Abanro
How we collect, use, share, and protect personal information across the Abanro platform.
app.abanro.com to operate Instagram-driven storefronts{shop}.abanro.com)resellers.abanro.com to refer merchantsabanro.com and its public marketing pagesThis document is governed by GDPR (EU/EEA/UK), CCPA/CPRA (California), and the Meta Platform Terms applicable to all Instagram-integrated services.
Welcome to Abanro. This Privacy Policy explains how Abanro (“Abanro,” “we,” “us,” or “our”) collects, uses, shares, retains, and protects personal information in connection with the Abanro platform — a service that turns Instagram Direct Messages (DMs) into a checkout experience for small and medium businesses.
The Abanro platform consists of three distinct applications that share a common backend infrastructure:
This Privacy Policy applies to all three applications, our marketing website at abanro.com, and any associated APIs, services, or features (collectively, the “Services”). By accessing or using the Services, you acknowledge that you have read and understood this Privacy Policy.
Abanro typically acts as a Data Controller for information collected from Merchants, Resellers, and visitors to abanro.com. With respect to End Customer information processed through a Merchant’s storefront or Instagram DM checkout, Abanro acts as a Data Processor (or Service Provider, under CCPA) on behalf of the Merchant, who is the Data Controller for that customer relationship. Section 2 explains these roles in more detail.
To make this Policy easier to read, the following terms have specific meanings throughout this document:
| Term | Meaning |
|---|---|
| Merchant | A business or individual that operates a shop on Abanro and uses our Services to sell products through Instagram DMs and/or a public storefront subdomain. |
| End Customer | An individual who interacts with a Merchant’s storefront — either by sending an Instagram DM to a Merchant’s connected Instagram account, or by visiting a Merchant’s public storefront at {shop}.abanro.com — and who may place an order. |
| Reseller | An individual or business that signs up at resellers.abanro.com to refer Merchants to Abanro in exchange for a commission. |
| Personal Information / Personal Data | Information that identifies, relates to, describes, or could reasonably be linked, directly or indirectly, with a particular individual or household. This term has the meaning given by GDPR and CCPA/CPRA where applicable. |
| Data Controller | The entity that determines the purposes and means of processing Personal Data. |
| Data Processor / Service Provider | An entity that processes Personal Data on behalf of a Data Controller. |
| Meta Platform Data | Information obtained through Meta Platforms, Inc.’s APIs (including the Instagram Graph API and Messenger Platform), subject to the Meta Platform Terms. |
| Services | The Abanro platform, including all three applications, the marketing site, and supporting APIs and infrastructure. |
Different categories of users have different relationships with us under data-protection law:
| Data Subject | Abanro’s Role | Other Party |
|---|---|---|
| Merchant | Data Controller | — |
| Reseller | Data Controller | — |
| abanro.com visitor | Data Controller | — |
| End Customer (DM or web) | Data Processor / Service Provider | Merchant is the Controller |
This means that if you are an End Customer and you have questions about how a specific Merchant uses your information beyond what is described in this Policy, you should also consult that Merchant’s own privacy notice. Abanro processes End Customer data strictly to provide the Services to the Merchant.
We collect different categories of Personal Information depending on whether you are a Merchant, End Customer, Reseller, or general visitor. This section sets out, for each category of user, exactly what we collect and from what source.
When you sign up for and use the Merchant Application, we collect:
When an End Customer interacts with a Merchant’s storefront — either through Instagram DMs or through a public storefront page — we process the following on behalf of the Merchant:
ig_user_id), current Instagram username, and current profile picture URL. These are obtained from Meta when a customer messages the Merchant’s Instagram account.web_session_id) used to maintain a shopping cart before checkout.When you sign up for or use the Reseller Portal, we collect:
When you use the Services, we automatically collect certain technical information, regardless of your user category:
We receive information about you from third parties in the following circumstances:
We use Personal Information only for the purposes described below. We do not sell Personal Information, and we do not use Personal Information for advertising or for any purpose unrelated to operating the Services.
