1. Data Controller
The data controller responsible for your personal data is:
- Company: Techcorp informatique et communication
- Legal Form: SA (Moroccan Law)
- ICE: 003689600000091
- Address: Marrakech, Morocco
- Email: contact@replystack.io
- Representative: Mounir LAKHFIF, President
2. Scope of This Policy
This Privacy Policy applies to:
- The ReplyStack website and web application
- The ReplyStack dashboard
- The ReplyStack browser extension for Chrome and Firefox
- Any related services and communications
3. Data We Collect
3.1 Account Information
- Email address
- Name (optional)
- Password (stored as a secure hash, never in plain text)
- Plan and subscription status
3.2 Business Profile Data
- Establishment name
- Business sector
- Address (optional)
- Response preferences (tone, language, signature)
3.3 Customer Review Data
- Review content, authors, ratings, and dates from connected platforms
- AI-generated responses
- Response history and analytics
3.4 OAuth and Platform Connections
- OAuth tokens for Google Business Profile and Facebook (encrypted at rest)
- Platform identifiers for connected accounts
3.5 Usage Data
- Log files (IP address, browser type, access times)
- Feature usage statistics
- Preferences and settings
3.6 Payment Information
- Billing information is processed by our payment provider (Lemon Squeezy)
- We do NOT store credit card numbers or banking details
3.7 Browser Extension Data
- Review data from supported platforms (Google Business, TripAdvisor, etc.)
- The extension only operates on supported review platform pages
- We do not track your general browsing activity
4. How We Use Your Data
| Purpose | Legal Basis |
|---|---|
| Providing the ReplyStack service (AI response generation, review aggregation) | Contract performance |
| Managing your user account | Contract performance |
| Processing payments and billing | Contract performance / Legal obligation |
| Sending transactional emails (account, billing, security) | Contract performance |
| Improving our services through analytics | Legitimate interest |
| Security and fraud prevention | Legitimate interest / Legal obligation |
| Marketing communications | Consent (opt-in) |
5. Data Recipients and Processors
We share your data with the following service providers:
| Recipient | Purpose | Location | Safeguards |
|---|---|---|---|
| Google LLC | AI response generation | USA | DPF, SCCs |
| Mistral AI | AI response generation | France | EU |
| Railway, Inc. | API hosting | USA | DPF, SCCs |
| Vercel Inc. | Frontend hosting | USA | DPF, SCCs |
| Lemon Squeezy, LLC | Payment processing | USA | DPF, SCCs, PCI-DSS |
| Google LLC | OAuth (if connected) | USA | DPF, SCCs |
| Meta Platforms, Inc. | OAuth (if connected) | USA | DPF, SCCs |
DPF = EU-U.S. Data Privacy Framework; SCCs = Standard Contractual Clauses
6. International Data Transfers
Your data may be transferred to and processed in the United States. We ensure adequate protection through:
- EU-U.S. Data Privacy Framework certification of our processors
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Your explicit consent to these transfers when you create an account
7. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Duration of subscription + 3 years |
| Reviews and responses | Duration of subscription + 1 year |
| OAuth tokens | Until disconnection or expiration |
| Server logs | 12 months |
| Billing records | 10 years (legal requirement) |
8. Your Privacy Rights
8.1 Rights for All Users
- Right of Access: Request a copy of your personal data
- Right to Rectification: Correct inaccurate or incomplete data
- Right to Erasure: Request deletion of your data ("right to be forgotten")
- Right to Data Portability: Receive your data in a structured format
- Right to Object: Object to certain processing activities
- Right to Withdraw Consent: Withdraw consent at any time
8.2 Additional Rights for EU/EEA Residents (GDPR)
- Right to lodge a complaint with your local Data Protection Authority
- Right to restrict processing
- Right not to be subject to automated decision-making
8.3 Additional Rights for California Residents (CCPA)
- Right to know what personal information is collected, used, and shared
- Right to delete personal information
- Right to opt out of the sale of personal information (Note: We do NOT sell personal data)
- Right to non-discrimination for exercising your rights
8.4 Additional Rights for Brazil Residents (LGPD)
- Right to information about data sharing with third parties
- Right to anonymization, blocking, or deletion of excessive data
- Right to revoke consent
8.5 How to Exercise Your Rights
To exercise any of these rights, contact us at: contact@replystack.io
We will respond within 30 days of receiving your request.
9. Cookies
We use essential cookies for authentication and security. For detailed information, please see our Cookie Policy.
10. Security Measures
We implement appropriate technical and organizational measures to protect your data:
- Encryption of sensitive data at rest (AES-256)
- HTTPS encryption for all data in transit
- OAuth tokens encrypted at rest
- Passwords hashed using bcrypt
- Regular security audits
- Access controls and logging
- Employee training on data protection
11. Browser Extension Privacy
The ReplyStack browser extension:
- Only activates on supported review platforms (Google Business, TripAdvisor, etc.)
- Does NOT track your general browsing activity
- Does NOT collect data from pages outside supported platforms
- Requires permissions only for functionality (storage, active tab on review sites)
- Processes review data locally before syncing with your account
12. Children's Privacy
ReplyStack is not intended for users under 18 years of age. We do not knowingly collect personal data from children. If you believe we have collected data from a minor, please contact us immediately.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will:
- Notify you by email of material changes
- Provide 30 days' notice before changes take effect
- Update the "Last Updated" date at the top of this page
14. Contact and Complaints
For questions or complaints about this policy or our data practices:
- Email: contact@replystack.io
- Address: Techcorp informatique et communication, Marrakech, Morocco
You may also contact the relevant supervisory authority:
- EU: Your local Data Protection Authority
- Morocco: CNDP (Commission Nationale de contrôle de la protection des Données à caractère personnel)
- California: California Attorney General
- Brazil: ANPD (Autoridade Nacional de Proteção de Dados)