Roles and responsibilities
Replybot is the data controller for data needed to operate the website, accounts, subscriptions, security, and its relationship with business customers.
For data relating to people who interact with a WhatsApp bot or call a voice agent deployed by a business customer, that customer determines the purposes of processing and acts as data controller. Replybot then processes the data on its behalf as a processor in order to provide the service.
For any question regarding the processing of your data, you can contact us through the dedicated form on the platform.
Data we collect
As part of using our service, we collect the following categories of data:
- Identification data: first name, last name, email address, account ID.
- Connection data: IP address, date and time of connection, browser type.
- Usage data: connected WhatsApp numbers, sending statistics, AI configurations.
- Payment data: handled exclusively by our payment provider Polar (no banking data is stored).
- WhatsApp conversation content: incoming and outgoing messages required for the bot to operate.
- Voice-agent call data: caller number, display name where available, date and time, duration, status, call audio recording, transcript, summary, actions performed by the agent, and any transfer number.
- Google OAuth refresh tokens, encrypted at rest with AES-256-GCM, when you connect a Google Calendar to a voice agent for appointment booking. The contents of your calendar are never stored: the Google API is queried in real time during a call.
Purposes of processing
Your data is processed for the following purposes:
- Provide and maintain the service (account creation, WhatsApp session management, AI reply generation).
- Answer calls, hold a real-time conversation, perform actions configured by the business customer, provide the call history, and support follow-up from the dashboard.
- Handle billing and subscription tracking.
- Improve the service and detect technical issues.
- Notify you of incidents (session disconnection, QR code expiration).
- Comply with our legal and regulatory obligations.
Legal basis
For customer accounts, processing is mainly based on performance of the contract with Replybot, our legal obligations, and our legitimate interest in securing and improving the service. Non-essential cookies, if used, rely on consent.
For end contacts' conversations and calls, the business customer selects and documents the legal basis appropriate to its purpose, such as performance of a contract, a legal obligation, legitimate interests following a balancing test, or consent where required. Replybot does not record calls for its own marketing purposes.
Voice-agent calls: recording and transcription
When someone calls a number on which a voice agent is enabled, the caller's voice and the agent's voice are processed in real time to conduct the conversation. Calls are recorded by default. At the end of a call, an MP3 audio file, a text transcript, and a summary are stored in the business customer's workspace, together with related metadata and agent actions.
This content may reveal personal information and may include sensitive data if the caller chooses to disclose it. Callers should not provide payment-card data, passwords, or other secrets that are not necessary for their request.
The business customer must inform callers at the start of the call that they are interacting with AI and that the call is recorded and transcribed. It must state the purpose, legal basis, retention period, recipients, applicable rights, and a way to access the full notice. Where the law requires it, the customer must also obtain consent or offer a non-recorded alternative.
Processors and recipients
To provide our service, we rely on technical processors that may access some of your data strictly within their mission scope:
- Supabase (Singapore): database hosting and authentication.
- Vercel (United States): web application hosting.
- OpenAI (United States): AI reply generation.
- Mistral AI (France): text-to-speech (TTS) for voice messages.
- Twilio (United States): phone-number provisioning, routing and transport of telephone calls and, depending on configuration, SMS delivery.
- Google LLC (United States): real-time conversational processing of audio streams by the voice AI service and generation of transcripts.
- Polar (United States): payment processing and billing (Merchant of Record).
- Google LLC (United States): Google Calendar API, when you connect a calendar to a voice agent for appointment booking. Our use complies with the Google API Services User Data Policy and its Limited Use requirements.
Retention period
Account data is kept for the entire duration of service use, then deleted within 12 months after account closure.
WhatsApp messages and event logs are kept for a rolling 90 days, unless a specific legal obligation applies.
Call recordings, transcripts, summaries, and metadata are retained while the service is in use and deleted no later than 12 months after account closure. The business customer must verify that this period is necessary for the purposes disclosed to callers and request a shorter period where needed, subject to any legal retention requirement.
Billing data is kept for 10 years in accordance with French accounting obligations.
Transfers outside the European Union
Some of our processors are located outside the European Union, so your data may be transferred to those countries. Such transfers are governed by Standard Contractual Clauses adopted by the European Commission or by other mechanisms ensuring an adequate level of protection.
Your rights
Under the GDPR, you have the following rights regarding your personal data:
- Right of access to your personal data.
