Privacy Policy

Last updated: April 3, 2026

Effective date: April 3, 2026

1. Who We Are

ReplyInn ("we", "our", or "us") is an AI-powered customer messaging platform that helps businesses manage conversations across WhatsApp and Instagram. We are operated from India.

2. What This Policy Covers

This policy describes how we collect, use, store, and protect personal data when you:

  • Visit our website (replyinn.in)
  • Use our platform as a business customer ("Company")
  • Interact with a business that uses ReplyInn via WhatsApp or Instagram ("End User")

3. Information We Collect

3.1 From Business Customers (Companies)

  • Account Information: Name, email address, company name, and business category
  • Billing & Payment Info: Payment details processed via Razorpay for subscription management
  • Channel Credentials: WhatsApp and Instagram API access tokens for message delivery
  • AI Configuration: Custom AI instructions and product catalog data you provide

3.2 From End Users (People messaging businesses)

  • Contact Identifiers: Phone number (WhatsApp) or Instagram ID, used for message routing
  • Message Content: Messages sent to and received from businesses, used for AI response generation
  • Conversation History: Stored to provide context for AI-powered responses
  • Opt-out Status: Whether you have opted out of receiving messages

3.3 Automatically Collected

  • IP address, browser type, and device information for website security
  • Aggregated usage metrics (message counts, response times) with no personally identifiable information

4. How We Use Your Information

We use personal data only for:

  • Delivering the service — routing messages, generating AI responses, managing subscriptions
  • Compliance — honoring opt-out requests, data deletion, consent tracking
  • Service improvement — aggregated analytics only, no individual data
  • Communication — account-related notifications and support responses
  • Security — preventing fraud and ensuring platform integrity

We never:

  • Sell personal data to third parties
  • Use end-user conversations for advertising
  • Share data across business customers (strict tenant isolation)
  • Use customer data to train AI models

5. Data Security

Encryption at rest: All personal data is encrypted using AES-256-GCM encryption. Each business customer's data is encrypted with a unique per-tenant key derived via HKDF.

Encryption in transit: All data is protected via TLS 1.2+ encryption.

Identifier protection: Phone numbers and Instagram IDs are stored as cryptographic hashes for lookups, with encrypted originals stored separately.

Infrastructure: Hosted on Google Cloud Platform (asia-south1, Mumbai region) with Cloud SQL, automated backups, role-based access controls, and least-privilege service accounts.

AI processing: AI responses are generated using Google Gemini. Message content is sent to the AI model for response generation only. Conversation context is held in memory for up to 30 minutes, then discarded. We do not use customer conversations to train AI models.

6. Data Sharing

We share personal data only with the following service providers, solely as needed to deliver our service:

  • Google Cloud Platform: Infrastructure hosting (all data encrypted at rest)
  • Google Gemini AI: Response generation (message content in transit, not stored by Google)
  • Meta (WhatsApp & Instagram): Message delivery via their APIs — messages and contact identifiers
  • Razorpay: Payment processing — billing details only
  • Clerk: Authentication and user session management

We do not share data with any other third parties unless required by law.

7. Your Rights

7.1 For End Users (People messaging businesses)

You can exercise these rights by messaging the business on WhatsApp or Instagram:

  • STOP — Opt out of all future messages
  • PRIVACY — Request information about your stored data
  • DELETE — Request deletion of all your data (messages, conversations, and contact record)

These commands are processed automatically and immediately.

7.2 For Business Customers

Under applicable data protection laws (including India's Digital Personal Data Protection Act 2023), you have the right to:

  • Access your personal data
  • Correct inaccurate data
  • Delete your account and all associated data
  • Export your data in a portable format
  • Withdraw consent for optional data processing
  • Nominate a person to exercise rights on your behalf

Contact admin@replyinn.in to exercise these rights.

7.3 Response Timeline

We will respond to data rights requests within 72 hours and fulfil them within 30 days.

8. Data Retention

  • In-memory conversation context: 30 minutes (automatically deleted)
  • Stored messages: Until the company deletes them or closes their account
  • Company account data: Duration of subscription + 90 days
  • Billing records: 7 years (legal requirement in India)
  • Opt-out records: Retained indefinitely to prevent re-contact
  • Deleted user data: Purged from backups within 30 days

9. Cookies & Tracking

Our website uses essential cookies for session management and security. We do not use advertising cookies, cross-site tracking, or third-party tracking pixels.

10. International Data Transfers

Your data is stored in Google Cloud's asia-south1 (Mumbai, India) region. If data is processed outside India (e.g., for AI model inference), it is protected by Google Cloud's data processing agreements, standard contractual clauses, and encryption in transit and at rest.

11. Children's Privacy

ReplyInn is a B2B service. We do not knowingly collect data from anyone under 18 years of age. If we become aware of such collection, we will delete the data immediately.

12. Data Breach Notification

In the event of a data breach affecting personal data, we will notify affected business customers within 72 hours, notify the relevant Data Protection Board as required under DPDPA 2023, and provide details on the nature of the breach, data affected, and remediation steps.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will update the "Last Updated" date, notify business customers via email for material changes, and post the updated policy on this page.

14. Grievance Officer (India — DPDPA 2023)

For any grievances, contact us at admin@replyinn.in. Complaints will be acknowledged within 48 hours and resolved within 30 days.

15. Contact Us

For any privacy-related questions or concerns, please contact us at admin@replyinn.in.