An investigation from Business Insider has uncovered how a San Francisco tech company used Instagram to collect the information of millions of users before offering it to clients as a marketing tool.

Facebook-owned Instagram hasn’t had many privacy scandals in its history, offering a vision of how uncontroversial social media can be in contrast with Facebook’s clusterfuck of a platform. However, this latest discovery – which an Instagram spokesperson said was “not sanctioned and violates our policies” could move the magnifying glass over the photo-sharing app.

“Location-based marketing platform” tech start-up HYP3R reportedly collected photos, bios, Instagram Stories, and physical locations through Instagram, offering companies the opportunity to have access to the data.

HYP3R also “geofenced” thousands of locations like bars, hotels, and restaurants, to save public posts from those locations.

What’s geofencing? Imagine a huge fence built around an area, now imagine that fence is virtual and imaginary, existing only in a digital way. Software is then triggered whenever you or your mobile device enters or leaves that area.

Advertisers can use geofencing to determine when people are nearby a client, or a competitor, and flex their social output with that in mind.

Instagram Stories – intended to disappear after 24 hours unless saved by the user – were also scraped by the company if they had been posted and tagged from a specific location.

In a statement to Business Insider, Instagram said said it had sent a cease-and-desist letter to HYP3R and had removed the company from its platform.

“We’ve also made a product change that should help prevent other companies from scraping public location pages in this way.”

That’s all well and good, but the greater issue is that HYP3R wasn’t exactly hiding what it what doing. In fact, the company’s CEO Carlos Garcia denied breaking Instagram’s rules and said it does not view “any content or information that cannot be accessed publicly by everyone online.”

What’s more: HYP3R was featured on Facebook’s rather exclusive list of Facebook Marketing Partners, which is a directory of supposedly vetted companies that “can give you superior insights and data for better marketing decisions.”

For now, HYP3R has been removed from that list and also had its access to the Facebook’s API’s revoked.

Remember: everything you post on social, no matter the platform, is probably getting scraped by someone. Privacy is dead, get used to it.