Privacy Policy

Instant Reply ("we," "us," "our," or "Company") is committed to protecting your privacy and the privacy of your customers. This Privacy Policy describes how we collect, use, disclose, and safeguard information when you use our omnichannel inbox platform and services (collectively, the "Services"). This policy applies to information collected through our website, application, and any related services.

By accessing or using our Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy and our Terms of Service. If you do not agree with the terms of this Privacy Policy, please do not access or use our Services.

1. DEFINITIONS AND KEY TERMS

For purposes of this Privacy Policy:

• "Personal Data" means any information relating to an identified or identifiable natural person.
• "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
• "Data Controller" means the entity that determines the purposes and means of processing Personal Data.
• "Data Processor" means the entity that processes Personal Data on behalf of the Data Controller.
• "Customer" means the business or organization that subscribes to our Services.
• "End User" means individuals who interact with our Customers through our platform (e.g., customers messaging your business).

2. OUR ROLE IN DATA PROCESSING

2.1 As Data Controller

For information we collect directly from you as our Customer (account information, billing information, usage data), we act as the Data Controller and determine how this information is processed.

2.2 As Data Processor

For End User data that you collect through our platform (customer messages, contact information, conversation data), you act as the Data Controller and we act as the Data Processor. You are responsible for ensuring you have appropriate legal bases to collect and process End User data, and for providing End Users with appropriate privacy notices.

3. INFORMATION WE COLLECT

3.1 Customer Account Information

When you register for our Services, we collect:

• Full name and business name
• Email address and phone number
• Billing address and payment information (processed through third-party payment processors)
• Company information (industry, size, location)
• Authentication credentials (encrypted)

3.2 End User Data (Processed on Your Behalf)

When End Users interact with you through our platform, we process:

• Messages and conversation content (text, images, attachments)
• Contact information (names, phone numbers, social media handles)
• Metadata (timestamps, read receipts, delivery status)
• Platform-specific identifiers (Instagram user IDs, WhatsApp numbers, etc.)
• Any custom fields or tags you create within the platform

3.3 Usage and Technical Data

We automatically collect:

• Device information (type, operating system, browser type and version)
• IP address and general location data
• Log data (access times, pages viewed, actions taken)
• Performance metrics and error reports
• Feature usage statistics and interaction data

3.4 Cookies and Tracking Technologies

We use cookies, web beacons, and similar tracking technologies to enhance user experience, analyze usage patterns, and improve our Services. See our Cookie Policy for detailed information.

4. HOW WE USE YOUR INFORMATION

4.1 Customer Data

We use Customer information to:

• Provide, maintain, and improve our Services
• Process transactions and send related information (invoices, renewal notices)
• Respond to customer support requests and technical issues
• Send administrative information, updates, and security alerts
• Detect, prevent, and address fraud, security issues, or technical problems
• Comply with legal obligations and enforce our agreements
• Conduct analytics and research to improve our platform
• Send marketing communications (with your consent, where required)

4.2 End User Data

We process End User data solely to provide Services to you. We do not use End User data for our own marketing purposes or sell it to third parties. Your instructions govern how we process End User data, subject to applicable law.

5. LEGAL BASES FOR PROCESSING (GDPR)

We process Personal Data based on the following legal grounds:

• Contract Performance: Processing necessary to provide Services under our agreement with you
• Legitimate Interests: Improving our Services, preventing fraud, ensuring security, and conducting analytics
• Legal Obligation: Complying with applicable laws, regulations, and legal processes
• Consent: Where required by law (e.g., marketing communications), which you may withdraw at any time

6. HOW WE SHARE YOUR INFORMATION

6.1 Service Providers

We share data with trusted third-party service providers who assist us in operating our Services:

• Cloud infrastructure providers (AWS, DigitalOcean)
• Payment processors (Stripe, PayPal)
• Email and communication service providers
• Analytics and monitoring tools
• Customer support platforms

All service providers are contractually obligated to maintain data confidentiality and security, and may only use data to perform services on our behalf.

6.2 Social Media Platforms

Our Services integrate with third-party platforms (Instagram, WhatsApp, Facebook Messenger, TikTok, Reddit). When you connect these integrations, we access and process data according to each platform's API terms and your authorization. We are not responsible for the privacy practices of these third-party platforms.

6.3 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of assets, your information may be transferred to the acquiring entity. We will notify you via email and/or prominent notice on our website before any such transfer.

