Privacy Policy

Effective Date: April 2, 2026 · Last Updated: April 2, 2026

Summary: Replia collects only what's needed to provide the service. We don't sell your data. We don't use your content to train AI models. You can delete everything at any time.

1. Data Controller

The data controller for information processed through Replia is:

Arve Tech FZC - LLC
Free Zone Company — Limited Liability
United Arab Emirates
Email: privacy@replia.net
Data Protection Contact: dpo@replia.net

2. Scope of This Policy

This Privacy Policy applies to all personal data processed through:

The Replia mobile application (iOS, Android)
The Replia website (replia.net)
Associated APIs and backend services

This policy does not apply to third-party services we integrate with (Meta Threads, Anthropic). Please review their respective privacy policies separately.

3. Categories of Personal Data We Collect

3.1 Data You Provide Directly

Category	Data	Purpose
Account	Email address, password hash	Authentication
Profile	Display name, avatar	Personalization
Preferences	Theme, AI voice tone, niches, notification settings	Service configuration
Content	Post drafts, custom AI prompts, edited replies	Content creation

3.2 Data Collected from Third Parties

Source	Data	Purpose
Meta Threads API	Username, profile picture, follower count, published posts, post metrics (views, likes, replies, reposts), public mentions	Analytics, reply queue, publishing
Meta OAuth	Authorization tokens	API access on your behalf

3.3 Data Collected Automatically

Category	Data	Purpose
Usage	Feature usage, AI generation count, posts/replies sent per day, streak data	Service limits, gamification
Device	Device type, OS version, app version, IP address	Technical support, security
Performance	Crash reports, API response times	Service reliability

4. Legal Bases for Processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your data under the following legal bases:

Processing Activity	Legal Basis
Account creation and authentication	Contract performance (Art. 6(1)(b))
Publishing posts and replies on Threads	Contract performance (Art. 6(1)(b))
AI content generation	Contract performance (Art. 6(1)(b))
Analytics and performance tracking	Contract performance (Art. 6(1)(b))
Usage tracking and rate limiting	Legitimate interest (Art. 6(1)(f))
Crash reporting and diagnostics	Legitimate interest (Art. 6(1)(f))
Marketing communications	Consent (Art. 6(1)(a))

5. How We Use Your Data

Service Delivery: Authenticate you, publish content to Threads, display analytics, manage reply queue, track streaks and goals
AI Processing: Generate post drafts, rewrites, reply suggestions, and virality scores. Your content and preferences are sent to our AI provider (Anthropic) for processing. Anthropic does not use API inputs to train models per their commercial data policy.
Personalization: Adjust AI output based on your selected voice tone and niches
Account Management: Enforce usage limits, manage subscriptions, process payments
Security: Detect abuse, prevent unauthorized access, enforce terms of service
Improvement: Aggregate, anonymized analytics to improve service quality. Individual content is never reviewed by staff unless you report an issue.

6. Data Sharing and Sub-Processors

We do not sell, rent, or trade your personal data.

We share data with the following categories of service providers ("sub-processors"), solely to operate the Service:

Sub-Processor	Purpose	Data Shared	Location
Meta Platforms, Inc.	Threads API (publish, read, analytics)	OAuth tokens, post content, API requests	United States
Anthropic PBC	AI content generation	Text prompts, tone preferences	United States
Supabase, Inc. (AWS)	Database, authentication, file storage	All account and usage data	United States (us-east-1)
Stripe, Inc. / Apple / Google	Payment processing	Email, subscription status	United States
Cloudflare, Inc.	CDN, DNS, website hosting, DDoS protection	IP address, page views, request metadata	Global (edge network)

We may also disclose data if required by law, court order, or to protect the safety of our users or the public.

7. Threads OAuth and Access Tokens

When you connect your Threads account via Meta's OAuth 2.0 flow:

We receive a long-lived access token (valid 60 days, auto-refreshed)
The token is stored encrypted in our database with Row-Level Security (only you can access your token)
We use the token exclusively for actions you initiate within the app
We never access your Instagram account, DMs, or data outside the Threads API scope
You can revoke access at any time: in-app (Settings → Delete Account) or via Meta's security settings
Upon revocation, we delete the token from our database within 24 hours

Requested Threads API permissions: threads_basic, threads_content_publish, threads_manage_insights, threads_manage_replies, threads_read_replies, threads_keyword_search

8. AI Processing Details

Replia uses Anthropic's Claude API (specifically Claude Haiku) for content generation. Important details:

