Privacy Policy
Last updated: April 13, 2026
1. Who we are
ReplyArk ("ReplyArk", "we", "us") provides an AI-powered email and messaging assistant for small businesses. This policy describes the personal data we collect when you use our service at replyark.com, and how we use, share, and protect that data.
Data Controller (controller within the meaning of Art. 4 No. 7 GDPR)
Pallav Jaini
Fliederstraße 2
64747 Breuberg
Germany
Email: hello@replyark.com
Full provider identification is available in the Impressum (legal notice).
2. Data we collect
Account data
When you create an account we store your name, email address, business name, business description, and any pricing or service information you upload.
Email data (when you connect a mailbox)
With your explicit consent via Google OAuth or IMAP credentials, we access your inbox to monitor incoming messages and draft replies.
We do not save email message bodies to our database. When a new email arrives, its body is held only in transient memory long enough for an AI model to extract metadata, and is then discarded. Nothing typed into the body of an email is written to persistent storage, backups, or logs.
What we do persist per email is limited to: sender and recipient addresses, subject line, timestamps, a short AI-generated summary, and structured entities (names, dates, locations, party size, requested services, etc.). This metadata is what powers the draft-reply feature.
WhatsApp data (when you connect a WhatsApp Business account)
With your explicit consent via Meta's Embedded Signup flow, we access your WhatsApp Business Account to receive incoming messages via webhook.
We do not save WhatsApp message content to our database. Incoming message text is held only in transient memory (long enough for an AI model to extract metadata) and is then discarded. Nothing typed by a WhatsApp customer into the body of a message is written to persistent storage, backups, or logs.
What we do persist from WhatsApp conversations is limited to extracted metadata: sender phone number, display name, timestamps, a short AI-generated summary of the thread, and structured entities (names, dates, locations, requested services, party size, etc.). This metadata is what powers the draft-reply feature.
Contact data
We build a profile per customer you correspond with, containing their name (if discoverable), email address, phone number (if mentioned in correspondence), conversation history summary, and engagement metrics.
Usage data
We record anonymised usage metrics (pages viewed, actions taken, AI calls made) to operate, secure, and improve the service.
3. How we use data
- Draft replies. Extracted email and WhatsApp metadata is sent to AI providers (see section 5) to produce draft responses for your review.
- Classify and route. We classify incoming messages (e.g. new enquiry, follow-up, B2B) and match them to knowledge in your account.
- Contact management. We link conversations across channels (email, WhatsApp) to a single contact profile so you see the full history per customer.
- Service operation. Authentication, billing, support, security monitoring, and abuse prevention.
- Product improvement. Aggregate, anonymised metrics only. We do not train AI models on your data.
4. Legal basis (GDPR)
We process data under the following bases: (a) contract — to provide the service you signed up for; (b) consent — for connecting your email or WhatsApp accounts; (c) legitimate interests — to operate, secure, and improve the service; (d) legal obligation — for tax and accounting records.
5. Subprocessors and sharing
We share data only with the following subprocessors, each bound by data processing terms. We do not sell your data. We do not share data with any party for advertising purposes.
- Supabase (database and authentication) — EU region. Stores account data, contact profiles, and extracted conversation metadata.
- Vercel (application hosting) — serves the web application and API routes.
- Anthropic (Claude models for drafting). Anthropic does not train on API inputs.
- Google AI (Gemini models for classification and extraction).
- OpenAI (embeddings for knowledge search). Data sent via the API is not used for training.
- xAI (Grok models for analysis).
- DeepSeek (occasional reasoning model calls).
- Meta Platforms (WhatsApp Business Cloud API) — when you connect a WhatsApp Business account. Incoming messages pass through Meta's infrastructure to reach our webhook. Meta acts as a data processor for messages routed through the Cloud API, does not use message content for advertising, and retains messages on its servers for up to 30 days solely to ensure delivery. See Meta's Hosting Terms for Cloud API.
