Privacy Policy — GeniReply
Last update: April 15, 2026
Version: 1.0 — DRAFT, to be validated by legal counsel before publication
Table of contents
- Data Controller
- Who this policy applies to
- Categories of personal data
- Purposes and legal bases
- Recipients and sub-processors
- Non-EU transfers
- Retention periods
- Your rights
- Automated decision-making
- Security
- Children
- Changes to this policy
- Contacts and complaints
1. Data Controller
The Data Controller of the personal data processed through GeniReply is:
Contributo Utile S.r.l. Società Benefit
Registered office: Via Olimpo 47, 24030 Terno d'Isola (BG) — Italy
VAT no.: IT04353080270
Italian fiscal code: IT04353080270
Email: privacy@genireply.com
Certified email (PEC): [PEC_TO_BE_FILLED]
Phone: [PHONE_TO_BE_FILLED]
Data Protection Officer (DPO): [DPO_NAME_TO_BE_APPOINTED] · [DPO_EMAIL_TO_BE_FILLED]
2. Who this policy applies to
GeniReply plays a dual role when processing personal data:
A. If you are a paying customer of GeniReply — you use the platform to moderate, with AI, the comments and messages on your Facebook Pages and Instagram Business accounts — we are the Data Controller for your account, billing and authentication data.
B. If you commented or sent a message on a social channel managed with GeniReply by a customer of ours — in this case we act as a Data Processor (art. 28 GDPR) and the Data Controller is our customer. Your data is processed on their behalf under the Data Processing Agreement (DPA) we have signed with them. For requests concerning your data you can contact us directly or the Data Controller (our customer).
C. If you visit the website genireply.com — we are the Data Controller for browsing data (see Cookie Policy).
3. Categories of personal data
3.1 Paying customer data (Controller)
- Identification and business data: first name, last name, company name, VAT no., billing address, operating address.
- Contact data: email, phone number.
- Credentials: login email, password (stored only as a bcrypt hash, not in recoverable form).
- Meta OAuth tokens: long-lived (60-day) tokens issued by Meta Platforms to allow GeniReply to operate on the Pages and Instagram accounts that the customer has chosen to connect. Tokens are stored encrypted in our database.
- Billing data: subscription history, invoices, payment methods (full credit card data is handled exclusively by Stripe, not by us — we only receive a payment token).
- Audit logs: actions performed on the platform (logins, rule edits, manual corrections of AI classifications).
3.2 Social channel end-user data (Processor)
- Public comment content: the text of the comment posted by the user on our customer's Page or post.
- Public username and Meta user ID: public identifiers provided by Meta Platforms.
- Timestamp: date and time of the comment.
- DM content: only if the customer has enabled direct message handling, limited to messages addressed to their channel.
- Comment metadata: post ID, media ID, public URL of the post, any tags of mentioned people.
- AI classification: the rule assigned by the AI algorithm and any manual correction applied by the customer to improve future classification.
3.3 Website browsing data
- IP address, user agent, pages visited, timestamps.
- Technical session cookies (no third-party profiling cookies). See the Cookie Policy for details.
4. Purposes and legal bases
| Purpose | Data category | Legal basis |
|---|---|---|
| Delivering the SaaS service to paying customers | 3.1 | Contract performance — Art. 6(1)(b) GDPR |
| Automated comment/DM moderation on behalf of customer | 3.2 | Contract with the customer (Art. 28 GDPR) + Controller's (customer's) legitimate interest in moderating their channels — Art. 6(1)(f) |
| Billing and tax obligations | 3.1 | Legal obligation — Art. 6(1)(c) GDPR |
| Platform security and abuse prevention | All | Legitimate interest — Art. 6(1)(f) GDPR |
| Aggregate analytics for service improvement | All (anonymized) | Legitimate interest — Art. 6(1)(f) GDPR |
| Service communications to customer | 3.1 | Contract performance — Art. 6(1)(b) GDPR |
| Newsletter (consent only) | Customer email | Consent — Art. 6(1)(a) GDPR |
Important: the end user's consent is NOT required when they publicly comment on our customers' social channels. The legal basis for processing public comments is the legitimate interest of the Controller (our customer) in moderating content posted on their own channel, consistent with Meta Platforms' Terms of Use. Comments posted on a Facebook Page or Instagram post are by their very nature publicly visible.
5. Recipients and sub-processors
To deliver the service, GeniReply engages the following sub-processors, with whom agreements compliant with art. 28 GDPR have been signed:
| Sub-processor | Role | Location |
|---|---|---|
| Meta Platforms Ireland Ltd. | Graph API provider to read and execute actions on comments and messages of connected social channels | Ireland (also processing in USA) |
| Anthropic PBC | Artificial Intelligence service (Claude Haiku for comment classification, Claude Sonnet for reply generation). Comment texts are sent to the Anthropic API solely for classification/response purposes. No data is used to train models — Anthropic contractual guarantee | USA |
| Hetzner Online GmbH | Application server and PostgreSQL database hosting | Germany (Falkenstein / Helsinki) |
| Cloudflare Inc. | DNS, CDN, Web Application Firewall | USA with EU edge nodes |
| Stripe Payments Europe Ltd. | Subscription payment processing | Ireland |
| Google Firebase (Google Ireland Ltd.) | Mobile app authentication and push notifications (under development) | Ireland (also processing in USA) |
The updated list of sub-processors is available on request at privacy@genireply.com.
