NEWNew: connect Notion, Confluence, Zendesk, Intercom, Google Drive, SharePoint and more — bring your existing knowledge into Replai in minutes. Learn more

Privacy Policy

How Replai handles personal data — as a controller for its own data, and as a processor for customer end-user data.

Last updated: 17 June 2026Draft — pending legal review

This Privacy Policy explains how Replai handles personal data. It covers the activities where Replai decides why and how data is processed (Replai as controller) and explains, at a high level, the activities where Replai processes data on behalf of its business customers (Replai as processor).

1. Who we are

Controller: Replai, [registered address], Belgium · company number [company number].

Privacy contact: [email protected].

2. Controller vs. processor — who is responsible for what

2.1 Replai as controller. For the personal data of our own account holders, billing contacts, marketing/website visitors, and prospects, Replai decides the purposes and means of processing. This Privacy Policy governs those activities.

2.2 Replai as processor. For the end-user conversation data that our business customers route through the Service, the customer is the controller and Replai acts as a processor on the customer's documented instructions under the Data Processing Agreement. If you are an end user, please contact the relevant business (the customer) about how your conversation data is used.

3. Data we process as controller, purposes, and legal bases

Category of dataPurposeLegal basis (Art. 6 GDPR)
Account & identity (name, business email, credentials)Create and manage your account; provide the ServiceContract — Art. 6(1)(b)
Billing & transaction dataProcess payments, invoicing, tax complianceContract — 6(1)(b); Legal obligation — 6(1)(c)
Support & communicationsRespond to requests; provide supportContract — 6(1)(b); Legitimate interests — 6(1)(f)
Marketing contact dataSend service and marketing communications (B2B)Legitimate interests / consent — 6(1)(f) / 6(1)(a)
Website & analytics (incl. cookies)Operate, secure, and improve the website, including self-hosted, privacy-friendly product analytics (OpenPanel) loaded only with consentConsent — 6(1)(a); Legitimate interests — 6(1)(f)
Security & log dataProtect the Service against abuse and fraudLegitimate interests — 6(1)(f)

4. Recipients and sub-processors

We share personal data only with service providers who help us run the Service, and only as needed. These include Anthropic (AI/LLM provider) and Qdrant (vector database), alongside [cloud hosting], [transactional email], and [payment processor]. The current list is maintained in the Sub-processors list.

5. International transfers

Where personal data is transferred outside the EEA, we rely on an appropriate safeguard, such as the European Commission's Standard Contractual Clauses (SCCs) or an adequacy decision. Details per provider are in the Sub-processors list.

6. Retention

We keep personal data only as long as necessary for the purposes above and to meet legal, accounting, and tax obligations, after which we delete or anonymise it:

  • account data — for the life of the account plus 90 days;
  • billing data — for 7 years (Belgian accounting law);
  • marketing data — until you object or withdraw consent.

7. Your rights

Subject to law, you may: access your data; rectify it; erase it; restrict or object to processing; obtain portability; and withdraw consent at any time (without affecting prior processing). To exercise these rights, contact [email protected].

You may also lodge a complaint with the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit / Autorité de protection des données), Drukpersstraat 35, 1000 Brussels, Belgium — [GBA contact / website].

8. Automated decision-making and AI

The Service uses AI to generate support responses. As controller, Replai does not use your personal data to make decisions producing legal or similarly significant effects on you by solely automated means. For AI processing of end-user conversation data, see the DPA. Output may be inaccurate and should be reviewed. Replai also tells End Users in the chat that they are interacting with an AI assistant, in line with Article 50 of the EU AI Act.

9. Security

We apply appropriate technical and organisational measures to protect personal data, described at a principles level in the DPA annex on technical and organisational measures.

10. Cookies

Our use of cookies and similar technologies is described in the Cookie Policy.

11. Changes

We may update this Policy and will post the revised version with a new "Last updated" date.