Privacy Policy
Last updated: May 10, 2026
Lurk (“we,” “us”) operates an Instagram follow-tracking service available at getlurk.app and as iOS/Android apps. This policy explains what data we collect, why, and the third parties that process it on our behalf.
1. What we collect
- Device identifier — a random UUID generated on first launch and stored in your device's local storage. We use it to associate tracked accounts with your device without requiring an account.
- Email address — only if you choose to link one after subscribing, so you can recover access on a new device or sign in with Google. Linking is optional and can be skipped.
- Payment metadata — your Stripe customer ID, subscription plan, and billing status. We never see or store your card number.
- Usage data — pages visited, features tapped, and aggregate engagement signals, for product analytics.
- Network metadata — your IP address, user agent, and approximate location (country-level), captured in standard server logs and by the analytics/advertising services listed below.
- Push notification token — if you opt in to alerts, your device's FCM/APNs token so we can deliver real-time follow updates.
2. Instagram data
We only access publicly available Instagram profile information — the same data visible to any logged-out visitor. We do not access private accounts, direct messages, stories from private accounts, or anything requiring an Instagram login. We are not affiliated with, endorsed by, or partnered with Meta or Instagram.
3. Service providers
We use a small number of vendors to run Lurk: payment processing (Stripe), hosting, email delivery, push notifications, ad measurement, and error monitoring (which may include session replay on pages where an error occurred). They process data on our behalf under contractual confidentiality terms. For our current list of sub-processors, email privacy@getlurk.app.
4. Local storage & cookies
We use your browser's local storage to hold your device identifier, theme preference, subscription status, and the list of accounts you're tracking. We do not set first-party advertising cookies. Third-party services listed above may set their own cookies governed by their respective policies.
5. Advertising & analytics
When you arrive from an ad (e.g. TikTok), we measure the funnel — page view, plan selection, checkout start, and purchase — and report aggregate, hashed events back to the ad network so we can attribute spend. We do not sell your personal data. California residents may opt out via the “Do Not Sell or Share” mechanism described in section 8.
6. Data retention
We retain device identifiers, tracked-account snapshots, and subscription records for as long as your subscription is active plus 12 months for billing and accounting recordkeeping. Email addresses are retained for as long as you keep an account linked or for 24 months after your last interaction, whichever is shorter. You can request earlier deletion at any time (section 8).
7. Children
Lurk is not directed at children under 13 (or under 16 in the EEA/UK). We do not knowingly collect personal information from minors. If you believe a minor has used Lurk, contact us and we will remove the data.
8. Your rights
Depending on where you live (GDPR — EEA/UK, CCPA/CPRA — California, similar laws elsewhere) you have the right to:
- Access the personal data we hold about you
- Correct inaccurate data
- Delete your data (“right to be forgotten”)
- Export your data in a portable format
- Object to processing for marketing or analytics purposes
- Opt out of the “sale” or “sharing” of personal information (CCPA)
To exercise any of these rights, email privacy@getlurk.app. We respond within one month of receipt, as required by GDPR Article 12(3). For complex or numerous requests we may extend by up to two additional months and will notify you of the extension and our reasons within the original one-month window.
9. International transfers
Lurk is operated from Canada. By using Lurk you consent to your data being processed in Canada, the United States, and any other jurisdiction where our third-party processors operate. Where required, we rely on Standard Contractual Clauses or equivalent mechanisms.
10. Security
We use HTTPS for all transport, hash sensitive identifiers before sending them to ad networks, and rely on Stripe and Supabase to handle payment and authentication data, which we never touch directly. No system is perfectly secure; if we detect a breach affecting you we will notify you within the timeframes required by applicable law.
11. Changes
We will update this policy from time to time. Material changes will be flagged in-app or by email if you have one linked. The “Last updated” date at the top reflects the most recent change.
12. Contact
Privacy questions: privacy@getlurk.app. General support: support@getlurk.app.