Privacy Policy
Last updated: 2026-05-08
ReplyFlow ("ReplyFlow", "we", "us") provides an AI-powered messaging platform that helps businesses respond to their customers across WhatsApp, Instagram, Facebook Messenger, Telegram, Viber, and a web widget. This policy explains what personal data we process, why, and the rights you have over it under the EU General Data Protection Regulation (GDPR) and Greek Law 4624/2019. It applies to our website at replyflow.tech and to the ReplyFlow application.
1. Who we are (data controller)
ReplyFlow
Proteos 75, Palaio Faliro 175 61, Greece
Greek Tax ID (AFM): 188069677
Contact: hello@replyflow.tech
For data about our customers (the businesses that subscribe to ReplyFlow), ReplyFlow is the data controller. For data about their end-users (the people who message a business through a connected channel), ReplyFlow is the data processor on behalf of that business; the business is the controller and is responsible for having a lawful basis to message its end-users and for its own privacy notice.
2. Data we collect
- Account & business data: name, email, password hash, business name, phone, billing address, plan, usage limits.
- Channel credentials: tokens and identifiers needed to send and receive messages on connected channels (e.g., WhatsApp Business phone number ID, Meta access tokens, Telegram bot tokens). Sensitive credentials are encrypted at rest.
- Conversations: messages exchanged between a business and its end-users through ReplyFlow, including text, media URLs, timestamps, and the AI replies generated.
- Calendar & booking data (if you enable scheduling): event titles, times, participant names and contact info as provided.
- Payment data: we never store full card numbers. Stripe processes payments and returns a token plus the last four digits, brand, and expiry.
- Usage & technical data: log records, IP address, device, browser, pages viewed, errors. We use PostHog for product analytics.
3. Why we process it (lawful bases under GDPR Art. 6)
- Performance of a contract (Art. 6(1)(b)): operating the Service you subscribed to.
- Legitimate interests (Art. 6(1)(f)): security, fraud prevention, analytics, product improvement, and direct communication with our customers about their subscription. You can object at any time.
- Consent (Art. 6(1)(a)): non-essential cookies and optional marketing emails. You can withdraw consent at any time.
- Legal obligation (Art. 6(1)(c)): tax, accounting, anti-money-laundering, and responding to lawful authority requests.
4. AI processing
To generate replies, classify intent, and search prior conversations, ReplyFlow sends the relevant message content and a system prompt to AI providers (Anthropic for chat models, OpenAI for vector embeddings). These providers process the content under their enterprise terms and do not use it to train their public models. Processing occurs in the United States under appropriate safeguards (see Section 6). Conversation content is retained on our infrastructure to power per-business memory and search; you can request deletion at any time (Section 9).
5. Sub-processors
We rely on the following third parties to operate the service:
- Supabase (Ireland / United States) — database, authentication, file storage
- Vercel (United States) — application hosting and edge delivery
- Anthropic (United States) — Claude AI models for reply generation
- OpenAI (United States) — text embeddings for memory and search
- Stripe (Ireland / United States) — subscription billing and payment processing
- Resend and Postmark (United States) — transactional email delivery
- PostHog (United States / EU) — product analytics and error tracking
- Meta Platforms (Ireland / United States) — WhatsApp Business, Instagram, Messenger APIs (when you connect those channels)
Each sub-processor receives only the data needed for its function and is bound by a data processing agreement (GDPR Art. 28).
6. International transfers
Some sub-processors are located outside the European Economic Area, mainly in the United States. When we transfer personal data internationally we rely on the safeguards in GDPR Chapter V, including:
- Adequacy decisions (e.g., the EU-U.S. Data Privacy Framework, where the recipient is certified);
- Standard Contractual Clauses adopted by the European Commission;
- Supplementary measures such as encryption in transit and at rest where appropriate.
7. Retention
- Account and business data: while the account is active, plus up to 24 months after closure for legal and audit purposes.
- Conversations: while you remain a customer. After you close your account or request deletion, conversations are deleted within 30 days, except where retention is required by law.
- Billing and tax records: retained for the period required by Greek tax law (currently a minimum of 5 years for VAT and accounting records; 10 years where applicable).
- Logs and analytics: typically 90 days.
8. How we protect data
- TLS in transit and AES-256 at rest for sensitive fields (channel tokens are encrypted with application-level keys before being stored).
- Row-level access policies isolate each business's data.
- Least-privilege access for our team, with audit logging.
- Regular backups; recovery procedures tested periodically.
No system is perfectly secure. If we become aware of a personal data breach we will notify the Hellenic Data Protection Authority within 72 hours and inform affected users without undue delay where required (GDPR Art. 33-34).
9. Your rights (GDPR Art. 15-22)
You can ask us to:
- Confirm whether we process your data and obtain a copy (right of access)
- Correct inaccurate or incomplete data (right of rectification)
- Delete data when no longer necessary or processed unlawfully (right to erasure)
- Restrict processing in specific situations
- Receive your data in a portable format and transfer it to another provider
- Object to processing based on legitimate interest, including profiling
- Withdraw consent at any time, without affecting prior lawful processing
- Not be subject to a decision based solely on automated processing that produces legal or similarly significant effects on you
To exercise these rights, email hello@replyflow.tech from the address associated with your account. We respond within one month (extendable by two further months for complex requests, GDPR Art. 12). If you are an end-user whose data is held on behalf of a business, please contact that business first; if you cannot reach them or need our help, write to us and we will route the request.
To request deletion specifically, see our Data Deletion page.
10. Cookies
We use essential cookies to keep you signed in and to remember preferences. We use first-party analytics cookies (PostHog) to understand product usage. You can clear cookies in your browser at any time; doing so may sign you out.
11. Children
ReplyFlow is a B2B product not directed to individuals under 16. We do not knowingly collect data from children. If you believe a child has provided us data, contact us so we can remove it.
12. Changes to this policy
We may update this policy. Material changes will be announced by email or a banner in the product at least 15 days before they take effect. The "Last updated" date above always reflects the current version.
13. Contact and complaints
Data protection & general contact: hello@replyflow.tech
You also have the right to lodge a complaint with the Hellenic Data Protection Authority (HDPA / Αρχή Προστασίας Δεδομένων Προσωπικού Χαρακτήρα), Kifisias 1-3, 115 23 Athens, Greece — www.dpa.gr. If your habitual residence is in another EU/EEA Member State, you may also lodge the complaint with the supervisory authority there.