Privacy Policy
Last updated: May 5, 2026
Automate Anything LLC, doing business as Reply Flow ("Reply Flow", "we", "us", or "our"), provides a shared inbox where teams and AI agents handle customer messages across WhatsApp, email, and other connected channels. This Privacy Policy explains what information we collect, how we use it, who we share it with, and the rights you have over your data. It applies to replyflowapp.ai, platform.replyflowapp.ai, and all related services (collectively, the "Service").
1. Who we are
The Service is operated by Automate Anything LLC (DBA Reply Flow), a limited liability company organised in the United States. You can reach us at [email protected] for any privacy-related question, request, or complaint.
2. Information we collect
2.1 Account information
When you create a Reply Flow account we collect your name, email address, and a password (stored as a salted hash). If you sign up via Google, we receive your Google account email and name through OAuth.
2.2 Connected account data (Gmail, WhatsApp, and other integrations)
Reply Flow only works if you connect at least one messaging account. When you connect an account, we store the OAuth access token, refresh token, and token expiry so we can keep the connection active on your behalf. The specific data we receive depends on which integration you connect:
Gmail
Reply Flow uses the following Google API scopes:
- https://www.googleapis.com/auth/gmail.modify — to read incoming messages, show them in your Reply Flow inbox, send replies and new messages on your behalf, mark messages as read, apply or remove labels, and move messages between folders. We do not permanently delete your Gmail messages.
- https://www.googleapis.com/auth/userinfo.email — to identify which Gmail address you connected so we can route replies and audit activity.
From your Gmail account we store: message subjects; the HTML and plaintext bodies of incoming and outgoing emails; sender, recipient, CC, and BCC addresses; RFC 5322 identifiers (Message-ID, In-Reply-To, References) needed for threading; Gmail label IDs (such as INBOX, SENT, SPAM); and timestamps. We store this information to render conversations inside Reply Flow, to help AI agents draft accurate replies in context, and to keep an auditable history of messages your team and agents have sent.
WhatsApp (via Whapi)
Reply Flow connects to WhatsApp through our messaging provider, Whapi. We store the message text, sender phone number, contact display name, and timestamps for messages received on, and sent from, your connected WhatsApp number(s). We do not access WhatsApp accounts you have not explicitly connected to Reply Flow.
Other integrations
If you connect other integrations, Reply Flow requests only the scopes needed for each feature:
- Slack — read channel and DM history, post messages, and read user profiles for tagging.
- Google Sheets & Drive — read-only access to specific spreadsheets you select, used as a knowledge source for AI agents.
- Shopify — read access to products, orders, customers, inventory, content, shipping, price rules, and discounts so AI agents can answer order-related questions, plus the ability to create draft orders and orders when you enable order-taking. We honour Shopify's mandatory customer-data-erasure and shop-redaction requests automatically.
- WooCommerce — read and write access to product, order, and customer data for the same purpose.
- Airtable — read-only access to records and base schema for selected bases used as a knowledge source.
2.3 Content you create inside Reply Flow
We store the contacts, conversations, notes, tags, AI agent configurations, knowledge sources, prompts, message templates, and any other content you create in the Service.
2.4 Billing information
Subscriptions are processed by Stripe. We do not see or store your full card number; we only receive the billing metadata Stripe returns to us (name, country, last four digits of the card, subscription status, invoice records).
2.5 Technical information
Our servers automatically log IP addresses, user-agent strings, request paths, and timestamps for security, debugging, and abuse prevention. We do not run third-party analytics, advertising trackers, or behavioural-tracking cookies on the marketing site or the app.
3. How we use your information
We use the information described above only to:
- Operate the Service — display your inbox, deliver and send messages, run AI agents you have configured, and sync state with connected accounts.
- Authenticate you and keep your connected accounts authorised (refreshing OAuth tokens before they expire).
- Bill your subscription and prevent fraud.
- Diagnose errors, monitor service health, and protect against abuse.
- Send transactional notifications (security alerts, billing receipts, product status emails). We do not send marketing email to addresses imported from your connected inboxes.
- Comply with legal obligations.
4. Google API user data: Limited Use disclosure
Reply Flow's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- We use Google user data only to provide and improve the user-facing features of Reply Flow that are visible in the product (your inbox, AI-drafted replies, threading, and sending).
- We do not use Google user data to serve advertisements.