- Right to rectification of inaccurate data.
- Right to erasure (right to be forgotten).
- Right to restriction of processing.
- Right to data portability.
- Right to object to processing.
- Right to withdraw your consent at any time.
- Right to lodge a complaint with the CNIL (www.cnil.fr) or your local data protection authority.
Cookies
The site uses cookies strictly necessary for the platform to operate (authentication, session). No third-party advertising or profiling cookies are placed without your explicit consent.
Security
Replybot implements appropriate technical and organizational measures to protect your data against unauthorized access, alteration, disclosure, or destruction: encryption of data in transit (TLS), encryption at rest for sensitive secrets such as third-party API access tokens (AES-256-GCM), strict access control, logging of sensitive actions, and regular backups.
Call recordings are held in private storage. Playing them from the dashboard requires authentication as a user of the relevant customer and uses a temporary signed link.
Google Calendar connection (appointment booking)
When you enable appointment booking for a voice agent, you may connect your Google Calendar. The integration uses OAuth 2.0 and is strictly optional: no Google data is collected unless you complete this connection.
The permissions ("scopes") requested at consent time are:
- https://www.googleapis.com/auth/calendar.events — create, read and update events to book or move appointments.
- https://www.googleapis.com/auth/calendar.readonly — list your calendars so you can choose which one to use.
- https://www.googleapis.com/auth/userinfo.email — display the connected account's email in your dashboard.
Google data we process and Limited Use policy
We store on our servers only your Google email address and a refresh token encrypted at rest with AES-256-GCM. The contents of your calendar (events, attendees, descriptions) are never persisted: the Google API is queried in real time only when a voice agent needs to check your availability or to book/move an appointment during a phone call.
Our use of Google data complies with the Google API Services User Data Policy (https://developers.google.com/terms/api-services-user-data-policy), including its Limited Use requirements. In practice:
- We use Google data exclusively to provide and improve user-facing features (availability checks, creating, modifying and cancelling appointments by the voice agent).
- We do not transfer Google data to third parties except as strictly necessary to provide the service or as required by law.
- We do not use Google data for advertising purposes.
- We do not use Google data to train, fine-tune or improve any AI model, whether ours or a third party's.
- No human reads your Google data, except: (a) with your explicit consent, (b) for security reasons (incident investigation, abuse prevention), (c) where required by law, or (d) in aggregated and anonymized form for operational purposes.
Revoke Google Calendar access
You may withdraw the access granted to our application at any time, via either of these equivalent paths:
- from the www.replybot.org dashboard, by clicking "Disconnect" in the "Tools & integrations" tab of the relevant voice agent. The token is then revoked at Google and removed from our database.
- from your Google account, at https://myaccount.google.com/permissions, by removing the authorization granted to our application.
Business customer's obligations toward its contacts
When an end user contacts a bot or voice agent deployed via www.replybot.org, we may process their WhatsApp identifier (JID), phone number, and conversation content to provide the service and maintain the history requested by the business customer.
The business customer (tenant) using www.replybot.org is the data controller for their own contacts' data. As such, they must:
- comply with the WhatsApp Business Terms of Service and Meta platform policies, including the ban on unsolicited messaging and the requirement for prior, verifiable opt-in;
- collect the data subject's explicit, informed and auditable consent before re-contacting them on a different channel (phone call, SMS, email), as required by articles 6 and 7 of the GDPR;
- for recipients residing in France, check registration on the Bloctel telemarketing opt-out list (www.bloctel.gouv.fr) prior to any B2C outbound campaign and, where applicable, exclude registered numbers in accordance with article L. 223-1 of the French Consumer Code;
- provide at all times a simple, free way to withdraw consent and request deletion of personal data.
- configure a clear announcement at the start of each voice call stating that AI is being used and that the call is recorded and transcribed, and provide its own privacy notice to callers;
- limit collection to necessary information, set a retention period, and restrict recordings, transcripts, and summaries to authorized personnel;
- avoid requesting sensitive data; where such processing is necessary, identify an applicable exception under Article 9 GDPR and implement enhanced safeguards.
Changes
This policy may be updated at any time to reflect changes in our services or the legal framework. Any substantial change will be notified to you by email or through the platform.
Contact
To exercise your rights or for any question regarding this policy, you can contact us through the dedicated form on www.replybot.org.