This Privacy Policy explains how Replai handles personal data. It covers the activities where Replai decides why and how data is processed (Replai as controller) and explains, at a high level, the activities where Replai processes data on behalf of its business customers (Replai as processor).
1. Who we are
Controller: Replai, [registered address], Belgium · company number [company number].
Privacy contact: [email protected].
2. Controller vs. processor — who is responsible for what
2.1 Replai as controller. For the personal data of our own account holders, billing contacts, marketing/website visitors, and prospects, Replai decides the purposes and means of processing. This Privacy Policy governs those activities.
2.2 Replai as processor. For the end-user conversation data that our business customers route through the Service, the customer is the controller and Replai acts as a processor on the customer's documented instructions under the Data Processing Agreement. If you are an end user, please contact the relevant business (the customer) about how your conversation data is used.
3. Data we process as controller, purposes, and legal bases
| Category of data | Purpose | Legal basis (Art. 6 GDPR) |
|---|---|---|
| Account & identity (name, business email, credentials) | Create and manage your account; provide the Service | Contract — Art. 6(1)(b) |
| Billing & transaction data | Process payments, invoicing, tax compliance | Contract — 6(1)(b); Legal obligation — 6(1)(c) |
| Support & communications | Respond to requests; provide support | Contract — 6(1)(b); Legitimate interests — 6(1)(f) |
| Marketing contact data | Send service and marketing communications (B2B) | Legitimate interests / consent — 6(1)(f) / 6(1)(a) |
| Website & analytics (incl. cookies) | Operate, secure, and improve the website, including self-hosted, privacy-friendly product analytics (OpenPanel) loaded only with consent | Consent — 6(1)(a); Legitimate interests — 6(1)(f) |
| Security & log data | Protect the Service against abuse and fraud | Legitimate interests — 6(1)(f) |
4. Recipients and sub-processors
We share personal data only with service providers who help us run the Service, and only as needed. These include Anthropic (AI/LLM provider) and Qdrant (vector database), alongside [cloud hosting], [transactional email], and [payment processor]. The current list is maintained in the Sub-processors list.
5. International transfers
Where personal data is transferred outside the EEA, we rely on an appropriate safeguard, such as the European Commission's Standard Contractual Clauses (SCCs) or an adequacy decision. Details per provider are in the Sub-processors list.
6. Retention
We keep personal data only as long as necessary for the purposes above and to meet legal, accounting, and tax obligations, after which we delete or anonymise it:
- account data — for the life of the account plus 90 days;
- billing data — for 7 years (Belgian accounting law);
- marketing data — until you object or withdraw consent.
7. Your rights
Subject to law, you may: access your data; rectify it; erase it; restrict or object to processing; obtain portability; and withdraw consent at any time (without affecting prior processing). To exercise these rights, contact [email protected].
You may also lodge a complaint with the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit / Autorité de protection des données), Drukpersstraat 35, 1000 Brussels, Belgium — [GBA contact / website].
8. Automated decision-making and AI
The Service uses AI to generate support responses. As controller, Replai does not use your personal data to make decisions producing legal or similarly significant effects on you by solely automated means. For AI processing of end-user conversation data, see the DPA. Output may be inaccurate and should be reviewed. Replai also tells End Users in the chat that they are interacting with an AI assistant, in line with Article 50 of the EU AI Act.
9. Security
We apply appropriate technical and organisational measures to protect personal data, described at a principles level in the DPA annex on technical and organisational measures.
11. Changes
We may update this Policy and will post the revised version with a new "Last updated" date.