Privacy Policy
last updated · 2026-05-13
This Privacy Policy describes how {{LEGAL_NAME}} (“Replyable”, “we”, “us”) collects, uses, and protects your personal data when you use the Replyable service. It applies to data we control as a data controller under the EU General Data Protection Regulation (GDPR) and equivalent rules in other jurisdictions.
What we collect
- Clerk account identifier: we store the opaque Clerk user ID as our internal account key. Clerk separately holds your email, password, and any social-login profile details on their systems under their own privacy policy; we do not import those details into our database. During onboarding, if you previously signed in with X/Twitter, we read your X username from Clerk at render time only to pre-fill the profile-scan field. That value is not persisted from Clerk; only the handle you actually submit (see below) is stored.
- Preferences you submit: topics, niches, optional reply-style notes.
- The X handle you submit when scanning a profile during onboarding. We do not store your X credentials and never act on your behalf on X.
- Session data: the queries you run, the public X posts surfaced for those queries, which posts you opened, and timestamps. Surfaced posts are public X content; over the long term we retain metadata about those posts, not their full text.
- Billing data: subscription status, plan, renewal date. Payment card details are handled by Lemon Squeezy; we never see or store them.
- Operational logs: minimal request logs (IP address, timestamp, route) kept for security and abuse prevention.
Why we process it (lawful basis)
- Performance of a contract (GDPR Art. 6(1)(b)) for running the service you signed up for.
- Legitimate interests (Art. 6(1)(f)) for security logs, abuse prevention, and aggregate product analytics.
- Legal obligation (Art. 6(1)(c)) for tax records kept by our payment processor.
Subprocessors
We rely on the following processors to operate Replyable. Each is bound by a Data Processing Agreement and, where relevant, Standard Contractual Clauses (SCCs) for international transfers.
- Clerk (US) — authentication provider. Clerk stores your email, password, and any social-login profile data you provide at sign-up; they are the controller of that identity data under their own privacy policy. Our application only receives an opaque user ID from Clerk and stores nothing else from your Clerk profile.
- Neon (EU region) — managed Postgres database.
- xAI (US) — the Grok API processes your topics, niches, optional style notes, and (if you scan) your X handle in order to find relevant posts and extract preferences. Inputs are sent to xAI at request time. We do not authorize xAI to train models on your inputs.
- Lemon Squeezy (US) — payment processor acting as our Merchant of Record. Lemon Squeezy collects card details, issues invoices, and remits sales tax / VAT in applicable jurisdictions.
- Vercel (US / EU edge) — application hosting and request delivery. Includes Vercel Analytics and Speed Insights, both of which are cookieless and IP-anonymized.
International transfers
Some of the subprocessors above are located in the United States. Transfers rely on the EU Standard Contractual Clauses and additional technical safeguards (encryption in transit and at rest).
Retention
When you delete your account, we delete your sessions, session posts, and preferences immediately via an automated webhook from our authentication provider. Backups containing your data are rotated out within 30 days.
Billing records are retained by Lemon Squeezy for the period required by Polish tax law (currently 5 years from the end of the relevant tax year).
Your rights
Under the GDPR you have the right to access, rectify, erase, restrict, port, and object to the processing of your personal data, and to withdraw any consent you previously gave. Many of these can be handled in-app (editing your topics, deleting your account).
For requests that need our involvement, including data export (portability), email {{CONTACT_EMAIL}}. We respond without undue delay and in any event within one month of receiving your request, as required by GDPR Article 12(3).
Cookies and tracking
We use only strictly-necessary cookies set by our authentication provider to keep you signed in. These do not require consent under the ePrivacy Directive. We do not use advertising, marketing, or cross-site tracking cookies. Vercel Analytics and Speed Insights are cookieless. If we add additional tracking in the future, this policy will be updated and consent will be collected where required.
Security
Data is encrypted in transit (TLS) and at rest by our database provider. Access to production data is limited to the operator of the service. Despite reasonable measures, no system is perfectly secure; if you suspect a breach, notify us immediately at {{CONTACT_EMAIL}}.
Children
Replyable is not directed at children under 18. We do not knowingly collect data from anyone under 18.
Changes to this policy
We may update this policy. Material changes will be announced by email and in-app at least 30 days before they take effect. The “last updated” date at the top of this page always reflects the current version.
Operator and data controller
The data controller responsible for processing your personal data, and the service provider for the purposes of Article 5(1) of the Polish Act on Providing Services by Electronic Means (ustawa o świadczeniu usług drogą elektroniczną) and EU e-commerce disclosure rules, is:
- Legal name: {{LEGAL_NAME}}
- Business address: {{BUSINESS_ADDRESS}}
- Tax ID (NIP): {{NIP}}
- Contact email: {{CONTACT_EMAIL}}
Supervisory authority
If you believe we have mishandled your data you have the right to complain to the Polish data protection authority (Prezes Urzędu Ochrony Danych Osobowych — UODO, uodo.gov.pl) or your local EU supervisory authority.