- We do not use Google user data to train, fine-tune, or otherwise develop generalised or third-party AI/ML models. AI replies are generated by sending the relevant message context to Anthropic and OpenAI through their standard APIs, which contractually do not train on API content by default. Reply Flow does not opt in to any data-training program.
- We do not sell Google user data, and we do not transfer it to third parties except the sub-processors listed in section 6 below, and only to the extent strictly necessary to operate the Service, comply with applicable law, or protect against fraud or abuse.
- Human access to Google user data is restricted to (a) you and the team members you invite to your Reply Flow workspace, (b) a small number of Reply Flow engineers under strict confidentiality obligations, only when required to debug a specific issue you reported or to enforce our terms, and (c) where required by law.
5. Legal bases for processing (EEA, UK, Switzerland)
If you are in the EEA, UK, or Switzerland, we rely on the following legal bases:
- Performance of a contract — to provide the Service you signed up for.
- Legitimate interests — to secure the Service, prevent abuse, and improve product quality.
- Consent — when you connect a third-party account, you give explicit consent (via the OAuth screen) for us to access the data described in section 2.2. You can withdraw consent at any time by disconnecting the account in Reply Flow.
- Legal obligation — when we must retain or disclose data to comply with the law.
6. Sub-processors and third-party services
We share data with the following sub-processors, each only to the extent needed to operate the Service:
- Supabase (database, authentication, file storage) — stores all customer data at rest.
- Render (application hosting) — runs the Reply Flow servers.
- Anthropic (Claude API) — generates AI replies and classifications. Message context is sent at request time and is not used to train Anthropic's models.
- OpenAI (embeddings and language models) — generates vector embeddings for knowledge retrieval and, in some cases, AI replies. API content is not used to train OpenAI's models.
- Google Cloud (Pub/Sub, Gmail API) — receives Gmail push notifications so new messages appear in Reply Flow in real time.
- Whapi (WhatsApp gateway) — provisions and operates the WhatsApp connection.
- Stripe (payments) — processes subscriptions, invoices, and refunds.
We do not sell your personal information, and we do not share it with advertising networks or data brokers.
7. International data transfers
Reply Flow is operated globally and our sub-processors operate in multiple jurisdictions including the United States and the European Union. Where personal data is transferred out of the EEA, UK, or Switzerland, we rely on Standard Contractual Clauses or equivalent safeguards offered by each sub-processor.
8. Data retention
- Account and content data — kept for as long as your Reply Flow account is active, plus up to 30 days after you delete the account, to allow recovery from accidental deletions.
- Connected account data — when you disconnect a Gmail, WhatsApp, or other integration, the OAuth tokens are revoked immediately. The historical messages already imported into your Reply Flow workspace remain in the workspace until you delete them or close your account.
- Pending OAuth flows — abandoned OAuth flows (where you start connecting an account but never finish) are automatically purged within 30 minutes.
- WhatsApp pending channels — pending WhatsApp pairings that you cancel are deleted upstream from Whapi automatically through a background job.
- Billing records — invoice and subscription records are retained for as long as required by tax law (typically seven years).
- Server logs — operational logs are retained for up to 30 days.
9. Security
We protect your data with TLS in transit and AES-256 at rest. OAuth tokens are stored in a Postgres database with row-level security so that one workspace cannot access another's data. Access by Reply Flow staff is limited, audited, and requires a documented support or engineering need. We will notify affected customers without undue delay if we discover a personal-data breach that materially affects them.
10. Your rights
Depending on where you live, you may have the right to:
- Access the personal data we hold about you.
- Correct inaccurate personal data.
- Delete your account and associated personal data.
- Export your data in a portable format.
- Object to or restrict certain processing.
- Withdraw consent for any integration by disconnecting it inside the app.
- Lodge a complaint with your local data-protection authority.
To exercise any of these rights, email [email protected]. You can also revoke Reply Flow's access to your Google account at any time at myaccount.google.com/permissions.
11. Children's privacy
Reply Flow is a business product intended for users aged 16 and over. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us so we can delete it.
12. Cookies
The marketing site at replyflowapp.ai does not set tracking cookies. The application at platform.replyflowapp.ai sets a small number of strictly necessary cookies and tokens required to keep you signed in and to protect against cross-site request forgery. We do not use third-party advertising cookies.
13. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date above and, where appropriate, notify you by email or through the app. Continued use of the Service after a change becomes effective constitutes acceptance of the updated policy.
14. Contact
Questions, requests, or complaints? Email [email protected].