Privacy Policy

1. Information We Collect

Information you provide directly

• Email address — collected when you sign in via magic link. Used for authentication and transactional communications only.
• Facebook / Instagram account data — when you connect your Instagram Business or Creator account, we receive and store: your Instagram account ID, username, display name, and profile picture URL; your linked Facebook Page ID and name; and the Meta access token required to call the Meta Graph API on your behalf.

Information collected through the Meta Graph API

When you connect an account and activate automation flows, Meta sends webhook events to our servers. We receive and process:

• Comment content and author — the text of comments on your posts and the Instagram user ID of the commenter, used solely to evaluate whether your keyword trigger condition is met.
• Story reply content — text of replies to your Instagram stories, used solely to match against your configured story reply flows.
• Inbound DM content — text of DMs sent to your account, used solely to match against inbound DM triggers.
• Recipient identity — the Instagram user ID (and username where available) of users who trigger a flow, stored in our conversation log so you can review which accounts received automated DMs.
• DM delivery status — whether each automated DM was sent successfully, queued, or failed, stored to surface in your dashboard.

We do not store the full text of DMs we send. The DM template text is set by you and stored as part of your flow configuration. Individual DM send events reference the flow ID but do not duplicate the message body.

Information collected automatically

• Usage data — DM send counts, flow trigger counts, and account health status used to operate the dashboard analytics.
• Authentication tokens — magic link tokens (expire after 15 minutes) and session identifiers stored in your browser's local storage.

Payment information

All payment processing is handled by our payment processor, which acts as the seller of record. We receive only a subscription ID and subscription status — never your card details.

2. How We Use Your Information

• Automation delivery — to match incoming webhook events against your configured flows and send DMs via the Meta Graph API on your behalf.
• Dashboard and analytics — to display your conversation log, send statistics, queue status, and account health in your dashboard.
• Authentication — to verify your identity via email magic links and maintain your session.
• Token management — to refresh your Meta access tokens before they expire (60-day Meta token lifetime), ensuring uninterrupted automation.
• Payment provisioning — to activate or deactivate your subscription based on payment status received from our payment processor.
• Transactional email — to send sign-in links and account notices. We do not send marketing emails without explicit consent.
• Security and abuse prevention — to detect and prevent misuse of the Service.

3. How We Share Your Information

We do not sell your personal data. We share information only with the following service providers, strictly to operate the Service:

• Meta Platforms (Facebook / Instagram) — we call the Meta Graph API to send DMs and subscribe to webhooks on your behalf. Meta processes this data under its own Data Policy.
• Database infrastructure providers — store your account data, access tokens, flows, and conversation logs in encrypted storage.
• Email delivery providers — send transactional emails such as sign-in links.
• Payment processors — handle billing and subscriptions. They receive your payment details; we do not.

All service providers are bound by data processing agreements. We may disclose data if required by law or court order, or to protect the rights, property, or safety of the Company or its users.

4. Meta API Data and Platform Policies

CommentDM by Replygen uses the Meta Graph API under Meta's Platform Terms. We access only the permissions necessary to operate the Service:

• instagram_basic — to read account details after connection
• instagram_business_manage_messages — to send DMs and receive message webhooks
• pages_read_engagement and pages_manage_metadata — to subscribe to comment webhooks on linked Facebook Pages
• pages_messaging — to send Facebook Messenger DMs

We do not use these permissions for any purpose other than operating the features described in this policy. We do not scrape, aggregate, or resell Instagram or Facebook data.

5. Data Retention

• Account and flow data — retained while your account is active, and for up to 90 days after a deletion request to comply with legal obligations.
• Meta access tokens — stored securely and used solely to call the Meta Graph API on your behalf. Deleted immediately upon account disconnection or deletion request.
• Conversation log entries — retained for 90 days then automatically purged. You can delete individual entries or your full log from your dashboard at any time.
• Webhook event payloads — processed in real-time and not retained after matching against flows. Only the outcome (trigger matched, DM queued/sent) is stored.
• Authentication tokens — magic link tokens expire after 15 minutes.
• Payment records — retained for 7 years as required by financial regulations, managed by our payment processor.

6. Data Deletion

You may request deletion of your account and all associated data at any time by emailing support@replygen.app. We will process deletion requests within 30 days.

If you disconnect your Instagram or Facebook account from within the dashboard, we immediately revoke the associated access token and delete all stored credentials for that account. Existing conversation log entries for that account are retained for 30 days then purged.

Per Meta's Platform Terms, we also maintain a data deletion callback endpoint at https://replygen.app/comment-dm/data-deletion. Meta may call this endpoint to request deletion of data associated with a specific Facebook user.

7. Your Rights

Depending on your location, you may have the following rights under GDPR, CCPA, or other applicable laws:

• Access — request a copy of the personal data we hold about you.
• Correction — request correction of inaccurate data.
• Deletion — request deletion of your account and personal data.
• Portability — request your data in a machine-readable format.
• Objection / Restriction — object to or restrict certain processing activities.
• Opt-out of sale — we do not sell your data.

To exercise any of these rights, email support@replygen.app. We will respond within 30 days.

8. Security

Meta access tokens are stored encrypted at rest. We use HTTPS for all data in transit. Access to production data is restricted to authorized personnel only. We conduct periodic reviews of our security practices.

Despite these measures, no system is completely secure. If you become aware of any security issue, please report it to support@replygen.app immediately.

9. Children's Privacy

The Service is not directed to children under 13 (or 16 in the EU). We do not knowingly collect personal data from children. Contact us at support@replygen.app if you believe a child has provided us with personal data.

10. International Data Transfers

Our infrastructure is primarily located in the United States and European Union. If you access the Service from outside these regions, your data may be transferred internationally. All transfers are subject to appropriate safeguards including Standard Contractual Clauses where required.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by updating the effective date above and, where appropriate, by email. Continued use of the Service after changes constitutes acceptance.

12. Contact Us

For privacy questions, data requests, or Meta data deletion requests:

CommentDM by Replygen (operated by Replygen)
India
Email: support@replygen.app
Data deletion callback: https://replygen.app/comment-dm/data-deletion