CommentR Privacy Policy

Last updated: 13 May 2026

This Privacy Policy explains how CommentR (“CommentR,” “we,” “us,” or “our”) collects, uses, shares, and protects personal data when you use our website and service at commentr.io.

1. Who we are (data controller)

The data controller responsible for your personal data is:

Marmostein Group LLP

5307 Victoria Drive, Unit 1081
Vancouver, British Columbia, Canada

Registration: LL0003346

Contact: [email protected]

For any privacy-related question, including requests to exercise your rights described below, please contact us at the email address above. We act as our own privacy point of contact and respond to all enquiries within a reasonable timeframe (typically within 30 days). We have not formally appointed a Data Protection Officer under GDPR Article 37, as we are not required to do so; [email protected] is the single point of contact for all privacy matters.

2. Information we collect

We collect the following categories of personal data:

  • Account information from Facebook Login: name, email address, profile picture, Facebook User ID.
  • Meta platform data: Facebook Page data, Page access tokens, ad account data, comments and replies on Pages and ads, and Instagram Business Account data (comments on Instagram posts) for the accounts you connect to CommentR.
  • Commenter data: when comments are fetched from your connected Pages and ads, the display name, comment text, and platform comment ID of the people who commented are stored so you can review and respond.
  • Billing information: if you subscribe to a paid plan, our payment processor collects and tokenizes your payment method. We store the resulting customer ID, plan, and invoice records.
  • Usage and product data: AI response statistics, audit and security logs (sign-in events, account actions), error logs, and feature usage events.
  • Cookies and similar technologies: see section 10 below.

3. How we use your information and legal bases

Under the EU/UK General Data Protection Regulation (GDPR) we rely on the following legal bases:

  • Performance of a contract (GDPR Art. 6(1)(b)), to provide the CommentR service: fetching comments, generating AI response suggestions, posting approved replies on your behalf, processing payments, and providing customer support.
  • Legitimate interests (GDPR Art. 6(1)(f)), to secure our service against fraud and abuse, maintain audit and security logs, and improve product reliability. Where we rely on legitimate interests, we have weighed those interests against your rights.
  • Consent (GDPR Art. 6(1)(a)), for non-essential cookies and certain marketing communications. You can withdraw consent at any time without affecting prior processing.
  • Legal obligation (GDPR Art. 6(1)(c)), to retain billing and tax records as required by applicable law.

For customers in Canada, we rely on the equivalent grounds under the Personal Information Protection and Electronic Documents Act (PIPEDA) and British Columbia's Personal Information Protection Act (PIPA), including consent and the necessity of processing to provide a requested service.

4. AI processing and automated decisions

CommentR sends comment text and post context to third-party language model providers (OpenAI and Anthropic) to generate suggested replies. We do not send your account tokens, email address, or Facebook user ID to these providers.

No solely automated decisions with legal effects. AI-generated replies are suggestions only. They are never posted automatically without explicit human review and approval (with the exception of Pre-Approved Rules on higher tiers, which still require a human-defined rule to be created and accepted in advance). You retain full control over what is posted on your behalf. We do not use automated decision-making that produces legal or similarly significant effects on you within the meaning of GDPR Article 22.

5. Sharing and sub-processors

We do not sell your personal data. We share personal data only with the third-party service providers (“sub-processors”) that help us operate the service, such as our hosting provider, payment processor, AI providers, and email delivery providers. A current list of these sub-processors, the data each one processes, and where they are located is available on our Sub-processors page.

We also use website analytics and conversion-tracking providers as set out in the cookie list in section 10 below. These providers receive only the data described in our cookie declaration and do not receive your CommentR account credentials, page access tokens, or comment content.

We may also disclose personal data when required to comply with applicable law, valid legal process, or to protect the rights, property, or safety of CommentR, our customers, or others.

6. International data transfers

CommentR is operated from Canada. Several of our sub-processors are located in the United States and other jurisdictions outside of the European Economic Area and the United Kingdom. When we transfer personal data internationally, we rely on safeguards required by applicable law, including the European Commission's Standard Contractual Clauses, adequacy decisions (Canada has an adequacy decision from the European Commission for commercial data covered by PIPEDA), the EU-US Data Privacy Framework where the sub-processor is certified, and equivalent mechanisms. A copy of the relevant transfer safeguard for any specific sub-processor is available on request to [email protected].

7. Data retention

We retain personal data only for as long as it is necessary for the purposes set out in this Policy:

  • Account data and connected page data: for as long as your account is active. Deleted within 30 days of account deletion (except where retention is required by law).
  • Comment and AI response data: for as long as your account is active or the underlying Page connection exists, then deleted on account or page disconnect.
  • Billing records: retained for the period required by applicable tax and accounting law (typically 6–7 years).
  • Audit and security logs: retained for up to 24 months to investigate fraud, abuse, and security incidents.
  • Account-deletion audit records: retained indefinitely in a pseudonymized form to demonstrate compliance with deletion requests.

8. Your rights

Depending on where you are located, you have the following rights regarding your personal data:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — ask us to correct inaccurate or incomplete information.
  • Erasure — ask us to delete your personal data (also known as “right to be forgotten”).
  • Restriction — ask us to limit how we process your data.
  • Portability — request a machine-readable copy of your data to transfer to another service.
  • Objection — object to processing based on our legitimate interests.
  • Withdraw consent — where processing is based on consent, you can withdraw it at any time without affecting prior processing.

Residents of Canada have equivalent rights to access, correction, and withdrawal of consent under PIPEDA and, for British Columbia residents, under BC PIPA.

You can exercise these rights at any time by contacting [email protected]. For erasure, you can also delete your account and all associated data immediately in-app via Settings → Account → Delete Account, or by removing CommentR from your Facebook Business Integrations settings.

Right to lodge a complaint: if you believe our processing of your personal data infringes applicable data protection law, you have the right to lodge a complaint with your local supervisory authority. In Canada, the relevant authority is the Office of the Privacy Commissioner of Canada and, for British Columbia residents, the Office of the Information and Privacy Commissioner for British Columbia.

9. Children

CommentR is not directed to children. We do not knowingly collect personal data from anyone under the age of 16 (or the equivalent minimum age in the user's jurisdiction). If you believe a child has provided us with personal data, please contact us and we will delete it.

10. Cookies and similar technologies

We use a small number of strictly necessary cookies to operate the service (for example, to keep you signed in) and, with your consent, additional cookies for analytics and marketing attribution. You can manage your cookie preferences at any time via the cookie banner on our marketing pages.

The list below is generated automatically by our consent management provider and reflects the cookies actually set by this site:

If the list above does not load, please refresh the page or contact [email protected].

11. Security

We apply industry-standard technical and organisational measures to protect personal data, including encryption in transit (HTTPS/TLS), encryption of sensitive data at rest, strict access controls, audit logging, and incident response procedures. Access tokens for connected Meta accounts are never exposed to the client and are stored with restricted server-side access.

If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority in accordance with applicable law.

12. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last updated” date at the top and, where required, notify you through the service or by email. Your continued use of CommentR after a change takes effect means you accept the updated Policy.

13. Contact

For any questions about this Privacy Policy or our handling of your personal data, contact us at [email protected].