Privacy Policy
Last updated: April 16, 2026
1. Who we are (Data Controller)
ReplyStars is the service operated at replystars.com (“ReplyStars”, “we”, “us”). For the purposes of the EU General Data Protection Regulation (GDPR) and the UK GDPR, the data controller for the personal data described in this Policy is Vivan Shah, an individual established in Belgium, acting in a sole-trader capacity under the commercial name “ReplyStars”.
Postal address for written correspondence and GDPR Article 13 notices: Vivan Shah, Fazantenlaan 26, 2610 Antwerp, Belgium. If Vivan Shah later incorporates a legal entity as data controller, this section will be updated and users will be given advance notice.
You can reach us regarding any privacy matter at privacy@replystars.com.
Controller vs processor relationship
ReplyStars is used by local businesses (the “merchant”) to manage their own customer relationships. For personal data that the merchant uploads into ReplyStars about their own customers (names, emails, phone numbers captured via contact imports or dashboard forms), ReplyStars acts as a processor within the meaning of GDPR Article 4(8), and the merchant is the controller. Our data processing on the merchant’s behalf is governed by the Data Processing Agreement (GDPR Article 28), which the merchant accepts when they sign up for ReplyStars.
For the account-holder data the merchant gives us directly (their email, password hash, billing metadata, OAuth tokens), ReplyStars is the independent controller.
2. The personal data we process
From you (the account holder)
- Name, email address, password hash (never plain text)
- Organization name, location details, business hours
- Billing metadata stored by Stripe (we store a customer ID and subscription ID only; card numbers never reach our servers)
- OAuth tokens granting access to your connected Google Business Profile (encrypted at rest and only used to fetch your reviews and post your drafted replies)
- Support conversations, surveys, feedback
- Cookie-consent preference
From third parties (on your behalf)
- Google reviews associated with your connected business profiles, as returned by Google’s Business Profile API
- Google category, operating hours, photos, and other public business data linked to your profile
From your end customers
- Contact details you upload (name, email, phone number) so we can send review requests, Win Back campaigns, rewards, or referral messages on your behalf
- Opt-out status (e.g. someone replies STOP to an SMS) — we retain this indefinitely so we never contact them again
Automatically
- IP address, user-agent, referrer, timestamps — stored in web server / edge logs
- Anonymous analytics and performance metrics (Vercel Web Analytics, Speed Insights). These are only collected after you grant analytics consent in the cookie banner.
3. Why we process it & legal basis (GDPR Art. 6)
We rely on the following legal bases:
| Purpose | Legal basis |
|---|---|
| Creating and operating your account; fetching and replying to your reviews; running review request, Win Back, referral and loyalty campaigns you configure | Art. 6(1)(b) — performance of the contract with you |
| Processing payments, tax records, invoicing | Art. 6(1)(b) & Art. 6(1)(c) — contract and legal obligation (accounting / tax law) |
| Product improvement, abuse detection, security monitoring, server logs | Art. 6(1)(f) — legitimate interests (running a secure, reliable service). You may object at any time. |
| Marketing emails to existing customers about closely related features | Art. 6(1)(f) — legitimate interests, with opt-out in every email |
| Cold outreach emails to prospective customers | Art. 6(1)(f) — legitimate interests (B2B prospecting). Each message identifies us, provides our postal address, and lets the recipient opt out in one reply. |
| Non-essential cookies and analytics | Art. 6(1)(a) — consent via the cookie banner |
| Responding to legal requests, defending claims | Art. 6(1)(c) & Art. 6(1)(f) |
4. Sub-processors
To run ReplyStars we rely on the sub-processors listed below. Each is bound by a data processing agreement and may only act on our documented instructions. Merchants acting as controllers for their end-customer data will find the same list, with change-notification terms, in the Data Processing Agreement.
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, file storage | EU (Frankfurt) where available; parent in US |
| Vercel | Application hosting, edge CDN, analytics | US, with EU edge nodes |
| Stripe | Payment processing, billing | US (Stripe, Inc.); Ireland (Stripe Payments Europe) |
| OpenAI | Drafting AI replies. Content submitted to OpenAI is not used to train their models per their API DPA. | US |
| Resend | Transactional and marketing email delivery | US |
| Twilio | SMS delivery and inbound webhooks | US, with EU-region numbers where applicable |
| Google Business Profile API | Fetching your reviews and public profile data, posting your approved replies (only on your authorization) | US |
5. International data transfers
Several of our sub-processors are based in or may access data from the United States. Where personal data leaves the EEA or the UK, transfers are covered by either the European Commission’s Standard Contractual Clauses (2021/914) together with supplementary measures (encryption in transit, minimization, role-based access), by certification under the EU–US Data Privacy Framework, or by both. We review our sub-processors’ safeguards annually. You may request a copy of our transfer risk assessment by writing to privacy@replystars.com.
6. How long we keep your data
- Active account data: for as long as your subscription is active.
- After account deletion: personal data is erased from live systems within 30 days of the deletion request. Backups containing the data roll off within 35 days of the request and are not restored into production.
- Billing records: retained for 6 years, or longer where Belgian / EU accounting and tax law requires it.
- SMS and email opt-out lists: retained indefinitely so we never contact an opted-out person again.
- Server and security logs: retained for up to 90 days.
- Support tickets: retained for 24 months.
7. Your rights
If you are located in the EEA or the UK, you have the rights of access, rectification, erasure, restriction, objection, and data portability under GDPR Articles 15-21, as well as the right to withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal. Residents of Switzerland have equivalent rights under the Swiss Federal Act on Data Protection (FADP).
Self-service: account owners can instantly export their data (GDPR Art. 20) or permanently delete their account (GDPR Art. 17) from Settings → Privacy inside the app. No ticket required.
By email: for all other requests write to privacy@replystars.com. We respond within one month of receipt, extendable by two further months for complex or numerous requests, as permitted by Art. 12(3); if we extend, we tell you within the first month and explain why.
You also have the right to lodge a complaint with a data protection supervisory authority. In Belgium, where the controller is established, this is the Gegevensbeschermingsautoriteit / Autorité de protection des données (GBA/APD); if you live elsewhere in the EEA you may use the authority of your own member state, and in the UK the Information Commissioner's Office (ICO).
8. AI-generated replies
ReplyStars uses large language models to draft replies to reviews and customer messages. Drafts are clearly labelled in-app. Nothing is posted publicly or sent to a customer until you (or a person you have authorized) review it and click send. Because a human decision is required, these are not automated decisions within the meaning of GDPR Art. 22.
9. Cookies
We use a small number of essential cookies to keep you signed in and to remember your cookie choice. Optional analytics are only loaded if you enable them in the cookie banner. Full details are in our Cookie Policy. You can change your choice any time via the Cookie preferences link in the footer.
10. Security
We encrypt data in transit with TLS, encrypt secret fields (such as Google OAuth tokens) at rest, enforce least-privilege access for staff, and keep audit logs of administrative actions. No system is perfectly secure; if we become aware of a personal data breach we will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours (GDPR Art. 33), and notify affected individuals directly where the breach is likely to result in a high risk to their rights and freedoms (GDPR Art. 34).
11. Children
ReplyStars is a B2B product intended for people aged 16 or over. We do not knowingly collect data from children. If you believe we have, contact privacy@replystars.com and we will delete it.
12. Changes to this Policy
When we make material changes we notify account holders by email at least 14 days before the new version takes effect. The “Last updated” date at the top of this Policy always reflects the current version.
13. Contact
Questions, complaints, or requests related to your personal data: privacy@replystars.com.