Privacy Policy

1. Introduction

ReplyRadar ("we," "our," "us," or the "Service") is operated by Raj Vishwakarma. ReplyRadar is an AI-powered email follow-up assistant that helps professionals automate follow-up drafts. This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you access or use our website, applications, and services (collectively, the "Service").

This policy is designed to comply with applicable data protection laws worldwide, including but not limited to the EU General Data Protection Regulation (GDPR), the UK General Data Protection Regulation (UK GDPR), the German Federal Data Protection Act (Bundesdatenschutzgesetz — BDSG), the California Consumer Privacy Act (CCPA) as amended by the CPRA, the Indian Digital Personal Data Protection Act, 2023 (DPDPA), and other applicable privacy laws.

By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Service.

2. Data Controller / Data Fiduciary

For the purposes of applicable data protection laws, the data controller (or "data fiduciary" under Indian law) responsible for your personal data is:

• Name: Raj Vishwakarma
• Email: rwelabs@gmail.com

3. Information We Collect

We collect the following categories of personal information:

3.1 Account Information

• Your name, email address, and profile picture provided during sign-up via Google OAuth.
• Authentication tokens necessary to maintain your session securely.

3.2 Email Data

• When you CC assistant@replyradar.online on an email, we process the contents of that specific email thread (including sender/recipient addresses, subject line, and email body) to understand context and generate appropriate follow-up drafts.
• We do not access, read, or scan any emails that are not explicitly CC'd to our assistant address.

3.3 Usage Data

• Information about how you interact with our platform, such as draft approval/rejection actions, dashboard interactions, and feature usage.
• Credit usage and transaction history.

3.4 Technical Data

• IP address, browser type and version, operating system, device identifiers, and access timestamps.
• Cookies and similar tracking technologies (see Section 9 below).

4. Legal Basis for Processing (GDPR / UK GDPR / BDSG)

We process your personal data on the following legal bases:

• Contractual Necessity (Art. 6(1)(b) GDPR): Processing is necessary to perform the service you have requested — i.e., generating AI-powered follow-up drafts based on your email threads.
• Consent (Art. 6(1)(a) GDPR): Where you explicitly consent, such as when you CC our assistant address on an email or opt in to marketing communications.
• Legitimate Interest (Art. 6(1)(f) GDPR): For purposes such as fraud prevention, security, service improvement, and analytics, where our interests do not override your fundamental rights.
• Legal Obligation (Art. 6(1)(c) GDPR): Where processing is required to comply with a legal obligation to which we are subject.

5. How We Use Your Data

We use your personal data exclusively for the following purposes:

• To provide, operate, and maintain the Service, including generating follow-up email drafts using AI.
• To manage your account, authentication, and credit balance.
• To communicate with you about your drafts, account status, and service updates.
• To detect, prevent, and address technical issues, fraud, and security threats.
• To comply with legal obligations and respond to lawful requests from public authorities.
• To improve and optimize the Service based on aggregated, anonymized usage patterns.

We do not sell, rent, or trade your personal data to third parties for their marketing purposes. We never have. We never will.

6. Data Sharing & Third-Party Processors

We share your data only with the following categories of third-party processors, and only to the extent necessary to provide the Service:

• Google Gemini API (AI Processing): We send relevant email thread context to Google's Gemini API to generate follow-up drafts. Google processes this data under their enterprise data processing terms and does not use it to train their general AI models.
• Supabase (Authentication & Database): We use Supabase for secure user authentication and data storage. Data is processed under Supabase's Data Processing Agreement.
• Google OAuth (Authentication): We use Google OAuth for secure sign-in. Google processes authentication data under their privacy policy.
• Hosting Providers: Our infrastructure providers process data necessary for hosting and delivering the Service.

All third-party processors are bound by contractual obligations to protect your data and process it only for the purposes specified by us.

We may also disclose your personal data if required by law, regulation, legal process, or governmental request, or to protect our rights, property, or safety, or that of our users or the public.

7. International Data Transfers

Your personal data may be transferred to, stored, and processed in countries outside your country of residence, including the United States. These countries may have data protection laws that are different from the laws of your country.

Where we transfer personal data outside the European Economic Area (EEA), the United Kingdom, or other jurisdictions with data transfer restrictions, we ensure appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission.
• Adequacy decisions by the relevant data protection authority.
• Other legally recognized transfer mechanisms as applicable.

