
We collect only the information necessary to provide the Service. Here is a full breakdown:
| DATA TYPE | WHAT IT IS | WHY WE COLLECT IT |
|---|---|---|
| Instagram User ID | A numeric identifier assigned by Instagram to your account | Used as your unique MRG account identifier |
| Instagram Username | Your @handle on Instagram | Displayed in the app to confirm the correct account is connected |
| Instagram Access Token | An encrypted credential issued by Meta that allows MRG to read your saved posts on your behalf | Required to fetch your saved content when you initiate a sync |
| Saved Post Content | Captions, transcriptions, and metadata from your Instagram saved posts — imported when you tap "Sync" | Processed by AI to extract insights and generate your Track action plans. Raw content is discarded after processing. |
| Track Data | The AI-generated insights, action items, and schedules MRG creates for you | Stored in your account so you can access your Tracks across sessions |
| Device Information | iOS version, device model, app version, crash logs | Used to diagnose bugs and improve app stability |
| Usage Data | Which features you use, session length, tap events (anonymized) | Used to understand how people use MRG so we can improve it |
| Support Communications | Messages you send us via support channels | Used to respond to your requests and improve the Service |
What we do NOT collect: We do not collect your Instagram password. We do not access your Instagram DMs, Stories, followers/following lists, or any content you have not explicitly saved. We do not collect your precise GPS location. We do not access your contacts, microphone (unless you use a voice feature), or camera (unless you use an import feature).
Instagram Data — Special Section
Because Instagram integration is central to how MRG works, we want to be completely transparent about exactly how your Instagram data is handled.
When you connect your Instagram account to MRG, we receive access to your saved posts. Here is the precise lifecycle of that data:
- Fetch: When you tap "Sync," MRG fetches the captions and media metadata from your Instagram saved posts using the official Instagram API.
- Process: The fetched content is sent to our AI system, which extracts topics, key insights, and generates action steps. This processing happens on our secure servers.
- Discard: After processing is complete, the raw Instagram content (captions, media URLs, post IDs) is deleted from our servers. We do not store your Instagram media, images, or videos.
- Keep: We retain only the AI-generated output — the insights, action plans, and habit schedules that make up your Tracks. This is your MRG data, not Instagram's data.
Access Token Storage
Your Instagram access token is stored encrypted in our database. It is used only to fetch your saved posts when you initiate a sync. We never use your token to perform any action on your behalf other than reading saved posts. The token expires after 60 days and must be refreshed — you will be prompted to reconnect if it expires.
No Posting, No Following, No Reading DMs
MRG requests only the minimum permissions needed to read your saved content. We cannot and do not post to your Instagram, follow or unfollow accounts, read your messages, or access your Stories.
Your Instagram data — including your username, saved post content, access token, and any metadata from your account — is never sold, licensed, rented, bartered, or transferred to any third party for any commercial purpose. It is used solely to provide MRG's features to you, the authenticated user.
Disconnecting Instagram
You can disconnect your Instagram account from MRG at any time via Settings → Instagram → Disconnect. When you disconnect:
- Your Instagram access token is immediately deleted from our servers and revoked.
- Any unprocessed raw Instagram content is deleted.
- Your Tracks (the AI-generated output) remain in your account unless you also choose to delete them, because that content is yours — it is MRG data, not Instagram data.
MRG's use of data retrieved from Instagram APIs complies with Instagram's Platform Policy. MRG is not affiliated with, sponsored by, or endorsed by Instagram or Meta Platforms, Inc.
How We Use Your Information
We use the information we collect for the following purposes only:
- To provide the Service: Authenticate your account, generate Tracks from your synced content, deliver habit schedules and reminders, and sync your data across sessions.
- To improve the Service: Analyze anonymized, aggregated usage patterns to identify bugs, improve features, and prioritize development. This analysis is never tied to your identity.
- To communicate with you: Send transactional emails (account confirmations, password resets), respond to support requests, and — only if you opt in — send product update emails.
- To protect the Service: Detect, investigate, and prevent fraudulent transactions, unauthorized access, and other illegal activities.
- To comply with law: Respond to lawful requests from public authorities, including to meet national security or law enforcement requirements.
We do not use your data for behavioral advertising, profiling for third parties, or any purpose beyond what is listed above.
Data Storage & Security
We take the security of your data seriously and employ industry-standard safeguards:
- Encryption in transit: All data transmitted between the app, our servers, and third-party services is encrypted using TLS 1.2 or higher (HTTPS).
- Encryption at rest: Sensitive data, including your Instagram access token and account credentials, is encrypted at rest in our database using AES-256 encryption.
- Access control: Access to production data is strictly limited to authorized personnel and requires multi-factor authentication.
