1. Who We Are
Replyy AI is an AI-powered Instagram and WhatsApp DM appointment-setting service operated by Girik Varma and Suyash Verma ("we", "us", "our"), trading under the name Replyy AI. Our website is located at https://tryreplyy.com.
We are not a registered legal entity at this time. We operate as a co-founded agency and will register as a partnership firm in India. All contractual and financial matters are currently handled by Girik Varma on behalf of the agency.
Contact: team@tryreplyy.com
2. Scope of This Policy
This Privacy Policy applies to:
- Website visitors — anyone visiting https://tryreplyy.com or any subdomain operated by us.
- Clients — coaches, consultants, and service businesses who engage Replyy AI to provide appointment-setting services under a signed agreement.
- Leads and prospects ("Leads") — individuals whose Instagram DM conversations are processed by Replyy AI on behalf of our clients.
We operate as:
- Data Controller in respect of website visitor data and our own client relationship data.
- Data Processor in respect of Lead data — we process this data solely on the instructions of our clients, who are the Data Controllers for their own audiences.
3. Data We Collect
3.1 Website Visitors
When you visit our website, we may collect:
- Contact form / demo booking data: Name, email address, Instagram handle, business type — submitted voluntarily when you request a demo or contact us.
- Server and infrastructure logs: IP address, browser type, operating system, referrer URL, pages visited, and timestamps. These are collected automatically by our hosting infrastructure (Coolify / Hetzner) and log aggregation service (Axiom).
- Cookies and similar technologies: See our Cookie Policy for full details. We currently use only strictly necessary authentication cookies. We do not use analytics, marketing, or third-party tracking cookies.
3.2 Clients
When you engage Replyy AI as a client, we collect:
- Identity: Full name, email address, business name, Instagram and/or WhatsApp account handle(s), business type.
- Credentials: Instagram and/or WhatsApp account access credentials and API tokens (Zernio API tokens or Meta Graph API tokens, depending on the integration mode selected during onboarding), stored encrypted at rest using AES-256-GCM encryption in our database. Credentials are never stored in plaintext.
- Booking platform credentials: Calendly, Cal.com, Google Calendar, or Zoom API tokens, where applicable — encrypted at rest.
- Communication: Emails, messages, and records of our correspondence with you.
- Payment information: Payment amounts, dates, and basic transaction references. Actual payment processing is handled by Wise. We do not store full card numbers or sensitive payment credentials.
- Usage and performance data: KPI reports, booking counts, conversation counts, closed-deal revenue (amount and currency, recorded when a client marks a lead as closed-won), and agent performance metrics generated by our platform on your behalf.
3.3 Leads and Prospects (Processed on Behalf of Clients)
As part of delivering our service, our AI agent accesses and processes data belonging to the client's Instagram or WhatsApp audience. This data is processed solely to perform the appointment-setting service and includes:
- DM conversation content: The full text of inbound and outbound DM conversations between the client's Instagram or WhatsApp account and their leads.
- Platform profile data: Publicly visible profile information accessible via the Zernio API or Meta Graph API (Instagram/WhatsApp username, display name, profile picture URL, follower/following counts where available, lead display name as provided by the platform).
- Voice message content: Where the voice notes feature is enabled, inbound voice messages from leads are transcribed using OpenAI Whisper. Outbound voice notes are generated using ElevenLabs text-to-speech.
- Booking data: Name, email address, and calendar event details where a Lead books a call via Calendly, Cal.com, Google Calendar, or Zoom.
- Qualification data: AI-generated assessments of lead readiness, conversation stage, lead temperature (cold / warm / hot), and disqualification reasons — stored as structured data in our database.
- Close and revenue data: Where a client records that a Lead converted into a paying customer, we store the closed deal amount, currency, and conversion to USD (computed using daily exchange rates from openexchangerates.org).
We do not sell, share, rent, or use Lead data for any purpose other than delivering the appointment-setting service to the relevant client.
4. How We Use Data
| Data Category | Purpose | Legal Basis |
|---|---|---|
| Website visitor contact/form data | Respond to demo requests and sales enquiries | Legitimate interest (pre-contractual) / Consent |
| Server logs | Security, abuse prevention, infrastructure monitoring | Legitimate interest |
| Client identity and credentials | Deliver the appointment-setting service | Contract performance |
| Client payment information | Invoicing, commission tracking, financial records | Contract performance / Legal obligation |
| Lead conversation data | AI-powered DM qualification and appointment booking | Contract performance (on behalf of client/controller) |
| Lead booking data | Syncing booked calls to client's calendar | Contract performance |
| Lead voice data | Transcription (inbound) and voice note delivery (outbound) | Contract performance |
We may use aggregated, non-personally-identifiable patterns observed across client engagements to improve our service methodology and conversation strategies. For example, we may learn that certain conversation approaches are more effective in specific industries and apply those insights across our client base. This aggregate operational learning does not involve sharing any individual lead's personal data between clients and is based on our legitimate interest in improving our service quality.
We do not use any data for automated decision-making that produces legal or similarly significant effects on individuals, except for the lead qualification scoring used solely for the purpose of prioritising appointment-setting conversations on behalf of clients.
5. Sub-Processors and Third Parties
We use the following third-party sub-processors to deliver our service. We have carried out good-faith due diligence on each. Where compliance documentation is limited (particularly for smaller vendors), we have noted this transparently.
| Sub-processor | Purpose | Data Processed | Location | Compliance Notes |
|---|---|---|---|---|
| Supabase | Database (all structured data) | All categories | EU West (Paris) / Configurable | GDPR compliant; DPA available on all plans; SOC 2 Type II |
| OpenAI | AI language model (conversation generation, Whisper transcription) | DM text, voice transcripts | US | Does not train on API inputs/outputs by default; formal DPA requires enterprise contract; GDPR compliance limited for standard API plans |
| ElevenLabs | Voice note synthesis (text-to-speech) | Lead-directed audio scripts | US | GDPR compliant (EU-US Data Privacy Framework); voice/audio data may be used for model training unless opted out — we have opted out at account level; DPA available via enterprise plan only |
| Zernio | Instagram/WhatsApp messaging API (DM sending/receiving) — one of two messaging providers, selected per client | DM content, platform profile data | EU (Spain) | Claims GDPR compliance; governed by Spanish law; no formal DPA published; limited compliance documentation |
| Meta Platforms (Instagram/WhatsApp Graph API) | Direct Instagram/WhatsApp messaging API — alternative messaging provider, selected per client | DM content, platform profile data, OAuth access tokens | US / Global | GDPR compliant; subject to Meta's Platform Terms, Privacy Policy, and Data Processing Terms; DPA available via Meta's standard developer agreements |
| ManyChat | First-contact outbound DM automation (agency tool, configured per client) | Client Instagram account access | US | GDPR compliance documentation available; DPA availability dependent on plan tier |
| Railway | Agent deployment infrastructure | Agent runtime environment, logs | US / EU | GDPR compliant (EU-US Data Privacy Framework); DPA available on request |
| Coolify (self-hosted) | Infrastructure orchestration | Container and service configuration | EU (Hetzner, Germany) | Self-hosted; no data leaves our Hetzner VPS |
| Hetzner Online | VPS hosting (all infrastructure) | All data at rest and in transit | Germany (EU) | GDPR compliant; EU-based data centre; German data protection laws apply |
| Axiom | Infrastructure log aggregation | Server logs, error traces | US | GDPR compliant (EU-US Data Privacy Framework); DPA terms unclear; logs contain IP addresses and infrastructure metadata only |
| Calendly | Booking platform (client calendar integration) | Lead name, email, booking time | US | GDPR compliant (EU-US Data Privacy Framework); DPA available |
| Cal.com | Booking platform (alternative) | Lead name, email, booking time | US / Self-hosted | Open-source; GDPR compliance depends on deployment mode |
| Open Exchange Rates (openexchangerates.org) | Daily currency exchange rate data for converting closed-deal revenue to USD | No personal data (public exchange rate data only — we query rates, we do not send PII) | US | Standard SaaS terms; queries are aggregate-level and contain no Lead or Client personal data |
| Wise | Payment processing | Transaction amounts, client identity | UK / EU | FCA regulated; GDPR compliant |
Honest compliance note: We are an early-stage agency operating under Indian law. We do not currently hold a formal Data Processing Agreement with every sub-processor listed above (notably Zernio and ElevenLabs for non-enterprise accounts). Full formal GDPR and CCPA compliance is a work in progress. If you are an EU or California resident and this matters for your engagement with us, please contact privacy@tryreplyy.com before engaging our services.
6. Data Retention
| Data Category | Retention Period |
|---|---|
| Website visitor logs | 90 days (infrastructure log rotation) |
| Contact/form submissions | Until you request deletion, or 2 years of inactivity |
| Client data (active) | Duration of the client agreement |
| Client data (post-termination) | 30 days after termination, then deleted or anonymised |
| Encrypted credentials | Deleted immediately upon client offboarding or account deletion |
| Lead conversation logs | Duration of the client agreement; deleted within 30 days of client offboarding |
| Lead booking data | Duration of the client agreement; deleted within 30 days of client offboarding |
| Voice data (audio files) | Deleted after transcription processing; transcripts retained for the duration of the client agreement |
| Financial/payment records | 7 years (Indian tax law requirements) |
After the applicable retention period, data is either permanently deleted or irreversibly anonymised. Clients may request early deletion of their data and their leads' data by contacting us.
7. Data Security
We implement the following security measures:
- Encryption at rest: All sensitive credentials (Instagram tokens, booking platform API keys) are encrypted using AES-256-GCM with per-record initialisation vectors before database storage.
- Encryption in transit: All API communications use TLS 1.2 or higher.
- Database access controls: Row-level security (RLS) policies in Supabase ensure clients can only access their own data.
- Infrastructure isolation: Per-client agent instances are deployed as separate services with isolated environment variables.
- Internal API authentication: All inter-service communication is authenticated via internal API secrets.
- No plaintext credentials: Credentials are never logged, exported, or stored in plaintext.
Despite these measures, no system is completely secure. We cannot guarantee absolute security of data transmitted over the internet.
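As an added illustration of the encryption-at-rest measure described above (example code written for this page, not Replyy AI's own implementation), the Go snippet below seals a credential with AES-256-GCM using a fresh random nonce per record and binds the record's owner label as additional authenticated data, so a ciphertext copied into another client's row fails to decrypt. The key, the label format and the sample token are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// newGCM builds an AES-256-GCM AEAD from a 32-byte key held outside the database.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealCredential draws a fresh random 96-bit nonce per record (stored beside the
// ciphertext) and binds the assumed label "client:<id>/<integration>" as AAD.
func sealCredential(key []byte, label string, plaintext []byte) (nonce, ciphertext []byte, err error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, []byte(label)), nil
}

// openCredential rejects any change to nonce, ciphertext or label via the
// GCM tag check, so a ciphertext moved to another client's row fails.
func openCredential(key []byte, label string, nonce, ciphertext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ciphertext, []byte(label))
}

func main() {
	key := make([]byte, 32) // constructed demo key
	rand.Read(key)
	nonce, ct, _ := sealCredential(key, "client:A/zernio", []byte("constructed-token"))
	_, err := openCredential(key, "client:B/zernio", nonce, ct)
	fmt.Println("ciphertext moved to another client rejected:", err != nil)
}
```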
8. Your Rights
8.1 Indian Users — Digital Personal Data Protection Act 2023 (DPDPA)
As a data principal under the DPDPA 2023, you have the right to:
- Access information about what personal data we hold about you.
- Correct inaccurate or incomplete personal data.
- Erase personal data (subject to legal retention requirements).
- Withdraw consent where processing is based on consent.
- Nominate another individual to exercise your rights on your behalf.
8.2 EU/EEA/UK Users — GDPR and UK GDPR
Where GDPR applies, you have the right to:
- Access your personal data (Subject Access Request).
- Rectification of inaccurate data.
- Erasure ("right to be forgotten"), subject to legal obligations.
- Restriction of processing.
- Data portability.
- Object to processing based on legitimate interests.
- Lodge a complaint with your national supervisory authority (e.g., ICO in the UK).
Limitation: As noted in Section 5, not all of our sub-processors have formal DPAs in place. We are working towards full GDPR compliance. If your request relates to data processed through a sub-processor without a formal DPA, we will make best efforts but cannot guarantee full GDPR-standard responses.
8.3 California Users — CCPA / CPRA
California residents have the right to:
- Know what personal information is collected and how it is used.
- Request deletion of personal information.
- Opt out of the sale or sharing of personal information. (We do not sell personal information.)
- Non-discrimination for exercising your rights.
Limitation: We fall below the thresholds that make CCPA compliance mandatory for most businesses (under $25M annual gross revenue and fewer than 100,000 consumers). We nonetheless honour these rights in good faith.
8.4 Exercising Your Rights
To exercise any of the above rights, contact us at:
- Email: privacy@tryreplyy.com
- Response time: We aim to respond within 30 days.
- Verification: We may ask you to verify your identity before processing a request.
If your request relates to Lead data (i.e., you are a prospect whose data was processed by our AI on a client's behalf), you should also contact the client directly, as they are the Data Controller for your personal data in that context.
9. Meta Platform Data (Instagram and WhatsApp)
Our service accesses Instagram and WhatsApp account data via one of two routes, selected per client during onboarding:
- Zernio API — a third-party integration layer that wraps Meta's Instagram Graph API and WhatsApp Business API.
- Meta Graph API (direct) — direct integration with Meta's Instagram Graph API and WhatsApp Business API using OAuth-issued access tokens.
Use of Instagram and WhatsApp data is subject to:
- Meta's Privacy Policy
- Instagram's Terms of Use
- WhatsApp Business Solution Terms
- Meta's Platform Terms and Developer Policies
We are not affiliated with, endorsed by, or sponsored by Meta Platforms, Inc., Instagram, or WhatsApp. We do not access data beyond what is necessary to deliver the appointment-setting service.
10. International Data Transfers
We are based in India. Data may be transferred to and processed in the United States, European Union, and United Kingdom by our sub-processors listed in Section 5. Where such transfers occur, we rely on the sub-processor's applicable transfer mechanisms (EU-US Data Privacy Framework, Standard Contractual Clauses, or adequacy decisions).
11. Children's Privacy
Our service is not directed at individuals under 18 years of age. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected data from a minor, contact team@tryreplyy.com and we will delete it promptly.
12. Changes to This Policy
We may update this policy periodically. Material changes will be communicated to active clients by email. The "Last Updated" date at the top reflects the most recent revision. Continued use of our website or services after changes constitutes acceptance of the updated policy.
13. Contact
Replyy AI (operated by Girik Varma and Suyash Verma)
Email: team@tryreplyy.com
Website: https://tryreplyy.com