ReplyArcReplyArc
Get started
LEGAL · PRIVACY NOTICE

Privacy.

What ReplyArc collects, why we collect it, how long we keep it, and how to exercise your rights under GDPR and equivalent regimes.

Last updated: 2026-05-26.

What we collect, why we collect it, how long we keep it, who we share it with, and how to exercise your rights. This page mirrors our internal Record of Processing Activities — the canonical inventory our team works from.

What we collect

Your account. Email address, name, password hash, role, and the timestamp you accepted the terms. We store the workspace you belong to and the integrations you have connected.

Operational records. The prospects you upload, the messages your workspace sends, the replies that come back, the send-lifecycle events (delivered, bounced, opened, replied), and the in-app notifications we generate for you. We also store the encrypted credentials for the email account, sender provider, AI provider, and CRM you have connected — secrets are Fernet-encrypted at the application layer.

Security audit log. Who did what, when, from where — in hashed form. We record the HTTP method, path, response status, a hashed IP, and a hashed user-agent fingerprint. We never log request or response bodies. The audit log is purged automatically after 90 days.

Why we collect it

To run the service you signed up for. Authentication, sending and receiving mail through your connected accounts, drafting AI replies with the credentials you brought, syncing to your CRM. The legal basis is the contract between you and us.

To make cold outreach work as a tool. Storing prospect details so your campaigns can run is necessary for the product to function. The legal basis is legitimate interest, balanced against the rights of the people being contacted. We constrain that interest: B2B contacts only, professional context only, honour suppression immediately, every outbound message carries an unsubscribe path. The full reasoning lives in our Legitimate Interest Assessment, available on request.

To keep the platform secure and auditable. The 90-day activity log lets us investigate incidents, detect misuse, and meet our security obligations. The legal basis is a combination of legitimate interest and legal obligation.

To improve the product when you let us. Activity tracking is consent-based and off by default until you opt in. You can turn it back off at any time from Settings → Privacy inside the app.

How long we keep it

Account, workspace, prospects, threads, sends, integrations. For the lifetime of your subscription. When you delete your account or close your workspace, this data is removed within the 30-day post-termination window described in our Data Processing Agreement.

Security audit log. 90 days, auto-purged daily at 03:00 UTC.

Aggregate operational metrics. Counts and ratios with no personal data may be retained longer for capacity planning and trend analysis.

Who we share it with

We use third-party subprocessors to deliver the service. The complete, current list lives at /legal/subprocessors. Material changes to that list are notified to you with at least 30 days' notice.

Analytics & cookies on this marketing site

This site (replyarc.com) uses two analytics tools:

Vercel Analytics & Speed Insights — cookie-less, aggregate. We measure page views, referrers, and Web Vitals at the edge using Vercel's first-party analytics. No cookies are set, no fingerprinting is performed, and visitor identifiers are anonymized within a 24-hour window.

PostHog (EU-hosted) — opt-in, anonymized. When you click Accept on the cookie banner, we load PostHog (EU instance at eu.i.posthog.com) to understand which pages convert and which drop off. We do not enable session recording, autocapture of keystrokes, or person-level profiles for anonymous visitors. PostHog requests are proxied through /api/posthog on our domain so cookies remain first-party.

Opting out. Three ways to opt out, all honored:

  1. Click Decline in the cookie banner (or Accept then later clear your ra_cookie_consent localStorage key).
  2. Enable Do Not Track in your browser — we honor the DNT header and PostHog will not load.
  3. Don't load the site. We do nothing analytics-related before the banner is dismissed.

No analytics data is shared with advertising networks. The marketing site does not run third-party ad pixels, retargeting tags, or chat widgets.

Your rights

Under GDPR (and most other privacy regimes) you can do the following. We honour each one.

Access — get a copy of your data. We return a machine-readable JSON archive of your account, consent state, and activity events. Use the "Export my data" button in Settings → Privacy inside the app.

Erasure — delete your data. Delete your account and we cascade through every table linked to you, preserving aggregate campaign performance counts. Use the "Delete my account" control in the Danger zone of Settings → Privacy. We recommend exporting your data first.

Rectification — fix incorrect data. Update your name, email, and notification preferences in Settings → Profile. For data you cannot edit yourself, email the privacy contact.

Portability — take your data with you. Same export as Access: a portable JSON archive you can move to another service.

Objection — opt out of processing. Turn off the activity tracking toggle in Settings → Privacy to opt out of consented processing. To object to processing based on legitimate interest (for example, if your details were uploaded by a workspace operator and you want them removed), email the privacy contact and we will honour the request without undue delay.

Restriction — pause processing. You can request that we hold your data but stop processing it while a dispute is resolved (for example, while you contest its accuracy). Email the privacy contact.

Data Processing Agreement

A controller-to-processor DPA is available on request. See /legal/dpa for the full text and how to receive a countersigned copy.

How to contact us

For any privacy request — access, erasure, rectification, portability, objection, restriction, or a question about this notice — email privacy@replyarc.com.

If your install operator has appointed a Data Protection Officer, their contact details are available on request. We will respond within the timeframe required by applicable law (typically one month under GDPR, extendable to three months for complex requests).

Updates to this notice

We version this notice. Material changes — new data categories, new subprocessors, changed retention — are notified in-app and via email with at least 30 days' notice before they take effect, except where a faster change is required to meet a legal or security obligation.

Questions? Email privacy@replyarc.com.ReplyArc · /legal/privacy