Privacy Policy

"Personal Data" means any information relating to an identified or identifiable natural person. We collect and process the following categories of Personal Data in connection with the Service.

Account Data: information provided upon registration and account management, including full name, email address, and account credentials. Passwords are stored in cryptographically hashed form and are not stored in plain text.

Usage Data: information generated by your interaction with the Service, including IP address, timestamp and duration of access, browser type and version, device identifiers, and log data necessary for the operation and security of the Service.

Payment Data: subscription and billing are processed by Stripe, Inc. ("Stripe"). We do not store, retain, or have access to full payment card numbers or card verification codes on our systems. All payment card data is transmitted directly to Stripe and handled in accordance with Stripe's privacy policy and applicable payment card industry (PCI DSS) standards. We may retain billing identifiers, subscription status, and transaction metadata for accounting and dispute resolution.

Chat Data and User-Provided Content: messages and other content submitted by you or your end users through the chatbot interface; product catalogs, knowledge base content, and other data you upload to the Service for processing. You act as data controller (or joint controller, as applicable) in respect of such content. You represent and warrant that you have all necessary rights and legal basis to upload, process, and permit us to process such data, and that such data does not violate any applicable law or third-party rights. We process Chat Data solely as data processor (or sub-processor) for the purpose of providing the Service.

We process Personal Data for the following purposes: (a) provision, operation, and maintenance of the Service, including delivery of AI-generated responses and integration with your systems; (b) improvement of the Service, product development, and quality assurance; (c) analytics and statistical analysis in aggregated or pseudonymized form where feasible; (d) customer support and communication with you; (e) billing, subscription management, and enforcement of our Terms of Service; (f) compliance with legal obligations and protection of our legitimate interests, including fraud prevention and security of our systems and users.

Processing is carried out in accordance with applicable law. Where the GDPR applies: we rely on (i) performance of a contract (Art. 6(1)(b) GDPR) for account and Service-related processing; (ii) legitimate interests (Art. 6(1)(f) GDPR) for security, analytics, and product improvement, where such interests are not overridden by your rights; (iii) consent (Art. 6(1)(a) GDPR) where we have requested your consent (e.g. optional marketing communications, non-essential cookies). You may withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

We may disclose Personal Data to the following categories of recipients, in each case only to the extent necessary for the stated purposes and subject to appropriate contractual or legal safeguards: (a) payment processor Stripe (United States), for payment processing; (b) providers of large language model (LLM) and related AI services (e.g. OpenAI, or other providers we engage) that process Chat Data to deliver the chatbot functionality, pursuant to data processing agreements that impose equivalent obligations to those under applicable data protection law; (c) hosting, infrastructure, and cloud service providers that host or process data on our behalf; (d) analytics and monitoring services. All sub-processors are bound by written agreements requiring compliance with applicable data protection legislation.

Where Personal Data is transferred to countries outside the European Economic Area (EEA) or the United Kingdom that have not been recognized as providing an adequate level of data protection, we implement appropriate safeguards, including where applicable the Standard Contractual Clauses approved by the European Commission or the UK equivalent, and supplementary measures as necessary to ensure a level of protection equivalent to that under GDPR.

We make available a Data Processing Agreement ("DPA") for business and enterprise customers who require documented assurances for compliance (e.g. under Art. 28 GDPR). You may request a DPA by contacting support@startreply.com.

We retain Personal Data only for as long as necessary to fulfill the purposes for which it was collected, including to satisfy legal, regulatory, accounting, or reporting requirements.

Account Data and content associated with your account are retained for the duration of the account lifecycle. Upon termination of your account or upon your request for deletion, we will delete or irreversibly anonymize your Personal Data within thirty (30) days, except where retention is required by law (e.g. tax, legal claims) or for legitimate business purposes (e.g. dispute resolution, enforcement of agreements). In such cases, data will be retained only for the minimum period required.

Log data and technical records may be retained for a period of up to twelve (12) months for security monitoring, incident response, and troubleshooting, after which they are deleted or anonymized.

Under applicable data protection law (including the GDPR where it applies to you), you may have the right to: (a) request access to and a copy of your Personal Data; (b) request rectification of inaccurate or incomplete Personal Data; (c) request erasure of your Personal Data in certain circumstances; (d) request restriction of processing in certain circumstances; (e) object to processing based on legitimate interests or to processing for direct marketing; (f) where processing is based on consent or contract and is carried out by automated means, request data portability; (g) withdraw consent at any time where processing was based on consent; (h) lodge a complaint with a supervisory authority in the Member State of your residence, place of work, or place of the alleged infringement.

To exercise any of the above rights, please contact us at support@startreply.com with the subject line "Privacy" or "Data Subject Request." We will respond within the timeframes required by applicable law (e.g. one month under GDPR, subject to extensions where permitted).

We use cookies and similar technologies to enable the Service to function (e.g. session and authentication cookies), to remember your preferences, and, where you have consented, for analytics and product improvement. You may manage your preferences for non-essential cookies through the cookie consent banner displayed on our website or through your browser settings.

Your continued use of our website after the display of the cookie notice, and where applicable your acceptance of non-essential cookies via the banner, constitutes your consent to the use of cookies as described in this Policy. You may withdraw consent at any time by adjusting your browser or cookie settings.