Data Deletion Instructions
Effective date: April 10, 2026 · Last updated: April 30, 2026
Your right to delete your data
Under the EU/UK General Data Protection Regulation (GDPR Article 17, "right to erasure"), the California Consumer Privacy Act (CCPA right to delete), and Meta's Platform Terms, you have the right to request deletion of the personal data we hold about you. Tour Reels honors deletion requests from:
- Tour Reels account holders — request deletion of your full account and all associated data.
- Staff members (guides, captains, hosts, drivers) whose names and phone numbers are stored by a tour operator, or who use the Reel Social AI mobile app — request removal from a specific operator's roster or from our systems entirely. This includes any photos, photo metadata (EXIF), GPS coordinates (if you opted in to share location), Firebase user identifier, push notification tokens, and notification preferences associated with your account.
- Facebook commenters whose public comments on a connected Page have been cached by Tour Reels — request removal of comment text and display name associated with you.
- Instagram or Facebook users who previously authorized Tour Reels — request deletion of any data we retained from that authorization.
What data Tour Reels stores
From Meta (Instagram Business and Facebook Pages):
- Instagram Business Account username, numeric account ID, and encrypted long-lived access token
- Facebook Page ID, Page name, and encrypted Page-scoped access token (for the specific Page you connected)
- IDs of posts Tour Reels published on your behalf
- Engagement counts on those posts (like, comment, share counts; impressions/reach where available)
- Comment text and the commenter's public display name on posts Tour Reels published (retained up to 90 days)
- Facebook user ID and name of the account that authorized the connection (via public_profile)
From account signup:
- Business name, owner name, owner email, owner phone number
- Website URL, staff role label, and product/tour roster
- Team member names and email addresses
From Tour Reels operations:
- Photos sent by staff via SMS (MMS), stored in Cloudflare R2
- AI-generated captions, hashtags, and photo analysis metadata
- SMS message logs and consent records (via Twilio)
- Booking data retrieved via the Peek Pro OCTO API (if you connected Peek)
From the Reel Social AI mobile app:
- Phone number used to sign in
- Firebase user identifier returned by the phone-verification flow
- Photos uploaded through the app, stored in Cloudflare R2
- Photo EXIF metadata (capture timestamp, camera make/model, lens, exposure data)
- GPS coordinates from photo EXIF — only if the staff member explicitly opted in via the in-app Privacy → Share Photo Location toggle
- Optional context note text the staff member attached to a submission
- Push notification device token (if notifications were enabled) and notification preferences
- Submission and approval statistics used by the in-app leaderboard
- Consent timestamps recording when the staff member accepted participation consent and any GPS opt-in
How to request deletion of your data
- Send an email to info@moonshinemediagroup.com with the subject line "Data Deletion Request".
- Tell us who you are:
  - If you are a Tour Reels account holder, include the email address on your account.
  - If you are a Facebook commenter, include your Facebook display name and the URL of the Page where you commented so we can locate the cached data.
  - If you are a staff member whose phone number was added to Tour Reels, include your phone number and the name of the tour business.
- We will confirm receipt of your request within 2 business days and assign a confirmation code.
- All associated data will be permanently deleted within 30 days of verified receipt.
- On completion, we will email you confirmation that deletion has been performed.
What gets deleted, and where
A deletion request propagates to all systems that hold your data:
- Tour Reels PostgreSQL database (Railway): all account records, captains/staff rows, posts, activity logs, access tokens, and engagement snapshots referring to you are removed.
- Cloudflare R2 object storage: photos submitted by or featuring you are deleted from our storage bucket.
- Twilio (SMS): inbound SMS logs containing your phone number are deleted from our systems. (Twilio may retain carrier-level logs per its own policy and legal requirements.)
- Meta (Instagram / Facebook): access tokens are revoked and deleted on our side. Content that was previously published to your own Instagram or Facebook Page remains under your control on those platforms — you must delete it directly in Instagram or Facebook if desired.
- Anthropic (AI): we do not retain copies of photos or captions on Anthropic's servers beyond the lifetime of the API call. No persistent AI-side data store is used.
- Resend (email): email logs referring to you are purged via Resend's retention.
- Stripe (billing): your Stripe Customer object is deleted or anonymized, subject to the tax-record exception below.
- Firebase Authentication (Google): your Firebase user record (phone number and Firebase user identifier) is deleted via the Firebase Admin API. Removal here is what prevents the device from re-signing in.
- Expo Push Service: your push notification device token is removed from our database. Apple Push Notification service (APNs) and Firebase Cloud Messaging (FCM) hold transient delivery records per their own policies.
- Firebase Crashlytics: crash and performance reports from the Reel Social AI mobile app are install-scoped, not linked to your user account, so deleting your account does not require a separate Crashlytics deletion request. Reports auto-expire per Firebase's default policy (typically 90 days for crash data, 60 days for performance traces).
What may be retained (legal exceptions)
In limited circumstances we may retain certain minimized records after a deletion request:
- Billing and tax records may be retained for up to 7 years as required by U.S. tax law (IRS) and applicable state law. These records do not include Meta platform data, photos, or captions.
- SMS consent records may be retained in minimized form as required by TCPA/carrier compliance rules (proof that consent was obtained and later revoked).
- Aggregated, de-identified usage metrics that cannot be linked back to you may be retained for service improvement.
Remove Tour Reels from Facebook / Instagram directly
You can revoke Tour Reels' access to your Facebook and Instagram accounts at any time, independently of requesting server-side deletion:
- Go to Facebook Settings → Apps and Websites
- Find Tour Reels in the list of connected apps
- Click Remove
For Instagram, go to Instagram Settings → Apps and Websites → Active, find Tour Reels, and select Remove. This revokes Tour Reels' access on Meta's side. To also delete data stored on our servers, follow the email instructions above.
Contact