6.4 Legal Requirements

We may disclose information when we believe in good faith that disclosure is necessary to:

• Comply with legal obligations, court orders, or government requests
• Enforce our Terms of Service or other agreements
• Protect our rights, property, or safety, or that of our customers or the public
• Detect, prevent, or address fraud, security, or technical issues
• Protect against legal liability

6.5 Aggregated and De-Identified Data

We may share aggregated or de-identified information that cannot reasonably be used to identify you or End Users for research, analytics, marketing, or other business purposes.

7. DATA RETENTION

7.1 Customer Data

We retain your account information for as long as your account is active or as needed to provide Services. Following account termination, we retain data for up to 90 days for recovery purposes, then securely delete or anonymize it unless legally required to retain it longer.

7.2 End User Data

End User data is retained according to your instructions and settings within the platform. Upon your request, we will delete End User data within 30 days, except where retention is required by law or to resolve disputes.

7.3 Backups

Deleted data may persist in backup systems for up to 90 days. Backup data is encrypted and stored securely, accessible only for disaster recovery purposes.

8. DATA SECURITY

We implement industry-standard security measures to protect your information:

• Encryption in transit (TLS 1.3) and at rest (AES-256)
• Multi-factor authentication for account access
• Regular security audits and vulnerability assessments
• Role-based access controls and principle of least privilege
• Secure development practices and code reviews
• Intrusion detection and prevention systems
• Regular backups with geographic redundancy
• Employee security training and background checks

However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials.

9. INTERNATIONAL DATA TRANSFERS

Our Services are operated from the United Arab Emirates. If you are located in the European Economic Area (EEA), United Kingdom, Switzerland, or other regions with data protection laws, your information may be transferred to and processed in countries that may not provide the same level of data protection as your jurisdiction.

When transferring data internationally, we use appropriate safeguards, including:

• Standard Contractual Clauses approved by the European Commission
• Data Processing Agreements with adequate data protection provisions
• Compliance with applicable data transfer mechanisms and regulations

10. YOUR PRIVACY RIGHTS

Depending on your location and applicable law, you may have the following rights regarding your Personal Data:

• Access: Request a copy of the Personal Data we hold about you
• Rectification: Correct inaccurate or incomplete Personal Data
• Erasure: Request deletion of your Personal Data ("right to be forgotten")
• Restriction: Request limitation of how we process your Personal Data
• Portability: Receive your Personal Data in a structured, machine-readable format
• Objection: Object to processing based on legitimate interests or for direct marketing
• Withdraw Consent: Withdraw consent for processing where consent is the legal basis
• Lodge a Complaint: File a complaint with your local data protection authority

To exercise these rights, contact us at privacy@instantreply.co. We will respond to your request within 30 days (or as required by applicable law). We may require verification of your identity before processing your request.

For End Users: If you are an End User and wish to exercise privacy rights regarding data our Customer has collected about you, please contact the Customer directly. We process this data on their behalf and can only act upon their instructions.

California Residents: Under the California Consumer Privacy Act (CCPA), you have additional rights, including the right to know what Personal Data we collect, the right to opt-out of sales (we do not sell Personal Data), and the right to non-discrimination for exercising your rights.

11. CHILDREN'S PRIVACY

Our Services are not intended for individuals under the age of 18. We do not knowingly collect Personal Data from children. If you believe we have inadvertently collected information from a child, please contact us immediately at privacy@instantreply.co, and we will promptly investigate and delete such information.

12. THIRD-PARTY LINKS AND SERVICES

Our Services may contain links to third-party websites, applications, or services. We are not responsible for the privacy practices of these third parties. We encourage you to read the privacy policies of any third-party services you access through our platform.

13. DATA BREACH NOTIFICATION

In the event of a data breach that compromises the security of Personal Data, we will notify affected individuals and relevant supervisory authorities within 72 hours of becoming aware of the breach, as required by applicable law. Notifications will include the nature of the breach, the data affected, and steps being taken to address it.

14. DO NOT TRACK SIGNALS

Some web browsers have a "Do Not Track" (DNT) feature. Because there is no common understanding of how to interpret DNT signals, our Services do not currently respond to browser DNT signals. However, you can manage cookies and tracking through your browser settings or our Cookie Consent Manager.

15. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

• Update the "Last Updated" date at the top of this policy
• Provide notice via email to your registered email address
• Display a prominent notice on our website or within the application

Your continued use of our Services after the effective date of the updated Privacy Policy constitutes acceptance of the changes. If you do not agree to the updated policy, you must stop using our Services and may request deletion of your account.

17. ACKNOWLEDGMENT