Privacy Policy
Last updated: 15 July 2026
Replyd AI(“we”, “us”) provides a customer-messaging platform that lets businesses (“merchants”) connect their WhatsApp Business, Instagram, Facebook, email and Shopify accounts to a single inbox with AI-assisted replies and messaging automations. This policy explains what data we handle, why, and the choices available to merchants and to their customers (“end customers”).
Our two roles
- For merchant account data (your login, workspace settings, billing) we act as the data controller.
- For end-customer data(messages, order details, contact lists) we act as a data processor on the merchant’s behalf. The merchant decides what is collected and remains responsible for having a lawful basis — we process it only to run the service they configured.
Data we process
Merchant account data
- Name, email address and authentication credentials for your workspace login.
- Connection credentials for the channels you link (e.g. Meta page tokens, WhatsApp Cloud API tokens, Shopify access tokens, Google OAuth tokens). Tokens are stored encrypted (AES-256-GCM) and used only to operate the integration you connected.
- Billing details, processed by our payment provider — we do not store card numbers.
End-customer data (processed for merchants)
- Messages, comments and mentions exchanged with the merchant on connected channels (WhatsApp, Instagram, Facebook Messenger, email), plus sender identifiers (phone number, platform user ID, profile name) delivered by those platforms.
- Order information from the merchant’s Shopify store (order number, items, delivery status, customer name/phone/email on the order) used to answer order questions and send order notifications.
- Contact records the merchant imports or that are created from checkouts and conversations, including marketing consent status and its provenance (when and where the customer opted in), and opt-out records.
How we use data
- Deliver the service: route inbound messages to the merchant’s inbox and send their replies.
- Generate AI-assisted replies: the relevant conversation and order context is sent to our AI provider (Anthropic) to draft a response. Our agreements do not permit the provider to train models on this data.
- Run the automations the merchant enables: order confirmations, shipping updates, abandoned-cart and win-back messages — always subject to the customer’s consent status and platform messaging rules.
- Provide analytics to the merchant about their own messaging (delivery, response and opt-out rates).
- Operate, secure and debug the platform (audit logs, error monitoring).
We do not sell personal data, use it for third-party advertising, or use end-customer messages to train AI models.
Service providers (subprocessors)
| Provider | Purpose |
|---|---|
| Supabase (on AWS) | Primary database, authentication and storage |
| Vercel | Application hosting |
| Anthropic | AI reply generation (no model training on your data) |
| Meta Platforms | WhatsApp Business Platform, Instagram and Facebook messaging APIs |
| Shopify | Store, order and fulfillment data for connected stores |
| Upstash (QStash) | Scheduled message delivery queue |
| Sentry | Error monitoring |
| Stripe | Subscription billing |
| Optional Gmail and Google Sheets integrations, when a merchant connects them |
Google user data (Limited Use)
If a merchant connects Gmail or Google Sheets, we access only the data needed to provide the feature they enabled (reading and sending email from their support inbox; reading/writing the sheets they select). Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Google user data is never used for advertising, never sold, and never used to train AI models.
International transfers
Our infrastructure is hosted in AWS regions in Asia-Pacific; the platforms listed above may process data in other regions under their own safeguards. Message data necessarily flows through the platform the customer used to contact the merchant (e.g. Meta for WhatsApp).
Retention
- Conversation and order data is retained while the merchant’s account is active, so the merchant keeps their customer history.
- Connection tokens are deleted when an integration is disconnected or the account is closed.
- Opt-out (“do not contact”) records are retained even after other data is deleted — keeping that record is how we make sure the person is never messaged again.
- Aggregated, de-identified statistics (e.g. send counts) may be kept after personal data is removed.
Deletion and your rights
End customers can ask the merchant they talked to, or us, to delete their conversation data; merchants can delete contacts and disconnect integrations from their dashboard, or close their account entirely. Deletion requests initiated through Facebook or Instagram (via Meta’s app settings) and Shopify’s GDPR processes are handled automatically. Step-by-step instructions are on our data deletion page.
Depending on where you live, you may also have rights to access, correct, or port your data, and to complain to a supervisory authority. Contact us at hello@replyd-ai.com — where we act as a processor, we will pass the request to the responsible merchant and assist them in fulfilling it.
Security
- All traffic is encrypted in transit (TLS); data is encrypted at rest.
- Integration tokens are additionally encrypted at the application layer (AES-256-GCM).
- Webhooks from Meta and Shopify are cryptographically verified before any payload is processed.
- Access to production data is restricted and audit-logged; each merchant’s data is isolated per workspace.
Children
The service is for businesses and is not directed at children. We do not knowingly collect data from children under 13.
Changes
We will post any changes to this policy on this page and update the date above. Material changes will be announced to merchants in the dashboard or by email.
Contact
Replyd AI — hello@replyd-ai.com