Privacy Policy

Last updated: February 14, 2026

1. Introduction
ReplyList ("we," "us," or "our") operates the ReplyList application at app.replylist.com (the "Service"). This Privacy Policy describes how we collect, use, store, share, and protect your information when you use our Service.

By creating an account or using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Service.

2. Information We Collect

2.1 Account Information
When you create an account, we collect:
- First and last name
- Email address
- Password (stored as a cryptographic hash; we never store plaintext passwords)
- Phone number and country code
- Timezone (auto-detected from your browser)
- Profile photo URL (if you sign up with Google)

2.2 Connected Account Data
When you connect third-party accounts (e.g. Gmail, Outlook, Slack, Microsoft Teams, Google Chat, Asana, Monday.com, or Jira), we access and process:
- Email metadata: Sender, recipients, subject line, date, message ID, labels, and a link to the message in your email provider
- Email content: Message body text, which may be used for AI analysis to determine whether a response is needed (see Section 5)
- Chat metadata: Sender, channel/space name, message timestamp, and a link to the message
- Chat content: Message text, which may be used for AI analysis to determine whether a response is needed
- Task/project data: Task titles, comments, assignees, and status from project management tools
- OAuth tokens: Access and refresh tokens that allow us to read your data from connected services

2.3 Payment Information
Payment processing is handled entirely by Stripe. We do not store your full credit card number. We retain only:
- Stripe customer ID
- Subscription status and billing period
- Last four digits of your payment card and card brand
- Invoice and payment history (amounts, dates, statuses)

2.4 Automatically Collected Information
- IP address: Collected at signup for fraud prevention and rate limiting. IP addresses used for rate limiting are stored as irreversible hashes.
- reCAPTCHA data: We use Google reCAPTCHA Enterprise during signup to prevent automated abuse. Google may collect device and interaction data as part of this process, subject to Google's Privacy Policy.
- Activity timestamps: We record when you last logged in and last used the Service, for account maintenance and inactivity cleanup.

2.5 Information We Do Not Collect
We do not use cookies for advertising or cross-site tracking. We may use privacy-focused analytics to understand aggregate usage patterns and improve the Service. We do not employ session recording, heatmaps, or behavioral profiling tools.

3. How We Use Your Information
We use the information we collect to:
- Provide the Service: Identify messages and tasks that need your response, and notify you through digest emails or digest chat messages
- AI analysis: Analyze email and chat message content to determine whether a response is needed and assign a priority level (see Section 5)
- Send notifications: Deliver digest summaries at your configured times via email or Slack
- Process payments: Manage subscriptions, billing, and invoices through Stripe
- Prevent abuse: Rate limiting, spam detection, and reCAPTCHA verification during signup
- Maintain and improve the Service: Debug sync errors, monitor webhook health, and ensure reliable operation
- Communicate with you: Send transactional emails such as verification emails and billing notices

4. How We Store and Protect Your Data

4.1 Infrastructure
Your data is stored on Google Cloud Platform in the United States. All data in transit is encrypted via TLS.

4.2 Encryption
We apply additional encryption to sensitive fields beyond standard at-rest encryption:
- OAuth tokens (access tokens and refresh tokens) are encrypted before storage
- Contact names and email subjects in response-tracking records are encrypted at the application layer
- User notes (e.g., follow-up notes, ignore-list notes) are encrypted at the application layer

4.3 Access Controls
Administrative access to the backend is restricted to authorized personnel, protected by email allowlisting, time-based one-time password (TOTP) verification, and session management.

5. AI Processing and Email Content
ReplyList uses artificial intelligence to analyze your email and chat messages to determine whether they require a response from you. Here is how that works:

We temporarily send message content to an AI provider, like Google Vertex AI, to determine whether a response is needed, then discard it. Message bodies are not stored. We retain only a limited and encrypted message record (sender name, sender email, and subject line) and the AI's structured analysis result. Message records are automatically deleted within 7 days of being resolved. Your data is not used to train AI models.

