RepliedBack home

Privacy Policy

Last updated: 2026-04-26

Replied (“we”, “us”) is operated by Synikaa. We provide Instagram DM automation for creators. This policy explains what data we collect, why, and how to delete it.

1. What we collect

  • Account data. Email, name, hashed password, and subscription status when you sign up.
  • Instagram data. When you connect your Instagram Business account, we receive: your IGSID, username, profile picture URL, and an access token (encrypted at rest). We do not store your password.
  • Webhook events. When someone comments on your post or sends you a DM, Meta forwards the event to us. We store the raw payload to match it against your rules and send the configured reply.
  • Sent-DM logs. For analytics and abuse prevention, we record which rule sent which DM to which recipient IGSID.
  • Contact cache. A 30-day rolling cache of recipient IGSIDs so we can avoid duplicate replies. Auto-deleted after 30 days.
  • Payment data. Razorpay handles your payment method. We only store your Razorpay customer/subscription IDs and status.

2. What we do NOT collect

  • We do not read or store the content of DMs sent to you by your followers.
  • We do not sell your data. Ever.
  • We do not use your data to train AI models.
  • We do not share Instagram data with third parties beyond what Meta requires.

3. Why we collect it

Solely to operate the service: receive Instagram events, match them against the auto-reply rules you create, and send the reply you configured.

4. Sharing

  • Meta / Instagram. We send your reply text via the Instagram Graph API to deliver DMs you authorize.
  • Razorpay. Your payment information is handled entirely by Razorpay; we never see your card or UPI details.
  • Resend. Sends transactional emails (signup, payment receipts, etc.).
  • PostHog. Product analytics on aggregated, anonymized usage.

5. Your rights

  • Disconnect Instagram. Settings → Connected Accounts → Disconnect. Your token is revoked and the IG account record deleted.
  • Delete your account. Settings → Account → Delete. All your data — user record, IG accounts, rules, logs, contacts — is permanently deleted within 7 days.
  • Export your data. Email hello@replied.in from your registered email and we’ll send a JSON export within 7 days.

6. Instagram data deletion (Meta requirement)

To request deletion of all Instagram-derived data we hold about you:

  1. Email hello@replied.in with subject “Instagram Data Deletion” and your IG username.
  2. We confirm and delete all related records within 7 days. We will email you a confirmation.
  3. You can also revoke our access immediately at Instagram › Apps and Websites.

7. Data retention

  • Webhook events: 90 days, then deleted.
  • Sent-DM logs: 12 months for analytics, then deleted.
  • Contact cache: 30 days (TTL-enforced in the database).
  • Account data: until you delete your account.

8. Security

Access tokens are encrypted at rest with AES-256-GCM. Passwords are hashed with bcrypt. All traffic is HTTPS. Hosted in AWS Mumbai (ap-south-1).

9. Children

Replied is not for users under 18. If you believe a minor has signed up, email us and we’ll delete the account.

10. Changes

We’ll email registered users at least 14 days before any material change.

11. Contact

Synikaa, India · hello@replied.in