Privacy Policy

1. Introduction and Scope

REPLR, Inc. ("REPLR," "we," "us," or "our") is a corporation organized under the laws of the State of Delaware, United States. We operate the REPLR.ai platform (the "Service"), an AI companion platform that enables users to engage in text and voice conversations with artificial intelligence characters.

This Privacy Policy ("Policy") describes how we collect, use, disclose, and otherwise process personal data when you access or use our website at replr.ai, our applications, and any related services (collectively, the "Service"). This Policy also explains your rights regarding your personal data and how to exercise them.

For the purposes of the EU General Data Protection Regulation ("GDPR"), REPLR, Inc. is the data controller responsible for your personal data. For the purposes of the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA"), REPLR, Inc. is the business that determines the purposes and means of processing your personal information.

By accessing or using the Service, you acknowledge that you have read and understood this Policy. If you do not agree with our data practices described herein, please do not use the Service.

2. Information We Collect

2.1 Information You Provide

We collect personal data that you voluntarily provide when you create an account, use the Service, or otherwise communicate with us:

Account Information: When you register, we collect your email address, display name, and password. You may optionally provide a profile avatar, date of birth, and gender.
Conversation Content: Messages, prompts, and other content you submit during conversations with AI companions are stored to provide conversation history and memory features.
Voice Data: If you use voice features, we process audio recordings of your speech for speech-to-text transcription and generate audio responses using text-to-speech synthesis.
Payment Information: When you purchase a subscription or other paid features, payment card details and billing information are collected and processed by our payment processor, Stripe, Inc. We do not store your full payment card number on our servers.
Communications: If you contact us for support or other inquiries, we collect the content of your communications, your email address, and any other information you choose to provide.
User-Generated Content: Character configurations, shared conversation links, and any other content you create or publish on the Service.

2.2 Information Collected Automatically

When you access or use the Service, we automatically collect certain information about your device and usage:

Usage Data: Pages viewed, features used, session duration, conversation frequency, and interaction patterns with AI companions.
Device Information: Browser type and version, operating system, device type, screen resolution, and language preferences.
Log Data: IP address, access timestamps, referring URLs, and HTTP request metadata. For analytics purposes, IP addresses are hashed using SHA-256 before storage, rendering them pseudonymized.
Cookies and Similar Technologies: We use cookies, local storage, and similar technologies as described in Section 10 and our Cookie Policy.

2.3 Information from Third Parties

We may receive personal data from third-party sources, including:

OAuth Providers: If you choose to sign in using Google or Discord, we receive your name, email address, and profile avatar from the respective provider, as authorized by you during the OAuth consent flow.
Payment Processors: Stripe provides us with transaction confirmations, subscription status, and limited billing details (such as the last four digits of your payment card and billing postal code) necessary to maintain your account.

3. How We Use Your Information

We process your personal data for the purposes described below. For users in the European Economic Area ("EEA"), United Kingdom, or Switzerland, we have identified the legal basis under the GDPR (Article 6(1)) for each processing activity:

Purpose	Data Used	Legal Basis (GDPR Art. 6)
Provide and operate the Service, including AI conversation generation and memory features	Account data, conversation content, voice data	Performance of contract (Art. 6(1)(b))
Process payments and manage subscriptions	Email, billing information (via Stripe)	Performance of contract (Art. 6(1)(b))
Authenticate your identity and secure your account	Email, password hash, OAuth tokens, JWT session tokens	Performance of contract (Art. 6(1)(b))
Improve and optimize the Service, including AI model quality and safety	Usage data, aggregated conversation metadata	Legitimate interest (Art. 6(1)(f))
Analyze usage trends and generate aggregated analytics	Hashed IP addresses, page views, device data	Legitimate interest (Art. 6(1)(f))
Prevent fraud, abuse, and enforce our Terms of Service	IP addresses, usage patterns, account data	Legitimate interest (Art. 6(1)(f))
Send transactional communications (account verification, password resets, billing receipts)	Email address	Performance of contract (Art. 6(1)(b))
Send marketing communications and product updates	Email address, usage preferences	Consent (Art. 6(1)(a))
Respond to your support inquiries and legal requests	Communications content, account data	Performance of contract / Legal obligation (Art. 6(1)(b), (c))
Comply with applicable laws, regulations, and legal processes	As required by the specific obligation	Legal obligation (Art. 6(1)(c))

Where we rely on legitimate interest as a legal basis, we have conducted a balancing test to ensure that our interests do not override your fundamental rights and freedoms. You may request a copy of this assessment by contacting us.