- Token storage on device: Your MRG authentication token is stored in the iOS Keychain, the most secure storage available on the device, not in UserDefaults or plain storage.
- No passwords stored: MRG uses Instagram OAuth for authentication. We never see or store your Instagram password.
No method of transmission over the internet or method of electronic storage is 100% secure. While we use commercially reasonable means to protect your information, we cannot guarantee absolute security. In the event of a data breach that affects your personal information, we will notify you as required by applicable law.
Data Retention
We retain your data only as long as necessary to provide the Service or as required by law.
| DATA | RETENTION PERIOD |
|---|---|
| Raw Instagram post content (captions, media) | Deleted immediately after AI processing is complete — within minutes of a sync. |
| Instagram access token | Retained until you disconnect your Instagram account or delete your MRG account. Expires after 60 days and must be refreshed. |
| Instagram username & user ID | Retained while your account is active. Deleted when you delete your MRG account. |
| Track data (insights, action plans, schedules) | Retained while your account is active. Deleted immediately upon account deletion request. |
| Usage analytics (anonymized) | Retained for up to 24 months in aggregated, anonymized form. |
| Support communications | Retained for 3 years for customer service and legal purposes. |
| Backups | Deleted from backup systems within 30 days of account deletion. |
Your Rights & Choices
You have the following rights regarding your personal information. To exercise any of these rights, contact us at dmvjams.abadeu@gmail.com or use the in-app Settings.
- Right to Access: You can request a copy of all personal information we hold about you. We will provide it within 30 days.
- Right to Correction: You can update your account information at any time via Settings.
- Right to Deletion: You can delete your entire MRG account and all associated data from Settings → Account → Delete Account. We will permanently delete your data within 30 days.
- Right to Disconnect: You can disconnect Instagram from MRG at any time without deleting your account. Your Tracks will remain; only Instagram-linked credentials are removed.
- Right to Data Portability: You can export your Track data (insights and action plans) as a JSON or CSV file from Settings → Export.
- Right to Opt Out of Marketing: We only send marketing emails if you have explicitly opted in. You can unsubscribe at any time via the unsubscribe link in any marketing email.
- California Residents (CCPA): You have the right to know what personal information we collect, the right to delete it, and the right to opt out of the "sale" of personal information. MRG does not sell personal information. To exercise your CCPA rights, contact us using the information below.
- European Residents (GDPR): If you are located in the European Economic Area, you have additional rights including the right to restrict processing and the right to lodge a complaint with your local supervisory authority. Our lawful basis for processing is legitimate interests and, for Instagram data, your explicit consent provided during the OAuth authorization flow.
We will respond to all verified requests within 30 days. In some cases, we may need additional time (up to 60 days) for complex requests, and we will notify you if this is the case.
Children's Privacy
MRG is not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at dmvjams.abadeu@gmail.com and we will delete that information promptly.
Users between the ages of 13 and 18 should obtain parental consent before using MRG. By using MRG, users represent that they are 13 years of age or older.
Third-Party Services
MRG integrates with the following third-party services. Each has its own privacy policy that governs how they handle data.
| SERVICE | PURPOSE | DATA SHARED |
|---|---|---|
| Instagram (Meta) | Authentication and saved post retrieval | OAuth flow — we receive your username, user ID, and access token |
| OpenAI / AI Provider | Generate insights and action plans from your saved content | Text content of your synced posts. Not used for model training. |
| Railway | Backend hosting and database | Encrypted account and Track data |
| Apple (iOS) | Calendar, Reminders, and Notification integrations | Habit schedule data, only when you grant permission in iOS Settings |
MRG is not responsible for the privacy practices of these third-party services. We encourage you to review their privacy policies.
International Data Transfers
MRG is operated in the United States. If you are accessing MRG from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States, where our servers are located and our central database is operated.
If you are in the European Economic Area (EEA), United Kingdom, or Switzerland, the transfer of your data to the United States is governed by our use of standard contractual clauses approved by the European Commission, or other appropriate safeguards as permitted by applicable law.
By using MRG, you consent to the transfer of your information to the United States and other countries where we or our service providers operate.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes, we will:
- Update the "Last Updated" date at the top of this policy.
- Send an in-app notification for material changes that affect how we use your data.
- For significant changes, provide at least 30 days' notice before the new policy takes effect.
Your continued use of MRG after we post changes constitutes your acceptance of the revised policy. If you do not agree to the changes, you should stop using MRG and may request deletion of your account.
Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or your personal information, please contact us:
Email: dmvjams.abadeu@gmail.com
Subject Line: MRG Privacy Request
Response Time: Within 5 business days for general questions; within 30 days for formal data requests.
Website: themrg.app
Support: themrg.app/support