This Privacy Policy explains how Ing. Jakub Havej, a sole trader (OSVČ)
registered in the Czech Republic, IČO 01491563, with registered place of
business at Lužice 115, 435 24 ("Maketio", "we", "us",
"our"), collects, uses, shares, and protects personal data in connection
with the Maketio service available at maketio.com and related subdomains (the
"Service").
We are committed to processing personal data in accordance with Regulation (EU) 2016/679 (the "GDPR") and Czech Act No. 110/2019 Coll., on the Processing of Personal Data.
If you have any questions about this Policy or your personal data, contact us at legal@maketio.com.
1. Who this Policy is for
Maketio lets creators and small businesses ("Merchants") run an online store and automatically respond to comments on their Instagram posts by sending the commenter a direct message with a product link. This Policy covers three groups of people:
- Merchants — people who create a Maketio account to sell products.
- Instagram users — people who comment on a Merchant's Instagram post and receive an automated direct message from the Merchant via Maketio ("Commenters").
- Buyers — people who purchase a product through a Merchant's Maketio storefront.
Where we act differently towards each group, we say so below.
2. Our role (controller / joint controller)
Depending on the data, we act either as a data controller (we alone decide why and how data is processed) or, for Buyer data, as a joint controller with the Merchant (we and the Merchant together determine the processing — see the Article 26 arrangement below):
| Data | Our role | Controller | | --------------------------------------------------------------------------------------- | ----------------------- | ---------------------------- | | Merchant account, usage and billing data | Controller | Maketio | | Instagram Commenter data (username, comment, media info, direct messages) | Controller | Maketio | | Buyer / checkout data on a Merchant's storefront (name, email, shipping, order history) | Joint controller | Maketio and the Merchant | | Payment and card data | Independent controllers | Stripe and the Merchant |
Joint controllership for Buyer data (Article 26 GDPR)
For personal data of Buyers who purchase through a Merchant's storefront, Maketio and the Merchant are joint controllers. So that you always know where to turn, the essence of our arrangement is:
- Maketio is responsible for the storefront and checkout technology, for providing this Privacy Policy to Buyers, for information security, for data retention and deletion, and for being the single point of contact for Buyers exercising their rights. Maketio handles data-subject requests and the Data Deletion process.
- The Merchant is the seller of record and is responsible for the sale, for any use of Buyer data for its own commercial or marketing purposes, and for ensuring it has a lawful basis for such use.
Regardless of this allocation, you may exercise your rights against either Maketio or the Merchant (Article 26(3) GDPR). Contact us at legal@maketio.com and we will handle your request or coordinate with the Merchant.
3. Data we collect
3.1 Merchant account data (we are controller)
- Identity and contact data: name, email address, Instagram username, profile picture, and (where you connect one) Google account identifiers.
- Store data: store name, handle, custom domain, product listings, prices, and images you upload.
- Billing data: subscription tier, invoices, and the Stripe account identifiers needed to bill you and to route your sales (we do not receive or store your full card number — see §5).
- Support and communications: messages you send us.
Sources: you, and the Instagram Login / Meta APIs you authorize.
3.2 Instagram data obtained via the Meta APIs (we are controller)
When a Merchant connects their Instagram professional account and enables comment automation, we obtain the following through the Instagram Platform, strictly to provide the Service. Each item maps to a permission the Merchant grants:
| Permission | Data obtained | Purpose |
| ------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------- |
| instagram_business_basic | Merchant's Instagram account ID, username, and the captions/metadata of their media | Identify the account and read the #maketio-{product} hashtag in a post caption to match a comment to a product |
| instagram_business_manage_comments | Comment events on the Merchant's posts: the Commenter's Instagram-scoped user ID and username, the comment text, and the associated media ID | Detect a comment that should trigger an automated reply |
| instagram_business_manage_messages | The ability to send and record direct messages to the Commenter | Deliver the product card and checkout link in a direct message |
For Commenters, we therefore process: Instagram username and scoped user ID, the text and timestamp of the comment, the media the comment relates to, the messages we send in response, and a record of the last interaction time (used to respect Instagram's 24-hour messaging window).
We do not use Instagram data for advertising, we do not sell it, and we do not use it to build profiles beyond what is necessary to send the requested product information.
3.3 Buyer / checkout data (joint controllership with the Merchant)
When a Buyer checks out on a Merchant's storefront, we process: name, email address, shipping/billing address, order contents, and order history. As explained in §2, Maketio and the Merchant are joint controllers of this data. Card details are entered directly into Stripe's hosted checkout and are not accessible to us.
3.4 Technical and usage data (we are controller)
- Device and connection data: IP address, browser type, and similar log data.
- Product usage: pages viewed and actions taken in the app.
- Essential cookies: session and security cookies required to keep you signed in (see §9).