4. AI Data Processing

The core functionality of REPLR involves processing your inputs through artificial intelligence systems. This section provides specific transparency regarding how your data is handled during AI processing, in accordance with GDPR Article 13(2)(f) regarding automated decision-making.

4.1 Conversation Processing

When you send a message to an AI companion, the following data may be transmitted to our AI sub-processors for response generation:

Your current message and relevant conversation history (context window);
Your display name and relevant profile attributes necessary for personalization (e.g., preferred name, gender if provided);
System-level instructions that define the AI character's persona and behavioral constraints.

Your email address, password, payment information, and IP address are never transmitted to AI sub-processors.

4.2 AI Processing

We use our proprietary AI processing infrastructure for generating conversational responses. Certain auxiliary features, such as intent classification and content analysis, may be processed by additional internal language model services. Data processed by our AI infrastructure is governed by strict internal data handling policies, which prohibit the use of your data for model training or any purpose other than providing the requested inference service.

4.3 Voice Processing

Voice interactions involve two additional processing systems:

Our speech recognition system receives your audio input for speech-to-text transcription. Audio is processed in real time and is not persistently stored after transcription is complete.
Our voice synthesis engine receives text output for text-to-speech synthesis. Text inputs are processed to generate audio and are not persistently stored after synthesis is complete.

4.4 Memory and Learning

REPLR stores conversation memories to enhance the continuity and personalization of your AI interactions. Extracted memory facts (such as your stated preferences, interests, and biographical details you share) are stored in our database using vector embeddings. These memories are used solely to improve your experience and are not shared with other users. You may view, export, and delete your stored memories at any time through your account settings.

4.5 No Automated Decision-Making with Legal Effects

We do not use your personal data for automated decision-making that produces legal effects or similarly significant effects concerning you within the meaning of GDPR Article 22. AI-generated responses are conversational outputs and do not constitute decisions affecting your legal rights or obligations.

5. Sub-Processors

Pursuant to GDPR Article 28, we engage the following sub-processors to assist in providing the Service. Each sub-processor is bound by a data processing agreement that imposes obligations consistent with this Policy:

Sub-Processor	Purpose	Data Categories Processed	Location
AI Processing Provider	Conversation and response generation	Conversation content, display name, character system prompts	United States
AI Analysis Provider	Intent classification, content analysis, auxiliary AI features	Message content, conversation context	United States
Voice Processing Provider	Text-to-speech synthesis	AI-generated text responses	United States
Speech Processing Provider	Speech-to-text transcription	User audio input	United States
Stripe, Inc.	Payment processing, subscription management	Billing name, email, payment card details, billing address	United States
Google (OAuth)	Authentication provider	Name, email, profile photo (user-authorized)	United States
Discord (OAuth)	Authentication provider	Username, email, avatar (user-authorized)	United States

We maintain an up-to-date list of sub-processors. We will notify you of any material changes to this list via the methods described in Section 14. If you object to a new sub-processor, you may terminate your account in accordance with our Terms of Service.

We do not sell, rent, or trade your personal data. We do not share your personal data with third parties for their own marketing purposes. We may disclose your personal data only in the following circumstances:

Service Providers and Sub-Processors: We share data with the sub-processors listed in Section 5 solely for the purposes of providing and improving the Service, subject to contractual data processing agreements.
Legal Requirements: We may disclose your personal data if required to do so by law, regulation, legal process, or enforceable governmental request, including to meet national security or law enforcement requirements.
Protection of Rights: We may disclose personal data where we believe it is necessary to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the safety of any person, violations of our Terms of Service, or as evidence in litigation in which we are involved.
Business Transfers: In connection with, or during negotiations of, any merger, acquisition, sale of assets, financing, or transfer of all or a portion of our business to another entity, your personal data may be transferred as part of the transaction. We will notify you via email and/or prominent notice on the Service of any change in ownership or uses of your personal data.
With Your Consent: We may share your personal data with third parties when you have provided explicit consent to do so (e.g., publishing a shared conversation link).
Aggregated or De-Identified Data: We may share aggregated, anonymized, or de-identified data that cannot reasonably be used to identify you for any purpose, including research, analytics, and business intelligence.

7. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law. The specific retention periods are as follows:

Data Category	Retention Period	Notes
Account information	Until account deletion	Deleted within 30 days of account deletion request
Conversation content and memories	Until account deletion or manual deletion	Users may delete individual conversations or all data at any time
Voice audio data	Processed in real time and discarded	Audio is not persistently stored; only transcriptions are retained as conversation content
Analytics data (hashed IPs, page views)	90 days	Automatically purged; IP addresses stored only in SHA-256 hashed form
Server and application logs	30 days	Automatically rotated and purged
Payment and billing records	As required by applicable tax and financial regulation	Typically 7 years for tax compliance; card details stored by Stripe only
Support communications	2 years after resolution	May be retained longer if related to an ongoing legal matter
Guest session data	24 hours	Temporary, automatically purged; see Section 13

Upon account deletion, we will delete or anonymize your personal data within 30 calendar days, except where retention is required by applicable law (e.g., financial records for tax compliance) or necessary for the establishment, exercise, or defense of legal claims. Backup copies may persist in encrypted form for up to an additional 90 days before being permanently purged.

8. International Data Transfers

REPLR is based in the United States, and your personal data is primarily processed and stored on servers located in the United States. If you are accessing the Service from outside the United States, please be aware that your data may be transferred to, processed, and stored in the United States and other countries where our sub-processors operate.

For transfers of personal data from the EEA, United Kingdom, or Switzerland to the United States or other countries not deemed to provide an adequate level of data protection, we rely on the following transfer mechanisms in accordance with GDPR Articles 44–49:

Standard Contractual Clauses (SCCs): We execute the European Commission's Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) with sub-processors that receive personal data outside the EEA, supplemented by additional technical and organizational measures where necessary based on transfer impact assessments.
EU-U.S. Data Privacy Framework: Where applicable, we rely on our sub-processors' self-certification under the EU-U.S. Data Privacy Framework, the UK Extension, and the Swiss-U.S. Data Privacy Framework as a valid transfer mechanism.
Supplementary Measures: In accordance with the CJEU's Schrems II decision, we implement supplementary technical measures including encryption in transit (TLS 1.2+), encryption at rest, access controls, and pseudonymization where feasible.

You may request a copy of the Standard Contractual Clauses or further information about our transfer mechanisms by contacting us at privacy@replr.ai.

9. Your Rights

Depending on your jurisdiction, you may have certain rights regarding your personal data. We are committed to facilitating the exercise of these rights. To submit a request, please contact us at privacy@replr.ai or use the data management tools available in your account settings.

9.1 Rights Under the GDPR (EEA, UK, and Switzerland)

If you are located in the EEA, United Kingdom, or Switzerland, you have the following rights under the GDPR (Articles 15–22):

Right of Access (Art. 15): You have the right to obtain confirmation as to whether your personal data is being processed and, if so, to access a copy of your personal data along with information about the purposes of processing, the categories of data concerned, the recipients, and the envisaged retention periods.
Right to Rectification (Art. 16): You have the right to obtain the correction of inaccurate personal data and to have incomplete personal data completed.
Right to Erasure (Art. 17): You have the right to request the deletion of your personal data where it is no longer necessary for the purposes for which it was collected, you withdraw consent, you object to processing and there are no overriding legitimate grounds, or the data has been unlawfully processed.
Right to Restriction of Processing (Art. 18): You have the right to request that we restrict processing of your personal data where you contest its accuracy, the processing is unlawful, we no longer need the data but you require it for legal claims, or you have objected to processing pending verification of legitimate grounds.
Right to Data Portability (Art. 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format (JSON) and to transmit that data to another controller without hindrance.
Right to Object (Art. 21): You have the right to object to processing based on legitimate interests at any time. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is necessary for legal claims.
Rights Related to Automated Decision-Making (Art. 22): You have the right not to be subject to decisions based solely on automated processing that produce legal effects or similarly significant effects. As noted in Section 4.5, we do not engage in such automated decision-making.
Right to Withdraw Consent: Where processing is based on your consent, you may withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal.

We will respond to your request within one month, which may be extended by up to two additional months for complex or numerous requests, in accordance with GDPR Article 12(3). We will inform you of any such extension within the first month.

