Security & Data

Security & Data Practices

How Dinopix Reviews protects your data, what we access, and our security infrastructure.

Our Commitment

Dinopix Reviews is built with security and privacy as core principles. We access only the minimum data needed to provide our service, and we're transparent about exactly what that data is and how it's used.

Infrastructure & Hosting

  • Database: Hosted on Supabase (powered by AWS) in the Singapore region with encryption at rest and in transit
  • Frontend: Hosted on Netlify with HTTPS enforced on all connections
  • Background workers: Hosted on Railway with isolated containers
  • Edge functions: Run on Supabase Edge (Deno runtime) with no persistent state
  • All data transmission between services uses TLS/HTTPS encryption

Authentication & Access Control

  • User authentication via Supabase Auth with bcrypt password hashing
  • Row Level Security (RLS) on all database tables — users can only access their own data
  • Facebook OAuth tokens are stored encrypted and automatically refreshed every 60 days
  • API endpoints verify user identity on every request
  • No shared access — each user account is fully isolated

What Data We Access from Facebook

When you connect your Facebook account, we request specific permissions. Here's exactly what each one does:

  • Page information: Names, categories, and logos of pages you manage — used to display your pages in the dashboard
  • Comments and reviews: Public comments on your page posts and reviews/recommendations — displayed in your Reviews & Comments view
  • Messenger conversations: Private messages sent to your page — displayed in the Inbox for you to respond
  • Post engagement: Comment counts and reaction data — used for analytics metrics
  • Page management: Ability to reply to comments, hide/unhide comments, and subscribe to real-time notifications
  • Ad accounts: Ad account IDs — used to sync comments on sponsored posts
  • Instagram accounts: Instagram Business accounts linked to your pages — used to sync Instagram comments

We never access your personal Facebook profile, friends list, photos, or any data unrelated to your business pages.

What Data We Access from Instagram

  • Instagram Business account profile information (linked via Facebook Pages)
  • Comments on your Instagram Business posts
  • We do not access Instagram Direct Messages, stories, reels analytics, or follower data

How AI Processes Your Data

We use Anthropic's Claude AI for three features:

  • Sentiment analysis: Each comment/review text (up to 200 characters) is sent to Anthropic's API to classify as positive, neutral, or negative. Only the text is sent — no personal information about the commenter.
  • Reply suggestions: When you click "AI Suggest", the comment text and your brand voice settings are sent to generate a draft reply. You always review and edit before sending.
  • Sentiment insights: A sample of up to 200 recent comments is sent to identify trending themes and provide recommendations.

Important: Anthropic does not use data sent via their commercial API to train their AI models. Your business data is not used for model training.

Data We Never Share

  • We never sell your data or your customers' data to third parties
  • We never use your data for advertising or profiling
  • We never share your Facebook/Instagram data with other Dinopix users
  • We never access data from platforms you haven't explicitly connected

Data Retention & Deletion

  • Your data is retained for as long as your account is active
  • Unassigning pages gives you the choice to keep or delete associated data
  • Disconnecting Facebook deactivates syncing but preserves existing data
  • Deleting your account permanently removes all data within 30 days
  • You can request full data deletion at any time via our contact form

Compliance

  • We comply with Meta's Platform Terms and Developer Policies
  • We comply with the Australian Privacy Act 1988 and Australian Privacy Principles (APPs)
  • We implement GDPR-aligned practices for data access, portability, and deletion rights
  • Our full privacy policy is available at dinopix.com.au/privacy
