How we handle your data
1. Data we collect
When you use Reply Buddy, we collect the minimum data necessary to provide the service. Here is exactly what we collect and why:
- Account information: Your Twitter/X handle and display name, obtained when you log in via Twitter OAuth. We use this to identify your account within our system.
- Twitter credentials: Your Twitter session credentials, which you provide in Settings. These allow us to fetch tweets and post replies on your behalf. They are stored encrypted using industry-standard symmetric encryption — we cannot read them in plaintext.
- OpenRouter API key: Your personal OpenRouter API key, used to call AI models (Claude Sonnet) for generating reply suggestions. Stored encrypted using the same Fernet encryption. Required only for Buddy and Autopilot modes — not for Scout mode.
- Tweet content: Tweets we fetch from accounts and lists you are targeting, used only to generate reply suggestions. Raw tweet text, author handles, and tweet IDs are stored temporarily in our database while they are in your approval queue. Older entries are cleaned up automatically (see Data Retention below).
- Reply history: Replies we generate and/or post on your behalf, including whether you approved, rejected, or edited them. This history is visible to you on your History page and is used to improve future AI suggestions through your feedback.
- Feedback and voice profile: Your edits to AI-generated replies, rejection reasons, and the identity/voice profile we build from that feedback. This is used to make future replies sound more like you.
- Configuration data: Your settings including target accounts, Twitter lists, keyword filters, posting schedules, and mode preferences.
- Payment information: We do not store your payment card details. Billing is handled entirely by Stripe. We store only your Stripe customer ID and subscription status so we know whether your account is active.
2. How we store your data
All user data is stored in a PostgreSQL database hosted by Supabase in the EU (Frankfurt region). Row-level security (RLS) is enabled on all 13 database tables, meaning your data is scoped to your user account and cannot be accessed by other users.
Sensitive credentials (your Twitter tokens and OpenRouter API key) are encrypted at rest using Fernet symmetric encryption before being written to the database. The encryption key is stored separately as an environment variable on our API servers and never committed to source code.
Our API backend runs on Railway infrastructure. Vercel hosts our frontend. Both services operate in secure, managed environments with access restricted to our team.
3. Third-party services
Running Reply Buddy requires using several third-party services. Here is what data each receives:
- Supabase (supabase.com) — Our database and authentication provider. Supabase stores all your account data, configuration, tweet history, and encrypted credentials. Data is hosted in EU-West (Frankfurt). Supabase is SOC 2 compliant.
- Stripe (stripe.com) — Payment processing. Stripe handles all billing, subscription management, and card storage. We share your email (if provided) with Stripe to create a billing customer. Stripe is PCI DSS compliant.
- OpenRouter (openrouter.ai) — AI inference. When generating reply suggestions in Buddy or Autopilot mode, we send tweet content and your voice profile to OpenRouter, which routes requests to Claude Sonnet (Anthropic) and Grok (xAI). Your own API key is used for billing — we do not pay for your AI usage. Tweet content and voice profile data is sent to these models for inference only; OpenRouter's privacy policy governs their data handling.
- Twitter / X (twitter.com / x.com) — We connect to the Twitter API on your behalf to fetch tweets and post replies. Your Twitter credentials are used only for these operations. Twitter's own Terms of Service and Privacy Policy apply to all activity on their platform.
- Vercel (vercel.com) — Frontend hosting and analytics. Vercel hosts the Reply Buddy web app. We use Vercel Analytics and Speed Insights to collect anonymized, aggregated usage data (page views, performance metrics). No personally identifiable information is included in these analytics. See Vercel's privacy policy for details.
- Railway (railway.app) — API and worker server hosting. Your API requests are processed on Railway infrastructure. Railway does not have direct access to your stored data.
4. Cookies and local storage
We use cookies and browser storage for the following purposes:
- Supabase auth cookies — Required for authentication. When you log in, Supabase sets chunked session cookies (named sb-*-auth-token.0, sb-*-auth-token.1, etc.) that keep you logged in between page visits. These are essential session cookies and cannot be opted out of while using the service.
- rg_onboarded cookie — A simple flag indicating whether you have completed onboarding. Set after your first setup is complete.
- rg_subscribed cookie — A flag used to determine whether to redirect you to the subscription page. Set after a valid Stripe subscription is confirmed.
- theme in localStorage — Your light/dark mode preference. Stored locally in your browser only, never sent to our servers.
- rg_guide_done_* in localStorage — Records whether you have completed the app onboarding guide. Keyed by your Supabase user ID.
- Vercel Analytics — Vercel injects lightweight analytics to measure page views and performance. This data is anonymized and aggregated; it does not track individuals. No advertising cookies are used.
We do not use advertising cookies, cross-site tracking cookies, or sell data to advertisers. You can manage your cookie preferences via the consent banner shown on your first visit. Declining cookies will disable analytics tracking.
5. Data retention and deletion
We retain your data for as long as your account is active. Specific retention rules:
- Seen tweets: Tweet IDs we have already processed are stored temporarily to prevent duplicate replies. These are automatically deleted after 24 hours via a scheduled database job.
- Reply history and feedback: Retained for the lifetime of your account. This data powers the learning features of the service. You can request deletion at any time (see GDPR rights below).
- Account deletion: You can permanently delete your account and all associated data from Settings at any time. Deletion is immediate and irreversible — all your data is removed from our database, your Stripe subscription is cancelled, and your encrypted credentials are purged. We do not retain backups of deleted accounts.
6. Your GDPR rights
If you are located in the European Economic Area (EEA), the United Kingdom, or another jurisdiction with data protection laws, you have the following rights regarding your personal data:
- Right of access: You can request a copy of all personal data we hold about you.
- Right to rectification: You can correct inaccurate data. Most of your data (settings, profile, voice identity) is editable directly within the app.
- Right to erasure ("right to be forgotten"): You can delete your account and all associated data at any time via Settings > Danger Zone. You can also contact us to request deletion if you are unable to access your account.
- Right to data portability: You can request an export of your data in a machine-readable format by contacting us at the address below.
- Right to object: You can object to certain processing of your data, including profiling used to improve AI suggestions. Contact us to discuss your specific situation.
- Right to restrict processing: You can request that we limit how we use your data in certain circumstances.
Our legal basis for processing your data is contract performance — we process your data because it is necessary to provide the service you have signed up for. For analytics data collected via Vercel, the basis is legitimate interests in understanding how the product is used to improve it.
To exercise any of these rights, contact us at info@solana.id. We will respond within 30 days.
7. Children's privacy
Reply Buddy is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.
8. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page. For significant changes, we may also notify you via email or an in-app notice. Continued use of the service after changes constitutes acceptance of the updated policy.
9. Contact us
For privacy-related requests, questions, or concerns, contact us at:
Email: info@solana.id