6. Data Retention
We retain your data for the following periods:

Data Type | Retention Period
Account profile | Until account deletion
Connected account credentials (OAuth tokens) | Until account disconnected or deleted
Message tracking records | Until resolved; closed records deleted after 7 days
Notification/digest history | 30 days
Payment history | Until account deletion (retained for billing and dispute resolution)

When you delete your account, all of the above data is permanently removed (see Section 9).

7. Third-Party Services
We share data with the following third-party service providers, solely to operate the Service:

Provider | Purpose | Data Shared
Google Vertex AI | Message analysis (inference only) | Message content (not stored by provider for training)
Stripe | Payment processing | Billing details, subscription data
Amazon Web Services (SES) | Transactional and digest email delivery | Recipient email address, email content
Google reCAPTCHA Enterprise | Signup fraud prevention | IP address, browser interaction data

We do not sell, rent, or trade your personal information to any third party. We do not share your data with advertisers or data brokers.

8. Google API Services - Limited Use Disclosure
ReplyList's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

- We only use access to Google user data to provide and improve the Service's core functionality (identifying messages needing a response and sending you digest notifications).
- We do not use Google user data for advertising or to serve ads.
- We do not allow humans to read your Google user data unless: (a) we have your express consent, (b) it is necessary for security purposes (e.g., investigating abuse), or (c) it is required by law.
- We do not transfer Google user data to third parties except as necessary to provide the Service (as described in Section 7), as required by law, or as part of a merger/acquisition with notice.
- Your Google user data is not used to train artificial intelligence or machine learning models.

9. Your Rights and Choices

9.1 Access and Export
You can export all of your data at any time from the Profile page in the application. The export is delivered as a JSON file containing your profile, connected accounts, response-tracking records, and settings.

9.2 Disconnect Accounts
You can disconnect any connected account at any time from the Accounts page. When you disconnect an account, we revoke the OAuth token and stop accessing data from that provider. Associated response-tracking records are closed.

9.3 Delete Your Account
You can delete your account from the Settings page or the Profile page. Account deletion permanently removes:
- Your user profile and all personal information
- All connected account records and access tokens
- All response-tracking records
- All notification and digest history
- All payment history records
- Your authentication account
- Your subscription (cancelled automatically)
- Any team memberships (teams you own are deleted along with all associated data)

If you request deletion from the Profile page, there is a 7-day grace period during which you can cancel the request. Deletion from the Settings page is immediate.

9.4 Notification Preferences
You can control when and how you receive digest notifications from the Settings page, including delivery times, days of the week, and delivery channel (email or Slack). You can also unsubscribe from digest emails using the link in any digest email.

9.5 VIP and Ignore Lists
You can prioritize specific contacts (VIP list) or exclude contacts and domains (ignore list) from your Settings page.

10. Teams and Shared Data
If you join or create a team, the following data is visible to other team members:
- Your display name, email address, and role within the team
- Team billing and subscription status (visible to team owner)

The following data is **never** shared with other team members:
- Your connected accounts and access tokens
- Your messages, emails, or chat content
- Your response-tracking records
- Your notification settings and preferences
- Your VIP contacts and ignore lists

11. Data Security
We implement appropriate technical and organizational measures to protect your data, including:
- Encryption in transit (TLS) for all connections
- Encryption at rest for all stored data
- Application-layer encryption for sensitive fields such as access tokens and message metadata
- Rate limiting and abuse prevention at multiple levels
- Restricted administrative access with multi-factor authentication

No system is 100% secure. If we become aware of a security breach that affects your personal data, we will notify you and any applicable regulator as required by law.

12. Children's Privacy
The Service is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If we learn that we have collected data from a child under 13, we will delete it promptly.

13. International Data Transfers
Your data is stored and processed in the United States on Google Cloud Platform infrastructure. If you are located outside of the United States, your information is transferred to, stored, and processed in the United States. By using the Service, you consent to this transfer.

14. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through a notice in the application before the changes take effect. Your continued use of the Service after the changes become effective constitutes acceptance of the updated policy.

15. Contact Us
If you have questions about this Privacy Policy or how we handle your data, please contact us at: support@replylist.com.
