Security

Built on trusted infrastructure.

ReplyMagic talks to Meta on your behalf. Here's an honest summary of how the system is built and where your data lives — without any made-up certifications.

Practices

What we actually do.

01

Encryption in transit

All traffic to the ReplyMagic website and app is served over HTTPS/TLS via our hosting provider.

02

Encryption at rest

Application data lives in Cloudflare D1 and KV, which are encrypted at rest by the platform. Card data never touches our database — it stays with Stripe.

03

Official Instagram Graph API

We connect to Instagram only through Meta's official Graph API. No scraping, no proxies, no rate-limit hacks.

04

Authentication

Sign in with Google or a one-time code sent to your email — for most accounts there's no password for anyone to leak. Sessions are managed by our auth layer on Cloudflare.

05

Payments

Card data is collected and stored by Stripe, a PCI-DSS Level 1 service provider. We never see or store full card numbers.

06

Least privilege

Production access is limited to the small operating team. We use the access controls provided by our cloud, database, and identity providers.

Sub-processors

Where your data actually lives.

We deliberately keep our stack small. The current list is also kept up-to-date in our DPA.

"A small, named stack. Each vendor is best-in-class at one thing, and you can verify them yourself."
  • Cloudflare: Hosting, request routing, databases (D1 + KV), and background queues — where your data lives.
  • Meta Platforms: Official Instagram Graph API for reading comments on your enabled posts and sending replies.
  • AI providers: Reply drafting and post-media analysis via commercial APIs such as OpenAI, Anthropic, and Google (Gemini). We don't train our own models on your data.
  • Stripe: Payment processing and subscription billing.
  • Resend: Transactional email — login codes, verifications, notices.
  • Sentry: Error monitoring and limited session replay of our own app.
  • Google / Meta: Analytics and advertising measurement on our public website only.

Account safety

How we treat your Instagram.

Connect

You connect via Instagram's official OAuth flow. You can revoke access at any time from your Instagram settings.

Stop

The app has a master AI on/off switch. Flipping it off stops new AI replies across every connected account immediately.

Skip

Comments containing your configured exclusion phrases are skipped by the AI entirely.

Delete

Email [email protected] from your account address and we delete your account and connected data within 30 days (excluding legally required billing records).

Responsible disclosure

Found something? Tell us.

We welcome reports from researchers and customers. We won't take legal action against good-faith research that respects user privacy and doesn't disrupt the service.

Report to

Include reproduction steps. Out of scope: denial-of-service, social engineering, physical attacks, and findings that require a rooted/jailbroken device.