Your DMs
stay yours.

The raw .zip file from Meta — with all its messages, attachments and shared media — never leaves your browser. We parse it locally and only send the classified output (contact handles, roles, short summaries) to your encrypted account so you can use them from any device. Below, the full breakdown of what we hold, where, and who can see it.

Local: What never leaves your device

When you drop the DM export, your browser does the unpacking and the regex classification. These stay on your device the whole time:

  • The Instagram export file itself (the .zip Meta sent you)
  • All raw message content inside it — every text, every attachment, every shared photo or voice note, every reaction
  • Conversations we filter out as spam / Meta AI / empty (discarded in-browser, never sent anywhere)

You can literally unplug your Wi-Fi after the file is parsed and the regex classification still completes. Proof: look at classifier.js — it runs in your browser, no network calls.

Sent: What we send to Claude (and never store)

For each qualified conversation (booker / promoter / label / collab / relevant), the message text is sent to Anthropic's Claude API for narrative summarization. We proxy those calls — your browser can't reach Claude directly with our API key.

  • Condensed message history per qualified thread: sender names, timestamps, text
  • Your authentication cookie (so we know which account is calling)
  • Basic rate-limit signals (IP, timestamp)

The proxy is a Cloudflare Worker. It does not log or store the conversation text — requests are forwarded to Anthropic and the response streams back to your browser. The summary that comes back is then saved in your account (see Block 4).

Third-party: What Anthropic does

The summarization itself runs on Claude Sonnet 4.6 (Anthropic). Their commercial terms apply to the content you send them via our proxy:

  • Anthropic does not train on API traffic by default
  • They retain inputs/outputs for 30 days for safety monitoring, then delete
  • Enterprise zero-retention is available for business-critical use cases — not currently enabled on our tier

If you're doing genuinely sensitive conversation analysis (journalism, legal, medical), use BYOK (Bring Your Own Key) and enable zero-retention on your own Anthropic account. Backline never sees your conversations either way.

Stored: What we actually store on our side

Four buckets, scoped to the minimum:

  • Your account, in Cloudflare D1: your email, the date you first signed in, your active plan, your reminder-email opt-in flag, the timestamp of your last login. This is the row that backs your /account page.
  • Your classified contacts, in Cloudflare D1: per qualified DM thread we keep the handle, the thread ID (so we can build the deeplink back to Instagram), zone / country / city / role / level (the regex classification), the short narrative summary written by Claude, your private notes, the status you've set (new/contacted/archived), starred flag, and the timestamps. This is the contact list you see in your dashboard — accessible only via your authenticated session.
  • Purchase metadata, in Cloudflare KV: tier, the email Stripe handed us at checkout, internal license-id (audit trail). No name, no address, no card data.
  • Anonymous rate-limit counters: hashed IP + request count per window, to stop bots from burning the free tier. Retained for 24h, auto-expired.

What we explicitly do NOT store:

  • The raw .zip file from Meta — never uploaded to us
  • The raw message text (texts of every message you ever sent or received) — parsed in your browser, only the per-thread summary leaves your device
  • Attachments, shared media, photos, voice notes — those stay in the .zip on your machine
  • Conversations we filter as spam / Meta AI / empty — discarded in-browser, never seen

No Google Analytics, no Facebook pixel, no session replay, no third-party tracking of any kind. The only telemetry is Cloudflare Web Analytics — a privacy-respecting beacon that counts pageviews and measures Core Web Vitals (LCP, INP) without cookies, fingerprinting, or cross-site tracking. Cloudflare's commitment: no PII, no IP retention beyond aggregation, no data sold or shared.

Local: Cookies & local storage

One cookie, two minor localStorage entries:

  • backline_session (cookie, HttpOnly, Secure, SameSite=Lax, 30 days) — set only after you click a magic-link sign-in email. A random 256-bit token whose hash maps to your account record server-side. Removed when you click Logout.
  • bk_view_mode, bk_theme, bk_sidebar_collapsed (localStorage) — your dashboard UI preferences (compact vs detail, dark vs light, sidebar open/closed). No personal data.
  • bk_hint_* (localStorage) — flags remembering which onboarding hints you've dismissed, so we don't show them again.

That's the entire client-side footprint. Clear cookies + localStorage anytime from your browser's devtools → Application → Storage.

Rights: Your data rights

You can delete your account and all your contacts in one click from /account → Danger zone → Delete account. That instantly wipes your D1 row, every classified contact, every note, every captured payload. No 48h delay, no email back-and-forth.

For the GDPR rights we can't fulfil from a single button (data portability, rectification of legacy records, opt-out of telemetry beyond defaults), email josh@backline.so. Reply within 48h, fix within 7 days.

Changes: If this ever changes

If we ever add analytics, third-party pixels, or any new data flow — we update this page before shipping, and we email every license holder. The privacy pillar is load-bearing for the whole product. We don't break it in silence.

LAST UPDATED · 2026-05-07
