XreplyAI Privacy Policy
Last Updated: March 19, 2025
This Privacy Policy describes how Red Green Solutions LLC, operating as XreplyAI ("we", "us", or "our"), collects, uses, and protects your personal information when you use our Chrome extension and related services (the "Service"). By using the Service, you agree to the practices described in this policy.
1. Definitions
- Personal Data: Any information that identifies or could reasonably identify you as an individual.
- Usage Data: Data collected automatically about how you interact with the Service (e.g., features used, session duration).
- Cookies: Small text files stored on your device by a web browser to remember preferences or session state.
- Data Controller: XreplyAI, the entity that determines the purposes and means of processing your personal data.
- Service Providers: Third-party companies that process data on our behalf to help us deliver the Service.
2. Information We Collect
We collect the following categories of information:
- Account information: Your email address, used to create and manage your account.
- AI API keys (BYOK plan): Your API keys for Gemini, OpenAI, or Anthropic, encrypted with AES-256 and stored securely. We never read or transmit these keys to anyone other than the respective AI provider on your behalf.
- Voice profile data: Samples of your public posts, used to analyze your writing style and generate replies that match your voice.
- Usage data: Information about how you interact with the Service, such as features used and session duration.
- Payment information: Billing details processed by Stripe. We do not store your full card number — Stripe handles all payment data.
- Social platform OAuth data: When you connect a social account (X / Twitter, Instagram, Threads, YouTube, or LinkedIn), we receive an OAuth token that allows us to read your public posts for voice profile generation. We do not post to any platform on your behalf without your explicit action.
3. How We Use Your Information
We use your information for the following purposes:
- Service provision: Generate AI-powered tweet reply suggestions and maintain your account.
- Voice analysis: Build and update your writing style profile to improve reply quality.
- Billing: Process payments and manage your subscription via Stripe.
- Communication: Send service updates, billing notices, and announcements. You may opt out of non-essential emails at any time.
- Security: Detect, investigate, and prevent fraudulent or unauthorized activity.
- Service improvement: Analyze usage patterns to improve performance and features.
4. Legal Basis for Processing
We process your personal data under the following legal bases:
- Contract performance: Processing necessary to provide the Service you have subscribed to (account management, billing, reply generation).
- Legitimate interests: Processing necessary for our legitimate business interests, such as improving the Service and preventing fraud, where those interests are not overridden by your rights.
- Consent: Where you have given explicit consent, such as for optional marketing emails.
5. Third-Party Service Providers
We share data with the following service providers only to the extent necessary to deliver the Service:
- Stripe: Payment processing. Stripe receives your billing details to handle subscription payments. See Stripe's Privacy Policy.
- Render.com: Cloud hosting provider. Our backend and database run on Render.com servers located in the United States.
- AI providers (Gemini / OpenAI / Anthropic): On the BYOK plan, your API key is sent directly to the provider you choose to generate replies. On the Pro plan, we use our own API key. We do not store or log AI provider responses.
- X (Twitter), Instagram, Threads, YouTube, LinkedIn: OAuth authentication and public post retrieval for voice profile analysis. Each platform's own privacy policy governs how it handles your data on its end.
- MCP integrations: If you choose to connect XreplyAI via our Model Context Protocol (MCP) server to an AI coding assistant or developer tool, that tool may send requests to our Service on your behalf. Data exchanged through MCP integrations is subject to this Privacy Policy. We do not share your personal data with third-party MCP clients beyond what is necessary to fulfill your requests.
We do not sell your personal data to any third party.
6. Cookies
We use cookies and similar technologies for the following purposes:
- Session cookies: Keep you logged in during your session. These expire when you close your browser.
- Preference cookies: Remember your settings and preferences across sessions.
- Security cookies: Help detect and prevent fraudulent activity.
You can control cookies through your browser settings. Disabling cookies may affect your ability to use certain features of the Service.
7. Data Retention
We retain your data for as long as your account is active or as needed to provide the Service:
- Account data: Retained until you request deletion or your account is terminated.
- Voice profile data: Retained while your account is active and deleted upon account deletion.
- API keys: Deleted immediately upon account deletion or disconnection of the relevant AI provider.
- Usage logs: Retained for up to 12 months for security and analytics purposes.
- Billing records: Retained as required by applicable tax and financial regulations (typically 7 years).
8. Data Transfers
Your data is processed and stored in the United States on Render.com infrastructure. If you are located outside the United States, please be aware that your data will be transferred to and processed in the US, which may have different data protection laws than your country of residence. By using the Service, you consent to this transfer.
9. Data Security
We implement industry-standard security measures to protect your data:
- Encryption: All API keys are encrypted with AES-256 at rest.
- HTTPS: All data transmission is encrypted in transit.
- Access controls: Strict internal access controls limit who can access your data.
No security system is impenetrable. If you discover a security vulnerability, please report it responsibly to john@xreplyai.com. We will investigate all valid reports promptly.
10. Your Data Rights
You have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of inaccurate or incomplete data.
- Deletion: Request deletion of your personal data (see Section 11 below).
- Portability: Request your data in a structured, machine-readable format.
- Opt-out of marketing: Unsubscribe from non-essential emails at any time via the unsubscribe link or by contacting us.
11. How to Request Data Deletion
You may request deletion of your account and all associated personal data at any time. To submit a deletion request:
- Email us at john@xreplyai.com with the subject line "Data Deletion Request"
- Include the email address associated with your XreplyAI account
- We will confirm receipt within 48 hours and complete deletion within 30 days
Disconnecting a connected platform account (Instagram, Threads, YouTube, LinkedIn, or X) from your account settings will immediately remove all stored OAuth tokens and platform-specific profile data for that platform. For Meta platforms (Instagram and Threads), we also process deletion requests automatically via Meta's webhook-based data deletion mechanism.
Upon deletion, we will remove your account, voice profile data, stored API keys, and all other personal information from our systems, except where retention is required by law (e.g., billing records).
12. Children's Privacy
The Service is not directed to children under the age of 13. We do not knowingly collect personal data from children under 13. If we become aware that we have collected data from a child under 13, we will delete it promptly. If you believe a child under 13 has provided us with personal data, please contact us at john@xreplyai.com.
13. California Residents (CCPA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA):
- Right to know: Request disclosure of the categories and specific pieces of personal data we have collected about you.
- Right to delete: Request deletion of your personal data, subject to certain exceptions.
- Right to opt out of sale: We do not sell your personal data. No opt-out action is required.
- Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights.
To exercise these rights, contact us at john@xreplyai.com.
14. Business Transfers
If XreplyAI is acquired, merged, or undergoes a substantial asset transfer, your personal data may be transferred as part of that transaction. We will notify you by email or a prominent notice within the Service before your data becomes subject to a different privacy policy.
15. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will notify you by email and post a prominent notice within the Service at least 30 days before the changes take effect. Your continued use of the Service after that date constitutes your acceptance of the updated policy.
16. Contact Us
For privacy-related questions, data rights requests, or security vulnerability reports:
- Email: john@xreplyai.com
- X (Twitter): @_JohnBuilds_