Privacy Policy
Last updated: May 1, 2026
ReplyMate ("we", "our", "the Service") is operated from Malaysia and complies with the Personal Data Protection Act 2010 (PDPA) and, where applicable, the EU General Data Protection Regulation (GDPR). This policy explains what we collect, why, how long we keep it, and the rights you have over it.
1. Who is the data controller
The data controller is the ReplyMate operator. If you have privacy questions, contact privacy@replymate.pro.
2. What we collect
Account data
- Your email address and the name of your business
- Authentication tokens issued by Supabase Auth
- Plan tier, billing status, and (when payments launch) the last four digits of your card
WhatsApp data
- The phone numbers and WhatsApp JIDs of your connected business numbers
- Messages exchanged between your customers and your AI agent (text, image references, voice notes, transcripts)
- Conversation metadata: timestamps, sentiment scores, escalation flags
Operational data
- IP address, user-agent, and request timing for security and rate-limiting
- Error reports (Sentry) — sensitive headers and tokens are scrubbed before transmission
- Optional Google integration data when you connect Google My Business or Google Calendar
We do not collect race, ethnicity, religion, sexual orientation, biometric data, or financial account numbers. We do not sell or rent your data to third parties.
3. Why we collect it (lawful basis)
- Contract performance: to deliver the AI helpdesk service you signed up for
- Legitimate interest: to keep the platform secure, debug errors, and prevent abuse
- Consent: for optional analytics and onboarding emails (you can withdraw at any time)
- Legal obligation: tax records, fraud prevention, and law-enforcement requests where applicable
4. Where data is stored
Customer data is stored in Supabase (Asia-Pacific region). Operational secrets are managed in Doppler. AI inference is performed by MiniMax (and a fallback provider) under a contractual data-processing agreement that prohibits training on your data. WhatsApp connectivity is provided via Baileys deployed on Render.
5. How long we keep it
- Account data: as long as your account is active, plus 90 days after deletion
- Conversation history: 12 months by default; you can shorten this in your settings
- Backups: 30 days rolling
- Error logs: 30 days, scrubbed of message content
6. Your rights (PDPA + GDPR)
You have the right to:
- Access a copy of your data (we provide JSON export within 30 days)
- Correct inaccurate data through the dashboard or by emailing us
- Delete your account and all associated data (irreversible, completes within 30 days)
- Restrict or object to specific processing
- Withdraw consent for optional processing at any time
- Lodge a complaint with the Malaysian Personal Data Protection Commissioner (jpdp.gov.my) or, if applicable, your local supervisory authority
To exercise any of these, sign in and use Settings → Privacy, or email privacy@replymate.pro.
7. Customers of our customers
If you message a business that uses ReplyMate, your messages are processed by our AI on behalf of that business. The business is the controller of those messages; we are the processor. To exercise your rights, contact the business directly. We will support them in responding to your request.
8. Cookies and tracking
We use essential cookies for authentication and session management. We use Sentry for error monitoring (no advertising trackers). We do not use Google Analytics, Meta Pixel, or any ad-network tag.
9. Children
ReplyMate is for businesses, not individuals under 18. If you believe a minor has created an account, contact us and we will delete it.
10. Changes to this policy
We will notify account holders by email if we make material changes. The "last updated" date at the top of this page reflects the most recent revision.
11. Contact
Privacy enquiries: privacy@replymate.pro
General support: support@replymate.pro