ReplyMagic data processing addendum.
Processor terms that apply when ReplyMagic processes personal data on your behalf under GDPR and related privacy laws.
This Data Processing Addendum ("DPA") forms part of the agreement between you ("Controller") and ZipLyne ("Processor", "ReplyMagic"), with a registered address at 30 N Gould St Ste N, Sheridan, WY 82801, United States. It applies whenever we process personal data on your behalf, including data about your followers, customers, and recipients of your Instagram messages.
1. Roles
For data we process to deliver the service to you (e.g. comments and DMs from your audience), you are the Controller and we are the Processor. For data we collect about you as our customer, we are the Controller and our Privacy Policy applies.
2. Subject matter and duration
Subject matter: provision of automated reply generation and delivery via the Instagram Graph API. Duration: the term of your subscription plus any retention period required by law.
3. Categories of data and data subjects
- Data subjects — your followers and people who comment on or DM your Instagram account.
- Categories — Instagram username, public profile info, message content, comment content, message timestamps.
- We do not process special categories of data unless your audience voluntarily includes it in messages. We discourage this.
4. Sub-processors
You consent to our use of the following sub-processors. We give 30 days' notice before adding or replacing a sub-processor.
| Sub-processor | Purpose | Location |
|---|---|---|
| Meta Platforms | Instagram Graph API delivery | US / global |
| Supabase | Managed Postgres + Auth | US |
| Cloudflare | API hosting and request routing | Global edge |
| Stripe | Payment processing | US / EU |
| Commercial AI providers | Reply generation (training disabled) | US |
| Microsoft Clarity | Marketing-site analytics (anonymized) | US |
An up-to-date list is always available on request and on this page. Email [email protected] if you need a signed copy of this DPA.
5. International transfers
Where personal data is transferred outside the EEA, the transfer is covered by the EU Standard Contractual Clauses (Module 2: Controller-to-Processor or Module 3: Processor-to-Processor as applicable), incorporated by reference, plus any additional safeguards required after a transfer impact assessment.
6. Security measures
- Encryption in transit (HTTPS/TLS) for all traffic to ReplyMagic.
- Encryption at rest for our managed database, provided by our database sub-processor.
- Principle of least privilege — production access is limited to the small operating team.
- Authentication is provided by our managed identity provider with support for multi-factor authentication.
- Automated, off-site database backups managed by our database sub-processor.
7. Confidentiality
Personnel with access to personal data are bound by written confidentiality obligations.
8. Audit rights
Once per 12-month period, on 30 days' written notice, you may send a reasonable written questionnaire and we will respond with the information needed to demonstrate compliance with this DPA.
9. Breach notification
We will notify you without undue delay after becoming aware of a personal data breach affecting your data, with the information reasonably available to us to help you meet your own notification obligations.
10. Assistance
We will assist you, taking into account the nature of processing, in responding to data subject requests and meeting your obligations under Articles 32–36 GDPR.
11. Deletion and return
On termination, we delete or return all personal data within 30 days, except where retention is legally required.
12. Contact
For DPA matters, contracts, and SCC signing: [email protected].