Privacy Policy
Last updated: April 27, 2026
Document version: 2026-04-27.
1. Who we are (data controller)
replibo("replibo", "we", "our service") is a SaaS platform that automates replies to comments on Instagram professional accounts (Business or Creator), using the official Meta Platforms, Inc. APIs. This Privacy Policy describes how we process personal data, in accordance with Brazil's Lei Geral de Proteção de Dados (LGPD, Law 13.709/2018) and the applicable Meta Platforms requirements for apps using the Instagram Graph API.
Controller (LGPD art. 5º VI): the operator of the replibo service, a Brazilian micro-enterprise under the Simples Nacional regime, headquartered in Brazil. The full formal identification of the controller (corporate name, Brazilian Tax ID and address) is provided upon request via the contact channel below, in accordance with LGPD art. 9º (information on demand) and art. 18, II.
For questions, access, correction, portability or deletion requests: privacy@replibo.com.
2. Legal bases per purpose (LGPD art. 7º)
Each processing operation relies on one of the bases listed in art. 7 of the LGPD. The table below lists the main purposes, the data involved, and the legal basis applied:
| Purpose | Data | Legal basis (LGPD art. 7º) |
|---|---|---|
| Create and operate the customer account, authenticate the user, and provide the contracted service. | Email, name, password hash, Meta OAuth tokens, Instagram account identifiers. | V – contract performance. |
| Receive and automatically reply to comments delivered via Instagram webhooks. | Comment text and ID, media ID, commenter username, recipient IGSID for the DM. | V – contract performance. |
| Credit billing, subscription processing, and receipt issuance. | Email, internal purchase ID, amount, payment status, payment method data processed by the gateway (we do not store full card number nor CVV). | V – contract performance + II – compliance with legal/tax obligations. |
| Fraud and abuse prevention, automated-attack defense, rate-limit enforcement (access logs, IP, user-agent). | Source IP, user-agent, timestamps, request patterns. | IX – legitimate interest (security of the platform and other customers). |
| Operational, transactional notifications (low credit balance, charge failed, rule disabled, security alerts). | Email and notification preferences. | V – contract performance. |
| Marketing/news communications (opt-in only). We do not send any marketing today; when enabled, it will require explicit opt-in and an unsubscribe link in every message. | Email, name, preferences. | I – consent (revocable at any time). |
| Compliance with legal, tax, and judicial obligations. | Registration data, billing history, audit logs. | II – compliance with legal or regulatory obligation; VI – regular exercise of rights. |
| Consent audit trail (date, time, IP, and user-agent of the acceptance of the Terms and this Policy at signup or re-acceptance). | Accepted version, timestamp, IP, user-agent. | II – legal obligation (LGPD art. 9º requires verifiable consent). |
3. Data we collect
- replibo customer account: name, email, and password (stored only as a bcrypt hash with 12+ rounds, never in plain text).
- Instagram authorization tokens:when you connect an Instagram account via Meta's official OAuth, we receive and store the long-lived access token issued by Meta. This token is encrypted at rest (Fernet / AES-128) and only grants the permissions you authorized:
instagram_business_basic,instagram_business_manage_comments, andinstagram_business_manage_messages. - Instagram account identifiers:
ig_business_account_id,ig_user_id, and the username, received directly from Meta. - Webhook events: comments that Instagram sends to us (comment text, comment ID, media ID, commenter username). Only events related to the accounts you have connected, and only while the connection is active.
- Automation history: rules configured by you (keyword → message) and the log of replies sent (status/success/failure), so you can audit the system.
- Billing and recurring-billing data: amount paid, status (pending/paid/failed/refunded/disputed), coupon code used, last 4 digits and brand of the card (display only; the full number remains with the gateway and never transits through replibo).
- Technical / security data: source IP address, browser agent, timestamps, server error logs, retained for the minimum period necessary for operation, security, and diagnostics.
- Consent audit trail: date, time, IP, user-agent, and version of the legal documents accepted at signup and any subsequent re-acceptance.
What we do NOT collect: Direct Message content beyond what is needed to reply to the triggering comment via Private Reply; data from third parties who do not interact with the connected accounts; data from children under 13; full card number or CVV.
4. How we use data
Collected data is used exclusively to:
- Operate the comment auto-reply service according to the rules you configured.
- Periodically refresh the Instagram access token (roughly every 60 days, per Meta's lifecycle).
- Authenticate you in the dashboard via a signed HttpOnly cookie (JWT).
- Display history, metrics, and rule performance.
- Process one-time and recurring charges through the payment gateway (AbacatePay).
- Comply with legal, tax, and judicial obligations.
- Prevent fraud, abuse, automated attacks, and violations of Meta's or replibo's Terms.
We do not sell personal data. We do not use your data to train third-party AI models nor our own. We do not use it for behavioral advertising.
