EU data residency · GDPR-native

GDPR compliance

Last updated: 8 June 2026

FounderReply is built for Europe. Data residency and GDPR compliance are part of the product design, not an afterthought. This page explains how we comply; our Privacy Policy and Data Processing Agreement provide the legal detail.

Controller and processor roles

For your own account and billing data, FounderReply is the data controller. For the personal data you process through the service — for example the comments, mentions and direct messages from your audience — you are the controller and FounderReply acts as your processor under a Data Processing Agreement.

Lawful basis

We process account data to perform our contract with you and on the basis of our legitimate interest in operating and securing the service. Personal data you process via the service is handled under your instructions and your own lawful basis, as set out in the DPA.

EU data residency

Application data — workspaces, personas, content plans, scheduled posts and OAuth tokens — is hosted in the EU. We do not transfer this data outside the EU/EEA except where a connected platform you authorise (Reddit, Instagram, Facebook, LinkedIn, X) is itself located abroad, which is inherent to using that platform.

AI drafting

By default, content generation and the processing of inbound audience messages use Google’s Gemini API. Under Google’s API terms this processing takes place in the United States, and Google does not use API inputs to train its models. EU/CH-hosted AI via our phi-cloud integration is available when configured, keeping AI processing in the EU or Switzerland. In either case, your brand data and your audience’s personal data are not used to train third-party models, and processing remains under our DPA.

Sub-processors

We use a short list of sub-processors, all bound by data-processing terms:

  • Supabase (EU region) — application database and authentication.
  • Cloudflare — application hosting, edge delivery and DDoS protection.
  • Google (Gemini API) — AI draft generation and message processing (default; processed in the US under Google’s API terms); no third-party model training.
  • phi-cloud (EU/CH-hosted) — alternative AI generation and message processing, available when configured; no third-party model training.
  • Stripe — payments and VAT handling for paid plans.
  • The social platforms you connect (Reddit, Meta, LinkedIn, X) for publishing and engagement on your own accounts.

We notify customers of material changes to this list. Request the current sub-processor register at admin@founderreply.com.

Data-subject rights

We support access, rectification, erasure, restriction, portability and objection. You can delete your data at any time via Data & Deletion, or contact us to exercise any right. Where we act as your processor, we assist you in responding to your own data subjects’ requests.

Security

OAuth tokens are encrypted at rest, access is scoped per workspace with row-level security, and the service runs over TLS. See our Security page for detail.

Request a DPA

A Data Processing Agreement is available to all customers. Email admin@founderreply.com to request one, or read the DPA summary.