    ReplAI

    Privacy Policy

    Last updated: 17 April 2026

    We are committed to protecting your privacy and ensuring the security of your personal data. This Privacy Policy explains how we collect, use, store, and protect information when you use our AI Booking Assistant service. We operate in compliance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

    By using our service, you acknowledge that you have read and understood this Privacy Policy. If you have any questions, please contact us using the details provided at the end of this document.

    1. Personal Data We Collect

    We collect and process the following categories of personal data to provide our AI Booking Assistant service:

    Information You Provide Directly

    • Contact Information: Name, email address, phone number
    • Account Information: Business name, account credentials, billing address
    • Booking Details: Appointment dates, times, service types, and preferences
    • Communication Content: Messages exchanged through our booking assistant

    Information Collected Automatically

    • Usage Data: How you interact with our service, features used, booking patterns
    • Technical Data: IP address, browser type, device information, time zone
    • Messaging Platform Data: Information received through Facebook Messenger and WhatsApp Business integrations

    Conversation Data

    When customers interact with your AI agent on WhatsApp, Instagram DMs, or Facebook Messenger, we process the following data on your behalf:

    • Message Content: The text of each conversation between the customer and the AI agent
    • Sender Identifiers: Platform-assigned user IDs (e.g. WhatsApp phone number, Facebook PSID), which we do not link to real-world identities
    • Timestamps: Date and time of each message and conversation event
    • Booking & Order Details: Appointment times, service selections, order items captured during the conversation
    • Conversation State: The current stage of a booking or sales flow (e.g. "awaiting confirmation")

    Live Chat Handover

    If a customer requests to speak to a human, or if the AI agent cannot resolve a query, the conversation may be handed over to the business owner or staff. During and after handover:

    • The authenticated business owner/staff member can view the full conversation history for that customer
    • Access is limited to authorised personnel of the business only
    • Handover events are logged for audit and quality purposes

    End-User Data & Your Role as Data Controller

    When your customers interact with the AI agent, you (the business) are the data controller for their personal data. ReplAI Smart acts as a data processor, processing that data solely on your behalf and under your instructions. You are responsible for ensuring your customers are informed about how their data is used and for providing a lawful basis for processing.

    2. How We Use Your Data

    We process personal data for the following purposes:

    • Service Delivery: To provide and operate the AI Booking Assistant, including automated appointment scheduling, availability management, and booking confirmations.
    • Booking Automation: To process booking requests, send reminders, handle rescheduling, and manage your calendar integrations.
    • Customer Support: To respond to your inquiries, troubleshoot issues, and provide technical assistance.
    • Billing and Payments: To process subscription payments, issue invoices, and manage your account.
    • Service Improvement: To analyse usage patterns, improve our AI algorithms, and enhance user experience.
    • Communication: To send service-related notifications, updates, and important announcements.
    • Legal Compliance: To comply with legal obligations, resolve disputes, and enforce our terms.

    Legal Basis for Processing

    We process your data based on the following legal grounds under GDPR:

    • Contract Performance: Processing necessary to provide our service to you
    • Legitimate Interests: Improving our service and preventing fraud
    • Legal Obligation: Compliance with applicable laws and regulations
    • Consent: Where you have given explicit consent for specific processing

    3. Third-Party Service Providers

    We work with trusted third-party service providers who process data on our behalf. All providers are carefully selected and contractually bound to protect your data:

    Payment Processing

    Stripe: Handles all payment processing, subscription management, and billing. Stripe is PCI-DSS Level 1 certified and processes data in accordance with GDPR. We do not store your full payment card details.

    Messaging Platforms

    Meta Platforms (Facebook Messenger, WhatsApp Business): We integrate with these platforms to provide booking functionality. Messages and user interactions are processed according to Meta's data policies and our data processing agreements.

    Cloud Infrastructure

    Our service runs on secure cloud infrastructure within the European Union or with appropriate safeguards for international transfers. All data is encrypted in transit and at rest.

    Calendar Services

    Integration with Google Calendar to synchronise availability and bookings.

