Privacy Policy

Last updated: March 24, 2026

1. Introduction

Ripli (operated by Shiftcore UG (haftungsbeschränkt), Weilstraße 10, 65183 Wiesbaden, Germany) is a B2B social media management platform that enables businesses to manage their social accounts, respond to comments and direct messages across multiple platforms, and receive AI-generated reply suggestions. This Privacy Policy explains how we collect, use, store, and protect your information when you use our Service.

If you are located in the European Economic Area (EEA), we process your personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable German data protection law (BDSG).

2. Information We Collect

2.1 Account Information

  • Name and email address (when registering directly or via Google OAuth)
  • Password (when registering directly, stored as a hashed value)
  • Company/organization name
  • Google account information (when using Google OAuth)

2.2 Social Media Integration

  • Instagram and Facebook Business account data (via Meta Graph API)
  • LinkedIn Business, LinkedIn Ads, and LinkedIn Personal account data
  • YouTube account and channel data (via Google/YouTube API)
  • TikTok Business account data (via TikTok API)
  • Posts, comments, direct messages, and advertising interaction data from connected accounts
  • Social media access tokens (stored securely and encrypted)

2.3 Payment Information

  • Payment card details (processed directly by Stripe — we do not store raw card data)
  • Billing address and payment history
  • Subscription plan details

2.4 Usage and Technical Data

  • AI-generated responses and editing history
  • Comment interaction patterns and feature usage statistics
  • IP address, browser type, operating system, and device information
  • Log data, error reports, and performance metrics
  • Cookie data (see Section 8 below)

3. How We Use Your Information

We process your data based on the following legal bases (GDPR Art. 6):

  • Contract performance (Art. 6(1)(b)): To provide social media management services, process payments, manage subscriptions, and authenticate your identity
  • Legitimate interests (Art. 6(1)(f)): To improve our services, develop new features, prevent fraud, and ensure security
  • Consent (Art. 6(1)(a)): To send marketing communications (you may withdraw consent at any time)
  • Legal obligation (Art. 6(1)(c)): To comply with applicable laws and regulations

Specifically, we use your information to:

  • Integrate with Instagram, Facebook, LinkedIn, YouTube, and TikTok APIs for comment and message management
  • Generate contextual AI responses using the OpenAI API
  • Communicate important updates and service information
  • Monitor and analyze usage to improve the platform

4. Third-Party Services and Sub-Processors

We share data with the following categories of third-party service providers ("sub-processors") who assist us in operating the Service. A full list of sub-processors is available at ripli.app/sub-processors.

  • Google OAuth — Authentication
  • Google Analytics — Website analytics and performance monitoring
  • Meta (Facebook & Instagram) APIs — Social media integration
  • LinkedIn APIs — Professional network integration
  • TikTok API — TikTok content management
  • YouTube (Google) APIs — Video content management
  • Stripe — Payment processing
  • OpenAI — AI-powered response generation

Each third-party service has its own privacy policy. We recommend reviewing their policies to understand how they handle your data. We will notify you of any material changes to our sub-processor list with at least 30 days' advance notice.

5. International Data Transfers

As a German company serving a global customer base, some of your data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States. These transfers occur when we use sub-processors such as OpenAI, Stripe, or Google, which are based in the US.

Where data is transferred outside the EEA, we ensure appropriate safeguards are in place in accordance with GDPR Chapter 5, including the use of Standard Contractual Clauses (SCCs) approved by the European Commission and, where applicable, additional technical and organizational measures. You may request a copy of the applicable transfer mechanisms by contacting us at privacy@shiftcore.de.

6. Data Storage and Security

  • All data is encrypted in transit (TLS/HTTPS) and at rest
  • Social media access tokens are stored encrypted and scoped to minimum required permissions
  • Payment information is processed and stored exclusively by Stripe — we do not store raw card data
  • Access to personal data is restricted to authorized personnel on a need-to-know basis
  • Regular security reviews and updates are performed

7. Security Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority (Landesbeauftragter für Datenschutz und Informationsfreiheit Rheinland-Pfalz) within 72 hours of becoming aware of the breach, as required by GDPR Art. 33. Where the breach is likely to result in a high risk to your rights, we will also notify you directly without undue delay, as required by GDPR Art. 34.

8. Cookies and Tracking Technologies

We use cookies and similar tracking technologies on our website. Cookies are small text files stored on your device that help us provide and improve the Service.

Essential Cookies

Required for the Service to function (e.g., authentication sessions, security). These cannot be disabled.

Analytics Cookies

Used to understand how visitors interact with the website (e.g., Google Analytics). Only set with your consent.

Functional Cookies

Enable enhanced functionality and personalization. Only set with your consent.

You can manage your cookie preferences at any time using the cookie settings panel on our website. Withdrawing consent does not affect the lawfulness of processing based on consent before withdrawal.

9. Your Rights and Choices (GDPR)

Under the General Data Protection Regulation (GDPR), you have the following rights:

  • Right to access — Request a copy of your personal data
  • Right to rectification — Request correction of inaccurate or incomplete data
  • Right to erasure — Request deletion of your data ("right to be forgotten")
  • Right to restriction — Request limitation of processing in certain circumstances
  • Right to data portability — Receive your data in a structured, machine-readable format
  • Right to object — Object to processing based on legitimate interests
  • Rights related to automated decision-making — Not to be subject to solely automated decisions with significant effects
  • Right to withdraw consent — Withdraw consent at any time where processing is based on consent
  • Right to lodge a complaint — File a complaint with your national data protection supervisory authority

You may also, at any time, disconnect social media accounts, cancel your subscription, or request deletion of your account. To exercise any of these rights, please contact our Data Protection Officer at privacy@shiftcore.de. We will respond within 30 days.

10. Data Retention

We retain your personal data for as long as your account is active or as needed to provide the Service and comply with legal obligations. If you delete your account, we will remove your personal information and associated social media data within 30 days, except where we are required to retain records for legal, tax, or accounting purposes (typically up to 10 years under German commercial law).

11. Controller Information

The data controller responsible for your personal data is:

Shiftcore UG (haftungsbeschränkt)

Weilstraße 10, 65183 Wiesbaden, Germany

Email: privacy@shiftcore.de

12. Updates to Privacy Policy

We may update this privacy policy periodically. We will notify you of any significant changes through your registered email address or when you next log in to the application. Minor changes may be made without individual notice. The date at the top of this page indicates when the policy was last updated.

13. Contact Us

If you have questions about this Privacy Policy or your data, or wish to exercise your rights: