Data collection, usage & minimisation
- We do not save any personal data permanently.
Selected email content and voice snippets live in RAM; encrypted cache is purged within 24 h (or instantly on enterprise “zero-retention” mode). - No data is ever used to train AI models or for advertising / profiling.
- Sub-processors receive only the minimum required data under strict DPAs.
Data protection & security
- TLS 1.2+ in transit; AES-256 at rest.
- Role-based access, MFA, and least-privilege policies across all environments.
- Annual penetration tests and continuous vulnerability scanning.
International transfers & compliance
- SCCs in place for transfers from EEA/UK to our primary US data centre.
- Sub-processor & Transfer-Impact Assessments reviewed at least annually (list published in our Trust Center).
Your rights & controls
- Self-service portal plus email (replyboxai@gmail.com) for access, correction, deletion, restriction.
- Typical response time: < 72 hours.
Data retention & deletion
- Default retention: 24 h or less for message/voice payloads; logs 90 days.
- Zero-day retention available on enterprise plans.
- Deleted accounts = data purged or irreversibly anonymised within 30 days (billing data retained only for legal compliance).
Incident response & breach notification
- Documented IRP with 24×7 on-call engineer.
- Post-incident root-cause analysis shared with affected customers.
- GDPR-aligned breach notification within 72 hours when required.
Privacy Policy
Table of Contents
- Introduction
- Acceptance of This Policy
- Scope of Services Covered
- What We Collect & Why
4.1 Use of the ReplyBox Website
4.2 Use of the ReplyBox Chrome Extension for Gmail & Outlook Web
4.3 Voice-to-Text Feature - Security Measures
- Use & Transfer of Google and Microsoft Data (Limited-Use Compliance)
- Sharing Information with Third Parties
- International Data Transfers
- Your Privacy Rights (GDPR / UK-GDPR / CCPA & others)
- Data Storage & Retention
- Children’s Data
- Cookies & Similar Technologies
- Changes to This Policy
- Questions, Concerns, or Complaints
1. Introduction
ReplyBox (“we”, “our”, “us”) is a productivity tool that lives in your browser and helps you compose, reply to, summarise, and draft emails in Gmail and Outlook Web. We also offer a voice-to-text option that lets you dictate email replies directly from the extension. Protecting your information and keeping your correspondence private is central to how we build every feature.
2. Acceptance of This Policy
By installing the ReplyBox Chrome extension, creating an account, or using any related web services, you consent to the practices described here. If you ever disagree with the policy, uninstall the extension and discontinue use. You may withdraw consent at any time by emailing replyboxai@gmail.com.
3. Scope of Services Covered
This document applies to:
- ReplyBox Chrome Extension for Gmail and Outlook Web
- replybox.app marketing & documentation website
- Any optional beta features we label as part of ReplyBox (e.g., desktop companion app)
4. What We Collect & Why
Category | Examples | Purpose |
Account & Authentication | Name, email address, Google or Microsoft OAuth tokens | • Sign-in & licence management • Sync settings across devices |
Email Content | Subject lines, message bodies, attachments only while you trigger an action (reply, compose, summarise) | • Generate AI replies • Summarise or draft content • Save drafts on your behalf |
Voice Data | Audio you record via the mic, its transcript | • Convert speech to text • Insert dictated text into an email |
Device & Usage | IP address, browser type, extension version, crash logs | • Detect & resolve bugs • Security monitoring • Usage analytics to improve UX |
Website Analytics | Page views, clicks (aggregated) | • Understand marketing performance |
We never sell personal data and only keep the minimum required to provide the service.
4.1 Use of the ReplyBox Website
We use first-party cookies and Google Analytics (GA4) to understand aggregated visitor behaviour. IP addresses are truncated before storage and are never combined with email data from the extension.
4.2 Use of the Chrome Extension
When you click “Reply with ReplyBox”, the selected email text and your prompt are sent securely to our servers and then to our AI provider (OpenAI) to generate a response. The result is returned to the extension and immediately deleted from our servers within 24 hours (enterprise plans may request shorter windows).
4.3 Voice-to-Text
Audio is streamed via HTTPS to our speech-to-text provider (OpenAI Whisper) and discarded once the transcription is returned. Raw audio is not retained.
5. Security Measures
- Encryption in transit & at rest (TLS 1.2+ / AES-256)
- Principle of least privilege: production data accessible only to vetted, role-based engineers
- OAuth 2.0: we never store your mailbox password—only tokens issued by Google/Microsoft
- Annual penetration tests and routine dependency vulnerability scans
- Bug-bounty programme (see security.txt on our domain)
6. Use & Transfer of Google and Microsoft Data
Our handling of Gmail data complies with the [Google API Services User Data Policy, including Limited Use requirements]. Likewise, Outlook data is accessed through Microsoft Graph under equivalent terms. We use these permissions solely to:
- Read the message you choose in order to draft or summarise it
- Create or send a reply or draft you explicitly approve
- Display email metadata (e.g., subject, recipient) inside the extension
We do not:
- use email or voice data for advertising
- allow humans to read it (except when you request support)
- transfer it to additional apps without your permission
7. Sharing Information with Third Parties
Partner | Role | Safeguards |
OpenAI, LLC | AI text & speech processing | Standard Contractual Clauses (SCCs) |
Google Cloud (Iowa / Belgium regions) | Primary hosting | ISO 27001, SOC 2 |
Datadog | Logs & metrics | Pseudonymised metadata only |
Stripe | Payments (when you upgrade) | PCI DSS compliance |
All vendors are contractually bound to act as processors and may not use your data for their own purposes.
8. International Data Transfers
Primary servers reside in Google Cloud (Iowa, USA). Where GDPR applies, transfers rely on SCCs plus encryption. Users in the EU/EEA acknowledge that their data may be processed outside their jurisdiction.
9. Your Privacy Rights
Region | Rights You Have | How to Exercise |
EU / UK (GDPR) | Access • Rectification • Erasure • Restrict • Portability • Object | Email replyboxai@gmail.com |
California (CCPA) | Know • Delete • Opt-out of sale (we don’t sell) | Email replyboxai@gmail.com |
Others | We will honour any comparable local right | Contact us |
We respond within 30 days. Identification may be required.
10. Data Storage & Retention
- Email & AI prompts: 24 hours (default), purge on user request
- Access tokens: until you revoke in Google/Microsoft settings or uninstall
- Billing records: 3 years (tax compliance)
- Crash & usage logs: 90 days
Enterprise customers can negotiate custom retention schedules in a Data Processing Addendum (DPA).
11. Children’s Data
ReplyBox is not intended for children under 16. We do not knowingly collect such data; if you believe we have, contact us for deletion.
12. Cookies & Similar Technologies
We set a single first-party cookie (replybox_session) for login persistence on our website. You may clear cookies at any time via browser settings. See our separate Cookie Notice for a full list.
13. Changes to This Policy
We may revise this document to reflect product or legal changes. Material updates will be announced in-extension and on replybox.app 14 days before they take effect. Continued use means acceptance of the revised terms.
14. Questions, Concerns, or Complaints
Email replyboxai@gmail.com or write to:
Data Protection Officer
ReplyBox Labs
4th Floor, 44A InfoPark
Ahmedabad 380015, India
If you believe your request has not been handled adequately, EU/UK residents may lodge a complaint with their local supervisory authority.