ContactReplyAI ("we", "us", "our") is committed to protecting the privacy of the businesses that use our service ("subscribers") and the end-customers who contact those businesses. This policy explains what data we collect, how we use it, and your rights.
1. Who We Are
ContactReplyAI is operated by Marcus Webb, based in Australia. Contact:
For GDPR purposes, we act as a data processor on behalf of our subscribers (who are the data controllers for their customers' personal data). We act as a data controller for our subscribers' own account and billing data.
2. Data We Collect
2.1 From Subscribers (business owners)
- Business name, trade type, and service area
- Contact details (email, phone number)
- Knowledge base content (services, pricing, FAQ — as provided by you)
- PayPal subscription ID and billing status (we do not store card or bank details)
- Dashboard usage data (conversations reviewed, overrides made, settings changes)
- Web Push notification subscription tokens
2.2 From End-Customers (people contacting subscriber businesses)
- Phone number (SMS/WhatsApp conversations)
- Email address (email conversations)
- Name (where provided in the conversation)
- Message content (the full text of each conversation)
- Inferred data: trade enquiry type, urgency level (derived from message content)
End-customer data is processed on behalf of the subscriber. The subscriber is responsible for ensuring their customers are aware that an AI service is handling initial responses. We provide AI Disclosure guidance to subscribers for this purpose.
3. How We Use Data
| Purpose | Legal Basis (GDPR) | Applies To |
|---|---|---|
| Generating AI responses to customer enquiries | Contract performance / legitimate interests | End-customer messages + subscriber KB |
| Storing conversation history for dashboard | Contract performance | End-customer messages |
| Sending push notifications to subscriber | Contract performance | Subscriber |
| Billing and subscription management | Contract performance | Subscriber |
| Safety/emergency response detection | Vital interests / legitimate interests | End-customer messages |
| Service improvement and debugging | Legitimate interests | Anonymised/aggregated data |
| Compliance with legal obligations | Legal obligation | As required by law |
We do not sell personal data. We do not use customer conversation data to train AI models (messages are processed by Anthropic's API; Anthropic's API terms prohibit using API inputs for training).
4. Third-Party Processors
| Processor | Purpose | Data Shared | Location |
|---|---|---|---|
| Anthropic (Claude API) | AI response generation | Message content + subscriber knowledge base | USA (SCCs apply for EU data) |
| Twilio | SMS and WhatsApp delivery | Phone numbers, message content | USA (SCCs apply for EU data) |
| Resend | Email delivery and inbound webhooks | Email addresses, message content | USA (SCCs apply for EU data) |
| Cloudflare | Web infrastructure, CDN, DDoS protection | IP addresses, HTTP headers | Global |
| PayPal | Subscription billing | Subscriber email, subscription ID | USA/Global |
All processors are contractually bound to process data only for the stated purpose and in accordance with applicable privacy law.
Overseas disclosure and APP 8. Where we disclose personal information to overseas recipients (principally the United States), we take reasonable steps to ensure the recipient does not breach the Australian Privacy Principles, consistent with Australian Privacy Principle 8.1. By using the Service, you consent to the disclosure of your personal information to these overseas recipients for the purposes described in this Privacy Policy, and you acknowledge that by giving this consent, the accountability in APP 8.1 will not apply if the overseas recipient handles the information in breach of the APPs (APP 8.2(b)).
Portal chat assistant (Marcus) and LLM page context. When a subscriber uses the Marcus chat assistant on the CRAI portal (contactreply.app), contextual information from the current portal page is transmitted to OpenRouter (and onward to Anthropic) to generate a relevant help response. This is limited to the subscriber's own session data on CRAI's own portal — it is not data belonging to, or sent on behalf of, any third-party business or end-customer. Before transmission, all form field values are partially redacted: email addresses are reduced to first character + *** + domain (e.g. j***@gmail.com), phone numbers to the last three digits only (e.g. ***491), and ABN values to the token <ABN>. Raw PII — full email addresses, full phone numbers, and full ABNs — is not sent to OpenRouter or Anthropic. The processors involved in portal chat are OpenRouter (USA) and Anthropic (USA); both are subject to the APP 8 disclosure above.
5. Data Retention
- Conversation messages: Retained for 24 months, then automatically deleted.
- Subscriber account data: Retained for the duration of the subscription plus 12 months, then deleted on request.
- Billing records: Retained for 7 years as required by Australian tax law.
- Safety/emergency logs: Retained for 3 years for liability protection purposes.
6. Data Security
We implement reasonable technical and organisational security measures, including: PostgreSQL row-level security (each subscriber's data is isolated), encrypted connections (TLS 1.2+), no plaintext storage of passwords or API keys, and access controls limiting who can query production data. We are not SOC 2 certified (planned for Phase 4 per our roadmap).
7. Your Rights
As a subscriber, you have the right to:
- Access the personal data we hold about your account
- Correct inaccurate data
- Delete your account and all associated data (submit request via ; processed within 30 days)
- Export your conversation history (available in dashboard; CSV format)
- Object to processing based on legitimate interests
- Lodge a complaint with the OAIC (Australia), ICO (UK), or your local data protection authority
If you are an end-customer of a business using ContactReplyAI and wish to exercise your rights, please contact that business directly. They are the data controller for your information.
8. Cookies
Our website (contactreplyai.com) uses no analytics cookies or tracking cookies. The only cookies set are session cookies required for the dashboard login, and the PayPal SDK sets cookies required for payment processing. We do not use Google Analytics, Facebook Pixel, or any ad tracking.
9. Children's Data
The Service is not directed at children under 16. We do not knowingly collect data from children. If you believe a child has sent messages through the Service, contact us and we will delete the data.
10. Changes to This Policy
We will notify subscribers of material changes by email with 30 days' notice. The current version is always at contactreplyai.com/legal/privacy.php.
11. Contact
Privacy queries & Data Processing Agreement requests (GDPR Art. 28):