This Privacy Policy explains how Empra Consultancy LTD ("we", "us", "our"), operating as ReplyLabs, collects, uses, stores, and protects your personal information when you use our service at replylabs.io and the ReplyLabs Google™ Sheets add-on.
1. Who We Are
ReplyLabs is operated by Empra Consultancy LTD, a company registered in the United Kingdom. We are the data controller for the personal information described in this policy.
Contact for data inquiries: privacy@replylabs.io
General: hello@replylabs.io
2. Information We Collect
2.1 Information You Provide
- Account information: Your name, email address, and password when you sign up (or your Google™ account name and email if you sign up via Google™ OAuth).
- Organization information: Company name and website, provided during onboarding.
- Payment information: Processed by Stripe. We receive your last four card digits, card brand, and billing email. We never see or store your full card number.
- API keys (BYOK): If you choose to bring your own provider keys, they are encrypted at rest using AES-256 and stored in our database. We use them only to make API calls on your behalf.
- Support communications: Any emails or messages you send us.
2.2 Information Collected Automatically
- Usage data: Batch job metadata (type, row count, model used, cost, timestamps, success/failure status). We do not store the content of your spreadsheet rows after a job completes.
- Device and browser information: IP address, browser type, operating system, and device type.
- Analytics data: Page views, feature usage, and interaction events via PostHog (subject to your cookie consent. You can decline analytics in the cookie banner, and we will not load PostHog at all).
- Error data: Application errors and performance metrics via Sentry, used to diagnose and fix bugs. We do not record session replays. Sentry is configured to not send personal identifiers (IP addresses, user IDs) on error reports. Errors capture stack traces and breadcrumbs only.
2.3 Information from Third Parties
- Google™: When you install the add-on or sign in with Google™, we receive your name and email address from your Google™ account.
- Stripe: Payment confirmation, subscription status, and invoice data.
3. How We Use Your Information
We use your information to:
- Provide the service. Process your batch jobs, manage your account, handle billing.
- Improve the service. Analyze usage patterns to identify bugs and improve features.
- Communicate with you. Send transactional emails (receipts, invitations, password resets). We do not send marketing emails without your consent.
- Prevent abuse. Detect and prevent fraud, spam, or violation of our Terms.
- Customer relationship management. We sync certain account data to HubSpot, our CRM, to manage our relationship with you, including your name, email, company name, plan type, usage metrics, and engagement scores.
3.1 Legal Basis for Processing (GDPR)
For users in the EEA and UK:
| Purpose | Legal Basis |
|---|---|
| Provide the service | Performance of contract |
| Process payments | Performance of contract |
| Send transactional emails | Performance of contract |
| Analytics and product improvement | Legitimate interest |
| CRM and customer success | Legitimate interest |
| Error tracking and bug fixes | Legitimate interest |
| Marketing communications | Consent |
| Cookie-based analytics | Consent |
4. Cookies and Tracking
4.1 Essential Cookies. We use essential cookies for authentication and session management. These are required for the service to function and cannot be disabled.
4.2 Analytics Cookies. We use PostHog for product analytics. PostHog stores a small amount of data on your device (an anonymous identifier, first-party cookie, with a one-year lifetime) so we can recognize returning users in our usage statistics. We only load PostHog if you accept the cookie banner. If you decline, we never load the PostHog SDK on your device, and no PostHog cookies are written. PostHog data is processed in the United States; international transfers from EU/UK users are covered under Standard Contractual Clauses as described in §9.
4.3 No Advertising Cookies. We do not use advertising cookies or tracking pixels. We do not sell your data to advertisers.
5. How We Share Your Information
We share your information only with the following service providers who process data on our behalf:
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication | EU (Frankfurt) |
| Stripe | Payment processing | US/EU |
| HubSpot | CRM | EU |
| PostHog | Analytics (with consent) | US |
| Sentry | Error tracking | US |
| Resend | Transactional email | US |
| OpenAI / Anthropic / Google™ AI / Mistral | AI processing (when using our keys) | US/EU |
| No2Bounce | Email verification | EU |
| Vercel | Web hosting | US/EU |
| LogSnag | Founder notifications | EU |
| Inngest | Asynchronous job processing (batch AI/Verify/Scrape runs) | US |
| Upstash | Rate limiting (IP and request identifiers) | Global edge |
| OpenRouter | Public model catalog sync (no customer prompt content sent) | US |
| Better Stack | Uptime monitoring of public site (no customer data) | EU |
For the comprehensive list of subprocessors, including changes over time, see /subprocessors.
