Privacy Policy

ReplyRun is an Instagram DM automation platform operated at replyrun.in. We enable Instagram Business and Creator account holders to automate direct message responses via keyword-based campaigns.

Data Controller: Email: privacy@replyrun.in

Account Data: Name, email address, hashed password, profile picture (via Google OAuth), and billing info (processed by Razorpay — we never store raw card data).

Instagram & Meta Platform Data (via Graph API):

• Instagram Business/Creator Account ID (IGSID) and username
• Cached profile info: name, biography, follower count, profile picture URL
• Long-lived Meta Graph API access tokens (encrypted at rest)
• Linked Facebook Page IDs and page-level access tokens
• Inbound comment text and sender IGSIDs (for keyword matching — not stored long-term)
• Outbound DM delivery metadata (message ID, timestamp)

Lead Capture Data (Optional): When enabled on a campaign, we may store the Instagram handles of users who interact. Additional data (email, phone) is only collected if explicitly submitted by the end-user.

• We only send DMs within the 24-hour standard messaging window as required by Meta Messaging Policy.
• We never access private content, friends lists, or messages beyond what is required for your automation features.
• We do not sell, license, or transfer Meta Platform Data to any third party, data broker, or advertiser.
• Access tokens are encrypted at rest and never exposed to client-side code.
• We respect all opt-out requests. If an end-user replies with "STOP" or "UNSUBSCRIBE", they are immediately added to an opt-out list.

We use collected information exclusively to: provide and improve the ReplyRun platform; authenticate your identity; dispatch automated DMs via the Instagram Messaging API; generate campaign analytics; send transactional emails; send newsletter updates (with consent only); and comply with legal and Meta Platform Policy requirements.

We never sell your data or use it for targeted advertising.

Data is stored in a PostgreSQL database on Neon (AWS ap-southeast-1) with TLS in transit and AES-256 at rest. The application runs on Vercel with enforced HTTPS.

• Passwords are hashed using bcrypt (cost factor 12) — plaintext passwords are never stored.
• Meta access tokens are encrypted and rotated every 60 days per Meta requirements.
• Rate limiting, CSRF protection, and disposable-email blocking are enforced on all auth endpoints.

In the event of a data breach affecting your personal data, we will notify you within 72 hours as required by GDPR Article 33.

We share data only with trusted service providers necessary to operate our platform:

• Meta (Facebook) — Instagram API access (access tokens, IGSID)
• Resend — Transactional email delivery (email address, name)
• Razorpay — Payment processing (email, billing amount)
• Neon / AWS — Database hosting (all stored user data)
• Vercel — Application hosting (server logs, IP addresses)

We do not share your data with advertising networks or data brokers.

• Access: Request a copy of all personal data we hold about you.
• Rectification: Correct inaccurate data (via Dashboard → Settings).
• Erasure ("Right to be Forgotten"): Request deletion of all your personal data.
• Restriction: Limit how we use your data.
• Portability: Receive your data in a machine-readable format.
• Object: Object to processing for marketing purposes.

Email privacy@replyrun.in to exercise any right. We respond within 30 days.

We retain your data while your account is active. Upon deletion:

• All user data, campaigns, DM events, Instagram connections, and tokens are permanently and immediately deleted via cascading database deletions.
• Backup data is purged within 30 days.
• Billing records may be retained for 7 years per Indian financial regulations.

To delete: Dashboard → Settings → Security → Delete Account, or see our Data Deletion page.

We use essential cookies only for authentication and security. See our Cookie Policy for full details.

We may update this policy from time to time. We will notify you of significant changes by email and by updating the "Last updated" date. Continued use of ReplyRun after changes constitutes acceptance.