If you are in the European Economic Area (EEA), the United Kingdom, or Switzerland, we rely on the following legal bases under the General Data Protection Regulation (GDPR) and equivalent UK and Swiss law:
| Legal Basis | When We Rely On It | Examples |
|---|---|---|
| Contract (Art. 6(1)(b)) | Processing is necessary to perform a contract with you or to take pre-contractual steps at your request. | Creating a Merchant or Reseller account, fulfilling an End Customer order, charging a subscription. |
| Legitimate Interests (Art. 6(1)(f)) | Processing is necessary for our legitimate interests, provided these are not overridden by your rights. | Fraud prevention, system security, internal analytics, abandoned-cart reminders to existing customers. |
| Legal Obligation (Art. 6(1)(c)) | Processing is required to comply with a legal obligation. | Tax record-keeping, responding to lawful government requests, financial audit obligations. |
| Consent (Art. 6(1)(a)) | You have given clear consent for a specific purpose. | Optional cookies and analytics, optional marketing communications, where applicable. |
Where we rely on legitimate interests, you have the right to object — see Section 12. Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.
Because Abanro is fundamentally a DM-first commerce platform, our use of data obtained from Meta Platforms is central to the Services. This section is provided to comply with the Meta Platform Terms and to give you full transparency.
When a Merchant connects an Instagram Business or Creator account to Abanro, and when an End Customer messages that account, we receive from Meta:
X-Hub-Signature-256 header before any processing.We use Meta Platform Data strictly to operate the Services on behalf of the Merchant. We do not:
A Merchant may disconnect their Instagram account at any time from the Merchant dashboard. Upon disconnection, we stop receiving new Meta Platform Data and we delete or anonymize stored Instagram tokens. Existing orders retain their immutable customer snapshots in accordance with Section 10, but live profile fields (such as ig_profile_picture_url) cease to be updated.
Abanro supports three customer payment methods and one subscription payment system. Different payment methods involve different third-party processors and different data flows.
| Method | Who Handles Card / Bank Data | What Abanro Stores |
|---|---|---|
| Cash on Delivery (COD) | Cash is handled offline between customer and Merchant. | Only the fact that COD was selected and the order’s payment status. |
| Bank Transfer | Customer transfers funds directly to the Merchant’s bank. | The customer-uploaded receipt image (stored in Azure Blob Storage) and Merchant approval state. Abanro never receives the bank account number from the customer’s side. |
| Stripe Connect (online card) | Stripe, Inc. handles all card data as the payment processor. | Stripe payment-intent identifiers, amounts, currency, and payment status. We never store full card numbers or CVV. |
Merchant subscriptions to the Abanro platform are billed exclusively through Stripe in subscription mode. Stripe handles all card data; Abanro receives only the customer identifier, subscription identifier, invoice events, and amounts. Customer order payments and Merchant subscription payments are processed through separate webhook endpoints, separate signing secrets, and separate database tables — they are never commingled.
Reseller payouts are processed manually by the Abanro operations team. When you request a payout, you provide your bank account details (IBAN or equivalent, account holder name, bank name, currency). These details are stored to enable the manual transfer and are accessible only to authorized Abanro personnel.
Stripe is an independent Data Controller for the payment data it processes. Stripe’s privacy practices are governed by Stripe’s own privacy policy at https://stripe.com/privacy. We recommend you review it if you make a payment or sign up for a paid Abanro plan.
We share Personal Information only as described in this Section. We do not sell Personal Information, and we do not share it for cross-context behavioral advertising.
End Customer information collected through a Merchant’s storefront or DM checkout is shared with that Merchant. The Merchant uses this information to fulfill orders, communicate with customers, and operate their business. Each Merchant only sees information for their own shop — shop isolation is enforced on every database query and is one of our non-negotiable security rules.
We engage trusted third parties to provide infrastructure and operational services. Each sub-processor processes Personal Information on our behalf, under written agreements, and only for the purposes we specify:
| Sub-Processor | Purpose | Data Categories |
|---|---|---|
| Microsoft Azure | Hosting, database (PostgreSQL Flexible Server), Redis cache, Blob Storage, CDN, DNS. | All Personal Data categories — stored and processed within our Azure environment. |
| Stripe, Inc. | Customer-facing card payments (Stripe Connect) and Merchant subscription billing. | Payment metadata, card tokens, customer/subscription identifiers, invoice events. |
| Meta Platforms, Inc. | Instagram and Messenger APIs. | Instagram user IDs, usernames, profile pictures, message events, page tokens. |
| Google LLC | Reseller OAuth sign-in. | Google profile identifiers for Resellers who choose Google sign-in. |
| WhatsApp / SMS provider(s) | Sending one-time passcodes for phone authentication. | Phone number and OTP code (short-lived). |
| Email delivery provider(s) | Sending transactional emails (order notifications, payout notifications, support messages). | Email address, name, and message content. |
Resellers see only aggregated and limited information about the Merchants they have referred — for example, store name, plan, subscription state, and approximate earnings. Resellers do not see Merchant order details, customer information, or Instagram tokens.
