Privacy Policy

1. Information We Collect

1.1 Account Information

When you register for AuReply, we collect:

• Your full name
• Email address
• Phone number (optional, for WhatsApp notifications)
• Business name and business type
• Password (stored as a bcrypt hash; never visible to us in plaintext)

1.2 Google Business Profile Data

When you connect your Google Business Profile (GBP) via Google OAuth, we receive and store:

• OAuth access tokens and refresh tokens (encrypted at rest using AES-256-GCM authenticated encryption)
• Your Google account email address associated with the GBP
• Your business location identifier and account identifier
• Public review data, including reviewer names, star ratings, review text, review timestamps, and reviewer-uploaded photos (where present)
• Business profile metadata: hours, attributes, description, categories, photos, address, phone number
• Review reply history and reply timestamps
• Profile performance metrics (search keywords, impressions, calls, direction requests) from the Google Business Profile Performance API

We access this data exclusively through Google's official Business Profile APIs.

1.3 Payment Information

Subscription payments are processed through Razorpay. We do not store your credit card, debit card, UPI ID, or bank account details on our servers. Razorpay handles all payment data in accordance with PCI-DSS compliance standards. We only receive a Razorpay customer ID and subscription identifier to manage billing.

1.4 WhatsApp Number

If you opt in to WhatsApp notifications, we collect and store your WhatsApp phone number to send transactional alerts via the WhatsApp Business API.

1.5 Usage Data

We automatically collect limited technical data when you use the Service:

• IP address (for security and rate limiting)
• Browser type and operating system
• Pages visited and actions taken within the Service
• Timestamps of activity

1.6 Third-Party Data in Reviews

Google reviews submitted by your customers may contain personal information about those customers (names, profile photos, review content). This information is publicly available on Google Maps and is processed by AuReply solely to:

• Generate appropriate reply text
• Display reviews in your dashboard
• Track review trends and themes for your analytics

We do not contact reviewers directly, nor do we use their data for any purpose beyond reply generation and dashboard display within your account.

2. Google API Services User Data Policy Compliance

AuReply's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

We use Google user data solely to provide the user-facing features of the Service:

• Posting AI-generated and manual replies to your Google Business Profile reviews
• Displaying your reviews, ratings, and analytics within your AuReply dashboard
• Sending you notifications about review activity via WhatsApp and email
• Generating reports and insights about your business reputation

We do NOT:

• Transfer Google user data to third parties except as necessary to provide or improve the Service, to comply with applicable laws, or as part of a merger, acquisition, or sale of assets with prior user notice and consent
• Use Google user data for serving advertisements
• Allow humans to read Google user data unless: (a) we have your affirmative consent for specific messages, (b) it is necessary for security purposes such as investigating abuse, (c) to comply with applicable law, or (d) the data has been aggregated and anonymised for internal operational analytics
• Use Google user data to train, fine-tune, or improve any generalised or non-personalised artificial intelligence or machine learning model

AI-generated replies are produced per-review through third-party large language model APIs operating under commercial API terms. Your review content is not used to train any AI provider's foundation models. We may change our underlying AI provider from time to time; in all cases, the provider must offer equivalent data protection commitments.

3. OAuth Scopes Requested

When you connect your Google Business Profile, AuReply requests the following OAuth scope:

You can revoke these permissions at any time by visiting myaccount.google.com/permissions or by disconnecting your Google Business Profile from within the AuReply dashboard.

4. How We Use Your Data

We use the information we collect to:

• Provide the automated review reply service
• Send transactional notifications about new reviews, replies, and account activity via WhatsApp and email
• Process subscription payments through Razorpay
• Generate analytics, theme detection, and reporting about your review performance
• Improve the quality and accuracy of AI-generated replies through prompt refinement (not through model training)
• Detect and prevent fraud, abuse, and security incidents
• Communicate with you about your account, service updates, and policy changes
• Comply with legal obligations

We do not sell your personal data to any third party.

5. Data Storage and Security

Your data is stored securely in a managed PostgreSQL database. We implement the following security measures:

• Google OAuth tokens are encrypted at rest using AES-256-GCM authenticated encryption with keys stored separately in environment variables and a managed secrets store
• All data transmission occurs over HTTPS/TLS 1.2 or higher
• Database access is restricted to authorised production systems only
• Multi-factor authentication is required for administrative access
• Passwords are hashed using bcrypt with industry-standard cost factors
• API keys are hashed before storage
• Session inactivity automatically logs you out after 60 minutes
• Regular security reviews and dependency audits are conducted

6. Data Location and International Transfers

Your data is primarily stored on servers located in India (Mumbai region, ap-south-1). Operational backups may be replicated to Singapore (ap-southeast-1).

