The TL;DR: We collect what we need to run OyeReply for you. We don't sell or share your data. We don't train AI on your messages. You can export or delete everything, anytime.
1. About this policy
This policy explains how OyeReply Technologies, Inc. ("OyeReply", "we", "us") collects and uses personal data when you use our Service. It covers GDPR, CCPA/CPRA, and India's DPDP Act 2023.
2. What we collect
Information you give us
- Account info: name, email, password (hashed), profile photo
- Billing info: payment details processed by Stripe — we never see your card
- Workspace content: flows, templates, contacts, tags, notes
Information from Instagram (with your permission)
- Connected page/account ID, username, profile photo
- Messages, comments and mentions sent or received during automation
- Public engagement signals (replies, reactions) needed to run flows
Information collected automatically
- Device, browser and IP for security/fraud prevention
- Usage events to improve the product (page views, clicks, errors)
3. How we use your information
- To run flows, send replies, and deliver the Service you've asked for
- To bill you, prevent fraud, and meet legal obligations
- To support you when you contact us
- To send essential service emails, and (only with your opt-in) product updates
We don't: sell your data, share it with data brokers, or use your customers' messages to train large language models.
4. Sharing
We share data only with vetted sub-processors needed to run the Service. The current list is at oyereply.com/sub-processors and includes:
- AWS (eu-central-1 / us-east-1) — hosting & encrypted storage
- Stripe — payments
- Postmark — transactional email
- Sentry — error monitoring
- Intercom — in-app help chat
We may disclose data if required by law, but we'll push back where we can and tell you unless legally prohibited.
5. Cookies
We use first-party cookies for sign-in and a small set of analytics cookies (PostHog, self-hosted) to understand how the product is used. You can opt out from the cookie banner or your browser. We don't run third-party advertising trackers.
6. Your rights
Wherever you live, you can:
- Access — see what we have on you
- Export — get it in CSV or JSON
- Correct — fix anything wrong
- Delete — wipe your account
- Object — to certain processing
Email privacy@oyereply.com; we respond within 30 days.
7. Security
Encryption in transit (TLS 1.3) and at rest (AES-256). Access is least-privilege, audited and 2FA-required for our team. We run quarterly penetration tests and publish a public trust report.
8. Retention
While you're a customer, we keep what's needed to run the Service. After cancellation, primary copies are deleted within 60 days; encrypted backups roll out within 90 days.
9. International transfers
OyeReply is built and operated globally. Where we move data across borders we rely on Standard Contractual Clauses, the EU–US Data Privacy Framework, and equivalent safeguards. EU customers' data is hosted in eu-central-1 by default.
10. Children
OyeReply isn't for kids under 16. If we find we've collected data from a child, we'll delete it.
11. Changes
We'll email you 30 days before any material change. The "Last updated" date at the top always shows the current version.
12. Contact / DPO
Data Protection Officer · Anjali Pillai · dpo@oyereply.com
OyeReply Technologies, Inc. · 401 Indiranagar 100ft Rd, Bengaluru 560038, India