Permission Table
Every Meta OAuth scope Conwerz requests, mapped to a single business purpose. Copy rows verbatim into the "Permission Justification" boxes in your Meta app dashboard.
| Permission | Why we need it | Data accessed | Stored? | Retention |
|---|---|---|---|---|
pages_show_list | List the Facebook Pages owned by the Business Admin so they can pick which Page to connect. | Page IDs, names, categories, profile pictures. | Yes β Page ID, name, category only. | Until the Page is disconnected. |
pages_manage_metadata | Subscribe the connected Page to our webhook so Conwerz receives messages, leadgen, and mention events. | Page subscription state. | No β action only. | N/A. |
pages_read_engagement | Show basic Page engagement (conversation counts, response rate) in the Conwerz dashboard. | Page insights: message counts, response latency. | Aggregated daily counters only. | 13 months. |
pages_messaging | Send and receive Messenger messages on behalf of the connected Page via the Conwerz inbox. | Message text, attachments, sender Page-scoped ID. | Yes β encrypted at rest. | 90 days (configurable down to 7). |
instagram_basic | Identify the Instagram Business account linked to the connected Page. | IG Business Account ID, username, profile picture. | Yes β ID and username only. | Until disconnect. |
instagram_manage_messages | Display Instagram DMs in the Conwerz inbox and let the Business Admin (or configured AI) reply. | DM text, media, participant IDs. | Yes β encrypted at rest. | 90 days (configurable down to 7). |
instagram_manage_comments | Show comments on the Business Adminβs posts and allow moderation / auto-reply. | Comment text, author handle, timestamp. | Yes β encrypted at rest. | 90 days. |
instagram_manage_insights | Surface account-level Instagram insights in the analytics dashboard. | Reach, impressions, follower counts. | Aggregated daily counters only. | 13 months. |
whatsapp_business_management | Register phone numbers on the connected WABA, submit templates, and manage business profile. | WABA ID, phone number IDs, display name, templates. | Yes β required for sending. | Until disconnect. |
whatsapp_business_messaging | Send and receive WhatsApp messages between the Business Admin and their customers. | Message content, media, contact phone numbers. | Yes β encrypted at rest. | 90 days (configurable down to 7). |
leads_retrieval | Fetch Lead Ad submissions in real time so they appear as qualified leads in the CRM. | Form fields the lead submitted (name, phone, email, custom fields). | Yes β under the Business Adminβs CRM. | 13 months or until the Business Admin deletes. |
business_management | Identify which Business Manager owns the connected assets. Used only for scoping System User tokens. | Business ID and name. | Yes β ID only. | Until disconnect. |
Data Minimization
We request only the permissions strictly required to deliver the features the Business Admin has enabled. If a feature is not enabled on a plan, the corresponding scope is not requested during OAuth.
No Secondary Use
Meta Platform Data is never sold, shared with advertisers, used to train general-purpose AI models, or combined with third-party datasets. AI inference on message content occurs only to generate the response the Business Admin configured, using providers under zero-retention data processing agreements.
Revocation
Business Admins can revoke any connected asset at any time from Settings β Integrations. Tokens are invalidated with Meta immediately and purged from our database within 24 hours. See /data-deletion.