Privacy Policy / Datenschutzerklärung

Last updated: April 9, 2026

1. Who we are / Verantwortlicher

Replyve is built and operated in Pakistan. Replyve is the data controller (Verantwortlicher) within the meaning of the EU General Data Protection Regulation (GDPR / DSGVO).

Contact: [email protected]

2. What we collect

We collect the following information when you use Replyve:

  • Account data — your email address, collected when you sign up via Supabase Auth.
  • Review content — text you paste into the app when generating replies. This is sent to Anthropic's API to produce the reply and saved to your reply history.
  • Usage data — a count of how many replies you've generated each month, used to enforce plan limits.
  • Billing data — if you subscribe to a paid plan, payment is handled by Stripe. We store only your plan tier — we never see your card details.

3. Legal basis for processing (Art. 6 DSGVO)

We process your personal data on the following legal bases:

  • Contract performance (Art. 6 Abs. 1 lit. b DSGVO) — processing your email address and review content is necessary to provide the service you signed up for.
  • Legitimate interests (Art. 6 Abs. 1 lit. f DSGVO) — we process anonymised usage data to understand how the product is used and to improve it.
  • Legal obligation (Art. 6 Abs. 1 lit. c DSGVO) — certain billing and tax records must be retained in accordance with German commercial and tax law (§ 147 AO, § 257 HGB).

4. How we use your data

  • To provide the core service — generating review replies.
  • To enforce usage limits and manage your subscription plan.
  • To send transactional emails (account confirmation, password reset). We do not send marketing emails without your consent.
  • To improve the product — we may analyse aggregated, anonymised usage patterns.

5. Third-party processors and international data transfers

We share data with the following trusted processors only as necessary to operate the service. Where data is transferred to third countries, we rely on EU Standard Contractual Clauses (SCCs) or the EU–US Data Privacy Framework (DPF) as appropriate safeguards under Art. 46 DSGVO.

  • Anthropic (USA) — review text is sent to Anthropic's Claude API to generate replies. Transfer basis: Standard Contractual Clauses. Anthropic's Privacy Policy applies to data processed by their API.
  • Supabase (USA / EU) — authentication and database hosting. Transfer basis: Standard Contractual Clauses / data stored in EU region where available.
  • Stripe (USA) — payment processing for paid plans. Transfer basis: EU–US Data Privacy Framework and Standard Contractual Clauses. Stripe's Privacy Policy applies.

We do not sell your personal data to any third party.

6. Data retention

We retain your data only as long as necessary. The following retention periods apply:

  • Account data (email, plan) — retained for the lifetime of your account. Deleted within 30 days of account deletion.
  • Review content and generated replies — retained for the lifetime of your account as your reply history. Deleted within 30 days of account deletion.
  • Usage records (monthly reply counts) — retained for the current and one prior calendar month, then deleted.
  • Contact form submissions — retained for 90 days, then permanently deleted.
  • Billing records — retained for 10 years as required by German tax law (§ 147 AO, § 257 HGB). Only plan tier and Stripe customer/subscription identifiers are stored — never card details.

7. Your rights under the DSGVO (Art. 15–22)

You have the following rights regarding your personal data:

  • Right of access (Art. 15) — you may request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16) — you may ask us to correct inaccurate data.
  • Right to erasure (Art. 17) — you may ask us to delete your personal data ("right to be forgotten").
  • Right to restriction of processing (Art. 18) — you may ask us to restrict how we use your data in certain circumstances.
  • Right to data portability (Art. 20) — you may request your data in a structured, commonly used, machine-readable format.
  • Right to object (Art. 21) — you may object to processing based on legitimate interests at any time.
  • Right to withdraw consent (Art. 7 Abs. 3) — where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days as required by Art. 12 DSGVO.

8. Automated decision-making (Art. 22 DSGVO)

Replyve uses AI (Anthropic Claude) to generate draft reply suggestions based on the review text you submit. This constitutes automated processing, but not automated decision-making in the sense of Art. 22 DSGVO: the generated replies are suggestions only. You retain full human control over whether to use, edit, or discard any reply. No automated decision produces legal or similarly significant effects on you or your customers.

No AI training: We do not use your submitted review content or generated replies to train, fine-tune, or improve any AI model — including Anthropic's Claude or any Replyve-specific model.

9. Data breach notification (Art. 33–34 DSGVO)

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you without undue delay and in any case within 72 hours of becoming aware of the breach. Notification will be sent to the email address associated with your account. We will also notify the competent supervisory authority (Datenschutzaufsichtsbehörde) as required by Art. 33 DSGVO.

10. Right to lodge a complaint (Art. 77 DSGVO)

You have the right to lodge a complaint with a supervisory authority (Datenschutz­aufsichts­behörde) at any time. A list of all German supervisory authorities is available at: bfdi.bund.de.

11. Cookies

We use only essential cookies required for authentication (managed by Supabase). We do not use tracking, analytics, or advertising cookies. No cookie consent is required for essential cookies under § 25 TTDSG.

Please note that our website loads fonts from Google Fonts (fonts.googleapis.com). This causes a technical connection to Google's servers, which may involve the transfer of your IP address to Google. For more information, see Google's Privacy Policy.

12. Security

We use industry-standard measures to protect your data: HTTPS everywhere, JWT-based authentication with asymmetric key verification, and Row-Level Security on our database. If you discover a vulnerability, please contact us at [email protected].

13. Changes to this policy

We may update this policy from time to time. We will notify you by email if changes are material. Continued use of the service after changes means you accept the updated policy.

14. Contact / Datenschutzbeauftragter

Questions about privacy? Email us at [email protected].

As a small sole proprietorship, Replyve is not legally required to appoint a Data Protection Officer (Datenschutzbeauftragter) under Art. 37 DSGVO. The owner is personally responsible for data protection matters.