Privacy Policy
Effective March 27, 2026
ReplyLabs is operated by Empra Consultancy LTD ("we", "us", "our"). This policy explains what data we collect, how we use it, and your rights.
1. What We Collect
When you create an account, we collect:
- Account information: your email address, name, and password (hashed, never stored in plaintext).
- Organization data: workspace name, team member emails, billing details.
- Usage logs: timestamps, action types (AI prompt, scrape, verify), model used, row counts, and costs. We use this for billing and analytics.
- API keys (encrypted): if you add your own provider keys (BYOK), they are encrypted with AES-256-GCM before storage. We never see or log raw keys.
- Payment data: processed by Stripe. We store your Stripe customer ID but never see your card number.
2. What We Do Not Collect
We never access, read, or store your spreadsheet data. ReplyLabs operates as a sidebar within Google Sheets. All sheet operations (reading rows, writing results) happen through Google Apps Script running in your browser or on Google's servers. Your data stays in your Google Sheet. We do not have access to your Google Drive, other spreadsheets, or any Google Workspace data beyond what is needed for the sidebar to function.
3. How We Use Your Data
- To provide and improve the service.
- To process payments and manage your subscription.
- To send transactional emails (receipts, password resets, usage alerts).
- To detect and prevent abuse.
We do not sell your data. We do not use your data for advertising. We do not train AI models on your data.
4. Third-Party Services
- Supabase: database hosting and authentication. Data is stored in Supabase's cloud infrastructure.
- Stripe: payment processing. Subject to Stripe's Privacy Policy.
- Google OAuth: used for optional sign-in. We request only your email and basic profile.
- No2Bounce: email verification provider (only when you use the Verify feature). Emails you verify are sent to their API.
- AI providers (OpenAI, Anthropic, Google, etc.): your prompts are sent to the AI provider you select. Each provider has its own data handling policies.
- PostHog: product analytics. We track anonymised usage events (page views, feature usage, funnel conversion) to improve the product. PostHog does not receive your spreadsheet data. See PostHog's Privacy Policy.
- Sentry: error monitoring. When an error occurs, Sentry receives technical details (stack trace, browser info, URL) to help us fix bugs. No spreadsheet data is included. See Sentry's Privacy Policy.
- LogSnag: internal notifications. We receive alerts when users sign up or encounter errors. Only your email address is included.
- Resend: transactional email delivery (welcome emails, payment receipts, password resets). See Resend's Privacy Policy.
5. Cookies and Tracking
We use the following cookies and tracking technologies:
- Authentication cookies: required for login sessions. Set by Supabase Auth.
- Stripe cookies: set during payment processing for fraud prevention.
- PostHog analytics: uses a first-party cookie to track anonymised product usage (page views, feature interactions, funnel steps). No advertising. No cross-site tracking. You can opt out by blocking requests to us.i.posthog.com.
- Sentry: may set a session cookie for error correlation. No personal data is tracked.
We do not use advertising cookies, retargeting pixels, or cross-site tracking of any kind.
6. Data Security
- All API keys encrypted with AES-256-GCM at rest.
- All traffic encrypted with TLS in transit.
- Passwords hashed with bcrypt (via Supabase Auth).
- Row-level security enforced on all database tables.
7. Data Retention
- Account data: kept until you delete your account.
- Usage logs: retained for 90 days, then automatically deleted.
- Transaction records: retained for 7 years for tax and compliance purposes.
8. Your Rights (GDPR)
If you are in the EU/EEA, you have the right to:
- Access your personal data.
- Correct inaccurate data.
- Delete your account and associated data.
- Export your data in a portable format.
- Object to processing.
To exercise these rights, email privacy@replylabs.io.
9. Changes to This Policy
We may update this policy from time to time. We will notify you by email if the changes are material.
10. Contact
Empra Consultancy LTD
Email: privacy@replylabs.io