Your DMs
stay yours.

Never touchedHow each part of your data is handled

When you drop the DM export, it's uploaded encrypted. Here's exactly what happens — these are never extracted, stored, or shared :

• Attachments, photos, voice notes, and shared media — only message text is ever processed
• Conversations filtered as spam, Meta AI, or empty — discarded during classification, never sent anywhere
• Anything that doesn't qualify — unrated threads, irrelevant contacts, fan-only DMs

Want zero upload? Add ?engine=browser to the app URL and everything is unpacked and classified on your device, with no file sent to us — you can verify it in classifier.js. It's slower and caps out on very large archives, which is why processing runs server-side by default.

SentWhat we send to Claude (and never store)

For each qualified conversation (booker / promoter / label / collab / relevant), the message text is sent to Anthropic's Claude API for narrative summarization. We proxy those calls — your browser can't reach Claude directly with our API key.

• Condensed message history per qualified thread : sender names, timestamps, text
• Your authentication cookie (so we know which account is calling)
• Basic rate-limit signals (IP, timestamp)

The proxy is a Cloudflare Worker. It does not log or store the conversation text — requests are forwarded to Anthropic and the response streams back to your browser. The summary that comes back is then saved in your account (see Block 4).

Third-partyWhat Anthropic does

The summarization itself runs on Claude Sonnet 4.6 (Anthropic). Their commercial terms apply to the content you send them via our proxy:

• Anthropic does not train on API traffic by default
• They retain inputs/outputs for 30 days for safety monitoring, then delete
• Enterprise zero-retention is available for business-critical use cases — not currently enabled on our tier

If you're doing genuinely sensitive conversation analysis (journalism, legal, medical), use BYOK (Bring Your Own Key) and enable zero-retention on your own Anthropic account. Backline never sees your conversations either way.

StoredWhat we actually store on our side

Five buckets, scoped to the minimum :

• Your account, in Cloudflare D1 : your email, the date you first signed in, your active plan, your reminder-email opt-in flag, the timestamp of your last login. This is the row that backs your /account page.
• Your classified contacts, in Cloudflare D1 : per qualified DM thread we keep the handle, the thread ID (so we can build the deeplink back to Instagram), zone / country / city / role / level (the regex classification), the short narrative summary written by Claude, your private notes, the status you've set (new/contacted/archived), starred flag, and the timestamps. This is the contact list you see in your dashboard — accessible only via your authenticated session.
• Purchase metadata, in Cloudflare KV : tier, the email Stripe handed us at checkout, internal license-id (audit trail). No name, no address, no card data.
• Anonymous rate-limit counters : hashed IP + request count per window, to stop bots from burning the free tier. Retained for 24h, auto-expired.
• Imported archives, temporarily : while Backline is in its test phase, the uploaded .zip is kept in Cloudflare R2 and parsed import payloads are retained for up to 30 days, so failed runs can be debugged. Email [email protected] to have them deleted on request — and they are purged when you delete your account.

How the raw material is handled :

• Your raw .zip — uploaded over an encrypted connection, never sold or shared
• Attachments, shared media, photos, voice notes — never extracted or read; only the text in messages/inbox is processed
• Your contact list + summaries — stored in your private account, visible only to you
• Conversations filtered as spam / Meta AI / empty — discarded during classification, never summarized

No Google Analytics, no Facebook pixel, no session replay, no third-party tracking of any kind. The only telemetry is Cloudflare Web Analytics — a privacy-respecting beacon that counts pageviews and measures Core Web Vitals (LCP, INP) without cookies, fingerprinting, or cross-site tracking. Cloudflare's commitment : no PII, no IP retention beyond aggregation, no data sold or shared.

LocalCookies & local storage

One cookie, two minor localStorage entries :

• backline_session (cookie, HttpOnly, Secure, SameSite=Lax, 30 days) — set only after you click a magic-link sign-in email. A random 256-bit token whose hash maps to your account record server-side. Removed when you click Logout.
• bk_view_mode, bk_theme, bk_sidebar_collapsed (localStorage) — your dashboard UI preferences (compact vs detail, dark vs light, sidebar open/closed). No personal data.
• bk_hint_* (localStorage) — flags remembering which onboarding hints you've dismissed, so we don't show them again.

That's the entire client-side footprint. Clear cookies + localStorage anytime from your browser's devtools → Application → Storage.

RightsYour data rights

You can delete your account and all your contacts in one click from /account → Danger zone → Delete account. That instantly wipes your account record, every classified contact and note, every import and captured payload, any uploaded archive, and your BYOK API key. No 48h delay, no email back-and-forth.

Under the GDPR you have the rights of access, rectification, erasure, and portability. Delete account handles erasure instantly, and the CSV export covers most of portability. For everything else — a full copy of your data, fixing a record, opting out of telemetry — email [email protected]. Reply within 48h, fix within 7 days.

ChangesIf this ever changes

If we ever add analytics, third-party pixels, or any new data flow — we update this page before shipping, and we email every license holder. The privacy pillar is load-bearing for the whole product. We don't break it in silence.