4. Why we use data and our legal bases
| Purpose | Data | Legal basis (GDPR Art. 6) | | ------------------------------------------------------------------------ | ----------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Create and operate Merchant accounts; provide the Service | §3.1, §3.4 | Performance of a contract (Art. 6(1)(b)) | | Detect a comment and send the Commenter a product card by direct message | §3.2 | Legitimate interests (Art. 6(1)(f)) — the Commenter publicly expressed interest by commenting; the direct message is a proportionate response requested through that action | | Operate a Merchant's storefront and process orders | §3.3 | Performance of the sale contract with the Buyer (Art. 6(1)(b)); marketing use by the Merchant relies on consent or legitimate interests as applicable | | Bill subscriptions and route sales | §3.1 | Contract; and legal obligation for tax/accounting records | | Keep the Service secure, prevent abuse, debug errors | §3.4 | Legitimate interests (security and reliability) | | Comply with tax, accounting and other legal obligations | invoices, transaction records | Legal obligation (Art. 6(1)(c)) | | Send you service and, where permitted, product update emails | email | Contract; legitimate interests; consent where required |
Legitimate interests balancing (Commenter data): we only message a person who has actively commented on a post that the Merchant has enabled for automation, we send a single product response per product within a 24-hour window, we do not message people who have not interacted, and we delete Commenter data on the schedule in §7. A Commenter can ask us to stop and to delete their data at any time (see §8, §10).
5. Payments
- Storefront sales are processed through Stripe Connect. Each Merchant creates and connects their own Stripe account and is the merchant of record for their sales; they can access all related data in their own Stripe dashboard. Maketio applies a platform fee on each transaction but does not receive or store raw card data.
- Maketio subscription fees are processed through Maketio's own Stripe account.
- Stripe processes card and payment data as an independent controller under its own Privacy Policy. Stripe, Inc. and Stripe Payments Europe, Ltd. are the relevant entities.
6. Who we share data with (sub-processors and recipients)
We do not sell personal data. We share it only with the service providers below, each bound by a data processing agreement and appropriate safeguards, and where required by law.
| Recipient | Purpose | Location | | -------------------------------------- | ----------------------------------------------------------- | -------- | | Meta Platforms (Instagram) | Source of comment/message data; delivery of direct messages | EU / US | | Vercel Inc. | Application hosting and content delivery | US / EU | | Neon Inc. | Database hosting | US / EU | | Stripe | Payments and subscription billing | US / EU | | Resend | Transactional and store emails | US / EU | | Sentry (Functional Software, Inc.) | Error monitoring and diagnostics | US / EU |
We may also disclose data to professional advisers, or to authorities where legally required, and to a successor in the event of a business transfer.
If we later add analytics (e.g. PostHog), we will update this Policy and, where required, request your consent before enabling non-essential tracking.
7. How long we keep data
- Merchant account data — for as long as your account is active, and up to 30 days after account closure (plus time held in routine backups), except where longer retention is required.
- Instagram Commenter data (username, comment, media info, messages) — a rolling 90 days from the interaction, and deleted sooner on request or when the Merchant disconnects their Instagram account or closes their account.
- Buyer / order data — retained on the Merchant's instructions while they use the Service; deleted or returned on termination, subject to the Merchant's own legal retention duties.
- Invoices and accounting records — retained as required by Czech tax and accounting law (generally up to 10 years).
8. International transfers
Some recipients in §6 are located outside the European Economic Area, including in the United States. Where personal data is transferred outside the EEA, we rely on appropriate safeguards, principally the European Commission's Standard Contractual Clauses, together with the transfer frameworks operated by the respective providers. You may request a copy of the relevant safeguards at legal@maketio.com.
9. Cookies
The Service uses only essential cookies required to authenticate you and keep your session secure. We do not use advertising or cross-site tracking cookies. If we introduce analytics or other non-essential cookies in future, we will present a consent mechanism before setting them.
10. Your rights
Subject to the conditions in the GDPR, you have the right to:
- access your personal data and obtain a copy;
- rectify inaccurate or incomplete data;
- erase your data ("right to be forgotten");
- restrict or object to processing, including processing based on legitimate interests;
- data portability; and
- withdraw consent at any time, where processing is based on consent.
To exercise any right, email legal@maketio.com or follow our Data Deletion Instructions. For Buyer data, where Maketio and the Merchant are joint controllers (see §2), you may exercise your rights against either of us; Maketio acts as the single point of contact and will handle your request or coordinate with the Merchant.
You also have the right to lodge a complaint with the Czech supervisory authority, the Office for Personal Data Protection (Úřad pro ochranu osobních údajů, ÚOOÚ), uoou.gov.cz, or your local supervisory authority.
11. Deleting your data
You can request deletion of your Maketio data, and Instagram Commenters can request deletion of data we hold about them, at any time. See our Data Deletion Instructions for how, what is deleted, and the timeline.
12. Security
We use appropriate technical and organizational measures to protect personal data, including encryption in transit, access controls, and restricted access to production systems. No method of transmission or storage is completely secure; we cannot guarantee absolute security.
13. Children
The Service is intended for people aged 18 or over. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us data, contact us and we will delete it.
14. Changes to this Policy
We may update this Policy from time to time. We will post the updated version here with a new "Last updated" date and, for material changes affecting Merchants, notify you by email or in the app.
15. Contact
Ing. Jakub Havej — IČO 01491563 Lužice 115, 435 24, Czech Republic Email: legal@maketio.com