Privacy Policy

Last updated 28 May 2026

This Privacy Policy explains how AFP.MONSTER (“AFP.MONSTER”, “we”, “us” or “our”) collects, uses, shares and protects personal data when you use our website and our automated comment-management and messaging service for Facebook and Instagram (the “Service”).

The Service is operated by AFP.MONSTER LTD, a private limited company registered in England and Wales. We are the “controller” of your personal data for the purposes of the UK GDPR and the EU GDPR.

We are based in the United Kingdom and serve customers in the United Kingdom, the European Union and worldwide. Where we process the personal data of individuals in the UK, we do so under the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018. Where we process the personal data of individuals in the European Economic Area (“EEA”), we do so under the EU General Data Protection Regulation (“EU GDPR”).

1. Who this policy applies to

This policy applies to (a) visitors to our website, (b) registered users of the Service, and (c) individuals whose personal data we process on behalf of our users — for example, the public Facebook and Instagram users who comment on or message the pages our users manage.

2. Personal data we collect

We collect and process the following categories of personal data:

  • Account data — your name, email address and, where you sign in with Facebook, your Facebook user ID and the list of Facebook Pages and Instagram accounts you manage.
  • Connected page content — in order to provide the Service we process content from the pages you connect, including public comments and posts and, where you enable it, private messages and the names/IDs of the people who send them.
  • Subscription and payment data — your chosen plan, billing status and transaction records. Payments are processed by our payment provider (see section 6); we do not store full payment-instrument details on our servers.
  • Technical and usage data — IP address, device and browser type, operating system, and the dates, times and pages of your activity on the Service, collected through cookies and similar technologies.
  • Communications — the content of any support requests, feedback or correspondence you send us.

3. How we use your data and our lawful bases

Under the UK and EU GDPR we must have a lawful basis for each processing purpose. Our purposes and bases are:

  • To create and operate your account and provide the Service — lawful basis: performance of our contract with you.
  • To process the comments, messages and page content the Service is configured to act on — lawful basis: performance of our contract with you and our legitimate interests in delivering the features you have enabled.
  • To take payment and manage subscriptions — lawful basis: performance of our contract and compliance with our legal obligations (for example, tax and accounting records).
  • To secure, maintain, debug and improve the Service, including analytics — lawful basis: our legitimate interests in running and improving a reliable service, and your consent where required for non-essential cookies.
  • To send service-related and, where permitted, marketing communications — lawful basis: our legitimate interests or your consent, which you can withdraw at any time.
  • To comply with legal obligations and to establish, exercise or defend legal claims — lawful basis: legal obligation and legitimate interests.

Where we rely on legitimate interests, we have balanced those interests against your rights and freedoms. You can ask us for more information about this balancing exercise using the contact details below.

4. Facebook and Instagram permissions

When you connect your account, Meta asks you to grant the permissions the Service needs to function. The Service will not work correctly without them. We use these permissions only to provide the features you enable and in line with Meta's Platform Terms and Developer Policies:

  • pages_show_list — to access the list of Pages you manage.
  • pages_manage_engagement — to remove or hide a comment on a page post.
  • pages_read_user_content — to read post content so the Service can remove comments and privately reply to them.
  • pages_messaging — to privately reply to comments and messages.
  • pages_manage_metadata — to subscribe to the page webhook feed so we can receive comments in real time.

5. Cookies and similar technologies

We use strictly necessary cookies to keep you signed in and to operate the Service — without these you cannot log in. We also use non-essential analytics cookies, but only where you have given consent through our cookie banner. You can change or withdraw your cookie choices at any time via the cookie settings on our site.

6. Sharing your data and processors

We do not sell your personal data. We share it only with service providers who process data on our behalf under written contracts, and where required by law. Our key processors include:

  • Meta Platforms — the Facebook/Instagram Graph API, which is the source of the page content we act on.
  • Google Analytics — website and product analytics (only with your consent).
  • Cryptomus — our cryptocurrency payment provider, which handles payment processing.
  • Cloud hosting and storage providers — we host the Service and store data with reputable infrastructure providers in [HOSTING REGION], including object storage for any files you upload.

7. International data transfers

Some of our processors may store or process personal data outside the UK or the EEA. Where we transfer personal data to a country that is not covered by UK or EU ‘adequacy’ rules, we put appropriate safeguards in place — typically the UK International Data Transfer Agreement (IDTA) or Addendum, or the European Commission's Standard Contractual Clauses — so that your data continues to receive an equivalent level of protection. You can request a copy of the relevant safeguards using the contact details below.

8. How long we keep your data

We keep your personal data only for as long as necessary for the purposes set out above. In general:

  • We retain your account and connected-page data for as long as your subscription is active.
  • If your subscription ends and is not renewed, we may delete the associated data automatically after 60 days.
  • If you ask us to delete your data and stop using the Service, we will action your request within 30 days, subject to any data we must keep to meet legal, tax or accounting obligations.

9. Your rights

Under the UK and EU GDPR you have the following rights in respect of your personal data:

  • the right to be informed about how we use your data;
  • the right of access to a copy of your data;
  • the right to rectification of inaccurate or incomplete data;
  • the right to erasure (the ‘right to be forgotten’);
  • the right to restrict processing;
  • the right to data portability;
  • the right to object to processing based on our legitimate interests or to direct marketing;
  • rights relating to automated decision-making and profiling; and
  • the right to withdraw consent at any time, where we rely on consent.

To exercise any of these rights, contact us using the details in section 13. We will respond within one month. Exercising your rights is free of charge in most cases.

10. Complaints

If you are unhappy with how we have handled your personal data, please contact us first so we can try to resolve the matter. You also have the right to lodge a complaint with a data protection authority. In the UK, that is the Information Commissioner's Office (ICO), ico.org.uk. If you are in the EEA, you may complain to the supervisory authority in your country of residence.

11. Security

We use appropriate technical and organisational measures to protect your personal data, including encryption in transit, access controls and the principle of least privilege. However, no method of transmission or storage is completely secure, and we cannot guarantee absolute security.

12. Children

The Service is not directed at children. We do not knowingly collect personal data from children under the age of 13 (or under the minimum age of digital consent in your country, which may be up to 16 in some EU member states). If we learn that we have collected such data without appropriate consent, we will delete it. If you believe a child has provided us with personal data, please contact us.

13. Contact us and our representatives

If you have any questions about this Privacy Policy or wish to exercise your rights, contact us at [email protected].

For data protection matters, including any request to exercise your rights, please contact us using the details above.

14. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the ‘last updated’ date at the top of this page and, where appropriate, notify you. Please review this page periodically.