Privacy Policy

Last updated: May 24, 2026.

Who we are

ReplyKit ("the Service", "we", "our") is a SaaS tool that helps HVAC business owners draft and post safe, professional replies to their Google Business Profile (GBP) reviews. It is operated at usereplykit.com.

What data we collect

  • Account info. Your email address (from email signup or Sign in with Google) and authentication credentials managed by Supabase Auth. If you sign in with Google, we also receive your name and profile picture as supplied by Google's OAuth response.
  • Business profile. Business name, service area, phone, website, voice/tone preference, target HVAC services, and your configured reply rules. Provided by you during onboarding.
  • Google Business Profile data. When you explicitly connect a Google account via OAuth, we receive the reviews, existing replies, reviewer display names, ratings, dates, and basic location metadata (business name, address, phone, website) for the GBP locations you choose to manage. See Google Data Usage for the full scope detail.
  • Generated replies. The AI-drafted reply text, your edits, and a record of which were approved + posted.
  • Billing. Stripe handles all payment information. We receive only subscription status, plan ID, customer ID, and period dates — never card numbers, CVV, or full billing addresses.
  • Operational + audit logs. Records of significant actions (signup, reply generated, reply posted, subscription changed) for support, debugging, and security audit. We never log Google OAuth tokens (encrypted or otherwise), encryption keys, or payment details.

How we use the data

  • Display your reviews and reply drafts inside your dashboard.
  • Generate AI reply suggestions tailored to your business voice and the review's rating.
  • Post replies to Google on your behalf only after you have explicitly approved each one. We never auto-post.
  • Send transactional emails (new review, negative review alert, reply posted, payment issue, Google connection expired).
  • Provide customer support and debug your account on request.

How AI processing works

When you click "Generate reply," we send the following to Anthropic (our AI provider — they run the Claude model that drafts the reply):

  • The review text, reviewer first name, star rating, and review date
  • Your business name, service area, and voice preference
  • Your configured reply rules (e.g. "never admit fault")

We do not send your email, phone, billing data, other reviews, other users' data, or Google OAuth tokens.

Anthropic processes this data solely to return the reply text. Per Anthropic's commercial terms, customer inputs and outputs are not used to train their models. Generated text is returned to our servers, validated by our safety system, and shown to you. We retain the generated text alongside the review so you can edit or regenerate; we do not share it with any other party.

Sharing

We do not sell your data. We do not rent it. We do not share it with third-party advertisers or data brokers. The only third parties that process your data are the operational vendors we need to run the Service:

  • Supabase — database, authentication, file hosting
  • Vercel — application hosting and serverless functions
  • Anthropic — AI model (see "How AI processing works" above)
  • Stripe — subscription billing
  • Resend — transactional email delivery
  • Google — only as the data source you connect; we read your reviews and post replies you approve

Use of Google data complies with Google's API Services User Data Policy, including the Limited Use requirements.

Where data lives

Application data is stored in Supabase (Postgres) and hosted on Vercel — both in United States data centers. Google OAuth tokens are encrypted at rest with AES-256-GCM before being written to the database. The encryption key is held only in server-side environment variables and is never transmitted to any browser or third party.

How long we keep your data

Different data has different retention rules:

  • Google Business Profile data (reviews, replies, location info, OAuth tokens) is kept while your Google connection is active. When you disconnect Google or delete your account (whichever happens first), all GBP data and tokens are removed within 30 days.
  • Generated reply drafts are kept while the underlying review is in our system.
  • Account and business profile data is kept while your account is active. After you delete your account, it is removed within 30 days.
  • Billing records are retained for up to 7 years to satisfy tax and accounting requirements.
  • Audit logs are retained for up to 12 months for security and support purposes, then deleted.

Your rights — and how to use them

  1. Disconnect Google. Open Settings → Google connection → click Disconnect. Your encrypted OAuth tokens are deleted immediately; the related reviews are removed within 30 days.
  2. Cancel subscription. Open Settings → Billing → Manage billing → Cancel. Access continues until the end of your billing period.
  3. Delete your account and data. Email support@usereplykit.com from your account email and say "delete my account." We confirm receipt within 2 business days and complete deletion within 30 days (billing records retained per the section above).
  4. Export your data. Email support@usereplykit.com with "export request." We send you a JSON export of your business profile, reviews, replies, and subscription status within 7 days.
  5. Revoke at Google directly. You can also revoke our access at myaccount.google.com/permissions. After revocation, our next API call fails and we flag your connection as "reconnect required."

Security

We use industry-standard practices: TLS in transit, AES-256-GCM for Google token storage, Postgres row-level security so each user can only access their own data, server-side rate limiting, and an audit log of every meaningful action. We never expose Google tokens or service-role credentials to the browser.

Children

The Service is for businesses and is not directed to children under 16. We do not knowingly collect data from children.

Changes to this policy

We may update this policy. Material changes will be announced in-app or by email at least 14 days before they take effect.

Contact

Privacy questions, deletion requests, export requests: support@usereplykit.com