When you use AI-powered features, your review content is transmitted to a third-party large language model API, which processes data on infrastructure that may be located outside India (typically in the United States or Europe). Our AI providers maintain industry-standard data protection commitments and do not retain API content for foundation model training.

WhatsApp messages are delivered through Meta's WhatsApp Business API infrastructure, which may transit Meta data centres outside India.

By using AuReply, you consent to these international transfers for the purpose of providing the Service.

7. Third-Party Services (Sub-processors)

Each sub-processor is bound by data protection commitments appropriate to its role.

8. Data Retention

• Active accounts: We retain your data for as long as your account is active.
• Account deletion: When you delete your account, we permanently remove your personal data, OAuth tokens, and review history within 30 days. We immediately revoke our access to your Google Business Profile.
• Anonymised data: Aggregated, anonymised data (such as overall reply quality metrics) may be retained for internal analytics and Service improvement.
• Legal retention: Some records (invoices, fraud logs, audit trails) may be retained for up to 7 years to comply with Indian tax, accounting, and consumer protection laws.

You can request immediate deletion at any time by emailing hello@aureply.com.

9. Your Rights

Under India's Digital Personal Data Protection Act (DPDP Act) 2023, the EU GDPR (if applicable), and other relevant data protection laws, you have the right to:

• Access — Request a copy of the personal data we hold about you
• Correction — Request correction of inaccurate or incomplete personal data
• Deletion — Request that we delete your account and all associated personal data
• Data Export (Portability) — Request an export of your data in a machine-readable format
• Withdrawal of Consent — Disconnect your Google Business Profile or revoke WhatsApp consent at any time
• Restriction — Request that we restrict the processing of your data in specific circumstances
• Objection — Object to processing of your data for specific purposes
• Grievance Redressal — Lodge a complaint with our Grievance Officer or the relevant Data Protection Authority

To exercise any of these rights, email hello@aureply.com. We will respond within 30 days.

10. Use of AI

We use third-party large language model (LLM) APIs to generate review replies and insights. When AI features are invoked:

• Your review content and configured business context are sent to the AI provider's API
• Per the AI provider's commercial API terms, this content is not used to train their foundation models
• AI-generated replies are stored in our database and posted to your Google Business Profile only after passing your configured auto-reply rules or after manual approval
• You can disable auto-reply and require manual approval for every reply
• We may change our AI provider from time to time to deliver the best quality, latency, or cost. Any change will require equivalent data protection commitments.

We do not use your Google review data, customer messages, or business information to train, fine-tune, or improve any AI model — our own or any third party's.

11. Cookies and Tracking

AuReply uses essential session cookies to maintain your authenticated login session. These cookies are required for the Service to function correctly.

We do not use:

• Third-party advertising cookies
• Cross-site tracking pixels
• Behavioural advertising profiles

If we add usage analytics or performance monitoring in the future, we will update this Privacy Policy and notify you before collection begins. You will have the opportunity to opt out.

12. Children's Privacy

AuReply is intended for use by businesses operated by adults aged 18 or older. The Service is not directed at children, and we do not knowingly collect personal information from children under 18.

If we become aware that we have collected personal information from a child without parental consent, we will delete it promptly. If you believe we may have collected such information, contact hello@aureply.com.

13. Data Breach Notification

We maintain technical and organisational measures to prevent unauthorised access to your data. In the unlikely event of a data breach affecting your personal information, we will:

• Notify affected users via email within 72 hours of discovery
• Notify the Data Protection Board of India and other relevant authorities as required by law
• Publish a notice in your dashboard describing the nature of the breach, data affected, and remediation steps taken
• Take immediate action to contain and mitigate the breach

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

• Update the "Last updated" date at the top of this policy
• Notify you via email at least 30 days before the changes take effect
• Display a prominent notice within the Service

Your continued use of AuReply after the effective date of changes constitutes acceptance of the revised Privacy Policy.

15. Contact and Grievance Officer

Data Fiduciary: AuReply
Operating Location: Kerala, India
Grievance Officer: AuReply Privacy Team
Email: hello@aureply.com
Response Timeline: We respond to all data protection requests within 30 days.

For unresolved complaints, you may approach the Data Protection Board of India as established under the DPDP Act 2023.