8. Data Retention

We retain your personal data only for as long as is necessary for the purposes set out in this Privacy Policy, or as required by applicable law. Specifically:

• Account Data: Retained for as long as your account is active. Upon account deletion, we delete or anonymize your data within 30 days, unless retention is required by law.
• Email Thread Data: Email content processed for draft generation is retained for a maximum of 90 days after the last interaction with that thread, after which it is permanently deleted.
• Generated Drafts: Retained until you delete them from your dashboard, or for 90 days after account deletion.
• Technical & Usage Logs: Retained for a maximum of 12 months for security and analytics purposes, then automatically deleted.

9. Cookies & Tracking Technologies

We use only essential cookies that are strictly necessary for the operation of the Service, including:

• Authentication Cookies: To keep you securely logged in during your session.
• Security Cookies: To prevent cross-site request forgery and other security threats.

We do not use third-party advertising cookies, analytics cookies, or tracking pixels. We do not engage in cross-site tracking or targeted advertising.

10. Your Rights

Depending on your location and applicable law, you may have some or all of the following rights regarding your personal data:

10.1 GDPR / UK GDPR / BDSG Rights (EU, UK, Germany)

• Right of Access (Art. 15 GDPR): Request a copy of the personal data we hold about you.
• Right to Rectification (Art. 16 GDPR): Request correction of inaccurate personal data.
• Right to Erasure (Art. 17 GDPR): Request deletion of your personal data ("right to be forgotten").
• Right to Restriction (Art. 18 GDPR): Request restriction of processing of your personal data.
• Right to Data Portability (Art. 20 GDPR): Receive your data in a structured, machine-readable format.
• Right to Object (Art. 21 GDPR): Object to processing based on legitimate interests.
• Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent.
• Right to Lodge a Complaint: File a complaint with your local supervisory authority (e.g., the Bundesbeauftragte für den Datenschutz in Germany, the ICO in the UK, or your local EU DPA).

10.2 CCPA / CPRA Rights (California, USA)

• Right to Know: Request disclosure of what personal information we collect, use, disclose, and sell.
• Right to Delete: Request deletion of your personal information.
• Right to Correct: Request correction of inaccurate personal information.
• Right to Opt-Out of Sale/Sharing: We do not sell or share your personal information. No opt-out is necessary.
• Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

In the preceding 12 months, we have not sold any personal information of consumers, as defined by the CCPA.

10.3 DPDPA Rights (India)

• Right to Access: Obtain a summary of your personal data and processing activities.
• Right to Correction and Erasure: Request correction of inaccurate data, completion of incomplete data, updating of data, and erasure of data no longer necessary for the purpose for which it was collected.
• Right to Grievance Redressal: Lodge a grievance with us using the contact details below.
• Right to Nominate: Nominate another person to exercise your rights in the event of your death or incapacity.

To exercise any of these rights, please contact us at rwelabs@gmail.com. We will respond to your request within the timeframe required by applicable law (generally 30 days).

11. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

• Encryption of data in transit (TLS/SSL) and at rest.
• Secure authentication through Google OAuth and Supabase Auth.
• Regular security reviews and access controls.
• Principle of least privilege for data access.

While we strive to protect your personal data, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.

12. Children's Privacy

The Service is not intended for use by individuals under the age of 16 (or such higher age as required by applicable law). We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected personal data from a child, we will take steps to delete such data promptly. If you believe a child has provided us with personal data, please contact us at rwelabs@gmail.com.

13. Automated Decision-Making & Profiling

Our Service uses artificial intelligence to generate email draft suggestions. However, no automated decisions with legal or similarly significant effects are made without human involvement. You always retain full control over whether to approve, edit, or discard any AI-generated draft before it is sent. We do not engage in profiling for the purpose of automated decision-making that produces legal or similarly significant effects.

14. "Do Not Track" Signals

We honor "Do Not Track" (DNT) browser signals. Since we do not use third-party tracking or advertising cookies, our Service operates consistently regardless of your DNT preferences.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by posting the updated policy on this page and updating the "Last updated" date at the top. Where required by applicable law, we will obtain your consent or provide additional notice before the changes take effect.

We encourage you to review this Privacy Policy periodically for any changes.

16. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, or if you wish to exercise any of your rights under applicable data protection law, please contact us:

• Company: Raj Vishwakarma
• Email: rwelabs@gmail.com

We will acknowledge receipt of your communication and respond within the timeframe required by applicable law.