InstaYolo

Privacy Policy

Last updated: April 22, 2026

1. Overview

This policy explains what personal data InstaYolo processes when you visit our website or use our download tool, why we process it, how long we keep it, and the rights you have over it. It applies to everyone who uses instayolo.com regardless of location.

The operator of InstaYolo (“we”, “us”, or “InstaYolo” in this policy) acts as the data controller for the processing described here. Contact for all privacy enquiries: [email protected].

2. What we do not collect

We have built InstaYolo specifically to process as little personal data as possible. We do not collect:

  • The Instagram URLs you paste into the downloader.
  • The video, audio, or image files you download (they are streamed through our server without being saved to disk).
  • Your Instagram username, password, session cookie, or any other Instagram credential — we never ask for these and the tool cannot function with them.
  • Names, email addresses, phone numbers, or payment details (we have no account system and do not sell anything).
  • Precise geolocation data.
  • Device fingerprints beyond what the browser normally exposes during a web request.

3. What we do collect

The limited data we process falls into three buckets.

a. Short-term request data. When you load a page or trigger a download, our server receives standard HTTP request data: your IP address, the URL path you requested, the User-Agent header your browser sends, the referer header if any, and the timestamp. This is necessary to deliver the response and to enforce rate limits (to prevent abuse of the downloader). IP addresses used for rate-limiting are kept in memory for up to 24 hours and then discarded.

b. Server access logs. Our web server writes condensed access logs for security and debugging purposes. These logs contain the same fields listed above but are automatically rotated and deleted after 7 days. We do not cross-reference these logs with any other identifier.

c. Anonymized analytics. We use Google Analytics 4 with IP anonymization enabled to measure aggregate traffic (page views, bounce rate, geographic region at the country level, device category). GA4's default event data retention is 14 months; we have not extended it. You can opt out of GA4 entirely — see the Cookie Policy for details.

4. Legal bases (GDPR)

For visitors in the European Economic Area, the UK, and Switzerland, our legal bases under Article 6 GDPR are:

  • Legitimate interest (Art. 6(1)(f)) for delivering the service, securing it against abuse, and keeping short-lived request logs. The interest is the technical operation of the website; the impact on you is minimal because the data is aggregated or short-lived.
  • Consent (Art. 6(1)(a)) for optional analytics cookies where required by local law. Where consent is required, analytics scripts load only after you give it.

5. Cookies and similar technologies

InstaYolo uses a minimal set of cookies. A full breakdown — names, purposes, lifespans, and how to opt out — is on the Cookie Policy page.

6. Third-party processors

We share the minimum data needed to operate the service with the following processors:

  • Cloudflare, Inc. — CDN, DNS, WAF, and DDoS protection. Cloudflare sees request metadata for every visit. Their privacy practices are published at cloudflare.com/privacypolicy.
  • Google LLC — Google Analytics 4 with IP anonymization.
  • Webshare, Inc. — residential proxy pool used only on the backend to fetch public Instagram CDN files. Webshare receives no visitor data; it sees only server-to-server requests from our backend to Instagram.
  • GitHub, Inc. — hosts container images for our deployment pipeline. GitHub does not receive visitor traffic.
  • European VPS hosting provider — the physical server running the website. Our host has standard access to the server as an infrastructure provider but does not process visitor data on our behalf.

7. International data transfers

Cloudflare, Google Analytics, Webshare, and GitHub are based in the United States. Where required, these transfers rely on the EU Commission's Standard Contractual Clauses and, for US recipients that self-certify, on the EU-US Data Privacy Framework.

8. Data retention

  • Rate-limit counters (IP address): up to 24 hours in memory.
  • Web server access logs: 7 days, then automatically deleted.
  • Short-lived parse-result cache (no user identifiers): 10 minutes.
  • Google Analytics 4 event data: 14 months (GA4 default).

9. Your rights

Depending on your jurisdiction, you may have rights under the GDPR, UK GDPR, California Consumer Privacy Act (CCPA/CPRA), Brazil's LGPD, and other laws. These typically include the right to:

  • Access the personal data we hold about you.
  • Request correction of inaccurate data.
  • Request deletion of your data.
  • Restrict or object to our processing.
  • Receive your data in a portable format.
  • Withdraw consent at any time (where processing is based on consent).
  • Lodge a complaint with your local data protection authority.

Because we do not maintain accounts or retain identifying data beyond the short windows listed above, requests to access or delete specific records will often return “no data held”. We will respond to any request sent to [email protected] within 30 days.

California residents: we do not sell or share personal information for cross-context behavioral advertising as those terms are defined in the CPRA.

10. Children

InstaYolo is not directed at children under 13 (or under 16 in the EEA, or under the equivalent age in your jurisdiction). We do not knowingly collect personal data from minors. If you believe a child has provided us with personal data, contact [email protected] and we will delete it promptly.

11. Security

Traffic between your browser and our server is encrypted with TLS. Our infrastructure sits behind Cloudflare's WAF and DDoS mitigation. The residential proxy credentials, analytics tokens, and server keys are kept outside the public codebase. No system is perfectly secure, but we aim to follow current industry best practice.

12. Changes to this policy

We may update this policy as the service evolves or as legal requirements change. The “Last updated” date at the top of the page reflects the most recent change. Material changes will be called out in a banner on the homepage for at least 14 days.

13. Contact

Questions, requests, or complaints about this policy: [email protected].