Privacy Policy
Last updated: May 12, 2026
This Privacy Policy describes how repco.ai ("repco," "we," "us," or "our") collects, uses, shares, and protects your information when you use our website at repco.ai and our service (collectively, the "Service"). repco.ai is operated by Outsi sp. z o.o., registered in Poland at Kartuska 2, 83-334 Miechucino, KRS 0000935494, NIP PL5892069190, REGON 520550442. By using the Service, you agree to the collection and use of information in accordance with this policy.
1. Information We Collect
We collect three categories of information.
— Information you provide directly: account info (name, email, hashed password, billing details), connected social accounts (Reddit, LinkedIn, X — we store an encrypted session reference, not your platform password), configuration (keywords, subreddits, profiles, personas), content you create (drafts, message templates, comments), and communications with our support team.
— Information about your prospects: when repco scans social platforms on your behalf, we collect publicly available data about prospects matching your criteria — usernames, post text, timestamps, public profile data, and intent scores. You are responsible for ensuring you have a lawful basis to process prospect data under applicable laws (GDPR, CCPA).
— Information collected automatically: usage data (pages visited, features used, click events, session duration), browser type, device, IP address, timestamps, log data, and cookies (essential plus analytics). See §6 for cookie details.
2. How We Use Your Information
We use the information we collect to: provide, maintain, and improve the Service; execute actions on your connected social accounts at your direction (monitoring, scoring, drafting, sending messages, follow-ups); process payments and manage your subscription; communicate with you about your account, security events, product updates, and support; detect, prevent, and respond to fraud, abuse, and security incidents; comply with legal obligations; and — only with your consent — send you marketing emails about new features (you can unsubscribe at any time). We do not sell your personal information.
3. How We Share Your Information
We share information only with the following sub-processors, strictly as necessary to operate the Service: Supabase (hosting, database, authentication — EU/US), Vercel (application hosting — global edge), Browserbase (managed browser sessions and residential proxies for executing actions on your social accounts — US), Anthropic / Claude (AI inference for drafting messages, scoring intent, computer-use loops — US), Stripe (payment processing — global), Google Analytics 4 via Google Tag Manager (aggregate product analytics — global), and Resend (transactional email — US). Each sub-processor is bound by a Data Processing Agreement consistent with GDPR Article 28. We may also disclose information if required by law, valid legal process, or to protect the rights, property, or safety of repco, our users, or others. In the event of a merger, acquisition, or sale of all or part of our assets, your information may be transferred to the acquiring entity. We will notify you before any transfer.
4. Data Retention
Account data is retained while your account is active and deleted within 30 days of account deletion, except where retention is required by law (e.g., tax records: 5 years under Polish law). Prospect data is retained while your account is active — you can delete prospects from your dashboard at any time. Logs and usage data are retained for 90 days, then aggregated or deleted. Payment records are retained for the period required by applicable Polish tax and accounting laws (typically 5 years). Backups are rolling 30-day; deleted records purge from backups within 30 days.
5. Your Rights
If you are in the EU/EEA, UK, or Switzerland, you have rights under GDPR / UK GDPR including: access (request a copy of your data), rectification (correct inaccurate data), erasure (the "right to be forgotten"), restriction of processing in certain circumstances, objection to processing based on legitimate interests, data portability (receive your data in a machine-readable format), and withdrawal of consent at any time where processing is based on consent. You may also lodge a complaint with your local supervisory authority — in Poland: Prezes Urzędu Ochrony Danych Osobowych (https://uodo.gov.pl).
If you are in California, you have CCPA/CPRA rights to know, delete, correct, and opt out of "sales" or "sharing" — we do not sell personal information.
To exercise rights, email legal@repco.ai. We respond within 30 days.
Where GDPR applies, our lawful bases are: contract (to provide the Service), legitimate interests (to improve, prevent fraud, basic analytics — balanced against your rights), consent (marketing emails, non-essential cookies), and legal obligation.
For prospect data processed on behalf of customers, the customer is the controller and repco is the processor under GDPR Article 28 — if you believe repco processes your data because a customer has added you as a prospect, contact legal@repco.ai with your platform username and we will assist.
6. Cookies and Tracking
We use essential cookies (session, authentication, CSRF protection — cannot be disabled) and analytics cookies via Google Analytics 4 and Google Tag Manager (GTM-TBJVSF29, G-CLMV480JYP), with IP anonymization enabled. You can opt out of analytics cookies via your browser settings or Google's opt-out add-on. We do not use advertising or cross-site tracking cookies.
7. Sign in with Google (OAuth)
When you sign in to repco.ai using your Google account, Google shares the following information with us through the OAuth 2.0 protocol: your email address, your name, your Google account profile picture, and a unique Google account identifier (sub). We request only the standard non-sensitive OAuth scopes: openid, email, and profile. We do not access your Gmail, Google Drive, Google Calendar, Contacts, or any other Google services.
How we use this data: to create and identify your repco.ai account; to pre-fill your profile (name, avatar) so you don't have to re-enter it; and to send you transactional emails related to your account and the service.
What we don't do: we do not share, sell, or transfer your Google account data to any third party for advertising, data brokering, credit assessment, or any purpose unrelated to running repco.ai; we do not train AI/ML models on your Google account data; and we do not access any Google data beyond what is shown on the consent screen at sign-in.
Storage and deletion: your Google-provided profile data is stored in our authentication database (Supabase, hosted in the US West region). It is retained for as long as your repco.ai account exists. When you delete your repco.ai account, this data is permanently removed from our systems within 30 days.
Revoking access: you can revoke repco.ai's access to your Google account at any time at myaccount.google.com/permissions. Revoking access will sign you out of repco.ai; if you want to keep using the service, sign back in with a magic link instead.
Google's role: use of Google user data by repco.ai complies with the Google API Services User Data Policy, including the Limited Use requirements.
8. Security
We implement industry-standard security measures including TLS encryption for data in transit, encryption at rest for sensitive fields (social-account session references, API keys), row-level security in our database to isolate user data, restricted access to production systems based on least privilege, and regular security reviews and dependency updates. No method of transmission or storage is 100% secure. If we discover a breach affecting your data, we will notify you and the relevant supervisory authority within 72 hours, as required by GDPR Article 33.
9. Children's Privacy
The Service is not directed to individuals under 18. We do not knowingly collect data from children. If you believe a child has provided us with personal data, contact legal@repco.ai and we will delete it.
10. International Data Transfers
We process data primarily in the EU and the US. Where data is transferred from the EU/EEA to a country without an adequacy decision, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented by additional safeguards where required.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated by email and/or via an in-app notice at least 14 days before the change takes effect. The "Last updated" date at the top reflects the most recent revision. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.
12. Contact Us
Questions or concerns about privacy at repco.ai. Email: legal@repco.ai. Postal address: Outsi sp. z o.o., Kartuska 2, 83-334 Miechucino, Poland. Data Protection Officer: not appointed (review at scale per GDPR Article 37 thresholds).