We may disclose Personal Information if we believe in good faith that disclosure is necessary to:
If Abanro is involved in a merger, acquisition, reorganization, financing, or sale of assets, Personal Information may be transferred to the acquiring or successor entity, subject to the protections described in this Policy.
Abanro’s infrastructure is hosted on Microsoft Azure, and Personal Information may be processed in countries other than the country in which you reside. These countries may have data-protection laws that differ from those in your jurisdiction.
When we transfer Personal Information out of the EEA, the United Kingdom, or Switzerland, we rely on appropriate safeguards under GDPR, which may include:
You may request a copy of the relevant safeguards used for transfers of your Personal Information by contacting us using the details in Section 19.
We retain Personal Information only for as long as necessary to provide the Services, comply with our legal obligations, resolve disputes, and enforce our agreements. Specific retention periods vary by data category:
| Data Category | Retention Approach |
|---|---|
| Merchant account and shop data | Retained for the duration of the active subscription, plus a reasonable period after closure for financial, tax, and dispute-resolution purposes. |
End Customer profile (customers table) | Retained for as long as the Merchant remains active on Abanro. End Customers may request deletion via the Merchant or by contacting Abanro (see Section 19). |
| Order records and order item snapshots | Retained for the period required by applicable tax, accounting, and consumer-protection law. Order-level customer snapshots (name, phone, email captured at checkout) are immutable for the integrity of financial records. |
| Payment records | Retained as long as required by financial regulations and reconciliation needs; Stripe also retains its own records under its policy. |
| DM conversation content and flow events | Retained for as long as needed to operate the trigger-and-flow system and provide order history context. Older conversations may be summarized or pruned. |
| Reseller account and payout records | Retained for as long as the Reseller account is active and as required for tax and commission record-keeping after closure. |
| Webhook event logs and audit logs | Retained for security, debugging, and compliance purposes for a limited period (typically several months). |
| Instagram access tokens | Retained in encrypted form for as long as the Merchant maintains the Instagram connection. Deleted or anonymized upon disconnection. |
| Carts (active, abandoned, expired) | Active carts expire 24 hours after the last activity. Carts idle for more than one hour may be marked abandoned for re-engagement; older carts are expired. |
| Marketing and support communications | Retained for a reasonable period after the last interaction, unless deletion is requested. |
When Personal Information is no longer needed, we delete it or anonymize it. Some information may persist in encrypted backups for a limited period before being overwritten in the normal course of backup rotation.
We take security seriously and have implemented technical and organizational measures designed to protect Personal Information against unauthorized access, alteration, disclosure, or destruction. Specific measures include:
X-Hub-Signature-256 before processing, and deduplicated using Redis-based keys to prevent replay or duplicate orders.No system can be guaranteed to be 100% secure. While we work hard to protect your information, we cannot warrant the absolute security of any data transmitted to us, and you acknowledge this risk when using the Services.
If you are in the EEA, the United Kingdom, or Switzerland, you have the following rights with respect to your Personal Information:
To exercise any of these rights, please contact us using the details in Section 19. We will respond within one (1) month of receiving your request, unless the request is complex, in which case we may extend the period by an additional two (2) months and inform you of the extension.
If you are an End Customer and your request relates to a Merchant’s processing of your information, we will either forward your request to that Merchant (as the Data Controller) or assist the Merchant in responding.
If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA). This section is intended to comply with those laws.
