On this page, we provide full transparency on how the Facebook and Instagram
integration of our platform works, which permissions are used, which data is
processed, and how users retain control over their data at all times.
This page remains permanently publicly accessible and serves both users and
Meta reviewers as the central source of information about our implementation
of Facebook Login and Instagram Business Login.
1. Use Case
companycore ai is a B2B SaaS platform that lets registered businesses plan and
publish posts for their social media channels — either fully manually or with
the help of brand-tuned AI that generates post copy and image suggestions
based on the brand information provided by the user.
Every post must be manually reviewed, confirmed and scheduled with a
date and time by the user.
Only after this active approval is the post automatically published at the
scheduled time, on the platform selected by the user, via a scheduled server-side
process (cron job).
No automatic publishing takes place without prior, explicit user
confirmation. Neither the AI nor the system publishes content on its own.
- No automatic AI publishing
- No auto-posting without manual confirmation
- Posts are created exclusively after user interaction
- Tokens are stored encrypted and can be deleted at any time
- No use of messaging, comments, or private third-party content
2. Supported Platforms
We integrate two separate OAuth flows within a single Meta app:
- Facebook Login – allows connecting a Facebook account, selecting a
Facebook Page managed by the user, and (when an Instagram Business account is
linked) publishing to Instagram via the Page connection.
- Instagram Business Login – directly connects an Instagram Business or
Creator account without going through Facebook.
Users decide for themselves which of the two flows they want to use — or whether
to use both in parallel in order to publish across all of their channels.
3. Meta Permissions Used (Permissions / Scopes)
Facebook Login
- public_profile – Basic identification of the user (name, ID)
- pages_show_list – Displaying the Facebook Pages managed by the user for
selection in the app interface
- pages_manage_posts – Publishing posts on a Facebook Page managed by the
user
- pages_read_engagement – Reading public engagement data (likes, comment
counts) for the managed Page's own posts, so the user can review the performance
of their posts in the app
- business_management – Technically bundled by Meta as required in the
“Manage everything on your Page” use case; not used by us independently for
Business Manager operations
- instagram_basic – Identification of an Instagram Business account linked
to the Facebook Page
- instagram_content_publish – Publishing posts to Instagram via the
Facebook Page connection
Instagram Business Login
- instagram_business_basic – Identification of the Instagram Business
account (ID, username, profile picture)
- instagram_business_content_publish – Publishing image and carousel posts
to the Instagram Business account
- business_management – Technically bundled by Meta as required in the
“Manage messaging and content on Instagram” use case; not used by us
independently for Business Manager operations
4. What we do not do
Our integration is intentionally kept minimal. We use
publishing functions only. In particular, we do not read or process:
- no direct messages (DMs / Instagram Messaging)
- no third-party comments beyond those under our own posts
- no follower lists, contacts, or third-party profile information
- no insights/analytics data from third-party accounts
- no audience data or advertising campaign information
- no Instagram Stories, Reels, or Live videos (feed posts only)
We use Meta APIs exclusively for the purpose of publishing content created
and scheduled by the user themselves on the user's own accounts/Pages.
5. Technical Publishing Flow
- The user creates the post via an AI-assisted editor in which text suggestions are
generated individually. Alternatively, the user can enter the entire text
themselves. The user fully reviews, edits and confirms the post before it is
saved.
- The user selects the target platform(s) — LinkedIn, Facebook, Instagram, or a
combination.
- The user sets the publication date and time manually, or saves the post as a
draft. Only an actively scheduled post is later published automatically.
- The post appears in the app's calendar as “Scheduled”.
- A secure cron job on our EU server checks the upcoming publications every minute
and triggers publication only for posts that were previously actively
scheduled by the user.
- Publication takes place via Meta's official Graph API endpoints, separately per
platform and target.
Each publication target has its own status in our system
(planned, posted, error, skipped),
so that if an error occurs on one platform, the other platforms can be published
independently and the user is informed of the exact state.
6. Processing & Storage of Meta Data
We store exclusively:
- Facebook User ID / Instagram Business ID
- Username or display name
- Access token (encrypted with AES-256-GCM)
- Refresh token (encrypted with AES-256-GCM)
- List of the Facebook Pages managed by the user, with IDs and names
- Page access tokens for publication targets selected by the user (encrypted)
We store no:
- Content from posts (neither our own nor third-party)
- Followers, contacts, subscribers
- Comments or messages
- Third-party profile information
- Payment or advertising data
Tokens are stored encrypted exclusively with AES-256-GCM.
The database (Supabase) runs in the EU region
(eu-central-1, Frankfurt am Main).
All stored Meta tokens are deleted immediately and completely from our systems as
soon as the user disconnects the integration in the app or removes the app in the
settings of their Facebook or Instagram account.
7. Revocation, Data Deletion & User Control
Users have three independent ways to revoke their connection and delete all stored
data:
a) Via our app
In the app settings, a “Disconnect Facebook” or “Disconnect Instagram” button is
available per platform. After confirmation, all tokens and associated data are
removed immediately and completely from our database.
b) Via the user's Meta settings
Users can remove the app directly at Meta at any time:
- Facebook → Settings → Apps and Websites → companycore → Remove
- Instagram → Settings → Apps and Websites → companycore → Remove
In this case, Meta automatically sends a cryptographically signed request to our
deauthorize endpoint
(https://api.companycore.ai/live/meta/deauthorize).
Our systems verify the signature, identify the affected user, and immediately delete
all associated tokens and data mappings.
c) Formal data deletion request
Users can submit a formal deletion request through the same route, which is sent to
our data deletion endpoint
(https://api.companycore.ai/live/meta/data-deletion).
After successful deletion, the user receives a unique confirmation code as
well as a publicly accessible status URL where they can track the state of the
request at any time.
Alternatively, an informal email to
jan@companycore.ai is sufficient.
8. Security & Compliance
- All OAuth flows run exclusively over HTTPS
- State parameter with CSRF protection during OAuth
- Tokens are never stored in plain text
- All backend communication with the Meta Graph API takes place server-side;
tokens never leave our backend environment
- Signed request verification (HMAC-SHA256) for all Meta callbacks
- Hosting in the EU (Germany); GDPR-compliant processing
9. Contact
For questions about the integration, permissions, or data handling:
jan@companycore.ai
companycore ai UG (haftungsbeschränkt)
Sömmeringstraße 69, 50823 Köln, Germany
HRB 124109 (Amtsgericht Köln / Local Court of Cologne)
Managing Director: Jan Bennefeld
This page is continuously updated whenever the Meta APIs, permissions, or processes
we use change. Every change is documented transparently here.