What is sent: Your text (for rewrites), your custom prompt, your selected voice tone and niche topics
What is NOT sent: Your email, password, Threads token, financial data, or analytics data
Anthropic's data policy: API inputs are not used for model training. Data is retained for up to 30 days for abuse detection, then deleted. See Anthropic's Privacy Policy
Our processing: AI-generated content is stored in your account for your reference. You may delete it at any time.
No profiling: We do not use AI to make automated decisions that produce legal effects concerning you

9. Data Retention

Data Category	Retention Period	Deletion Trigger
Account data (email, password)	Duration of account	Account deletion
Threads access token	Duration of connection	Disconnect or account deletion
AI generation history	Duration of account	Account deletion
Analytics data	Duration of subscription	Account deletion or 12 months after subscription end
Daily usage / streaks	Duration of account	Account deletion
Payment records	7 years (legal requirement)	Retained for tax/audit compliance
Server logs	90 days	Automatic rotation

Upon account deletion, all personal data is permanently removed from our systems within 30 days, except where retention is required by law.

10. Your Rights

10.1 All Users

Access: View all data we hold about you
Deletion: Delete your account and all data (Settings → Delete Account)
Revocation: Disconnect Threads access at any time
Opt-out: Unsubscribe from marketing emails

10.2 EEA/UK/Swiss Users (GDPR)

Under the General Data Protection Regulation, you additionally have the right to:

Rectification: Correct inaccurate personal data
Restriction: Request restriction of processing
Portability: Receive your data in a structured, machine-readable format
Object: Object to processing based on legitimate interest
Withdraw consent: Where processing is based on consent
Complaint: Lodge a complaint with your local Data Protection Authority

To exercise any right, contact dpo@replia.net. We respond within 30 days.

10.3 California Users (CCPA/CPRA)

Under the California Consumer Privacy Act and California Privacy Rights Act:

Right to Know: Request disclosure of categories and specific pieces of personal information collected
Right to Delete: Request deletion of personal information
Right to Opt-Out: We do not sell personal information. We do not share personal information for cross-context behavioral advertising.
Non-Discrimination: We will not discriminate against you for exercising your rights

To submit a verifiable consumer request, email privacy@replia.net.

10.4 Brazilian Users (LGPD)

Under the Lei Geral de Proteção de Dados, you have rights to access, correction, anonymization, portability, deletion, and information about sharing. Contact dpo@replia.net.

11. International Data Transfers

Your data is transferred to and processed in the United States (where our infrastructure providers are located). For transfers from the EEA/UK, we rely on:

Standard Contractual Clauses (SCCs) approved by the European Commission
Sub-processor compliance with equivalent privacy frameworks
Supplementary technical measures (encryption in transit and at rest)

12. Data Security

We implement the following technical and organizational measures:

Encryption: TLS 1.3 for all data in transit; AES-256 for data at rest
Access Control: Row-Level Security (RLS) ensuring users can only access their own data
Authentication: OAuth 2.0 tokens stored server-side; passwords hashed with bcrypt
API Keys: Stored as Supabase secrets, never exposed in client-side code or application bundles
Monitoring: Automated alerts for unusual access patterns
Vendor Security: Sub-processors maintain SOC 2 Type II compliance (Supabase, Anthropic, Stripe)

13. Cookies and Tracking

The Replia website (replia.net) uses:

Essential cookies: Session management (no consent required)
Analytics: We may use privacy-respecting analytics (e.g., Plausible, PostHog) that do not use cookies or track across sites
No third-party advertising cookies
No cross-site tracking

The Replia mobile app does not use cookies.

14. Children's Privacy

Replia is not directed at individuals under 16 years of age (or 13 in jurisdictions where that is the applicable age of digital consent). We do not knowingly collect personal data from children. If we learn that we have collected data from a child, we will delete it promptly. If you believe a child has provided us with personal data, please contact privacy@replia.net.

15. Do Not Track

We honor Do Not Track (DNT) browser signals. When DNT is enabled, we do not collect website analytics data.

16. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices, technology, legal requirements, or for other operational reasons. For material changes:

We will provide at least 14 days' notice before changes take effect
Notice will be sent via in-app notification and/or email
Continued use after the effective date constitutes acceptance
Previous versions will be archived and available upon request

17. Contact

For privacy inquiries, data requests, or complaints:

Arve Tech FZC - LLC
United Arab Emirates

General Privacy: privacy@replia.net
Data Protection Officer: dpo@replia.net
Legal: legal@replia.net

We aim to respond to all requests within 30 days.