Privacy Policy

Last updated: April 22, 2026

1. Who we are

replibo ("replibo", "we", "our service") is a SaaS platform that automates replies to comments on Instagram professional accounts (Business or Creator), using the official Meta Platforms APIs. This Privacy Policy describes how we process personal data, in accordance with Brazil's Lei Geral de Proteção de Dados (LGPD — Law 13.709/2018) and the applicable Meta Platforms requirements for apps using the Instagram API.

Questions, access, correction or deletion requests: privacy@replibo.com.

2. Data we collect

We collect the following categories of data:

  • replibo customer account: name, email, and password (stored only as a bcrypt hash — never in plain text).
  • Instagram authorization tokens: when you connect an Instagram account via Meta's official OAuth, we receive and store the long-lived access token issued by Meta. This token is stored encrypted at rest (Fernet / AES-128) and only grants the permissions you authorized: instagram_business_basic, instagram_business_manage_comments, and instagram_business_manage_messages.
  • Instagram account identifiers: ig_business_account_id, ig_user_id, and the username, received directly from Meta.
  • Webhook events: comments that Instagram sends to us (comment text, comment ID, media ID, commenter username). Only events related to the accounts you have connected, and only while the connection is active.
  • Automation history: rules configured by you (keyword → message) and the log of replies sent (status/success/failure) — so you can audit the system's behavior.
  • Technical data: server access logs (source IP address, browser agent, timestamps) for the minimum period necessary for operation, security, and diagnostics.

What we do NOT collect: Direct Message content beyond what is needed to reply to the triggering comment via Private Reply; data from third parties who do not interact with the connected accounts; data from children under 13.

3. How we use data

Collected data is used exclusively to:

  • Operate the comment auto-reply service according to the rules you configured.
  • Periodically refresh the Instagram access token (roughly every 60 days, per Meta's lifecycle).
  • Authenticate you in the dashboard via a signed HttpOnly cookie (JWT).
  • Display history, metrics, and rule performance.
  • Comply with legal obligations and respond to valid court orders.
  • Prevent fraud, abuse, automated attacks, and violations of Meta's or replibo's Terms.

We do not sell personal data. We do not use your data to train third-party models or for behavioral advertising.

4. Data sharing

We share data only with the third parties strictly necessary for the service to operate:

  • Meta Platforms, Inc. — all Instagram API calls and webhooks. Subject to Meta's Privacy Policy.
  • Amazon Web Services (AWS) — infrastructure provider (EC2, RDS Postgres, Secrets Manager, Amplify), in the region us-east-1. Data is not transferred between regions nor outside the providers listed here.
  • Public authorities — when legally required, upon valid court order or regulatory determination.

We do not share data with marketing partners, data brokers, or any third party for commercial profiling purposes.

5. Data retention

  • Account and tokens: retained while your replibo account is active. Upon account deletion, tokens are removed within 30 days.
  • Webhook events (comments) and reply logs: retained for up to 90 days for auditing and diagnostics; after that they are aggregated or deleted.
  • Instagram account disconnection: upon disconnect, the token is revoked and the data for that account is anonymized or deleted within 30 days, except where legally required otherwise.
  • Technical logs: retained for up to 30 days for operational security purposes.

6. Your rights

At any time you may request:

  • Confirmation that processing exists;
  • Access to your data;
  • Correction of incomplete, inaccurate, or outdated data;
  • Anonymization, blocking, or elimination of unnecessary or non-compliant data;
  • Data portability;
  • Deletion of data processed with consent;
  • Information about with whom we share data;
  • Withdrawal of consent.

To exercise any right, email privacy@replibo.com. We respond within 15 calendar days.

You can also request deletion through Meta's official flow (Data Deletion Request). We honor these requests within 30 days and expose a public status URL at https://api.replibo.com/auth/instagram/data-deletion/status?code=<code>.

7. Security

Technical and organizational measures in place:

  • Encryption in transit (TLS 1.2+) on all connections.
  • Encryption at rest (AES) for Instagram access tokens stored in the database.
  • Passwords stored only as bcrypt hashes with 12+ rounds.
  • Authentication via HttpOnly + Secure + SameSite cookie.
  • HMAC-SHA256 validation on every webhook request received from Meta, rejecting forged payloads.
  • CSRF protection on the OAuth flow (state persisted and validated).
  • Database in a private subnet; access only from the authorized application.
  • Secrets stored in AWS Secrets Manager; never in source code.

In the event of a security incident that may cause material risk, we will notify affected users and the competent data protection authority within legal deadlines.

8. International data transfer

Our AWS infrastructure runs in us-east-1 (United States). Meta also processes data in the United States. These jurisdictions are recognized as adequate for personal data protection by Brazil's ANPD, and transfers are subject to the respective providers' contractual safeguards.

9. Cookies

We use a single essential cookie: access_token, session-scoped, HttpOnly, required to authenticate you in the dashboard. We do not use advertising or cross-site tracking cookies.

10. Children

replibo is not intended for users under 13. We do not knowingly collect data from this age group. If we become aware of inadvertent collection, the data will be deleted.

11. Changes to this Policy

We may update this Policy periodically. The last-updated date is shown at the top. Material changes will be communicated by email to users with active accounts.

12. Data Protection Officer and contact

Data Protection Officer: dpo@replibo.com.

Address for formal communications: (to be published at launch — populate before submitting to Meta App Review).