9.2 Rights Under the CCPA (California Residents)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (Cal. Civ. Code §§ 1798.100–1798.199):

Right to Know (Cal. Civ. Code § 1798.100): You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which it was collected, the business or commercial purposes for collection, and the categories of third parties with whom we share it.
Right to Delete (Cal. Civ. Code § 1798.105): You have the right to request deletion of personal information we have collected from you, subject to certain exceptions (e.g., legal compliance, completing transactions, security).
Right to Correct (Cal. Civ. Code § 1798.106): You have the right to request correction of inaccurate personal information.
Right to Opt-Out of Sale/Sharing (Cal. Civ. Code § 1798.120): REPLR does not sell your personal information and does not share it for cross-context behavioral advertising. Because we do not engage in these activities, there is no need to opt out. Should this change, we will provide a "Do Not Sell or Share My Personal Information" link.
Right to Non-Discrimination (Cal. Civ. Code § 1798.125): We will not discriminate against you for exercising any of your CCPA rights. You will not receive different pricing, a different quality of service, or be denied service for exercising your rights.

Categories of Personal Information Collected: In the preceding twelve months, we have collected the following categories of personal information as defined by the CCPA: identifiers (name, email, IP address); commercial information (subscription and payment records); internet or electronic network activity (usage data, logs); audio information (voice data for STT processing); inferences (conversation memories, AI-generated user preferences); and sensitive personal information (account credentials). We collect these categories for the business purposes described in Section 3.

Categories of Personal Information Disclosed for a Business Purpose: We disclose identifiers, internet activity, and audio data to our service providers/sub-processors as described in Section 5, solely for the business purposes of providing the Service.

To submit a verifiable consumer request, contact us at privacy@replr.ai. We will verify your identity before fulfilling any request by matching information you provide with information we have on file. You may also designate an authorized agent to submit requests on your behalf by providing written authorization.

10. Cookies and Tracking Technologies

We use cookies and similar technologies to operate, secure, and improve the Service. A cookie is a small data file placed on your device that enables certain functionality and helps us understand how you interact with our Service.

Cookie Type	Purpose	Duration
Session Token	Authentication and session management (strictly necessary)	Session / 7 days
Theme Preference	Stores your selected UI theme (functional)	1 year
Analytics	Aggregated usage statistics with hashed identifiers (analytics)	90 days

Strictly Necessary Cookies are essential for the Service to function and cannot be disabled. They include session authentication tokens and security-related cookies.

Managing Cookies: You can control and manage cookies through your browser settings. Most browsers allow you to block or delete cookies. Please note that disabling strictly necessary cookies may impair your ability to use the Service. For detailed information, please refer to our Cookie Policy.

We do not use third-party advertising cookies or tracking pixels. We do not participate in cross-site tracking or real-time bidding.

11. Children's Privacy

The Service is not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13. This is in compliance with the U.S. Children's Online Privacy Protection Act ("COPPA", 15 U.S.C. §§ 6501–6506) and GDPR Article 8 regarding conditions applicable to children's consent.

If we become aware that we have inadvertently collected personal data from a child under the age of 13 (or under 16 in the EEA, where the applicable member state has not lowered the age of digital consent), we will take prompt steps to delete such data from our systems.

Parental Rights: If you are a parent or guardian and believe that your child has provided personal data to us without your consent, please contact us immediately at privacy@replr.ai. We will verify the claim and delete the child's data within a reasonable timeframe.

Users between the ages of 13 and 17 (or the applicable age of majority in their jurisdiction) must have parental or guardian consent to use the Service, as set forth in our Terms of Service.

12. Security Measures

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction, in accordance with GDPR Article 32. These measures include, but are not limited to:

Encryption in Transit: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher.
Encryption at Rest: Sensitive data stored in our databases is encrypted at rest using industry-standard encryption algorithms.
Password Security: User passwords are hashed using bcrypt with a per-user salt before storage. We never store plaintext passwords.
IP Address Pseudonymization: For analytics purposes, IP addresses are irreversibly hashed using SHA-256 before storage, ensuring that raw IP addresses are not retained in our analytics systems.
Access Controls: Access to personal data is restricted to authorized personnel on a need-to-know basis. Administrative access requires multi-factor authentication.
Infrastructure Security: Our servers are hosted in facilities with physical security controls. We employ firewalls, intrusion detection systems, and regular security audits.
Incident Response: We maintain an incident response plan to address potential data breaches. In the event of a breach affecting your personal data, we will notify you and the relevant supervisory authority in accordance with GDPR Article 33 (within 72 hours) and applicable state breach notification laws.
Secure Token Management: Session authentication is managed via JSON Web Tokens (JWT) with appropriate expiration periods and secure storage practices.

While we implement robust security measures, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security but are committed to promptly addressing any vulnerabilities or incidents.

