Privacy Policy
Effective Date: February 26, 2026 | Last Updated: February 26, 2026
1. Introduction
This Privacy Policy describes how Replybase ("we," "us," or "our"), a company based in Ontario, Canada, collects, uses, discloses, and protects personal information in connection with our Instagram automation platform (the "Service"). The Service enables businesses to automate AI-powered responses to Instagram direct messages and comments.
We are committed to compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and, to the extent applicable, other privacy laws including the General Data Protection Regulation (GDPR) for users in the European Economic Area and the United Kingdom.
If you have questions or concerns about this policy, please contact us at:
Replybase, Ontario, Canada. Email: support@replybase.app
2. Scope
This policy applies to:
- Customers — businesses and individuals who register for and use the Service.
- Prospects — Instagram users whose direct messages or comments are processed through the Service on behalf of our Customers.
If you are a Prospect whose messages have been processed by the Service, see Section 5 (Prospects) for information specific to you.
3. Information We Collect About Customers
3.1 Account and Identity Information
When you create an account, we collect:
- Email address and password (managed by Supabase Auth)
- Your name and business name
- Industry and company size
- Business goals and a description of your business
3.2 Instagram Account Credentials
When you connect an Instagram Business account to the Service, we collect and store:
- Instagram user ID and username
- Instagram profile picture URL
- Linked Facebook Page ID (if applicable)
- Instagram API access tokens and their expiry timestamps
Access tokens are stored encrypted at rest and are used solely to send messages and retrieve account data on your behalf through the Instagram Graph API. Tokens are automatically refreshed before expiry and invalidated when you disconnect your account.
3.3 Automation Configuration Data
To operate your automation flows, we store:
- Flow names, event types (DM or comment), and active/inactive status
- Agent configurations including system prompts, AI model selection, voice settings, and tool access settings
- Trigger configurations (keyword rules or AI-evaluated conditions)
- Example responses you provide to calibrate your communication style, including derived characteristics such as energy level, sentence length, and characteristic phrases
- Instagram post IDs linked to comment-targeting flows
3.4 Message and Execution Data
For each automated interaction, we store:
- The full text of incoming messages (from your prospects) and outgoing AI-generated responses
- Instagram message IDs for delivery confirmation
- Approval status of each message (where manual approval is required)
- Execution metadata: timestamps, success status, step counts
This data is retained to provide conversation history to the AI agent, enable manual approval workflows, and generate analytics.
3.5 Third-Party Tool Integration Data
If you connect third-party tools through Composio (currently Google Calendar, Google Sheets, and Gmail), we store:
- An OAuth connection ID and the name of the connected service
- Active/inactive connection status
We do not store your Google credentials directly; these are managed by Composio. See Section 7 (Third-Party Processors).
3.6 Instagram Export Data
During onboarding, you may optionally upload an export of your own Instagram message history. This file is stored in Supabase Storage solely for the purpose of analyzing your communication style.
3.7 Usage and Technical Data
We may collect standard server-side technical data including IP addresses, browser type, and timestamps through our hosting provider Vercel and background job processor Inngest, primarily for security, debugging, and service reliability purposes.
4. How We Use Customer Information
We use the personal information described above for the following purposes:
| Purpose | Legal Basis (PIPEDA) | Legal Basis (GDPR, if applicable) |
|---|---|---|
| Provide and operate the Service | Consent / Contractual necessity | Performance of contract |
| Authenticate you and protect your account | Contractual necessity | Performance of contract |
| Send automated Instagram messages and replies on your behalf | Consent | Performance of contract |
| Generate AI responses using your communication style profile | Consent | Performance of contract |
| Enable manual approval review of AI-generated messages | Consent | Performance of contract |
| Provide analytics and performance metrics | Consent | Legitimate interests |
| Refresh and manage Instagram access tokens | Contractual necessity | Performance of contract |
| Notify you of token expiry or account issues | Contractual necessity | Performance of contract |
| Detect fraud, abuse, and security threats | Legitimate interest | Legitimate interests |
| Comply with legal obligations | Legal obligation | Legal obligation |
We do not sell your personal information to third parties. We do not use your data to train AI models; message content and your communication style profile are used only as context when generating responses on your behalf.
5. Information About Prospects
"Prospects" are Instagram users who send DMs to or comment on posts belonging to your connected Instagram Business account.
5.1 What We Collect About Prospects
When a Prospect interacts with your Instagram account, we collect and store:
- Instagram user ID (IGSID) and username
- The full text content of their DMs and comments
- Instagram message IDs
If you have enabled the Book Meeting tool, the AI agent may collect a Prospect's email address and name during a conversation in order to send a calendar invitation. This data is passed to Google Calendar and Gmail via Composio.
If you have enabled the Add to Sheet tool, the AI agent may add Prospect data to your configured Google Sheet.
5.2 Our Role Regarding Prospect Data
For Prospect personal information, we act as a data processor on behalf of our Customer (you). You, as the Instagram Business account operator, are the data controller responsible for how Prospect data is handled. You are responsible for ensuring your use of the Service complies with applicable privacy laws with respect to your Prospects, including providing any required disclosures to Prospect users.
5.3 Retention of Prospect Data
Prospect data is retained as long as your Customer account is active and for a reasonable period thereafter, unless you request deletion (see the retention periods in Section 8). Disconnecting an Instagram account from the Service cascade-deletes the sessions and message history associated with that connection.
6. Disclosure of Information
We do not disclose your personal information to third parties except in the following circumstances:
- Service providers and processors: As described in Section 7.
- At your direction: When you connect third-party tools (Google Calendar, Gmail, Google Sheets), you authorize us to pass relevant data to those services through Composio.
- Legal requirements: If required by law, court order, or government authority in Canada or another applicable jurisdiction, we will disclose information as required, and where legally permissible, we will notify you.
- Business transfers: If we undergo a merger, acquisition, or sale of assets, personal information may be transferred as part of that transaction. We will notify you via email or a prominent notice on the Service in advance.
- Protection of rights: To protect the rights, safety, and property of us, our Customers, or the public where required or permitted by law.
7. Third-Party Service Providers and Processors
We use the following third-party processors to operate the Service. Each is bound by their own privacy policy and applicable terms:
| Processor | Role | Location |
|---|---|---|
| Supabase | Database, authentication, and file storage | USA (AWS) |
| Vercel | Web hosting and serverless compute | USA / Global edge |
| Anthropic | AI language model (Claude) for response generation | USA |
| Inngest | Background job processing and event orchestration | USA |
| Composio | Third-party tool OAuth and action execution | USA |
| ElevenLabs | Text-to-speech voice synthesis (optional) | USA |
| Meta (Instagram/Facebook) | Instagram Graph API — receiving webhooks and sending messages | USA / Global |
Message content processed by Anthropic is subject to Anthropic's data usage policies. Under the standard Anthropic API terms, your data is not used to train their models.
Cross-border transfers: Some processors are located in the United States. By using the Service, you consent to the transfer of your personal information to the United States and other jurisdictions which may have different data protection laws than your home country. We rely on our processors' own cross-border transfer mechanisms (such as Standard Contractual Clauses) where applicable.
8. Data Retention
| Data Category | Retention Period |
|---|---|
| Account and profile information | Duration of account, plus 30 days after deletion request |
| Instagram access tokens | Duration of account connection; deleted upon disconnection or expiry |
| Automation flow configurations | Duration of account |
| Message history (Customer and Prospect) | Duration of account; deleted upon account deletion |
| Instagram export files | Duration of account |
| Temporary voice audio files | Deleted after delivery to Instagram |
| Server and application logs | Up to 90 days |
9. Security
We implement commercially reasonable technical and organizational safeguards to protect your personal information, including:
- HTTPS encryption for all data in transit
- Database encryption at rest (Supabase)
- Instagram access tokens stored encrypted and never exposed client-side
- HMAC-SHA256 signature verification on all incoming Instagram webhooks
- JWT-based session authentication with HTTP-only cookies
- Role-based access controls separating customer and administrative data
No security measure is perfect. If you believe your account has been compromised, contact us immediately at support@replybase.app.
10. Your Rights Under PIPEDA
Under PIPEDA, you have the right to:
- Access the personal information we hold about you.
- Correct inaccurate or incomplete personal information.
- Withdraw consent to the collection, use, or disclosure of your personal information (subject to legal or contractual limitations). Note that withdrawing consent may prevent us from providing some or all of the Service.
- Challenge compliance with this policy or PIPEDA by contacting our privacy contact.
To exercise these rights, contact us at support@replybase.app. We will respond within 30 days.
10.1 Additional Rights for EU/EEA/UK Users (GDPR)
If you are located in the European Economic Area or the United Kingdom, you additionally have the right to:
- Erasure ("right to be forgotten"): Request deletion of your personal data.
- Restriction of processing: Request that we limit how we process your data in certain circumstances.
- Data portability: Receive a copy of your data in a structured, machine-readable format.
- Object to processing: Object to processing based on legitimate interests.
- Lodge a complaint with your local data protection authority (e.g., the ICO in the UK or a relevant EU supervisory authority).
Our legal basis for processing under GDPR is primarily performance of contract (Art. 6(1)(b)) and legitimate interests (Art. 6(1)(f)). Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
11. Deleting Your Account and Data
To request deletion of your account and personal data:
- Email support@replybase.app with the subject line "Account Deletion Request."
- Include the email address associated with your account.
- We will confirm receipt and complete deletion within 30 days.
Upon deletion:
- Your account, profile, and flow configurations will be permanently deleted.
- Instagram account connections and stored access tokens will be revoked and deleted.
- Message history (including Prospect messages processed through your account) will be deleted.
Some information may be retained where required by law or for legitimate fraud prevention purposes for a limited time after deletion.
12. Children's Privacy
The Service is intended for use by businesses and individuals aged 18 and over. We do not knowingly collect personal information from children under the age of 13. If we become aware that we have inadvertently collected such information, we will delete it promptly.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Sending an email to the address associated with your account, and/or
- Displaying a prominent notice within the Service.
The updated policy will be effective as of the date noted at the top of this document. Continued use of the Service after the effective date constitutes acceptance of the revised policy.
14. Contact Us
For privacy-related inquiries, access requests, or complaints:
Privacy Officer, Replybase, Ontario, Canada. Email: support@replybase.app
If you are not satisfied with our response, you may contact the Office of the Privacy Commissioner of Canada at priv.gc.ca or, for EU/EEA users, your local data protection authority.