GDPR & privacy

Privacy policy

How we collect, use, and protect your personal data, in compliance with the General Data Protection Regulation (GDPR).

Last updated: May 8, 2026

01

Data controller

The data controller for personal data collected through the www.replybot.org platform is Replybot.

For any question regarding the processing of your data, you can contact us through the dedicated form on the platform.

02

Data we collect

As part of using our service, we collect the following categories of data:

  • Identification data: first name, last name, email address, account ID.
  • Connection data: IP address, date and time of connection, browser type.
  • Usage data: connected WhatsApp numbers, sending statistics, AI configurations.
  • Payment data: handled exclusively by our payment provider Polar (no banking data is stored).
  • WhatsApp conversation content: incoming and outgoing messages required for the bot to operate.
  • Google OAuth refresh tokens, encrypted at rest with AES-256-GCM, when you connect a Google Calendar to a voice agent for appointment booking. The contents of your calendar are never stored: the Google API is queried in real time during a call.

03

Purposes of processing

Your data is processed for the following purposes:

  • Provide and maintain the service (account creation, WhatsApp session management, AI reply generation).
  • Handle billing and subscription tracking.
  • Improve the service and detect technical issues.
  • Notify you of incidents (session disconnection, QR code expiration).
  • Comply with our legal and regulatory obligations.

04

Legal basis

Processing is mainly based on the performance of the contract concluded between the user and Replybot, as well as on our legitimate interest in improving the service and ensuring its security. Some processing may also rely on user consent (non-essential cookies).

05

Processors and recipients

To provide our service, we rely on technical processors that may access some of your data strictly within their mission scope:

  • Supabase (Singapore): database hosting and authentication.
  • Vercel (United States): web application hosting.
  • OpenAI (United States): AI reply generation.
  • Mistral AI (France): text-to-speech (TTS) for voice messages.
  • Polar (United States): payment processing and billing (Merchant of Record).
  • Google LLC (United States): Google Calendar API, when you connect a calendar to a voice agent for appointment booking. Our use complies with the Google API Services User Data Policy and its Limited Use requirements.

06

Retention period

Account data is kept for the entire duration of service use, then deleted within 12 months after account closure.

WhatsApp messages and event logs are kept for a rolling 90 days, unless a specific legal obligation applies.

Billing data is kept for 10 years in accordance with French accounting obligations.

07

Transfers outside the European Union

Some of our processors are located outside the European Union, so your data may be transferred to those countries. Such transfers are governed by Standard Contractual Clauses adopted by the European Commission or by other mechanisms ensuring an adequate level of protection.

08

Your rights

Under the GDPR, you have the following rights regarding your personal data:

  • Right of access to your personal data.
  • Right to rectification of inaccurate data.
  • Right to erasure (right to be forgotten).
  • Right to restriction of processing.
  • Right to data portability.
  • Right to object to processing.
  • Right to withdraw your consent at any time.
  • Right to lodge a complaint with the CNIL (www.cnil.fr) or your local data protection authority.

09

Cookies

The site uses cookies strictly necessary for the platform to operate (authentication, session). No third-party advertising or profiling cookies are placed without your explicit consent.

10

Security

Replybot implements appropriate technical and organizational measures to protect your data against unauthorized access, alteration, disclosure, or destruction: encryption of data in transit (TLS), encryption at rest for sensitive secrets such as third-party API access tokens (AES-256-GCM), strict access control, logging of sensitive actions, and regular backups.

11

Google Calendar connection (appointment booking)

When you enable appointment booking for a voice agent, you may connect your Google Calendar. The integration uses OAuth 2.0 and is strictly optional: no Google data is collected unless you complete this connection.

The permissions ("scopes") requested at consent time are:

  • https://www.googleapis.com/auth/calendar.events — create, read and update events to book or move appointments.
  • https://www.googleapis.com/auth/calendar.readonly — list your calendars so you can choose which one to use.
  • https://www.googleapis.com/auth/userinfo.email — display the connected account's email in your dashboard.

12

Google data we process and Limited Use policy

We store on our servers only your Google email address and a refresh token encrypted at rest with AES-256-GCM. The contents of your calendar (events, attendees, descriptions) are never persisted: the Google API is queried in real time only when a voice agent needs to check your availability or to book/move an appointment during a phone call.

Our use of Google data complies with the Google API Services User Data Policy (https://developers.google.com/terms/api-services-user-data-policy), including its Limited Use requirements. In practice:

  • We use Google data exclusively to provide and improve user-facing features (availability checks, creating, modifying and cancelling appointments by the voice agent).
  • We do not transfer Google data to third parties except as strictly necessary to provide the service or as required by law.
  • We do not use Google data for advertising purposes.
  • We do not use Google data to train, fine-tune or improve any AI model, whether ours or a third party's.
  • No human reads your Google data, except: (a) with your explicit consent, (b) for security reasons (incident investigation, abuse prevention), (c) where required by law, or (d) in aggregated and anonymized form for operational purposes.

13

Revoke Google Calendar access

You may withdraw the access granted to our application at any time, via either of these equivalent paths:

  • from the www.replybot.org dashboard, by clicking "Disconnect" in the "Tools & integrations" tab of the relevant voice agent. The token is then revoked at Google and removed from our database.
  • from your Google account, at https://myaccount.google.com/permissions, by removing the authorization granted to our application.

14

Phone numbers, WhatsApp Business and outbound contact

When an end user contacts a bot deployed via www.replybot.org, we may collect their WhatsApp identifier (JID) and — when WhatsApp exposes it — their phone number in international format. This collection is strictly limited to operating the messaging service and maintaining a faithful conversation history.

The business customer (tenant) using www.replybot.org is the data controller for their own contacts' data. As such, they must:

  • comply with the WhatsApp Business Terms of Service and Meta platform policies, including the ban on unsolicited messaging and the requirement for prior, verifiable opt-in;
  • collect the data subject's explicit, informed and auditable consent before re-contacting them on a different channel (phone call, SMS, email), as required by articles 6 and 7 of the GDPR;
  • for recipients residing in France, check registration on the Bloctel telemarketing opt-out list (www.bloctel.gouv.fr) prior to any B2C outbound campaign and, where applicable, exclude registered numbers in accordance with article L. 223-1 of the French Consumer Code;
  • provide at all times a simple, free way to withdraw consent and request deletion of personal data.

15

Changes

This policy may be updated at any time to reflect changes in our services or the legal framework. Any substantial change will be notified to you by email or through the platform.

16

Contact

To exercise your rights or for any question regarding this policy, you can contact us through the dedicated form on www.replybot.org.