Data Protection

Privacy Policy

We believe in transparency. Here's how we collect, use, and protect your data.

Last Updated: February 12, 2026

At ReplyFlow, we take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Services. Please read this policy carefully to understand our practices regarding your data.

By using ReplyFlow, you consent to the data practices described in this Privacy Policy.

1. Information We Collect

1.1 Information You Provide

We collect information you directly provide when you:

  • Create an account: Name, email address, password, profile avatar
  • Use our Services: Customer messages, contacts, conversation data, business information
  • Make payments: Billing information processed securely by Razorpay (we do not store your card details)
  • Manage subscriptions: Subscription plan, billing cycle, payment history via Razorpay
  • Contact support: Support tickets, feedback, communications
  • Connect integrations: API keys, OAuth tokens for third-party platforms

1.2 Automatically Collected Information

When you use our Services, we automatically collect:

  • Usage data: Features used, messages sent, actions performed
  • Device information: IP address, browser type, operating system
  • Log data: Access times, pages viewed, errors encountered
  • Cookies and tracking: Session data, preferences, analytics

1.3 Information from Third Parties

We may receive information from:

  • WhatsApp/Instagram: Messages, media, contact information
  • Telegram: Messages, user data from connected accounts
  • Authentication providers: Login credentials, profile information
  • Payment processors: Transaction details, billing status

2. How We Use Your Information

We use collected information for the following purposes:

2.1 Provide Services

  • Deliver, operate, and maintain our messaging platform
  • Process and route customer messages across channels
  • Generate AI-powered reply suggestions using OpenAI
  • Manage your account, workspace, and team members
  • Process payments and manage subscriptions

2.2 Improve Services

  • Analyze usage patterns to enhance features and user experience
  • Conduct research and development for new features
  • Monitor and improve AI model performance
  • Identify and fix technical issues

2.3 Communication

  • Send service updates, security alerts, and technical notices
  • Respond to your questions and support requests
  • Send billing notifications and subscription updates
  • Provide marketing communications (with your consent)

2.4 Security and Compliance

  • Detect, prevent, and address fraud, abuse, and security issues
  • Enforce our Terms of Service and policies
  • Comply with legal obligations and government requests
  • Protect our rights, privacy, safety, or property

2.5 Role as Data Processor

When you use our Services to process personal data of your customers (End Users), you act as the "Data Controller" and ReplyFlow acts as the "Data Processor" (as defined under GDPR and applicable laws). We process such data strictly in accordance with your instructions, our Terms of Service, and for the sole purpose of providing the Services to you.

3. Data Storage and Security

3.1 Data Storage Infrastructure

Your data is stored using industry-leading cloud infrastructure:

  • Supabase: Database and authentication (PostgreSQL, hosted on AWS)
  • Geographic location: Data centers in regions with strong data protection laws
  • Encryption at rest: All stored data encrypted with AES-256
  • Encryption in transit: TLS 1.3 for all data transmission
  • Backup frequency: Automated daily backups with 30-day retention

3.2 Security Measures

We implement comprehensive security measures:

  • Access control: Role-based access following the principle of least privilege
  • Authentication: Secure password hashing (bcrypt), optional 2FA
  • Network security: Firewall protection, DDoS mitigation
  • Monitoring: 24/7 security monitoring and incident response
  • Vulnerability management: Regular security audits and penetration testing
  • Employee access: Strict controls on employee access to customer data

3.3 Data Retention

We retain your data as follows:

  • Active accounts: Data retained while your account is active
  • Deleted accounts: When you delete your account, your profile, businesses, messages, contacts, connected accounts, and subscription data are permanently removed immediately. Any active Razorpay subscription is cancelled at the time of deletion.
  • Third-party credentials: All OAuth tokens, API keys, and access credentials for connected platforms (WhatsApp, Instagram, Telegram) are permanently deleted upon account or business deletion. Connected accounts are deregistered from their respective platforms.
  • Backups: Backup copies may persist for up to 90 days before being purged
  • Payment records: Razorpay retains transaction records independently per their own policies
  • Legal requirements: Some data retained longer if required by law
  • Aggregated data: De-identified analytics may be retained indefinitely

4. Data Sharing and Disclosure

4.1 Third-Party Service Providers

We share data with trusted service providers who help us operate our Services:

  • Supabase: Database hosting and authentication
  • Razorpay: Payment processing (PCI-DSS compliant)
  • OpenAI: AI-powered reply generation (note: data sent to OpenAI through its API is not used to train OpenAI's public models)
  • Meta (WhatsApp/Instagram): Messaging platform integration
  • Telegram: Messaging platform integration
  • Vercel: Application hosting and delivery

All service providers are contractually obligated to protect your data and use it only for specified purposes.