    Database & Authentication

    Supabase: Provides our PostgreSQL database and authentication infrastructure. Data is stored within the EU. Supabase is SOC 2 Type II certified.

    AI Processing

    OpenAI: Conversation messages are processed by OpenAI's language models to generate AI responses. Messages are sent to OpenAI's API under a data processing agreement. OpenAI does not use API data to train models by default. See openai.com/enterprise-privacy.

    4. Data Retention

    We retain your personal data only for as long as necessary to fulfil the purposes outlined in this policy, unless a longer retention period is required by law.

    • Account Data: Retained for the duration of your subscription and for up to 2 years after account closure for legal and accounting purposes.
    • Booking Records: Retained for 3 years to support service delivery, analytics, and dispute resolution.
    • Conversation Data (Messages & Sessions): Retained for a default of 90 days from the last message in a session. Business owners may configure a shorter retention period in their dashboard. Data is automatically deleted after the retention period expires.
    • Payment Records: Retained for 7 years to comply with financial and tax regulations.
    • Usage Analytics: Aggregated and anonymised data may be retained indefinitely for service improvement.

    Upon request, we will delete your personal data within 30 days, subject to any legal retention requirements.

    5. Your Rights Under GDPR

    As a data subject in the European Union, you have the following rights regarding your personal data:

    Right of Access

    Request a copy of the personal data we hold about you.

    Right to Rectification

    Request correction of inaccurate or incomplete data.

    Right to Erasure

    Request deletion of your personal data ("right to be forgotten"). End-customers may request erasure from the business directly; businesses can trigger deletion from the ReplAI Smart dashboard or by contacting us.

    Right to Restriction

    Request limitation of processing in certain circumstances.

    Right to Data Portability

    Receive your data in a structured, machine-readable format.

    Right to Object

    Object to processing based on legitimate interests.

    Right to Withdraw Consent

    Withdraw consent at any time where processing is based on consent, without affecting the lawfulness of prior processing.

    To exercise any of these rights, please contact us using the details below. We will respond to your request within 30 days. You also have the right to lodge a complaint with your local data protection authority.

    6. Security Measures

    We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction:

    • Encryption: All data is encrypted in transit (TLS/SSL) and at rest
    • Access Controls: Strict access controls and authentication mechanisms
    • Regular Audits: Periodic security assessments and vulnerability testing
    • Employee Training: Staff trained on data protection and security practices
    • Incident Response: Procedures for detecting and responding to data breaches
    • Data Minimisation: We only collect data necessary for our services

    While we strive to protect your data, no method of transmission over the Internet is 100% secure. We encourage you to use strong passwords and keep your account credentials safe.

    7. International Data Transfers

    Your data is primarily processed within the European Economic Area (EEA). Where we transfer data outside the EEA, we ensure appropriate safeguards are in place, including:

    • Standard Contractual Clauses approved by the European Commission
    • Adequacy decisions for countries with equivalent data protection standards
    • Binding Corporate Rules where applicable

    8. Cookies and Tracking

    Our dashboard uses Supabase authentication (JWT stored in localStorage) for session management; this is an essential functional cookie. We do not use third-party tracking or advertising cookies in the dashboard. The marketing website (replaismart.com) may use analytics cookies; see our Cookie Policy for details.

    9. Data Processing Agreement (DPA)

    For businesses using ReplAI Smart to process their customers' personal data, a Data Processing Agreement is in place between the business (data controller) and ReplAI Smart (data processor). This DPA is incorporated into and forms part of our Terms of Service. A full copy of the DPA is available at replaismart.com/dpa.

    10. Changes to This Policy

    We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of significant changes by email or through our service. We encourage you to review this policy periodically.

    11. Contact Us

    If you have questions about this Privacy Policy, wish to exercise your rights, or have concerns about how we handle your data, please contact our Data Protection team:

    ReplAI Smart Ltd.
    Data Protection Inquiries
    Email: privacy@replaismart.com

    We aim to respond to all inquiries within 30 days.