13. Guest Sessions

REPLR allows limited use of the Service without creating an account through guest sessions. The following terms apply specifically to guest session data processing:

No Account Creation: Guest sessions do not require or result in the creation of a user account. No email address, display name, or other registration information is collected.
Temporary Data: Conversation content generated during a guest session is stored temporarily and is automatically purged within 24 hours. Guest session data is not associated with any persistent user profile.
Rate Limiting: To prevent abuse, we use a SHA-256 hash of your IP address solely for the purpose of enforcing rate limits on guest sessions. This hashed identifier is not linked to any personal data and is purged with the session.
Limited Features: Guest sessions have reduced functionality compared to registered accounts. Features such as conversation history, memory, voice, and personalization are not available.
AI Processing: Conversation content from guest sessions is processed by the same AI sub-processors described in Sections 4 and 5, subject to the same data handling practices.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make changes:

Non-Material Changes: We will update the "Effective date" at the top of this Policy and post the revised version on our website. We encourage you to review this Policy periodically.
Material Changes: For changes that materially affect how we process your personal data (including changes to the categories of data collected, the purposes of processing, or the introduction of new sub-processors), we will provide prominent notice via email to the address associated with your account and/or a conspicuous notice within the Service at least 30 days prior to the changes taking effect.
Consent Where Required: Where applicable law requires your consent for a material change to our data practices, we will obtain such consent before implementing the change. If you do not agree to the revised Policy, you may delete your account before the changes take effect.

Your continued use of the Service after the effective date of a revised Policy constitutes your acceptance of the updated terms, to the extent permitted by applicable law.

15. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, you may contact us through the following channels:

Privacy Inquiries: privacy@replr.ai
Data Controller: REPLR, Inc., a Delaware corporation.
Data Protection Officer: You may contact our Data Protection Officer at privacy@replr.ai with the subject line "Attn: DPO."

Supervisory Authority

If you are located in the EEA, United Kingdom, or Switzerland, and you believe that our processing of your personal data infringes your rights under the GDPR, you have the right to lodge a complaint with your local supervisory authority (as provided in GDPR Article 77). A list of EEA supervisory authorities is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en. For the United Kingdom, you may contact the Information Commissioner's Office (ICO) at https://ico.org.uk.

We encourage you to contact us first so that we may address your concerns directly. We are committed to resolving any complaint about our collection or use of your personal data.

Was this page helpful?

1. Introduction and Scope

By accessing or using the Service, you acknowledge that you have read and understood this Policy. If you do not agree with our data practices described herein, please do not use the Service.

2. Information We Collect

2.1 Information You Provide

We collect personal data that you voluntarily provide when you create an account, use the Service, or otherwise communicate with us:

Account Information: When you register, we collect your email address, display name, and password. You may optionally provide a profile avatar, date of birth, and gender.
Conversation Content: Messages, prompts, and other content you submit during conversations with AI companions are stored to provide conversation history and memory features.
Voice Data: If you use voice features, we process audio recordings of your speech for speech-to-text transcription and generate audio responses using text-to-speech synthesis.
Payment Information: When you purchase a subscription or other paid features, payment card details and billing information are collected and processed by our payment processor, Stripe, Inc. We do not store your full payment card number on our servers.
Communications: If you contact us for support or other inquiries, we collect the content of your communications, your email address, and any other information you choose to provide.
User-Generated Content: Character configurations, shared conversation links, and any other content you create or publish on the Service.

2.2 Information Collected Automatically

When you access or use the Service, we automatically collect certain information about your device and usage:

Usage Data: Pages viewed, features used, session duration, conversation frequency, and interaction patterns with AI companions.
Device Information: Browser type and version, operating system, device type, screen resolution, and language preferences.
Log Data: IP address, access timestamps, referring URLs, and HTTP request metadata. For analytics purposes, IP addresses are hashed using SHA-256 before storage, rendering them pseudonymized.
Cookies and Similar Technologies: We use cookies, local storage, and similar technologies as described in Section 10 and our Cookie Policy.

2.3 Information from Third Parties

We may receive personal data from third-party sources, including:

OAuth Providers: If you choose to sign in using Google or Discord, we receive your name, email address, and profile avatar from the respective provider, as authorized by you during the OAuth consent flow.
Payment Processors: Stripe provides us with transaction confirmations, subscription status, and limited billing details (such as the last four digits of your payment card and billing postal code) necessary to maintain your account.