6. Non-EU transfers
Some sub-processors may process data outside the European Economic Area, in particular in the United States. For these transfers GeniReply relies on:
- Standard Contractual Clauses (SCC) 2021/914 issued by the European Commission.
- Certification under the EU-U.S. Data Privacy Framework, where the sub-processor is certified.
- Transfer Impact Assessment documented for each transfer.
- Supplementary technical and organizational measures (in-transit encryption, minimization of transferred data).
Details of guarantees are available on request.
7. Retention periods
| Category | Retention |
|---|---|
| Active customer account data | For the duration of the contractual relationship |
| Terminated customer account data | Deletion within 90 days after termination, except legal obligations |
| Meta OAuth tokens | Deleted within 30 days after channel disconnection or subscription termination |
| Ingested comments and DMs | 24 months from receipt, then anonymization (only aggregate metrics remain) |
| Billing data | 10 years (Italian tax obligation — DPR 600/1973) |
| Audit and security logs | 24 months |
| Website browsing data | 12 months |
| AI-classification learning feedback | For the account lifetime, used in derived form (embeddings) even after the original text is anonymized |
8. Your rights
As a data subject you have the rights granted by art. 15-22 GDPR:
- Right of access (art. 15): obtain confirmation of processing and a copy of your data.
- Right to rectification (art. 16): request correction of inaccurate data.
- Right to erasure (art. 17 — "right to be forgotten"): request deletion when the data is no longer necessary for the purposes for which it was collected.
- Right to restriction (art. 18): request that processing be restricted, for example while the accuracy of the data is contested.
- Right to data portability (art. 20): receive your data in a structured, machine-readable format.
- Right to object (art. 21): object to processing on legitimate grounds.
- Right not to be subject to automated decision-making (art. 22 — see section 9).
How to exercise your rights
Write to privacy@genireply.com specifying:
- The right you intend to exercise.
- A copy of your ID (needed for verification; the copy will be deleted once verified).
- Any information that helps identify the data you refer to.
We reply within 30 days of receiving the request (extendable to 60 days for complex requests, with prior justified notice).
If you are an end user of a social channel managed via GeniReply
You can request the deletion of a specific comment from our platform by writing to privacy@genireply.com and providing:
- The Page or Instagram account on which you commented.
- The approximate date of the comment.
- The text or link of the comment if available.
Alternatively, use the automated procedure at: https://genireply.com/privacy#data-deletion
Right to complain
You can lodge a complaint with the Italian Data Protection Authority: Garante per la Protezione dei Dati Personali — Piazza Venezia 11, 00187 Roma · https://www.garanteprivacy.it · urp@gpdp.it
9. Automated decision-making
GeniReply uses Anthropic's Claude Artificial Intelligence to:
- Automatically classify received comments against a set of rules defined by the Controller customer.
- Generate automatic reply drafts based on the classified rule.
- Execute automated actions (hiding a comment, deleting it, banning a user) when the customer has enabled those actions on the matched rule.
These decisions may produce legal effects or similarly significant effects for you (e.g. temporary exclusion from commenting on a Page).
Under art. 22 GDPR you have the right to:
- Human intervention: every customer has a review area where human operators can approve, modify or cancel AI actions.
- Express your view and contest the decision: by writing to privacy@genireply.com.
- Request explanation of the decision logic: classification is based on publicly documented rules and a language model that evaluates the semantics of the comment.
Logic, significance and consequences: classification rules are defined in advance by each customer and are available on request. AI follows these rules and can learn from human corrections. Possible consequences: publication of a reply, hiding the comment, deletion, ban of the user from the Page.
10. Security
In accordance with art. 32 GDPR, GeniReply adopts appropriate technical and organizational measures including:
- At-rest encryption: PostgreSQL database volumes are encrypted.
- In-transit encryption: all exchanges via TLS 1.3.
- Encryption of OAuth tokens in the database.
- Role-based access control (RBAC).
- Two-factor authentication for system administrators.
- Daily encrypted backups, retained for 30 days.
- Continuous monitoring of logs and anomaly alerts.
- Incident response: breach notification to the Italian supervisory authority (Garante) within 72 hours, and notification to data subjects if the risk to them is high (art. 33-34 GDPR).
11. Children
The GeniReply service is not intended for users under 16 years of age (art. 8 GDPR, as implemented in Italy). We do not knowingly collect data from minors under 16. If a parent or guardian becomes aware that we have collected data from a minor, they can write to privacy@genireply.com to request deletion.
12. Changes to this policy
Any significant changes to this policy will be communicated to paying customers with at least 30 days' notice via email. Minor changes (clarifications, rephrasings) will be published directly on this page with an updated date at the top.
13. Contacts and complaints
- Data Controller: Contributo Utile S.r.l. Società Benefit
- Privacy email: privacy@genireply.com
- DPO: [DPO_EMAIL_TO_BE_FILLED]
- Supervisory authority: Garante per la Protezione dei Dati Personali — https://www.garanteprivacy.it
Exclusive competent court: Tribunal of Palermo, Italy.
This document is provided as a technical draft for approval by a qualified data protection legal counsel before final publication. The fields between square brackets [...] must be filled before publication.