5. Sub-processors and data sharing
We share data only with the third parties strictly necessary for the service to operate. We update this list when there are material changes.
| Sub-processor | Purpose | Data involved | Country / Region |
|---|---|---|---|
| Amazon Web Services, Inc. (AWS) | Hosting infrastructure (EC2, RDS Postgres, SQS, CloudWatch, Secrets Manager, S3, Amplify for the frontend). | All personal data stored by the platform. | USA (us-east-1, N. Virginia). |
| Meta Platforms, Inc. | Receiving Instagram webhooks, OAuth authentication, and sending DMs/replies via the Graph API. | Account identifiers, comments, content of automated replies. | USA. |
| Abacate Pay Pagamentos Ltda. (AbacatePay) | Payment processing (Pix and credit card), hosted checkout, and recurring subscription billing. | Email, amount, internal purchase/subscription ID, last 4 digits and brand of the card (the full number remains exclusively with the gateway). | Brazil. |
| Cloudflare, Inc. | Domain registration of replibo.com, authoritative DNS, and Email Routing of @replibo.comaddresses to the operator's mailbox. | DNS metadata; email addresses and headers of routed messages. | USA. |
| Amazon Simple Email Service (Amazon SES) | Sending transactional emails (account verification, password recovery, operational alerts) when enabled. | Email, name, and the body of the transactional message. | USA (us-east-1). |
| Functional Software, Inc. (Sentry) | Backend error monitoring (optional, enabled only when the operator configures a DSN). PII scrubbing is applied before sending. | Error stack-traces, exception type, request IDs. We do not send email, name, or tokens. | USA. |
| Public authorities (only when legally required) | Compliance with court orders and requests from Brazil's ANPD or tax authorities. | Data strictly necessary to comply with the order. | Brazil. |
We do not share data with marketing partners, data brokers, or any third party for commercial profiling. We do not train AI models with customer content.
6. International data transfer
Some sub-processors above operate outside Brazil (mostly the USA). These transfers rely on the bases of LGPD art. 33: contractual guarantees that the sub-processor maintains a level of protection equivalent to the LGPD, standard contractual clauses for international transfers, and/or your execution of contract / compliance with legal obligations. Whenever possible, we choose regions and offerings with equivalent certifications (ISO 27001, SOC 2, etc.).
7. Data retention
- Account and tokens: retained while your replibo account is active. Upon account deletion, tokens are revoked and personal data is anonymized within 30 days.
- Webhook events (comments) and reply logs: retained for up to 90 days for auditing and diagnostics; after that period they are aggregated or deleted.
- Instagram account disconnection: upon disconnect, the token is revoked and the data for that account is anonymized or deleted within 30 days, except where legally required otherwise.
- Technical logs: retained for up to 30 days for operational security purposes.
- Financial / tax data: retained for the applicable legal period (up to 5 years from the end of the relevant fiscal year, per Brazilian accounting/tax legislation).
- Consent trail: retained for the same duration as the contractual relationship, to allow proof to the data subject, ANPD, or in court.
8. Your rights as a data subject (LGPD art. 18)
At any time you may request:
- Confirmation that processing exists;
- Access to your data;
- Correction of incomplete, inaccurate, or outdated data;
- Anonymization, blocking, or elimination of unnecessary or non-compliant data;
- Data portability (delivery in a structured, machine-readable format);
- Deletion of data processed with consent;
- Information about with whom we share data (public and private agents);
- Withdrawal of consent;
- Review of automated decisions, where applicable.
Self-service (logged-in customers):
- Portability:
Settings → My data → Download my datadownloads a JSON containing every personal data field replibo holds about you. - Rectification: name and preferences in
Settings; email change via token-confirmation flow (link sent to the new email). - Deletion:
Settings → Delete accounttriggers immediate anonymization; the final-removal link is sent by email and processed within 30 days. - Partial consent withdrawal: email notification preferences in
Settings.
By email: send your request to privacy@replibo.com. We respond within 15 calendar days (LGPD art. 19, §1º).
Meta Data Deletion Request:you can also trigger Meta's official flow. We honor those requests within 30 days and expose the processing status at https://api.replibo.com/auth/instagram/data-deletion/status?code=<code>. The code is generated by Meta when the request is submitted.
9. Security
Technical and organizational measures in place:
- Encryption in transit (TLS 1.2+) on all connections.
- Encryption at rest (AES) for Instagram access tokens stored in the database, with the key managed in AWS Secrets Manager.
- Passwords stored only as bcrypt hashes with 12+ rounds.
- Strong-password policy (zxcvbn score >= 3) and breached password detection.
- Authentication via HttpOnly + Secure + SameSite cookie; signing key rotation (KID-based).
- HMAC-SHA256 validation on every webhook request received from Meta, rejecting forged payloads.
- CSRF protection on the OAuth flow (state persisted and validated).
- Rate-limiting and AWS WAF on sensitive endpoints.
- Database in a private subnet; access only from the authorized application and operator VPN/SSM.
- Secrets stored in AWS Secrets Manager; never in source code.
- Automated database backups with configured retention and point-in-time recovery.
In the event of a security incident that may cause material risk, we will notify affected users and the competent data protection authority within the LGPD deadlines (art. 48).
Vulnerability reporting: security@replibo.com (also published at /.well-known/security.txt).
10. Cookies
We use a single strictly essential cookie: access_token, session-scoped, HttpOnly, Secure, SameSite=Lax, required to authenticate you in the dashboard. We do not use advertising, third-party analytics, or cross-site tracking cookies; that is why we do not display a cookie banner.
11. Children
replibo is not intended for users under 13. We do not knowingly collect data from this age group. If we become aware of inadvertent collection, the data will be deleted.
12. Changes to this Policy
We may update this Policy periodically. The last-updated date is shown at the top, along with the document version (2026-04-27). Material changes will be communicated by email to users with active accounts and will require new acceptance in the dashboard.
13. Data Protection Officer and contact
The Data Protection Officer (LGPD art. 41) can be reached at privacy@replibo.com. The full identification of the DPO is provided upon request from the ANPD or the data subject.
You may also lodge a complaint with the Brazilian National Data Protection Authority (ANPD) at www.gov.br/anpd.
For formal communications, please use privacy@replibo.com. The full identification of the controller (corporate name, Brazilian Tax ID and address) is provided upon request from the data subject or from a competent authority.