4.2 Business Transfers

In the event of a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity. We will notify you of any such change and your options.

4.3 Legal Requirements

We may disclose your information if required to do so by law or in response to:

  • Valid legal process (court orders, subpoenas)
  • Government or regulatory requests
  • Protection of our rights, property, or safety
  • Prevention of fraud or illegal activities

4.4 With Your Consent

We may share your information for other purposes with your explicit consent.

5. Cookies and Tracking Technologies

5.1 Cookies We Use

  • Essential cookies: Required for authentication and core functionality
  • Preference cookies: Remember your settings and preferences
  • Analytics cookies: Help us understand how you use our Services
  • Security cookies: Detect and prevent security threats

5.2 Managing Cookies

You can control cookies through your browser settings. However, disabling essential cookies may affect the functionality of our Services.

6. Your Rights and Choices

6.1 Access and Portability

  • Request access to your personal data
  • Export your data in a structured, machine-readable format
  • Review and download your message history

6.2 Correction and Deletion

  • Update or correct your personal information from your profile settings
  • Permanently delete your account and all associated data from the Security settings page
  • Account deletion cancels any active Razorpay subscriptions immediately
  • Account deletion removes all businesses you own and their data
  • Account deletion deregisters all connected accounts from third-party platforms and permanently deletes stored credentials
  • Request deletion of specific data categories by contacting support

6.3 Marketing Communications

  • Opt out of marketing emails via unsubscribe link
  • Manage email preferences in account settings
  • Note: You cannot opt out of essential service communications

6.4 Objection and Restriction

  • Object to processing of your data for certain purposes
  • Request restriction of processing in specific circumstances
  • Withdraw consent where processing is based on consent

7. International Data Transfers

Our Services are operated from India. If you access our Services from outside India, your information may be transferred to, stored, and processed in India or other countries where our service providers operate.

We ensure appropriate safeguards are in place for international data transfers, including standard contractual clauses and compliance with applicable data protection laws.

8. Children's Privacy

Our Services are not intended for children under 18 years of age. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately, and we will delete it.

9. Compliance with Data Protection Regulations

9.1 GDPR (European Users)

For users in the European Economic Area, we comply with GDPR requirements:

  • Lawful basis for processing (contract performance, legitimate interests, consent)
  • Right to access, rectification, erasure, and portability
  • Right to object to processing and automated decision-making
  • Right to lodge a complaint with supervisory authority

9.2 Indian IT Act

We comply with the Information Technology Act, 2000 and associated rules:

  • Reasonable security practices and procedures
  • Sensitive personal data protection
  • Data breach notification requirements
  • Compliance with the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011

9.3 DPDP Act (Digital Personal Data Protection Act)

We are prepared to comply with India's Digital Personal Data Protection Act, 2023 as it comes into force, including requirements for consent, data processing, and user rights.

10. Data Breach Notification

In the event of a data breach that affects your personal information:

  • We will notify affected users within 72 hours of discovery
  • Notification will include nature of breach, data affected, and remedial actions
  • We will report to relevant authorities as required by law
  • We will take immediate steps to contain and remediate the breach

11. Third-Party Links and Services

Our Services may contain links to third-party websites or integrate with third-party services. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any information.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of material changes by:

  • Email notification to your registered email address
  • Prominent notice on our website or within our Services
  • Update to the "Last Updated" date at the top of this policy

Your continued use of our Services after such notification constitutes acceptance of the updated Privacy Policy.

13. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices:

Data Protection Officer:

Email: privacy@replyflow.com

General Support:

Email: support@replyflow.com

Mailing Address:

ReplyFlow
Electronic City, Phase 1, Bangalore, Karnataka
India

Data Protection Summary

Encryption: AES-256 at rest, TLS 1.3 in transit
Storage: Supabase (PostgreSQL on AWS)
Backups: Daily automated, 30-day retention
Retention: Active accounts: ongoing | Deleted: immediate removal (backups up to 90 days)
Access: Role-based with least privilege principle
Compliance: GDPR, Indian IT Act, DPDP Act (upcoming)

By using ReplyFlow, you acknowledge that you have read and understood this Privacy Policy and consent to our collection, use, and disclosure of your information as described herein.