3. How We Use Your Information

Purpose	Data Used	Legal Basis (GDPR Art. 6)
Provide and operate the Service, including AI conversation generation and memory features	Account data, conversation content, voice data	Performance of contract (Art. 6(1)(b))
Process payments and manage subscriptions	Email, billing information (via Stripe)	Performance of contract (Art. 6(1)(b))
Authenticate your identity and secure your account	Email, password hash, OAuth tokens, JWT session tokens	Performance of contract (Art. 6(1)(b))
Improve and optimize the Service, including AI model quality and safety	Usage data, aggregated conversation metadata	Legitimate interest (Art. 6(1)(f))
Analyze usage trends and generate aggregated analytics	Hashed IP addresses, page views, device data	Legitimate interest (Art. 6(1)(f))
Prevent fraud, abuse, and enforce our Terms of Service	IP addresses, usage patterns, account data	Legitimate interest (Art. 6(1)(f))
Send transactional communications (account verification, password resets, billing receipts)	Email address	Performance of contract (Art. 6(1)(b))
Send marketing communications and product updates	Email address, usage preferences	Consent (Art. 6(1)(a))
Respond to your support inquiries and legal requests	Communications content, account data	Performance of contract / Legal obligation (Art. 6(1)(b), (c))
Comply with applicable laws, regulations, and legal processes	As required by the specific obligation	Legal obligation (Art. 6(1)(c))

4. AI Data Processing

4.1 Conversation Processing

When you send a message to an AI companion, the following data may be transmitted to our AI sub-processors for response generation:

Your current message and relevant conversation history (context window);
Your display name and relevant profile attributes necessary for personalization (e.g., preferred name, gender if provided);
System-level instructions that define the AI character's persona and behavioral constraints.

Your email address, password, payment information, and IP address are never transmitted to AI sub-processors.

4.2 AI Processing

4.3 Voice Processing

Voice interactions involve two additional processing systems:

Our speech recognition system receives your audio input for speech-to-text transcription. Audio is processed in real time and is not persistently stored after transcription is complete.
Our voice synthesis engine receives text output for text-to-speech synthesis. Text inputs are processed to generate audio and are not persistently stored after synthesis is complete.

4.4 Memory and Learning

4.5 No Automated Decision-Making with Legal Effects

5. Sub-Processors

Sub-Processor	Purpose	Data Categories Processed	Location
AI Processing Provider	Conversation and response generation	Conversation content, display name, character system prompts	United States
AI Analysis Provider	Intent classification, content analysis, auxiliary AI features	Message content, conversation context	United States
Voice Processing Provider	Text-to-speech synthesis	AI-generated text responses	United States
Speech Processing Provider	Speech-to-text transcription	User audio input	United States
Stripe, Inc.	Payment processing, subscription management	Billing name, email, payment card details, billing address	United States
Google (OAuth)	Authentication provider	Name, email, profile photo (user-authorized)	United States
Discord (OAuth)	Authentication provider	Username, email, avatar (user-authorized)	United States

Service Providers and Sub-Processors: We share data with the sub-processors listed in Section 5 solely for the purposes of providing and improving the Service, subject to contractual data processing agreements.
Legal Requirements: We may disclose your personal data if required to do so by law, regulation, legal process, or enforceable governmental request, including to meet national security or law enforcement requirements.
Protection of Rights: We may disclose personal data where we believe it is necessary to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the safety of any person, violations of our Terms of Service, or as evidence in litigation in which we are involved.
Business Transfers: In connection with, or during negotiations of, any merger, acquisition, sale of assets, financing, or transfer of all or a portion of our business to another entity, your personal data may be transferred as part of the transaction. We will notify you via email and/or prominent notice on the Service of any change in ownership or uses of your personal data.
With Your Consent: We may share your personal data with third parties when you have provided explicit consent to do so (e.g., publishing a shared conversation link).
Aggregated or De-Identified Data: We may share aggregated, anonymized, or de-identified data that cannot reasonably be used to identify you for any purpose, including research, analytics, and business intelligence.

7. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law. The specific retention periods are as follows:

Data Category	Retention Period	Notes
Account information	Until account deletion	Deleted within 30 days of account deletion request
Conversation content and memories	Until account deletion or manual deletion	Users may delete individual conversations or all data at any time
Voice audio data	Processed in real time and discarded	Audio is not persistently stored; only transcriptions are retained as conversation content
Analytics data (hashed IPs, page views)	90 days	Automatically purged; IP addresses stored only in SHA-256 hashed form
Server and application logs	30 days	Automatically rotated and purged
Payment and billing records	As required by applicable tax and financial regulation	Typically 7 years for tax compliance; card details stored by Stripe only
Support communications	2 years after resolution	May be retained longer if related to an ongoing legal matter
Guest session data	24 hours	Temporary, automatically purged; see Section 13

