The company did not collect any private information. However, it still resulted in detailed profiles of users who were not allowed to generate and could make people uncomfortable, such as targeted ads and surprising comments from location owners. Facebook's rules specifically prohibit relying on "automated means" to collect data without explicit approval, and they don't even offer Stories through its official developer framework.
Furthermore, BI claimed that Hyp3r flags Facebook's privacy changes in the wake of the Cambridge Analytica scandal. While it publicly welcomed restrictions on placement tools and other features, it privately developed a system that could circumvent Facebook's limitations and acquire Instagram positioning information anyway. The company apparently went ahead with reversing an Instagram frame that was closed after the Cambridge Analytica affair.
In a statement, Hyp3r chief Carlos Garcia claimed that the marketing system was "in compliance with consumer privacy and social network Terms of service." see stories after the regular 24 hour period. Facebook absolutely disagrees ̵
Facebook has also taken steps to prevent similar data scraping. On top of a cease-and-desist request for Hyp3r, it requires logging in to site access and fixing security lapses (apparently linked to a publicly available JSON package).
While the move is likely to be welcomed by privacy advocates, it also illustrates some potential flaws in Facebook's policies. The social site had included Hyp3r as part of the list of trusted marketing partners. While Instagram regularly reviews these partners to ensure they comply with the rules, Hyp3r's behavior may not have been accurate despite the marketer publicly announcing his behavior. Simply put, it may have slipped through the cracks.