Privacy Policy — FleyRadar

Effective date: 27 April 2026

FleyRadar is a brand- and competitor-monitoring SaaS operated by FleyLab LLC at radar.fleylab.com. This policy explains what data the product handles and why.

1. Who we are

FleyLab LLC (“Fleylab”, “we”) is a software company registered in Baku, Azerbaijan. FleyRadar is a product we build and operate. Privacy questions: privacy@fleylab.com. Legal questions: legal@fleylab.com.

2. What this policy covers

This policy applies to radar.fleylab.com, the FleyRadar API at api.fleylab.com, the FleyRadar Telegram bot, and any FleyRadar email or browser notifications. It does not cover third-party platforms you connect (Instagram, Facebook, Telegram, Google, 2GIS, etc.) — those are governed by their own policies.

3. Data we collect

3.1 Account data

  • Email address and password hash (Supabase Auth)
  • Name and language preference if you provide them
  • Subscription and billing identifiers from Paddle (see §5)

3.2 Workspace configuration

  • Brand and competitor keywords you choose to monitor
  • Telegram channels, RSS feeds, and review sources you add
  • Connected social accounts (Instagram Business, Facebook Pages, Google Business Profile)
  • Notification settings (email recipients, Telegram chat IDs, Slack webhook URLs)
  • Bot scripts and automated reply rules you author

3.3 Monitored content

  • Public mentions retrieved from public Telegram channels, RSS, web crawl targets, Google Reviews, 2GIS reviews
  • Posts and comments fetched from connected Instagram Business accounts via the official Meta Graph API
  • Direct messages received by connected Instagram Business accounts (only with your explicit OAuth consent for the relevant scope)
  • AI-generated summaries, sentiment labels, and clusters derived from the items above

3.4 Operational telemetry

  • Sign-in events, session timestamps, IP address (kept up to 30 days for security audit)
  • Server-side request logs (request path, response code, latency)
  • Error traces (Sentry) — text payloads scrubbed of secrets

4. Instagram Business messaging and comments

If you connect an Instagram Business account, FleyRadar uses the official Meta Graph API with these scopes:

  • instagram_business_basic — read your account id and username so we can route data to your workspace.
  • instagram_business_manage_comments — read public comments under your posts and reply, hide, or delete them on your behalf when you instruct the product to do so (manually or via a bot script you authored).
  • instagram_business_manage_messages — receive direct messages sent to your Business account and send replies from FleyRadar's inbox.

We store the message text, comment text, sender id, sender username (if Meta exposes it), Instagram message id (mid) or comment id, timestamps, attachments metadata, and the bot script id or operator user id that produced any outbound reply. We do not use this content for advertising, do not share it with brokers, and do not feed full message text into general-purpose AI training datasets. Embeddings of your own bot scripts are computed via OpenAI for matching purposes (see §5); the customer messages themselves are not sent to OpenAI in MVP.

Inbound Instagram data is retained while your workspace is active and for up to 12 months after you delete the connection or close the workspace. You can request earlier deletion at privacy@fleylab.com. Disconnecting your Instagram account in FleyRadar settings, or revoking the integration in your Meta Business Settings, stops all further ingestion immediately.

5. Sub-processors and third parties

We share the minimum required to operate the product:

  • Supabase (Postgres, Auth, Storage; AWS eu-central-1, Frankfurt) — stores account, workspace, monitored content, Instagram messages and comments.
  • Cloudflare — DNS, CDN, Web Analytics (no cookies, no cross-site tracking).
  • Meta (Instagram, Facebook) — source of inbound data when you connect those accounts.
  • Telegram — inbound monitoring of public channels and our outbound notifications bot.
  • Google — Google Business Profile integration (reviews) when you connect it.
  • Anthropic, OpenAI, Google AI — LLM providers used to summarize mentions, classify sentiment, generate digests, and compute embeddings of your bot scripts. We send the items to be analyzed and receive the analysis back. These providers do not train on our API data per their commercial terms.
  • Resend — outbound transactional email.
  • Paddle — payment processing, invoicing, subscription state. Card data never reaches our servers.
  • Sentry — error reporting (scrubbed payloads).

We do not sell your data. We do not share it with advertising networks or data brokers.

6. Retention

  • Account data — for the life of the account.
  • Monitored mentions and AI summaries — by default 12 months from creation; configurable per workspace, lower on smaller plans.
  • Instagram messages and comments — 12 months from receipt or until you delete the connection (whichever is earlier).
  • Sign-in events and security logs — up to 30 days.
  • Backups — up to 30 days before being overwritten.

7. Your rights

  • Access and export — request a copy of your data via privacy@fleylab.com.
  • Correction — edit your profile and workspace settings inside the app, or write to us.
  • Deletion — delete a connection or close your workspace from settings; we remove associated data within 30 days, except where retention is required by law (e.g. invoicing records).
  • Object or restrict — write to us; we will explain the legal basis we rely on and stop where appropriate.
  • Complaint — you may complain to the data protection authority where you live.

8. Security

  • All traffic uses HTTPS / TLS 1.2+.
  • Postgres row-level security (RLS) isolates each workspace.
  • Secrets are encrypted at rest and never logged.
  • Access tokens for connected social accounts are stored encrypted; only the FleyRadar backend can use them.
  • We use 2FA on operator accounts and apply principle-of-least-privilege for engineering access.

No system is perfectly secure. If we ever detect a breach affecting your data, we will notify you within 72 hours of confirmation, in line with applicable law.

9. Children

FleyRadar is a B2B product. It is not intended for children under 16 and we do not knowingly collect children's data.

10. International transfers

We are based in Azerbaijan; our infrastructure (Supabase, Cloudflare, sub-processors) is mainly hosted in the European Union and the United States. Where data crosses borders, we rely on standard contractual clauses or equivalent mechanisms with our sub-processors.

11. Changes to this policy

We may update this policy. The current version is always at https://fleylab.com/privacy/radar, with the effective date at the top. Substantive changes will be announced inside the product before they take effect.

12. Contact

Privacy: privacy@fleylab.com
Legal: legal@fleylab.com
Support: support@fleylab.com
Mailing address: FleyLab LLC, Baku, Azerbaijan.