8. International Data Transfers

Standard Contractual Clauses (SCCs): We execute the European Commission's Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) with sub-processors that receive personal data outside the EEA, supplemented by additional technical and organizational measures where necessary based on transfer impact assessments.
EU-U.S. Data Privacy Framework: Where applicable, we rely on our sub-processors' self-certification under the EU-U.S. Data Privacy Framework, the UK Extension, and the Swiss-U.S. Data Privacy Framework as a valid transfer mechanism.
Supplementary Measures: In accordance with the CJEU's Schrems II decision, we implement supplementary technical measures including encryption in transit (TLS 1.2+), encryption at rest, access controls, and pseudonymization where feasible.

You may request a copy of the Standard Contractual Clauses or further information about our transfer mechanisms by contacting us at privacy@replr.ai.

9. Your Rights

9.1 Rights Under the GDPR (EEA, UK, and Switzerland)

If you are located in the EEA, United Kingdom, or Switzerland, you have the following rights under the GDPR (Articles 15–22):

Right of Access (Art. 15): You have the right to obtain confirmation as to whether your personal data is being processed and, if so, to access a copy of your personal data along with information about the purposes of processing, the categories of data concerned, the recipients, and the envisaged retention periods.
Right to Rectification (Art. 16): You have the right to obtain the correction of inaccurate personal data and to have incomplete personal data completed.
Right to Erasure (Art. 17): You have the right to request the deletion of your personal data where it is no longer necessary for the purposes for which it was collected, you withdraw consent, you object to processing and there are no overriding legitimate grounds, or the data has been unlawfully processed.
Right to Restriction of Processing (Art. 18): You have the right to request that we restrict processing of your personal data where you contest its accuracy, the processing is unlawful, we no longer need the data but you require it for legal claims, or you have objected to processing pending verification of legitimate grounds.
Right to Data Portability (Art. 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format (JSON) and to transmit that data to another controller without hindrance.
Right to Object (Art. 21): You have the right to object to processing based on legitimate interests at any time. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is necessary for legal claims.
Rights Related to Automated Decision-Making (Art. 22): You have the right not to be subject to decisions based solely on automated processing that produce legal effects or similarly significant effects. As noted in Section 4.5, we do not engage in such automated decision-making.
Right to Withdraw Consent: Where processing is based on your consent, you may withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal.

9.2 Rights Under the CCPA (California Residents)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (Cal. Civ. Code §§ 1798.100–1798.199):

Right to Know (Cal. Civ. Code § 1798.100): You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which it was collected, the business or commercial purposes for collection, and the categories of third parties with whom we share it.
Right to Delete (Cal. Civ. Code § 1798.105): You have the right to request deletion of personal information we have collected from you, subject to certain exceptions (e.g., legal compliance, completing transactions, security).
Right to Correct (Cal. Civ. Code § 1798.106): You have the right to request correction of inaccurate personal information.
Right to Opt-Out of Sale/Sharing (Cal. Civ. Code § 1798.120): REPLR does not sell your personal information and does not share it for cross-context behavioral advertising. Because we do not engage in these activities, there is no need to opt out. Should this change, we will provide a "Do Not Sell or Share My Personal Information" link.
Right to Non-Discrimination (Cal. Civ. Code § 1798.125): We will not discriminate against you for exercising any of your CCPA rights. You will not receive different pricing, a different quality of service, or be denied service for exercising your rights.

10. Cookies and Tracking Technologies

Cookie Type	Purpose	Duration
Session Token	Authentication and session management (strictly necessary)	Session / 7 days
Theme Preference	Stores your selected UI theme (functional)	1 year
Analytics	Aggregated usage statistics with hashed identifiers (analytics)	90 days

Strictly Necessary Cookies are essential for the Service to function and cannot be disabled. They include session authentication tokens and security-related cookies.

We do not use third-party advertising cookies or tracking pixels. We do not participate in cross-site tracking or real-time bidding.

11. Children's Privacy

Users between the ages of 13 and 17 (or the applicable age of majority in their jurisdiction) must have parental or guardian consent to use the Service, as set forth in our Terms of Service.

