Compliance

Compliance overview for agencies & brands

Inflowave is built for agencies managing client data. This page summarizes our approach to GDPR, CCPA, Meta's Platform Terms, and our Data Processing Agreement.

Inflowave CCPA Compliance

CCPA-aligned practices

We do not sell personal data and provide mechanisms for access, deletion, and opt-out consistent with CCPA/CPRA expectations.

Inflowave GDPR alignment

GDPR-focused design

Operated by AIAGS Ltd in the UK, Inflowave is designed to meet GDPR and UK GDPR requirements around lawful bases, rights, and data minimization.

Legal entity & roles

Inflowave is operated by AIAGS Ltd, registered in the United Kingdom. For most use cases:

  • Your organization (agency or business) is the data controller.
  • Inflowave acts as a data processor for Instagram, CRM, and messaging data you send to the platform.

These roles and responsibilities are described in our Data Processing Agreement (DPA).

GDPR

Our Privacy Policy and DPA are written to align with the requirements of GDPR/UK GDPR, including:

  • Defined purposes and lawful bases for processing
  • Clear description of categories of data processed
  • Retention schedules per data category
  • Mechanisms to exercise access, deletion, and portability rights
  • Commitments around sub-processors and international transfers

CCPA & similar laws

We treat the Californian CCPA/CPRA and similar state laws as an important baseline:

  • We do not sell personal data.
  • We provide a Do Not Sell/Share page and mechanisms to exercise relevant rights.
  • Our Privacy Policy includes a dedicated section on US state privacy rights and categories of data processed.

Meta / Instagram Graph API usage

Inflowave uses the official Instagram Graph API and related Meta APIs. We adhere to Meta's Platform Terms and Data Protection requirements:

  • Authentication via Meta OAuth, never by password scraping.
  • Use of only the permissions you explicitly grant.
  • Respect for documented rate limits and usage guidelines.
  • Support for revoking access at any time from Meta account settings.

Data Processing Agreement

For agencies working with client data, a DPA is often required as part of vendor due diligence. Inflowave provides a standardized Data Processing Agreement that covers:

  • Roles (controller vs processor)
  • Sub-processor list and responsibilities
  • Security measures and technical controls
  • Breach notification timelines and communication
  • Data subject request handling
  • International transfer mechanisms

If you need a countersigned copy or custom terms, contact us at support@inflowave.io.

Where to go next

For a full compliance review, we recommend reviewing the following pages: