ReplyLabs
FeaturesPricingCompareFAQUse casesBlogHelpSetup
Sign inInstall
Install

Product

  • Install
  • Features
  • Pricing
  • Compare
  • Roadmap

Resources

  • Use cases
  • Blog
  • Glossary
  • Cost calculator

Support

  • Setup Guide
  • Help Center
  • Contact Support
  • Report an Issue
  • Feature Requests

Company

  • Opt Out of Testing

Legal

  • Privacy Policy
  • Terms of Service
  • Cookie list
  • Subprocessors

Empra Consultancy LTD
hello@replylabs.io

ReplyLabs|PrivacyTermsCookiesSubprocessors

© 2026 Empra Consultancy LTD. All rights reserved.

Privacy Policy

Privacy Policy

Effective April 25, 2026 · Last Updated: May 18, 2026 · Version 1.3

Contents
  1. 1. Who we are
  2. 2. Information we collect
  3. 3. How we use your information
  4. 4. Cookies and tracking
  5. 5. How we share
  6. 6. Data retention
  7. 7. Data security
  8. 8. Your rights
  9. 9. International transfers
  10. 10. Children's privacy
  11. 11. Google™ API services
  12. 12. Changes to this policy
  13. 13. Contact us

This Privacy Policy explains how Empra Consultancy LTD ("we", "us", "our"), operating as ReplyLabs, collects, uses, stores, and protects your personal information when you use our service at replylabs.io and the ReplyLabs Google™ Sheets add-on.

1. Who We Are

ReplyLabs is operated by Empra Consultancy LTD, a company registered in the United Kingdom. We are the data controller for the personal information described in this policy.

Contact for data inquiries: privacy@replylabs.io
General: hello@replylabs.io

2. Information We Collect

2.1 Information You Provide

  • Account information: Your name, email address, and password when you sign up (or your Google™ account name and email if you sign up via Google™ OAuth).
  • Organization information: Company name and website, provided during onboarding.
  • Payment information: Processed by Stripe. We receive your last four card digits, card brand, and billing email. We never see or store your full card number.
  • API keys (BYOK): If you choose to bring your own provider keys, they are encrypted at rest using AES-256 and stored in our database. We use them only to make API calls on your behalf.
  • Batch inputs and outputs: When you run a batch, the cell values you reference (prompt inputs, URLs to scrape, email addresses to verify) and the results produced (AI outputs, scrape outputs, verification verdicts) are written to our database so that the run can be retried, refunded, or supported. This data is retained for the period described in §6 and then automatically purged.
  • Support communications: Any emails or messages you send us.

2.2 Information Collected Automatically

  • Usage data: Batch job metadata (type, row count, model used, cost, latency, timestamps, success or failure status). This is retained as account history per §6.
  • OAuth state: When you grant ReplyLabs access to your Google™ Sheets, we store an encrypted access and refresh token so that long-running batches can finish in the background after you close the sidebar. Tokens are scoped to your account and revoked when you uninstall or sign out.
  • Device and browser information: IP address, browser type, operating system, and device type, for security and abuse prevention.
  • Analytics data: Page views, feature usage, and interaction events via PostHog (subject to your cookie consent). You can decline analytics in the cookie banner, in which case we do not load PostHog at all.
  • Error data: Application errors and performance metrics via Sentry, used to diagnose and fix bugs. We do not record session replays. Sentry is configured to not send personal identifiers (IP addresses, user IDs) on error reports. Errors capture stack traces and breadcrumbs only.

2.3 Information from Third Parties

  • Google™: When you install the add-on or sign in with Google™, we receive your name and email address from your Google™ account.
  • Stripe: Payment confirmation, subscription status, and invoice data.

3. How We Use Your Information

We use your information to:

  • Provide the service. Process your batch jobs and Flows, manage your account, handle billing, and write results back to your Google™ Sheet.
  • Improve the service. Analyze usage patterns to identify bugs and improve features.
  • Communicate with you. Send transactional emails (receipts, batch completion alerts, password resets). We do not send marketing emails without your consent.
  • Prevent abuse. Detect and prevent fraud, spam, or violation of our Terms.
  • Customer relationship management. We sync limited account data to HubSpot, our CRM, to manage our relationship with you, including your name, email, company name, plan type, and usage metrics.

3.1 Legal Basis for Processing (GDPR)

For users in the EEA and UK:

PurposeLegal Basis
Provide the servicePerformance of contract
Process paymentsPerformance of contract
Send transactional emailsPerformance of contract
Analytics and product improvementLegitimate interest
CRM and customer successLegitimate interest
Error tracking and bug fixesLegitimate interest
Marketing communicationsConsent
Cookie-based analyticsConsent

4. Cookies and Tracking

4.1 Essential Cookies. We use essential cookies for authentication and session management. These are required for the service to function and cannot be disabled.

4.2 Analytics Cookies. We use PostHog for product analytics. PostHog stores a small amount of data on your device (an anonymous identifier, first-party cookie, with a one-year lifetime) so we can recognize returning users in our usage statistics. We only load PostHog if you accept the cookie banner. If you decline, we never load the PostHog SDK on your device, and no PostHog cookies are written. PostHog data is processed in the United States; international transfers from EU/UK users are covered under Standard Contractual Clauses as described in §9. The full inventory of cookies is published at /cookies.

4.3 No Advertising Cookies. We do not use advertising cookies or tracking pixels. We do not sell your data to advertisers.

5. How We Share Your Information

We share your information only with service providers who process data on our behalf. The categories below are summarized; the canonical, comprehensive list of every subprocessor (provider, role, region, what data they receive) lives at /subprocessors and is updated whenever subprocessors change.

CategoryPurposeRegion
Database and primary application hostingStore account, organization, batch, and Flow dataEU (London, UK)
Flow processing infrastructureRun batch and Flow jobs (AI, scraping, verification) end to endEU (Germany)
PaymentsSubscription billing and prepaid balance rechargesUS / EU
AI inferenceGenerate AI step outputs from your promptsUS / EU (provider-dependent)
Web scrapingFetch and extract content from URLs you provideUS / EU (provider-dependent)
Email verificationCheck deliverability of email addresses you submitEU
Transactional emailSend signup, billing, and batch completion emailsUS
Analytics and error reportingProduct analytics (with consent), error tracking, uptime monitoringUS / EU
CRM and internal operationsCustomer relationship management and operational notifications to our teamEU / US

We do not sell, rent, or trade your personal information to third parties.

5.1 BYOK Data Processing. When you bring your own API key for an AI, scraping, or verification provider, the API call to that provider is made under your account and your contract with the provider. ReplyLabs still orchestrates the request (routing, retries, cost accounting, writing results back to your sheet) and logs operational metadata such as model, token counts, latency, and cost class. We do not log the content of your prompt or the provider's response in the BYOK path. Your key is stored encrypted at rest and is never shown to other teammates.

5.2 Law Enforcement. We may disclose your information if required by law, court order, or governmental authority. We will notify you where legally permitted.

6. Data Retention

Data TypeRetention Period
Account and organization informationUntil you delete your account
Batch and Flow metadata (row counts, costs, timestamps, success/failure status)Until you delete your account
Batch row content (prompt inputs, AI outputs, scrape outputs, verification verdicts)30 days from completion, then automatically purged
Payment records7 years (UK tax compliance)
API keys (BYOK)Until you remove them or delete your account
Analytics data (PostHog)12 months
Error logs (Sentry)90 days
Server logs and request logs30 days

Account deletion removes all of the above except payment records (which we are legally required to retain for tax purposes) and any anonymized aggregates that no longer identify you.

Note on backups. The retention periods above apply to the live database. Our database provider takes encrypted backups for disaster recovery, which may retain content beyond the live retention window per their standard backup schedule. We do not access or process backup content except to restore service after an incident.

7. Data Security

We implement appropriate technical and organizational measures to protect your data:

  • Encryption in transit: all data transmitted over HTTPS/TLS.
  • Encryption at rest: BYOK API keys encrypted using AES-256; database encrypted via our database provider's infrastructure.
  • Access control: role-based access within your workspace; admin-only billing controls.
  • Authentication: secure password hashing via our auth provider; optional Google™ OAuth.
  • Input validation: all API inputs validated using schema validation.
  • Rate limiting: API endpoints rate-limited to prevent abuse.
  • Secret redaction: credentials, BYOK keys, and bearer tokens are redacted from error logs and analytics events before transmission.
  • Infrastructure: hosted on SOC 2 Type II infrastructure providers.

No system is 100% secure. If we discover a data breach that affects your personal information, we will notify you and the relevant supervisory authority in accordance with applicable law.

8. Your Rights

8.1 For All Users

You have the right to:

  • Access your personal data (view your profile, usage history, and billing on the dashboard).
  • Correct inaccurate data (edit your profile in Settings).
  • Delete your account and associated data (from Settings > Delete Account).
  • Export your data (your spreadsheet data is already in Google™ Sheets; usage history is viewable on the dashboard).

8.2 Additional Rights for EEA/UK Users (GDPR)

Under GDPR, you also have the right to:

  • Restrict processing of your data in certain circumstances.
  • Object to processing based on legitimate interest.
  • Data portability (receive your data in a structured, machine-readable format).
  • Withdraw consent for analytics cookies at any time. You can revisit your cookie consent in two ways: (1) click "Cookie preferences" in the footer of any page; or (2) sign in and go to Settings → Privacy and click "Manage cookie preferences." Your previous decision will clear and the cookie banner will reopen so you can change your choice.
  • Lodge a complaint with a supervisory authority (in the UK, the Information Commissioner's Office).

To exercise any of these rights, email privacy@replylabs.io. We will respond within 30 days.

8.3 California Residents (CCPA)

If you are a California resident, you have the right to:

  • Know what personal information we collect and how it is used.
  • Request deletion of your personal information.
  • Opt out of the sale of personal information (we do not sell personal information).
  • Non-discrimination for exercising your privacy rights.

9. International Data Transfers

Your primary application data is hosted in the United Kingdom (London) and Flow processing runs in the European Union (Germany). Some subprocessors, including certain AI inference providers, analytics, error tracking, and transactional email providers, are based in the United States. Where data is transferred outside the EEA/UK, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, adequacy decisions where applicable, and the data processing agreements of our service providers. The per-provider region is published at /subprocessors.

10. Children's Privacy

ReplyLabs is not intended for use by anyone under 18 years of age. We do not knowingly collect personal information from children. If we learn that we have collected data from a child, we will delete it promptly.

11. Google™ API Services User Data Policy

ReplyLabs' use of information received from Google™ APIs adheres to the Google™ API Services User Data Policy, including the Limited Use requirements. Specifically:

  • We request the OAuth scopes our extension needs to function. The Google™ Sheets add-on uses scopes such as spreadsheets.currentonly for in-sidebar reads of the active spreadsheet, script.container.ui to display the sidebar, script.external_request to communicate with our servers, and userinfo.email + userinfo.profile to identify you.
  • To complete long-running batches after you close the sidebar, ReplyLabs operates a separate server-side OAuth Web Application client that asks for the spreadsheets scope only. You see and approve this consent screen explicitly when you first enable background completion. The server-side token is stored encrypted in our database, is scoped to your account, and can be revoked at any time from your Google™ Account settings or from the Settings page in our dashboard.
  • We only read from and write to spreadsheets you have explicitly initiated batches from in our sidebar. We never enumerate, list, or read any other spreadsheet in your Drive.
  • Spreadsheet IDs and active row ranges are retained for the duration of an in-flight batch. Row content (prompt inputs and produced outputs) is retained for up to 30 days from completion for retry, refund, and support purposes, then automatically purged.
  • We do not use Google™ user data for advertising purposes, profiling, or to train AI models. Every AI inference request we route on your behalf is sent with a per-request flag instructing the provider not to train on the prompt or response. BYOK customers who choose to bring keys for providers that permit training would be acting under their own agreement with that provider, outside ReplyLabs' default routing.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or through the dashboard. The "Last Updated" date at the top reflects the most recent revision.

13. Contact Us

For privacy-related inquiries, data requests, or complaints:
Empra Consultancy LTD
Email: privacy@replylabs.io
General: hello@replylabs.io
Website: replylabs.io

For UK data protection concerns, you may also contact the Information Commissioner's Office (ICO).

Questions?

Email us at hello@replylabs.io. We respond within 24 hours.

Email Us