Privacy Policy
Effective date: May 30, 2025
1 · Data we collect
We only collect data necessary to operate ReplyFox. The table below summarises each category, gives examples, and states our legal basis under the GDPR / CCPA where relevant.
We collect and process data from Meta Platform APIs (Facebook Graph API and Instagram Graph API), including but not limited to: Facebook Page IDs, Instagram User IDs, Instagram Comments, and OAuth tokens, strictly for providing the core functionality of ReplyFox.
| Category | Examples | Legal basis* |
|---|---|---|
| Account data | Name, email, IG/Facebook Page IDs | Contract |
| OAuth tokens | Meta access & refresh tokens | Contract |
| Instagram comments | Text, handle, timestamp | Contract |
| Usage data | Page views, IP address | Legitimate interest |
| Billing data | Card last‑4, billing address (via Stripe) | Legal obligation |
*For EU / EEA users.
2 · How we use data
- Deliver and improve the service.
- Generate automated replies on your behalf.
- Provide customer support.
- Detect fraud and misuse.
- Send transactional emails (billing, critical alerts).
- Send marketing emails only with your explicit opt‑in (unsubscribe any time).
3 · Data sharing
We never sell or rent your data. We share it only with the processors below, each bound by a Data Processing Agreement (DPA):
- Meta Platforms, Inc. — Instagram comment access & posting (USA)
- OpenAI, LLC — AI reply generation (USA)
- Stripe, Inc. — payment processing (USA)
- Sentry — error monitoring (USA)
- AWS / Render — hosting & backups (USA)
4 · Retention
- OAuth tokens: until you disconnect or after 90 days of inactivity.
- Comment logs: 24 months, then anonymised.
- Billing records: 7 years (tax compliance).
- Encrypted backups: rolling 30‑day window.
5 · Your rights
Depending on your jurisdiction, you may have the right to access, export, correct, or delete your data. Email support@replyfox.io and we’ll respond within 30 days.
6 · Security
- TLS 1.2+ for all network traffic.
- Tokens and PII encrypted at rest (AES‑256).
- Staff access limited via least‑privilege roles.
7 · International transfers
For EU → US transfers we rely on Standard Contractual Clauses (SCCs). Servers are located in the United States.
8 · Children
ReplyFox is not intended for or directed to individuals under the age of 13, and we do not knowingly collect personal data from children.
9 · Changes to this Policy
We’ll notify you by email or in‑app message before making material changes. Continued use after the effective date constitutes acceptance.
10 · Contact
Email support@replyfox.io with any questions.
11 · Meta Platform Compliance
ReplyFox operates in compliance with Meta Platform Terms and Developer Policies. We access user data only as authorized by each user through OAuth consent and never sell or share Platform Data except as outlined in this policy.