Privacy Policy
This Privacy Policy describes how InstantReply (“we,” “us,” or “our”) collects, uses, stores, and discloses information about you when you use our website and platform (collectively, the “Service”). By using the Service, you agree to the practices described in this policy.
Last updated: April 18, 2026 | Effective date: April 18, 2026
1. Who we are
InstantReply is an AI-powered omnichannel inbox platform that helps businesses manage customer conversations across WhatsApp, Instagram, email, and other channels. We are the data controller for personal data collected through our marketing site and the data processor for customer conversation data processed on behalf of our business customers (“Customers”).
Contact: privacy@instantreply.co
2. Information we collect
2.1 Information you provide
- Account data: name, email address, password (hashed), organization name, and billing contact details when you register.
- Payment data: billing address and payment method details. Card numbers are handled exclusively by Stripe and are never stored on our servers.
- Communications: messages you send to our support team or through contact forms.
- Integration credentials: API keys and OAuth tokens for third-party channels you connect. These are encrypted at rest using AES-GCM.
2.2 Information collected automatically
- Usage data: pages visited, features used, session duration, and in-app actions.
- Device and browser data: IP address, browser type and version, operating system, and referring URLs.
- Log data: server-side request logs, error reports, and performance signals.
- Cookies and tracking: as described in our Cookie Policy.
2.3 Customer conversation data
When Customers use the platform, we process conversation data on their behalf (messages, contact records, attachments). This data belongs to the Customer. We process it only as instructed and do not use it for our own marketing or product development without explicit consent.
3. How we use your information
- Providing, operating, and improving the Service.
- Processing payments and managing billing, subscriptions, and entitlements.
- Sending transactional emails (account confirmations, receipts, security alerts).
- Sending product and marketing communications where you have opted in or where we have a legitimate interest, with opt-out available at any time.
- Providing customer support and responding to inquiries.
- Monitoring for fraud, abuse, and security threats, and enforcing our Terms of Service and Acceptable Use Policy.
- Complying with applicable laws, regulations, and valid legal requests (subpoenas, court orders).
- Aggregating and anonymizing data for internal analytics and product improvement.
4. Legal basis for processing
4.1 GDPR and UK GDPR (EEA and UK users)
If you are located in the European Economic Area (EEA) or United Kingdom, we process your personal data under the following legal bases:
- Contract performance (Art. 6(1)(b)): to deliver the Service you signed up for, process payments, and manage your account.
- Legitimate interests (Art. 6(1)(f)): fraud prevention, security monitoring, improving the Service, and sending direct marketing communications to existing customers. We have conducted and documented a Legitimate Interest Assessment (LIA) for each purpose to confirm our interests are not overridden by your rights. You may object to legitimate interest processing at any time by contacting privacy@instantreply.co.
- Legal obligation (Art. 6(1)(c)): retaining financial records for statutory periods, responding to lawful government requests, and complying with court orders.
- Consent (Art. 6(1)(a)): optional analytics cookies and promotional emails to prospects. You may withdraw consent at any time without affecting the lawfulness of prior processing.
4.2 UAE Federal Decree-Law No. 45 of 2021 (PDPL)
InstantReply is based in Abu Dhabi, United Arab Emirates and complies with the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021 and its Executive Regulations). We process personal data only where we have a lawful basis under the PDPL, including where processing is necessary to perform a contract, to comply with a legal obligation, to protect vital interests, or where you have given explicit consent. UAE residents may exercise their data rights by contacting privacy@instantreply.co.
4.3 CCPA/CPRA (California users)
See Section 9 for California-specific rights and disclosures.
5. How we share your information
We do not sell your personal data. We share it only in the following circumstances:
- Service providers (subprocessors): Supabase (database and auth), Stripe (billing), Google Analytics (website analytics), Vercel (hosting and analytics), Meta (WhatsApp and Instagram channel delivery), and Sentry (error monitoring). Each subprocessor is bound by data processing agreements.
- Business transfers: if we merge with or are acquired by another company, your data may transfer as part of that transaction. We will notify you with at least 30 days' notice.
- Legal requirements: to comply with a legal obligation, protect our rights, or prevent fraud or harm.
- With your consent: for any other purpose you explicitly authorize.
6. International data transfers
Our subprocessors may store and process data in the United States and other countries. Where data is transferred outside the EEA or UK, we rely on Standard Contractual Clauses (SCCs) or other approved transfer mechanisms to ensure an adequate level of protection.
7. Data retention
- Account data: retained for the life of your account plus up to 90 days after deletion to allow for recovery and dispute resolution.
- Billing records: retained for 7 years to comply with financial regulations.
- Conversation data: retained per your workspace configuration. Customers can delete conversations at any time through the platform.
- Server logs: retained for up to 90 days, then purged or anonymized.
- Backups: encrypted backups may persist for up to 30 days after deletion before being overwritten.
8. Your rights
Depending on your location, you may have the following rights regarding your personal data:
- Access: request a copy of the personal data we hold about you.
- Correction: request correction of inaccurate or incomplete data.
- Deletion: request deletion of your personal data, subject to legal retention requirements. See our Data Deletion page.
- Portability: receive your data in a structured, machine-readable format.
- Restriction and objection: restrict or object to certain types of processing, including direct marketing.
- Withdraw consent: where processing is based on consent, you may withdraw it at any time without affecting prior processing.
- Lodge a complaint: you have the right to complain to your local data protection authority.
To exercise any of these rights, email privacy@instantreply.co. We will respond within 30 days.
9. California residents (CCPA/CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
- Right to know: the categories and specific pieces of personal information we collect, use, disclose, and sell.
- Right to delete: request deletion of personal information we have collected, subject to legal exceptions.
- Right to correct: request correction of inaccurate personal information.
- Right to opt out of sale or sharing: we do not sell or share personal information for cross-context behavioral advertising. No opt-out is currently required, but you may contact us to confirm.
- Right to limit sensitive data use: we do not use or disclose sensitive personal information beyond the purposes permitted under CPRA Section 7027(m).
- Right to non-discrimination: we will not discriminate against you for exercising any of these rights.
To submit a verifiable CCPA/CPRA request, email privacy@instantreply.co with the subject line “CCPA Request.” We will respond within 45 days, with a possible 45-day extension where reasonably necessary.
10. Security
We implement technical and organizational measures to protect your data, including encryption at rest and in transit, role-based access controls, webhook signature verification, CSRF protections, and structured logging with secret redaction. No system is perfectly secure. If you discover a security issue, report it to security@instantreply.co.
11. Children's privacy
The Service is intended for business use and is not directed at children under 16. We do not knowingly collect personal data from children. If we become aware that we have done so, we will delete it promptly.
12. Changes to this policy
We may update this policy periodically. For material changes, we will notify you by email or by a prominent notice in the platform at least 14 days before the change takes effect. Continued use of the Service after the effective date constitutes acceptance of the updated policy.
13. Contact us
For any privacy-related questions, data subject requests, or concerns about this policy, contact our privacy team:
Privacy email: privacy@instantreply.co
Security disclosures: security@instantreply.co
Legal: legal@instantreply.co
Mailing address:
InstantReply
Attn: Privacy
Abu Dhabi, United Arab Emirates
We aim to respond to all privacy requests within 30 days. If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority.