Privacy Policy

Effective May 18, 2026. Last updated May 18, 2026.

This Privacy Policy describes how ReplyBird ("we", "us") collects, uses, and protects information about you when you use the ReplyBird service (the "Service") at replybird.app. ReplyBird is currently operated by Quincy Hutchison, an individual sole proprietor located in Ghana. We intend to transfer operations to Voltari, Inc., a Delaware corporation, following its incorporation; your continued use of the Service following that transfer will constitute consent to the assignment of this Policy and the Terms of Service.

1. Information we collect

1.1 Account information

When you sign up, we collect your email address and any profile information you provide (name, organization, profession). We use Clerk Inc. to manage authentication; Clerk processes your password (if any), session tokens, and login history on our behalf.

1.2 Gmail content (processed on your behalf)

When you connect a Gmail account, we receive an OAuth token that lets us read messages and metadata from your inbox and sent folder, and send messages on your behalf. We use this access to provide the core functionality you signed up for:

  • Reading recent emails to categorize them for your digest
  • Reading your sent folder to build a private "voice profile" we use when drafting replies in your style
  • Generating reply drafts and, when you enable auto-send, sending replies you would otherwise type yourself
  • Extracting commitments you make in outbound emails so we can prompt follow-ups

1.3 Google API Services User Data Policy (Limited Use)

ReplyBird's use and transfer of information received from Google APIs to any other app will adhere to Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  • We do not use Gmail data to train, fine-tune, or otherwise improve any generalized or third-party machine-learning models, including the language models we use to draft replies.
  • We do not transfer Gmail data to third parties except (a) to the language model provider strictly to process the specific email you are acting on, (b) to provide or improve features you explicitly use, (c) to comply with applicable law, or (d) as part of an acquisition or insolvency event with notice to you.
  • We do not allow humans to read your email data except (a) with your explicit consent for a specific support issue you have raised, (b) for security purposes such as investigating abuse, (c) to comply with applicable law, or (d) where the data has been aggregated and anonymized.
  • We do not use Gmail data for serving advertisements.

1.4 Usage and operational data

We collect logs about how you use the Service (pages visited, features used, errors encountered) so we can operate, secure, and improve the Service. We collect billing identifiers from LemonSqueezy when you subscribe.

1.5 Cookies

We use strictly necessary cookies to keep you signed in (set by Clerk) and to remember subscription state. We do not use advertising cookies, cross-site tracking pixels, or third-party analytics that profile you.

2. How we use information

  • To provide and improve features you have signed up for
  • To send service-related communications (account, billing, security)
  • To detect and prevent abuse or fraud
  • To comply with legal obligations

We process Gmail content only to render the features above. We do not sell personal information, and we do not share it for marketing.

3. AI and automated decision-making

ReplyBird uses large language models (Claude by Anthropic) and embedding models (Voyage AI) to categorize emails and draft replies. These are tools to assist you; they do not make decisions about you. When auto-send is enabled, the Service may send a reply on your behalf based on classifier confidence; you control the categories that trigger auto-send and can disable it at any time. We disclose this so you can make an informed choice about using AI-assisted replies.

4. Sub-processors

We rely on the following third parties to operate the Service. See the sub-processors list for the current set and what each one accesses.

5. Data retention

  • Account data: retained while your account is active and for up to 90 days after deletion to handle disputes and comply with law.
  • Email content cache: recent inbound + sent emails cached for the lifetime of your Gmail connection. Wiped within 30 days of disconnecting Gmail or deleting your account.
  • Voice profile and embeddings: regenerated weekly from your sent folder; deleted with your account.
  • Billing records: retained for 7 years for tax purposes.

6. Security

  • All traffic uses TLS 1.2 or higher.
  • OAuth tokens for Gmail are encrypted at rest using AES-256-GCM with a key held outside the database.
  • Application data is stored on managed Postgres (Railway), with access restricted to least-privilege internal credentials.
  • We do not allow humans to read your Gmail content. Access is mediated by automated pipelines.

7. Your rights

7.1 Everyone

You can disconnect Gmail at any time from /app/settings, which revokes our access and triggers deletion of cached email content within 30 days. You can delete your account, which removes all personal data within 90 days (financial records retained as required by law).

7.2 European Economic Area, UK, and Switzerland (GDPR / UK GDPR)

If you are in the EEA, UK, or Switzerland, you have rights under GDPR including the right to access, correct, erase, restrict, or port your personal data, and to object to certain processing. Our legal bases are: (a) performance of a contract with you, (b) legitimate interest in operating and securing the Service, (c) consent for any processing we have specifically asked you to consent to, and (d) compliance with legal obligations. To exercise rights, contact us using the address below.

7.3 California (CCPA / CPRA)

California residents have the right to request the categories and specific pieces of personal information collected, the right to delete personal information, the right to correct, the right to opt out of any "sale" or "sharing" (we do neither), and the right not to be retaliated against for exercising these rights.

7.4 Ghana (Data Protection Act, 2012, Act 843)

Ghana residents have the right to access, correct, and request erasure of their personal data, and to complain to the Ghana Data Protection Commission.

8. International transfers

ReplyBird is operated from Ghana. Our infrastructure providers (Vercel, Railway, Anthropic, Voyage, Clerk, LemonSqueezy, Google) process data primarily in the United States and European Union. Where required, we rely on Standard Contractual Clauses or equivalent safeguards for transfers out of the EEA/UK.

9. Children

The Service is not directed to children under 16. We do not knowingly collect personal information from anyone under 16.

10. Changes to this Policy

We will post any material changes here with a new effective date. For material changes that reduce your rights, we will give at least 30 days' notice by email.

11. Contact

Privacy questions, requests, or complaints: legal@replybird.app.