ReplyBox – Privacy & Security

Security

Data collection, usage & minimisation

  • We do not save any personal data permanently.
  • Selected email content and voice snippets live in RAM; encrypted cache is purged within 24 h (or instantly on enterprise “zero-retention” mode).
  • No data is ever used to train AI models or for advertising / profiling.
  • Sub-processors receive only the minimum required data under strict DPAs.

Data protection & security

  • TLS 1.2+ in transit; AES-256 at rest.
  • Role-based access, MFA, and least-privilege policies across all environments.
  • Annual penetration tests and continuous vulnerability scanning.

International transfers & compliance

  • Sub-processor & Transfer-Impact Assessments reviewed at least annually (list published in our Trust Center).

Your rights & controls

  • Self-service portal plus email (replyboxai@gmail.com) for access, correction, deletion, restriction.
  • Typical response time: <72 hours.

Data retention & deletion

  • Default retention: 24h or less for message/voice payloads; logs 90 days.
  • Zero-day retention available on enterprise plans.
  • Deleted accounts = data purged or irreversibly anonymised within 30 days (billing data retained only for legal compliance).

Incident response & breach notification

  • Documented IRP with 24×7 on-call engineer.
  • Post-incident root-cause analysis shared with affected customers.
  • GDPR-aligned breach notification within 72 hours when required.

Privacy Policy

Table of Contents

  1. Introduction
  2. Acceptance of This Policy
  3. Scope of Services Covered
  4. What We Collect & Why
  5. Security Measures
  6. Use & Transfer of Google and Microsoft Data
  7. Sharing Information with Third Parties
  8. International Data Transfers
  9. Your Privacy Rights
  10. Data Storage & Retention
  11. Children’s Data
  12. Cookies & Similar Technologies
  13. Changes to This Policy
  14. Questions, Concerns, or Complaints

1. Introduction

ReplyBox (“we”, “our”, “us”) is a productivity tool that helps you manage email communications more efficiently. Protecting your information is central to how we build every feature.

2. Acceptance of This Policy

By installing the extension or using our services, you consent to the practices described here.

3. Scope of Services Covered

  • ReplyBox Chrome Extension for Gmail and Outlook Web
  • replybox.app website
  • Any optional beta features (e.g., desktop companion app)

4. What We Collect & Why

Email Content

Examples: Subject lines, bodies, attachments while you trigger an action

Purpose: Generate AI replies, summarise or draft content, save drafts

Account & Authentication

Examples: Name, email, OAuth tokens

Purpose: Sign-in, licence management, sync settings

Voice Data

Examples: Audio + transcript

Purpose: Convert speech to text for email dictation

Device & Usage

Examples: IP, browser, crash logs

Purpose: Bug detection, security monitoring, UX analytics

Website Analytics

Examples: Page views, clicks (aggregated)

Purpose: Understand marketing performance

4.1 Use of the ReplyBox Website

We use first-party cookies and GA4 analytics to improve our website experience. This data is never combined with extension data.

4.2 Use of the Chrome Extension

When you click “Reply with ReplyBox” or use our AI features, we process the necessary email content to provide our services. All data is deleted within 24h (shorter on enterprise plans).

4.3 Voice-to-Text

Audio is streamed via HTTPS for transcription purposes. Raw audio is not retained after processing.

5. Security Measures

  • Encryption in transit & at rest (TLS 1.2+ / AES-256)
  • Principle of least privilege
  • OAuth 2.0 (we never store mailbox passwords)
  • Annual penetration tests, vulnerability scans
  • Bug-bounty programme

6. Use & Transfer of Google and Microsoft Data

Complies with Google API Services User Data Policy (Limited Use) and Microsoft’s equivalent policies. No advertising, no human access unless support is specifically requested.

7. Sharing Information with Third Parties

OpenAI, LLC

Role: AI text & speech processing

Safeguards: SCCs

Google Cloud

Role: Primary hosting

Safeguards: ISO 27001, SOC 2

Datadog

Role: Logs & metrics

Safeguards: Pseudonymised metadata

Stripe

Role: Payments

Safeguards: PCI DSS compliance

8. International Data Transfers

Primary servers are located in Google Cloud (Iowa, USA). GDPR transfers use Standard Contractual Clauses plus encryption.

9. Your Privacy Rights

EU / UK (GDPR)

Rights: Access, Rectify, Erase, Restrict, Portability, Object

How to Exercise: Email replyboxai@gmail.com

California (CCPA)

Rights: Know, Delete, Opt-out of sale

How to Exercise: Email replyboxai@gmail.com

Others

Rights: We honour comparable rights

How to Exercise: Contact us

10. Data Storage & Retention

  • Email & AI prompts: 24h default, purge on request
  • Access tokens: until revoked
  • Billing records: 3 years
  • Crash & usage logs: 90 days
  • Custom schedules available via DPA

11. Children’s Data

Our services are not intended for users under 16. Contact us for deletion if such data has been collected.

12. Cookies & Similar Technologies

We use a single first-party cookie for login persistence. See our separate Cookie Notice for detailed information.

13. Changes to This Policy

Policy revisions are announced in-extension and on our website 14 days before taking effect.

14. Questions, Concerns, or Complaints

Email us at replyboxai@gmail.com or write to:

Data Protection Officer
ReplyBox Labs
44A InfoPark, Ahmedabad, India


Privacy Policy

Table of Contents

1. Introduction
2. Acceptance of This Policy
3. Scope of Services Covered
4. What We Collect & Why
4.1 Use of the ReplyBox Website
4.2 Use of the ReplyBox Chrome Extension for Gmail & Outlook Web
4.3 Voice-to-Text Feature
5. Security Measures
6. Use & Transfer of Google and Microsoft Data (Limited-Use Compliance)
7. Sharing Information with Third Parties
8. International Data Transfers
9. Your Privacy Rights (GDPR / UK-GDPR / CCPA & others)
10. Data Storage & Retention
11. Children’s Data
12. Cookies & Similar Technologies
13. Changes to This Policy
14. Questions, Concerns, or Complaints

1. Introduction

ReplyBox (“we”, “our”, “us”) is a productivity tool that lives in your browser and helps you compose, reply to, summarise, and draft emails in Gmail and Outlook Web. We also offer a voice-to-text option that lets you dictate email replies directly from the extension. Protecting your information and keeping your correspondence private is central to how we build every feature.

2. Acceptance of This Policy

By installing the ReplyBox Chrome extension, creating an account, or using any related web services, you consent to the practices described here. If you ever disagree with the policy, uninstall the extension and discontinue use. You may withdraw consent at any time by emailing replyboxai@gmail.com.

3. Scope of Services Covered

This document applies to:
• ReplyBox Chrome Extension for Gmail and Outlook Web
• replybox.app marketing & documentation website
• Any optional beta features we label as part of ReplyBox (e.g., desktop companion app)

4. What We Collect & Why

Email Content

Examples: Subject lines, message bodies, attachments only while you trigger an action (reply, compose, summarise)

Purpose:
• Generate AI replies
• Summarise or draft content
• Save drafts on your behalf

Account & Authentication

Examples: Name, email address, Google or Microsoft OAuth tokens

Purpose:
• Sign-in & licence management
• Sync settings across devices

Voice Data

Examples: Audio you record via the mic, its transcript

Purpose:
• Convert speech to text
• Insert dictated text into an email

Device & Usage

Examples: IP address, browser type, extension version, crash logs

Purpose:
• Detect & resolve bugs
• Security monitoring
• Usage analytics to improve UX

Website Analytics

Examples: Page views, clicks (aggregated)

Purpose:
• Understand marketing performance

We never sell personal data and only keep the minimum required to provide the service.

4.1 Use of the ReplyBox Website

We use first-party cookies and Google Analytics (GA4) to understand aggregated visitor behaviour. IP addresses are truncated before storage and are never combined with email data from the extension.

4.2 Use of the Chrome Extension

When you click “Reply with ReplyBox”, the selected email text and your prompt are sent securely to our servers and then to our AI provider (OpenAI) to generate a response. The result is returned to the extension, and the data is deleted from our servers within 24 hours (enterprise plans may request shorter windows).

4.3 Voice-to-Text

Audio is streamed via HTTPS to our speech-to-text provider (OpenAI Whisper) and discarded once the transcription is returned. Raw audio is not retained.

5. Security Measures

• Encryption in transit & at rest (TLS 1.2+ / AES-256)
• Principle of least privilege: production data accessible only to vetted, role-based engineers
• OAuth 2.0: we never store your mailbox password, only tokens issued by Google/Microsoft
• Annual penetration tests and routine dependency vulnerability scans
• Bug-bounty programme (see security.txt on our domain)

6. Use & Transfer of Google and Microsoft Data

Our handling of Gmail data complies with the Google API Services User Data Policy, including Limited Use requirements. Likewise, Outlook data is accessed through Microsoft Graph under equivalent terms. We use these permissions solely to:
1. Read the message you choose in order to draft or summarise it
2. Create or send a reply or draft you explicitly approve
3. Display email metadata (e.g., subject, recipient) inside the extension

We do not:

• use email or voice data for advertising
• allow humans to read it (except when you request support)
• transfer it to additional apps without your permission

7. Sharing Information with Third Parties

OpenAI, LLC

Role: AI text & speech processing

Safeguards: Standard Contractual Clauses (SCCs)

Google Cloud (Iowa / Belgium regions)

Role: Primary hosting

Safeguards: ISO 27001, SOC 2

Datadog

Role: Logs & metrics

Safeguards: Pseudonymised metadata only

Stripe

Role: Payments (when you upgrade)

Safeguards: PCI DSS compliance

All vendors are contractually bound to act as processors and may not use your data for their own purposes.

8. International Data Transfers

Primary servers reside in Google Cloud (Iowa, USA). Where GDPR applies, transfers rely on SCCs plus encryption. Users in the EU/EEA acknowledge that their data may be processed outside their jurisdiction.

9. Your Privacy Rights

EU / UK (GDPR)

Rights You Have: Access • Rectification • Erasure • Restrict • Portability • Object

How to Exercise: Email replyboxai@gmail.com

California (CCPA)

Rights You Have: Know • Delete • Opt-out of sale (we don’t sell)

How to Exercise: Email replyboxai@gmail.com

Others

Rights You Have: We will honour any comparable local right

How to Exercise: Contact us

We respond within 30 days. Identification may be required.

10. Data Storage & Retention

• Email & AI prompts: 24 hours (default), purge on user request
• Access tokens: until you revoke in Google/Microsoft settings or uninstall
• Billing records: 3 years (tax compliance)
• Crash & usage logs: 90 days

Enterprise customers can negotiate custom retention schedules in a Data Processing Addendum (DPA).

11. Children’s Data

ReplyBox is not intended for children under 16. We do not knowingly collect such data; if you believe we have, contact us for deletion.

12. Cookies & Similar Technologies

We set a single first-party cookie (replybox_session) for login persistence on our website. You may clear cookies at any time via browser settings. See our separate Cookie Notice for a full list.

13. Changes to This Policy

We may revise this document to reflect product or legal changes. Material updates will be announced in-extension and on replybox.app 14 days before they take effect. Continued use means acceptance of the revised terms.

14. Questions, Concerns, or Complaints

Email replyboxai@gmail.com or write to:

Data Protection Officer
ReplyBox Labs
4th Floor, 44A InfoPark
Ahmedabad 380015, India

If you believe your request has not been handled adequately, EU/UK residents may lodge a complaint with their local supervisory authority.