In the preceding twelve months, we have collected the following categories of Personal Information, as defined under CCPA:
| CCPA Category | Collected by Abanro? |
|---|---|
| Identifiers (name, email, phone, IP address, Instagram user ID, account IDs) | Yes |
| Customer records (as defined in Cal. Civ. Code § 1798.80(e)) | Yes — name, contact details, payment-related metadata |
| Commercial information (orders, transactions, purchase history) | Yes |
| Internet/electronic network activity (logs, session data, cookies) | Yes |
| Geolocation data (approximate, from IP) | Yes — approximate only |
| Inferences drawn from other information | Limited — only operational inferences (e.g., abandoned-cart status, activation funnel stage) |
| Sensitive Personal Information (precise geolocation, government IDs, financial account login credentials, biometric data, health data, racial/ethnic origin, religious beliefs, contents of mail/email/text messages not addressed to us, sexual orientation) | We do not knowingly collect sensitive Personal Information in these categories. |
Note: Customer-to-Merchant DM messages routed through the Messenger Platform are processed by Abanro on behalf of the Merchant to operate the Services; they are not analyzed by Abanro to derive sensitive inferences.
The sources from which we collect this information, the business and commercial purposes for which it is used, and the categories of third parties to whom it may be disclosed for a business purpose, are described in Sections 3, 4, and 8 of this Policy respectively.
We do not sell Personal Information for monetary or other valuable consideration, and we do not share Personal Information for cross-context behavioral advertising, as those terms are defined under CCPA/CPRA.
To submit a request, contact us using the details in Section 19. We will verify your identity before responding to a right-to-know or right-to-delete request, typically by matching information you provide with information we already hold. Authorized agents may submit requests on your behalf, subject to verification of their authority.
We will respond within forty-five (45) days; this period may be extended by another forty-five (45) days when reasonably necessary, with notice to you.
Abanro uses cookies and similar technologies to operate the Services. The categories we use are:
| Category | Purpose | Examples |
|---|---|---|
| Strictly Necessary | Required to authenticate you, maintain your session, prevent fraud, and remember basic preferences. | JWT session token, web cart token (web_session_id), security and CSRF tokens. |
| Functional | Improve your experience by remembering settings and preferences. | Language preference, dashboard view state. |
| Analytics (where applicable) | Help us understand how the Services are used, in an aggregated form. | Page-view counts, feature-usage telemetry. Where required, only set after consent. |
We do not use advertising cookies. Where local law requires consent for non-essential cookies (e.g., in the EEA and UK), we will request your consent through a cookie banner before setting them. You can manage cookie preferences through your browser settings; note that blocking strictly necessary cookies may prevent you from using the Services.
The Services are not intended for, and we do not knowingly collect Personal Information from, individuals under the age of sixteen (16). If you are under 16, please do not provide any information to us.
If we learn that we have collected Personal Information from a child under 16 without verifiable parental consent, we will delete that information promptly. If you believe a child has provided us with Personal Information, please contact us using the details in Section 19.
Merchants are responsible for ensuring that their own Services and storefronts comply with applicable laws relating to minors, including the Children’s Online Privacy Protection Act (COPPA) where it applies to them.
We do not make decisions about you based solely on automated processing that produces legal or similarly significant effects on you, within the meaning of Article 22 of the GDPR.
Some operational features of the Services involve automated logic — for example, trigger matching of DM messages against product codes, abandoned-cart detection, and FeatureGate enforcement of plan limits — but these are operational rules that govern how the platform behaves, not automated decisions about your eligibility for a service, employment, credit, or similar.
The Services may contain links to or integrate with third-party websites and services, including Instagram, Stripe, Google, and Merchants’ own external links (for example, in their storefront footers). This Policy does not apply to those third parties. We are not responsible for the privacy practices of any third party, and we recommend you review their privacy policies before providing them with Personal Information.
We may update this Privacy Policy from time to time to reflect changes in our Services, in applicable law, or in our data practices. When we make a material change, we will:
We encourage you to review this Policy periodically. Your continued use of the Services after a change becomes effective constitutes your acknowledgment of the updated Policy, except where additional consent is required.
If you have questions about this Privacy Policy, want to exercise any of the rights described above, or wish to make a privacy complaint, please contact us:
| Channel | Contact Detail |
|---|---|
| General privacy inquiries | privacy@abanro.com |
| Data subject requests (GDPR / CCPA) | privacy@abanro.com — please include “Data Subject Request” in the subject line |
| Security disclosures | security@abanro.com |
| General support | support@abanro.com |
| If you are an End Customer and your inquiry relates specifically to how a particular Merchant uses your information, please also contact the Merchant directly using the contact information published on their storefront. If you are in the EEA, the United Kingdom, or Switzerland and you believe our processing of your Personal Information does not comply with data-protection law, you have the right to lodge a complaint with your local supervisory authority. |