Privacy Policy
Last updated: April 6, 2025
1. Who we are
CommentPull is a web-based tool that lets you extract, filter, and export comments from Facebook, Instagram, and YouTube posts. We are the operator of this service, reachable at the contact details at the bottom of this page.
2. What we collect
We collect only the minimum information needed to run your account:
- Email address — used to identify your account and for transactional messages (e.g. password reset).
- Name — displayed in the app interface.
- Password — stored as a bcrypt hash (cost 12). We never store your plain-text password.
- Account timestamps — when your account was created and last updated.
We do not collect payment information. No credit card is required to use CommentPull.
3. What we do NOT collect
- Your Facebook or Instagram access tokens — these are entered in your browser and sent directly to Meta's servers. They never pass through ours.
- The comments, usernames, or post content you extract — all processing happens in your browser and the data goes straight to your downloaded file.
- Your YouTube API key — same as above, browser-only.
- Browsing behaviour, page interactions, or session recordings beyond basic analytics.
4. How we use your data
- To authenticate you and maintain your session.
We do not sell, rent, or share your personal data with third parties for marketing purposes.
5. Cookies & sessions
We set one HTTP-only, secure cookie (cp_token) when you sign in. It contains a random session token — not your password or any personal data. It expires after 30 days or when you sign out. We do not use advertising cookies or third-party tracking cookies.
6. Analytics
We use Google Analytics 4 to understand how the app is used in aggregate (e.g. which platform tab is most popular, how many extractions succeed). This data is anonymised and not linked to your account. You can opt out via browser extensions that block Google Analytics.
7. Data storage & security
Account data is stored in a MySQL database hosted on Hostinger. We use bcrypt password hashing, cryptographically random session tokens (256-bit entropy), and HTTPS-only delivery. Session tokens expire automatically after 30 days.
No extraction data (comments, post content, API keys) is ever written to our database.
8. Data retention
Your account data is retained for as long as your account is active. You may request deletion at any time by contacting us — we will permanently delete your email, name, and password hash within 7 days.
9. Your rights
Depending on your location, you may have rights under GDPR, CCPA, or similar laws, including:
- The right to access the data we hold about you.
- The right to correct inaccurate data.
- The right to delete your account and all associated data.
- The right to data portability — a copy of your data in a machine-readable format.
- The right to withdraw consent at any time.
To exercise any of these rights, contact us at the email below.
10. Third-party services
- Meta Graph API — used directly from your browser to fetch Facebook and Instagram comments. Subject to Meta's Privacy Policy.
- YouTube Data API v3 — used directly from your browser. Subject to Google's Privacy Policy.
- Google Analytics — aggregate usage analytics. Subject to Google's Privacy Policy.
- Hostinger — our hosting provider stores account data in their data centres. Subject to Hostinger's Privacy Policy.
11. Changes to this policy
We may update this Privacy Policy occasionally. When we do, we will revise the "Last updated" date at the top. Continued use of CommentPull after changes are posted constitutes your acceptance of the updated policy.
12. Contact
Questions, data requests, or deletion requests can be sent to:
privacy@commentpull.com