We do not sell, rent, or trade your personal information to third parties.
5.1 BYOK Data Processing. When you use your own API keys, your spreadsheet data is sent directly to the AI provider under your own agreement with them. We do not log or store the content of BYOK requests.
5.2 Law Enforcement. We may disclose your information if required by law, court order, or governmental authority. We will notify you where legally permitted.
6. Data Retention
| Data Type | Retention Period |
|---|---|
| Account information | Until you delete your account |
| Batch job metadata | Until you delete your account |
| Spreadsheet content from jobs | Not retained after job completion |
| Payment records | 7 years (UK tax compliance) |
| API keys (BYOK) | Until you remove them or delete your account |
| Analytics data (PostHog) | 12 months |
| Error logs (Sentry) | 90 days |
| Server logs | 30 days |
7. Data Security
We implement appropriate technical and organizational measures to protect your data:
- Encryption in transit: all data transmitted over HTTPS/TLS.
- Encryption at rest: BYOK API keys encrypted using AES-256; database encrypted via Supabase infrastructure.
- Access control: role-based access within your workspace; admin-only billing controls.
- Authentication: secure password hashing via Supabase Auth; optional Google™ OAuth.
- Input validation: all API inputs validated using Zod schemas.
- Rate limiting: API endpoints rate-limited to prevent abuse.
- Infrastructure: hosted on Vercel (SOC 2 Type II) and Supabase (SOC 2 Type II).
No system is 100% secure. If we discover a data breach that affects your personal information, we will notify you and the relevant supervisory authority in accordance with applicable law.
8. Your Rights
8.1 For All Users
You have the right to:
- Access your personal data (view your profile, usage history, and billing on the dashboard).
- Correct inaccurate data (edit your profile in Settings).
- Delete your account and associated data (from Settings > Delete Account).
- Export your data (your spreadsheet data is already in Google™ Sheets; usage history is viewable on the dashboard).
8.2 Additional Rights for EEA/UK Users (GDPR)
Under GDPR, you also have the right to:
- Restrict processing of your data in certain circumstances.
- Object to processing based on legitimate interest.
- Data portability (receive your data in a structured, machine-readable format).
- Withdraw consent for analytics cookies at any time. You can revisit your cookie consent in two ways: (1) click "Cookie preferences" in the footer of any page; or (2) sign in and go to Settings → Privacy and click "Manage cookie preferences." Your previous decision will clear and the cookie banner will reopen so you can change your choice.
- Lodge a complaint with a supervisory authority (in the UK, the Information Commissioner's Office).
To exercise any of these rights, email privacy@replylabs.io. We will respond within 30 days.
8.3 California Residents (CCPA)
If you are a California resident, you have the right to:
- Know what personal information we collect and how it is used.
- Request deletion of your personal information.
- Opt out of the sale of personal information (we do not sell personal information).
- Non-discrimination for exercising your privacy rights.
9. International Data Transfers
Your data may be processed in the United States and European Union. Where data is transferred outside the EEA/UK, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, adequacy decisions where applicable, and the data processing agreements of our service providers.
10. Children's Privacy
ReplyLabs is not intended for use by anyone under 18 years of age. We do not knowingly collect personal information from children. If we learn that we have collected data from a child, we will delete it promptly.
11. Google™ API Services User Data Policy
ReplyLabs' use of information received from Google™ APIs adheres to the Google™ API Services User Data Policy, including the Limited Use requirements. Specifically:
- We only request the minimum OAuth scopes necessary (
spreadsheets.currentonlyandscript.container.ui). - We only access the current spreadsheet you are working in.
- We do not use Google™ user data for advertising purposes.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or through the dashboard. The "Last Updated" date at the top reflects the most recent revision.
13. Contact Us
For privacy-related inquiries, data requests, or complaints:
Empra Consultancy LTD
Email: privacy@replylabs.io
General: hello@replylabs.io
Website: replylabs.io
For UK data protection concerns, you may also contact the Information Commissioner's Office (ICO).