12. Security Measures

Encryption in Transit: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher.
Encryption at Rest: Sensitive data stored in our databases is encrypted at rest using industry-standard encryption algorithms.
Password Security: User passwords are hashed using bcrypt with a per-user salt before storage. We never store plaintext passwords.
IP Address Pseudonymization: For analytics purposes, IP addresses are irreversibly hashed using SHA-256 before storage, ensuring that raw IP addresses are not retained in our analytics systems.
Access Controls: Access to personal data is restricted to authorized personnel on a need-to-know basis. Administrative access requires multi-factor authentication.
Infrastructure Security: Our servers are hosted in facilities with physical security controls. We employ firewalls, intrusion detection systems, and regular security audits.
Incident Response: We maintain an incident response plan to address potential data breaches. In the event of a breach affecting your personal data, we will notify you and the relevant supervisory authority in accordance with GDPR Article 33 (within 72 hours) and applicable state breach notification laws.
Secure Token Management: Session authentication is managed via JSON Web Tokens (JWT) with appropriate expiration periods and secure storage practices.

13. Guest Sessions

REPLR allows limited use of the Service without creating an account through guest sessions. The following terms apply specifically to guest session data processing:

No Account Creation: Guest sessions do not require or result in the creation of a user account. No email address, display name, or other registration information is collected.
Temporary Data: Conversation content generated during a guest session is stored temporarily and is automatically purged within 24 hours. Guest session data is not associated with any persistent user profile.
Rate Limiting: To prevent abuse, we use a SHA-256 hash of your IP address solely for the purpose of enforcing rate limits on guest sessions. This hashed identifier is not linked to any personal data and is purged with the session.
Limited Features: Guest sessions have reduced functionality compared to registered accounts. Features such as conversation history, memory, voice, and personalization are not available.
AI Processing: Conversation content from guest sessions is processed by the same AI sub-processors described in Sections 4 and 5, subject to the same data handling practices.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make changes:

Non-Material Changes: We will update the "Effective date" at the top of this Policy and post the revised version on our website. We encourage you to review this Policy periodically.
Material Changes: For changes that materially affect how we process your personal data (including changes to the categories of data collected, the purposes of processing, or the introduction of new sub-processors), we will provide prominent notice via email to the address associated with your account and/or a conspicuous notice within the Service at least 30 days prior to the changes taking effect.
Consent Where Required: Where applicable law requires your consent for a material change to our data practices, we will obtain such consent before implementing the change. If you do not agree to the revised Policy, you may delete your account before the changes take effect.

Your continued use of the Service after the effective date of a revised Policy constitutes your acceptance of the updated terms, to the extent permitted by applicable law.

15. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, you may contact us through the following channels:

Privacy Inquiries: privacy@replr.ai
Data Controller: REPLR, Inc., a Delaware corporation.
Data Protection Officer: You may contact our Data Protection Officer at privacy@replr.ai with the subject line "Attn: DPO."

Supervisory Authority

We encourage you to contact us first so that we may address your concerns directly. We are committed to resolving any complaint about our collection or use of your personal data.

Was this page helpful?

1. Introduction and Scope

2. Information We Collect

2.1 Information You Provide

2.2 Information Collected Automatically

2.3 Information from Third Parties

3. How We Use Your Information

4. AI Data Processing

4.1 Conversation Processing

4.2 AI Processing

4.3 Voice Processing

4.4 Memory and Learning

4.5 No Automated Decision-Making with Legal Effects

5. Sub-Processors

6. Data Sharing and Disclosure

7. Data Retention

8. International Data Transfers

9. Your Rights

9.1 Rights Under the GDPR (EEA, UK, and Switzerland)

9.2 Rights Under the CCPA (California Residents)

10. Cookies and Tracking Technologies

11. Children's Privacy

12. Security Measures

13. Guest Sessions

14. Changes to This Policy

15. Contact Us

Supervisory Authority

Privacy Policy

1. Introduction and Scope

2. Information We Collect

2.1 Information You Provide

2.2 Information Collected Automatically

2.3 Information from Third Parties

3. How We Use Your Information

4. AI Data Processing

4.1 Conversation Processing

4.2 AI Processing

4.3 Voice Processing

4.4 Memory and Learning

4.5 No Automated Decision-Making with Legal Effects

5. Sub-Processors

6. Data Sharing and Disclosure

7. Data Retention

8. International Data Transfers

9. Your Rights

9.1 Rights Under the GDPR (EEA, UK, and Switzerland)

9.2 Rights Under the CCPA (California Residents)

10. Cookies and Tracking Technologies

11. Children's Privacy

12. Security Measures

13. Guest Sessions

14. Changes to This Policy

15. Contact Us

Supervisory Authority