Introduction
SnapsX is a tool that automates keyword-based replies on Facebook Pages and Instagram Business accounts. When a comment or Direct Message on a connected account matches one of the rules you configure, SnapsX sends the response you authored. This policy explains what data we collect to deliver that service, who processes it on our behalf, how long we keep it, and what rights you have over it. It applies to snapsx.app and any sub-domains we operate (including the Clerk auth proxy at clerk.snapsx.app).
Data We Collect
Account information
When you create a SnapsX account, we receive your email address, name, and profile picture URL from Clerk, our authentication provider. We use this to identify you across sessions, send transactional email, and display your name in the dashboard. We do not receive your Google or Facebook password — only the OAuth-scoped identity Clerk hands us.
Connected platform data
When you connect a Facebook Page or Instagram Business Account, we store the page or account ID, the page or account name, the OAuth access token, the token expiry timestamp, and the list of permission scopes you granted. OAuth access tokens are encrypted at rest in our database using AES-256-GCM with a 256-bit key managed by our infrastructure provider's secret manager. Tokens are decrypted only on the server, and only when SnapsX needs to call the Meta Graph API on your behalf.
Public engagement content
SnapsX receives webhook events from Meta whenever a public comment is left on a post belonging to one of your connected pages. We persist the event so that we can match it against your keyword rules and so that the activity log can show you what happened. The persisted record includes the comment text, the commenter's platform-scoped ID, the post ID, and the event timestamp. We do not retroactively read historical comments; we only see what Meta delivers via webhook from the moment you connect.
Direct Messages (Instagram)
When you connect an Instagram Business Account, SnapsX uses the instagram_manage_messages permission to read incoming Direct Messages to your account in real time so we can match them against your keyword rules. DM content is processed in memory and is not stored unless one of your rules fires. When a rule fires, we persist a redacted log entry containing the matched keyword, the rule that matched, the sender's Instagram-Scoped ID, and the timestamp — the same retention schedule as comment activity (90 days). We do not read DM history retroactively, we do not export DM content, and we do not use DM content for advertising or analytics.
Operational logs
We capture request metadata (HTTP status, route, latency), error reports, and product-analytics events through PostHog Error Tracking. Logs are PII-scrubbed: OAuth tokens, raw DM bodies, and email addresses are stripped before they reach the analytics pipeline. We use these logs to debug failures and keep the service stable.
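As an added illustration of the scrubbing step described above (example code, not SnapsX's own pipeline), the following Node.js function redacts a telemetry event before it would be handed to an analytics client. The field names it treats as sensitive (accessToken, text, message, email) and the sample event are assumptions constructed for the example; the technique is a denylist of known-sensitive keys applied recursively, plus a pattern pass that catches email addresses embedded in free-text values such as error messages.

```javascript
// Added example, not SnapsX's code. Scrubs OAuth tokens, message bodies and
// email addresses from a structured telemetry event before it leaves the server.
// Key names below are assumptions for the illustration.
const SENSITIVE_KEYS = new Set([
  'accesstoken', 'access_token', 'token', // OAuth material
  'text', 'message', 'body',              // raw comment / DM content
  'email',                                // account identifiers
]);

// Matches email-shaped substrings hiding inside free text (error strings, URLs).
const EMAIL_RE = /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/gi;

function scrubEvent(value) {
  if (Array.isArray(value)) return value.map(scrubEvent);
  if (value && typeof value === 'object') {
    const out = {};
    for (const [key, inner] of Object.entries(value)) {
      // Redact the whole value for a sensitive key; otherwise recurse.
      out[key] = SENSITIVE_KEYS.has(key.toLowerCase()) ? '[REDACTED]' : scrubEvent(inner);
    }
    return out;
  }
  if (typeof value === 'string') return value.replace(EMAIL_RE, '[EMAIL]');
  return value; // numbers, booleans, null pass through unchanged
}

// Constructed sample event (not real data) showing what an error report
// might carry before scrubbing: request metadata plus a nested DM payload.
const SAMPLE_EVENT = {
  route: '/api/webhooks/meta',
  status: 500,
  latencyMs: 412,
  accessToken: 'EAAB-constructed-token-value',
  dm: { text: 'hello, can I order?', senderId: '17841400000000000' },
  error: 'lookup failed for user alice@example.com (constructed)',
};

function scrubbedSample() {
  return scrubEvent(SAMPLE_EVENT);
}
```

A denylist of keys is the minimum; a stricter design inverts it into an allowlist of fields known to be safe (route, status, latency), so a new field added to the event by a future change is dropped by default rather than leaked by default.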
How We Use Your Data
- Deliver the auto-reply service you configured.
- Apply per-account Trigger.dev token-bucket rate limits, randomized jitter delays (15–90 seconds, non-configurable), message-length validation (8000 characters for comments, 2000 for DMs), DM-messaging-window enforcement (7 days for Facebook, 24 hours for Instagram), and webhook idempotency to keep your page within Meta's acceptable-use thresholds — this is the core safety surface that prevents your account from being banned.
- Surface the activity log so you can audit every reply, skip, and failure.
- Debug failures and improve the matching engine.
- Comply with Meta Platform Terms, including honoring user deauthorization callbacks.
We do not sell your data, we do not use your data to train machine-learning models, and we do not show your DM or comment content to third parties beyond the named sub-processors below.
Sub-processors
Per GDPR Article 28, we engage the following sub-processors. Each one signs a data-processing agreement that binds them to confidentiality, security, and breach-notification standards aligned with this policy.
- Convex — cloud database (United States). Stores account records, rules, encrypted OAuth tokens, activity log, and cooldown state.
- Trigger.dev — background job orchestration (United States / European Union). Runs the reply pipeline including jitter, rate limiting, and Meta Graph API calls.
- Clerk — authentication (United States). Manages sign-in, session tokens, and user lifecycle webhooks.
- Railway — hosting (United States / European Union). Runs the Next.js application server.
- PostHog — product analytics and error tracking (United States, with EU residency available). PII-scrubbed telemetry only.
- Cloudflare — CDN, DNS, and receive-only email routing (global). Carries traffic to the application and routes inbound email for support@, privacy@, security@, and [email protected] to the operator inbox.
- Meta Platforms — Graph API consumer and source. Not a sub-processor in the strict data-controller sense, but data flows to and from Meta whenever SnapsX reads webhook events or posts a reply.
SnapsX does not currently operate transactional outbound email; all account-related notifications are surfaced in-app. When outbound email infrastructure ships in a future release, the chosen provider will be added to this list with at least 30 days of advance notice to active users.
Retention
Activity log entries (matched comments, DM rule fires, reply outcomes) are retained for 90 days and then automatically deleted by a daily cron. OAuth access tokens are retained until you disconnect the account or revoke access from Facebook or Instagram. Account profile data is retained until you delete your SnapsX account.
DM content that did not match any rule is never persisted; it is evaluated in memory and discarded.
Encryption
OAuth access tokens are encrypted at rest in our database using AES-256-GCM with a key stored in our infrastructure provider's secret manager. The encryption format is iv:authTag:ciphertext (hex-encoded), generated per record with a fresh initialization vector. All client and server traffic is carried over TLS 1.2 or higher; we redirect plain HTTP to HTTPS at the edge.
International Data Transfers
Convex, Trigger.dev, Clerk, Railway, and PostHog operate primarily in the United States; Cloudflare operates a global anycast network. SnapsX relies on Standard Contractual Clauses (SCCs) for personal data transferred from the European Economic Area, the United Kingdom, or Switzerland to a country that the European Commission has not deemed adequate. If you are based in the EU/EEA and would like a copy of the SCCs we operate under, contact [email protected].
Your Rights (GDPR / CCPA)
Depending on where you live, you have some or all of the following rights over your personal data:
- Access — request a copy of the data we hold about you.
- Rectification — correct inaccurate data.
- Deletion — request that we delete your data. Use the in-app flow at /data-deletion or email [email protected].
- Data portability — receive your data in a machine-readable format.
- Objection — object to processing based on legitimate interests.
- Restriction — restrict processing while a dispute is resolved.
- Withdraw consent — revoke consent for processing that depends on it.
- Lodge a complaint — file a complaint with your local supervisory authority (EU/EEA users) or invoke California Privacy Rights Act remedies (California users).
To exercise any of these rights, email [email protected] from the address registered with your account or use the in-app data deletion flow at /data-deletion. We respond within 30 days as required by GDPR and CCPA.
Children
SnapsX is not intended for users under 16 years of age. We do not knowingly collect data from children. If you believe a child has signed up, contact [email protected] and we will delete the account.
Changes
When we change this policy, we update the “Last updated” date at the top. Material changes — for example, adding a new sub-processor or changing the retention period — are emailed to active users at the address on file before they take effect.
Contact
Privacy questions and data-subject-rights requests: [email protected].
Security disclosures: [email protected] (also published at /.well-known/security.txt per RFC 9116).
General and partnership questions: [email protected].