ReplyMagic data processing addendum.
Processor terms that apply when ReplyMagic processes personal data on your behalf under GDPR and related privacy laws.
This Data Processing Addendum ("DPA") forms part of the agreement between you ("Controller") and ZipLyne ("Processor", "ReplyMagic"), with a registered address at 30 N Gould St Ste N, Sheridan, WY 82801, United States. It applies whenever we process personal data on your behalf, including data about your followers, customers, and recipients of your Instagram messages.
1. Roles
For data we process to deliver the service to you (e.g. comments from your audience and the commenters' Instagram usernames/profile pictures), you are the Controller and we are the Processor. For data we collect about you as our customer, we are the Controller and our Privacy Policy applies.
2. Subject matter and duration
Subject matter: provision of automated reply generation and delivery via the Instagram Graph API. Duration: the term of your subscription plus any retention period required by law.
3. Categories of data and data subjects
- Data subjects — people who comment on the posts you enable on your connected Instagram account.
- Categories — Instagram username and user ID, public profile picture, comment content, and comment timestamps.
- We do not process special categories of data unless a commenter voluntarily includes such data in a comment. We discourage this.
4. Sub-processors
You consent to our use of the following sub-processors. We give 30 days' notice before adding or replacing a sub-processor.
| Sub-processor | Purpose | Location |
|---|---|---|
| Cloudflare | Hosting, request routing, databases (D1 + KV), queues | US / global edge |
| Meta Platforms | Instagram Graph API — read comments, send replies | US / global |
| AI providers (e.g. OpenAI, Anthropic, Google), incl. an AI gateway | Reply generation and post-media analysis | US |
| Stripe | Payment processing | US / EU |
| Resend | Transactional email delivery | US |
| Sentry | Error monitoring and session replay (our app) | US |
| Google & Meta | Analytics & advertising measurement (public website only) | US |
An up-to-date list is always available on request and on this page. Email [email protected] if you need a signed copy of this DPA.
5. International transfers
Where personal data is transferred outside the EEA, the transfer is covered by the EU Standard Contractual Clauses (Module 2: Controller-to-Processor or Module 3: Processor-to-Processor as applicable), incorporated by reference, plus any additional safeguards required after a transfer impact assessment.
6. Security measures
- Encryption in transit (HTTPS/TLS) for all traffic to ReplyMagic.
- Encryption at rest for our databases (Cloudflare D1 and KV), provided by the platform.
- Principle of least privilege — production access is limited to the small operating team.
- Passwordless authentication for most accounts (Google sign-in or one-time email codes), so there are no end-user passwords for us to store.
- Continuous error monitoring.
7. Confidentiality
Personnel with access to personal data are bound by written confidentiality obligations.
8. Audit rights
Once per 12-month period, on 30 days' written notice, you may send a reasonable written questionnaire and we will respond with the information needed to demonstrate compliance with this DPA.
9. Breach notification
We will notify you without undue delay after becoming aware of a personal data breach affecting your data, with the information reasonably available to us to help you meet your own notification obligations.
10. Assistance
We will assist you, taking into account the nature of processing, in responding to data subject requests and meeting your obligations under Articles 32–36 GDPR.
11. Deletion and return
On termination, we delete or return all personal data within 30 days, except where retention is legally required.
12. Contact
For DPA matters, contracts, and SCC signing: [email protected].