- Google (Gmail API) — when you connect a Gmail account. ReplyArk's use of Gmail API data adheres to the Google API Services User Data Policy, including Limited Use requirements. We do not transfer Gmail data to third parties except as necessary to provide the Service, do not use Gmail data for advertising, and do not allow humans to read Gmail data except (a) with your explicit consent, (b) for security, (c) to comply with law, or (d) in anonymised, aggregated form for internal operations.
- Resend (transactional email delivery) — authentication, billing, and system emails only.
- Inngest (background job execution) — orchestrates asynchronous tasks such as AI drafting and follow-up scheduling.
5a. WhatsApp Business Platform — specific notices
When you connect a WhatsApp Business account through Meta's Embedded Signup flow, you authorise ReplyArk to receive incoming messages on your behalf via webhook, read message metadata (sender phone number, timestamp), and manage subscriptions to your WhatsApp Business Account.
Your obligations as the WhatsApp business operator: You are solely responsible for obtaining explicit opt-in from every end user before initiating WhatsApp conversations with them, maintaining records of that opt-in, and providing a clear opt-out path. You must comply with the WhatsApp Business Messaging Policy and WhatsApp Commerce Policy.
ReplyArk's commitments:
- We do not save WhatsApp message bodies to our database. Raw message text is held transiently while we extract metadata, then discarded. See Section 2 for details.
- We do not forward WhatsApp data to marketing partners, data brokers, or advertising networks.
- We do not use WhatsApp data to train AI models.
- You can disconnect your WhatsApp account at any time from Settings, which revokes our access token immediately.
6. Security
We encrypt sensitive credentials (OAuth tokens, IMAP passwords, WhatsApp access tokens) at rest using AES-256. All traffic is TLS-encrypted. Access is restricted to authorised personnel under audit logging.
7. Retention
We retain account and conversation metadata for as long as your account is active, plus 30 days after deletion for backup and dispute-resolution purposes. AI-model inputs and outputs sent to subprocessors are retained by those processors per their own policies (generally 30 days or less; no training).
8. Data deletion — how to delete your data
To delete your ReplyArk account and all associated data, email hello@replyark.com with the subject "Data deletion request" from the email address on the account. We will confirm within 72 hours and complete deletion within 30 days.
Deletion removes: your account, conversation metadata, contact profiles, uploaded knowledge, and stored OAuth / access tokens for any connected services (Gmail, WhatsApp). Backups are purged within 30 days. Some records may be retained longer where required by law (e.g. tax invoices).
You can also disconnect individual integrations at any time from Settings — this revokes our tokens for that integration without deleting the rest of your account.
Meta/Facebook users: If you connected via Facebook Login and later revoke ReplyArk's access from your Facebook account (Facebook → Settings → Business Integrations), our access token is invalidated immediately. To also delete the data ReplyArk has already stored, email us as described above.
9. Your rights
Wherever you are located, and specifically if you are in the EEA, UK, Switzerland, or California, you have the right to:
- Access the personal data we hold about you
- Rectify inaccurate data
- Delete your data (see Section 8)
- Restrict or object to certain processing
- Receive an export of your data in a portable format
- Withdraw consent at any time (for consent-based processing)
- Lodge a complaint with your local data-protection authority
To exercise any of these rights contact hello@replyark.com. We respond within 30 days.
10. Cookies
We use strictly necessary cookies for authentication and session management. We do not use third-party advertising or tracking cookies.
11. International transfers
ReplyArk is operated from the EU. Some subprocessors (notably Anthropic, OpenAI, Google, xAI, Meta, Vercel) process data in the United States. Transfers are protected by Standard Contractual Clauses where applicable.
12. Children
ReplyArk is a business-to-business service not directed at children under 16. We do not knowingly collect data from children.
13. Changes to this policy
We may update this policy from time to time. Material changes will be notified by email to account holders. The "last updated" date at the top reflects the current version.
14. Contact
Questions or requests about this policy, including data-deletion requests (see Section 8): hello@replyark.com.