Privacy Policy
Last updated: 22 April 2026 · Effective immediately.
1. Who we are
ReplyAI is a product operated by TroveDeck Solution, a company registered in Malaysia. You can reach us at [email protected]. When we say "we", "us", or "ReplyAI" below, we mean TroveDeck Solution operating the ReplyAI service at replyai.trovedeck.com.
2. What this policy covers
This policy explains what personal data we collect when you use ReplyAI, why we collect it, how we store it, who we share it with, and the rights you have over it. It applies to the ReplyAI web application, marketing website, and any related emails.
3. Data we collect
3.1 Account data (from you)
- Your name and email address (from your Google account when you sign in)
- Business name and preferred reply tone settings (from you)
- Billing details (handled entirely by Stripe; we never see your card number)
3.2 Google Business Profile data (from Google APIs, with your consent)
When you sign in with Google and grant the business.manage scope, ReplyAI accesses data from your Google Business Profile on your behalf. Specifically:
- The list of business accounts and locations you manage
- Reviews posted to your locations (reviewer display name, star rating, review text, timestamp, language)
- Existing replies to those reviews
- When you approve a draft, the reply text we post back to Google on your behalf
3.3 Usage data (automatically)
- Server logs: IP address, browser type, pages visited, timestamps — retained 30 days for security and diagnostics
- Error reports (no review content included)
4. How we use Google user data
ReplyAI's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
We use Google Business Profile data only to:
- Display your unreplied reviews to you inside ReplyAI
- Generate AI reply drafts in the reviewer's language, which we show to you for approval
- Post replies back to Google on your explicit instruction (you click Post)
- Show you basic analytics about your reply rate and review trends
We do not transfer Google user data to third parties except as strictly necessary to provide the service (for example, sending review text to our AI provider for draft generation — see §6), for security or legal compliance, or as part of a merger/acquisition with equivalent protections. We do not use Google user data for advertising. We do not allow humans to read it, except (a) with your explicit consent, (b) for security investigations, (c) to comply with applicable law, or (d) where the data has been aggregated and anonymised.
5. Legal basis (GDPR / PDPA)
- Contract: processing is necessary to provide the service you signed up for.
- Consent: for the Google Business Profile OAuth scope, which you can revoke any time at myaccount.google.com/permissions.
- Legitimate interest: security logging and fraud prevention.
6. Who we share data with
We share data only with subprocessors needed to operate ReplyAI:
- Supabase (database and authentication hosting)
- Groq and/or Google Gemini API (AI reply generation — the review text and your tone settings are sent; results are not retained by the provider for training when we use their paid tiers)
- Stripe (payments)
- Vercel and Cloudflare (hosting and CDN)
- Resend (transactional email)
Each subprocessor is bound by contract to handle data only to provide their service to us. We do not sell your data.
7. How long we keep data
- Reviews fetched from Google: cached up to 30 days, then auto-deleted (we refetch live when needed).
- Generated reply drafts: stored until you publish or discard them; discarded drafts are deleted within 7 days.
- Account data: kept while your account is active; deleted within 30 days of account closure.
- Billing records: kept 7 years as required by tax law.
8. Security
- All data encrypted in transit (TLS 1.2+) and at rest (AES-256).
- OAuth tokens encrypted with a key only our application can access.
- Strict access controls; only named operators at TroveDeck Solution can access production systems, and only when investigating specific issues.
- Automatic daily backups retained for 30 days, weekly for 3 months.
9. Your rights
You can:
- See what data we hold on you
- Export it in machine-readable form
- Correct anything inaccurate
- Delete your account and all associated data
- Revoke ReplyAI's access to your Google Business Profile at any time via Google account permissions
To exercise any of these, email [email protected]. We respond within 30 days.
10. International transfers
Our servers and subprocessors may be located outside Malaysia (including the EU, US, and Singapore). Where required by law we rely on Standard Contractual Clauses or equivalent safeguards.
11. Children
ReplyAI is not intended for anyone under 16. We do not knowingly collect data from children.
12. Changes
If we change this policy materially, we will email you at least 14 days before the change takes effect. Minor clarifications may be made without notice; the "Last updated" date above always reflects the current version.
13. Contact
Questions, requests, or complaints: [email protected]
TroveDeck Solution · Malaysia