ReplyMagic privacy policy and data rights.

This Privacy Policy explains how ReplyMagic (operated by ZipLyne, 30 N Gould St Ste N, Sheridan, WY 82801, United States) collects, uses, and protects information when you use our website, app, and services. It is written to be readable. If anything is unclear, write us at [email protected].

1. Data we collect

• Account data — your name, email address, and profile image. You sign in with Google or a one-time code sent to your email, so for most accounts we never receive or store a password.
• Instagram data via the official Meta Graph API — the business/creator account you connect, its access token, public profile metadata (username, picture, follower counts), the posts on which you enable replies (caption and media), the comments received on those posts (comment text plus the commenter's Instagram username, user ID, and profile picture), and the replies we send on your behalf.
• Context you provide — business description, products, prices, offers, voice/tone samples, FAQs, signature phrases, exclusion phrases, and topics you ask the agent to always mention.
• Billing data — handled by Stripe. We store your Stripe customer ID, plan, and subscription state. We never see or store full card numbers.
• Usage and diagnostic data — pages visited, feature interactions, approximate location, IP address, device/browser type, and error reports (including, in some cases, session replays of UI interactions on our own app via our error-monitoring provider).

2. How we use it

• To run the service — generate replies, analyze the media on your posts so replies stay on-topic, deliver replies through Meta, and show analytics.
• To authenticate you and protect your account.
• To bill you and enforce plan limits.
• To diagnose errors and improve the product.
• To send transactional email (login codes, receipts, important changes) via our email provider.
• To measure marketing and advertising performance (see section 5).

3. Legal bases (GDPR)

We process personal data under the following bases: contract (to provide the service you signed up for), legitimate interests (to secure, diagnose, and improve the service), consent (for analytics and advertising technologies), and legal obligation (tax and accounting records).

4. Third-party processors

We share data only with the vendors needed to run the product. The current list is also kept in our Data Processing Addendum:

• Cloudflare — hosting, request routing, and our databases (Cloudflare D1 and KV) and background queues. Stores essentially all account, Instagram, and usage data.
• Meta Platforms — the official Instagram Graph API, used to read comments on your enabled posts and send replies on your behalf.
• AI providers — to draft replies and analyze post media, we send the relevant content to commercial AI provider APIs such as OpenAI, Anthropic, and Google (Gemini), accessed directly and through an AI gateway. We do not use your data to train our own models, and we do not sell it.
• Stripe — payment processing and subscription billing.
• Resend — delivery of transactional email (login codes, verifications, notices).
• Sentry — error monitoring and limited session replay of our own app to diagnose bugs.
• Google — Google Analytics and Google Ads conversion measurement on our website.
• Meta — the Meta Pixel for advertising measurement on our website.

5. Analytics and advertising

On our public website we use Google Analytics, the Meta Pixel, and Google Ads conversion tracking, and we record advertising click identifiers (such as Google and Meta click IDs) to measure where sign-ups come from. These technologies set cookies and similar identifiers and may share data with Google and Meta for measurement. We do not run these advertising or analytics technologies inside the logged-in app, and we do not sell your personal information.

To be fully transparent: we do not yet present a cookie-consent banner, so these technologies currently load by default. We plan to add granular consent controls. In the meantime you can block them using your browser settings, an ad/tracker blocker, or a Global Privacy Control signal, which we honor where applicable. See our Cookie Policy for the full list.

6. Retention

Account, Instagram, and context data is retained while your account is active. When you ask us to delete your account, we remove your personal data within 30 days, except for records we are legally required to keep (typically billing records, retained as required by U.S. federal and state tax law). Some Instagram data is stored using a soft-delete first and then purged.

7. Your rights

If you are in the EEA, UK, or Switzerland, you have the right to access, rectify, erase, restrict, port, and object to processing of your personal data, and to lodge a complaint with a supervisory authority. If you are in California, you have rights under the CCPA/CPRA including access, deletion, correction, and the right to opt out of "sharing" — we do not sell or share personal information for cross-context behavioral advertising.

To exercise any right — including deleting your account and connected data — email [email protected] from the address on your account. We respond within 30 days.

8. International transfers

Our processors are primarily based in the United States, and Cloudflare operates a global edge network. Where personal data is transferred outside the EEA/UK, the transfer is covered by Standard Contractual Clauses (SCCs) and additional safeguards. See our Data Processing Addendum for details.

9. Security

We use encryption in transit (HTTPS/TLS) and rely on our infrastructure provider's encryption at rest, principle-of-least-privilege access controls, and continuous error monitoring. See /security for an overview.

10. Children

ReplyMagic is not intended for anyone under 16. We do not knowingly collect data from children.

11. Changes

We may update this policy. Material changes will be announced by email and on this page at least 14 days before they take effect.

12. Contact

ZipLyne, 30 N Gould St Ste N, Sheridan, WY 82801, United States — [email protected]. For data processing matters, see our DPA.

---

Last updated: 2026-05-25