Privacy Policy

Last updated: May 20, 2026

1. Controller

The controller for account, billing, website, and customer relationship data is RADOM UG, Telemannstr. 2, 60323 Frankfurt am Main, Germany. For privacy requests, contact support@reply-intern.com.

2. Role for Google review data

When a business connects a Google Business Profile, Reply Intern normally acts as a processor for the business customer. The customer decides which locations to connect, whether Reply Intern should draft replies, and whether positive public Google replies may be posted automatically. The business customer remains responsible for the lawful handling of its customer reviews.

The Data Processing Addendum is part of the service terms for business customers that use Reply Intern to process review data.

3. Data we process

  • Account data: email address, name if provided, password hash, sign-in method, sessions.
  • Google connection data: provider IDs, OAuth tokens, scopes, connected account/location IDs.
  • Business data: business names, location names, country code, type, language, tone, context, settings.
  • Review data: reviewer name, rating, review text, review date, Google review ID, reply status.
  • Reply data: AI-generated draft, edited final text, sent status, sent date.
  • Billing data: Stripe customer/subscription IDs, plan status, paid location count, renewal dates.
  • Support/contact data: messages sent through contact or support channels.
  • outreach lead data: business email, business name, website, country, source URL, review quick-look URL, send status, opt-out records.
  • Server logs: IP address, timestamp, request metadata, and error/security logs required to operate the service.

4. Legal bases

  • Contract performance: account creation, dashboard access, review sync, reply drafting, reports, billing.
  • Legitimate interests: service security, fraud prevention, operational logging, limited B2B outreach.
  • Consent: Google OAuth authorization and any optional communication choices where consent is required.
  • Legal obligations: invoice, tax, accounting, and abuse-prevention records where required by law.

5. AI processing

Reply Intern uses Azure OpenAI hosted in the EU region configured for the service to draft, rewrite, and summarize Google review replies. Prompts can include the business name, business context, reviewer name, review text, rating, selected language, selected tone, and user editing instructions. Review data is used to provide the service and is not used by Reply Intern to train foundation models.

Drafts are marked as AI-generated in the product. If automation is enabled for a subscribed location, positive public Google replies may be posted automatically according to the customer's configured rules. Negative or sensitive reviews are designed to remain review-first unless the customer deliberately changes those settings.

6. Retention schedule

  • Account data: kept for the customer relationship, then deleted on account deletion unless legal retention applies.
  • Google OAuth tokens: kept until Google is disconnected or the account is deleted.
  • Reviews and replies: kept while a location is connected, then removed 30 days after disconnect by default, or immediately when the business/location is deleted.
  • Billing records: kept as long as required for payment, accounting, tax, chargeback, and fraud-prevention purposes.
  • Password reset tokens: expire after one hour and are removed by cleanup after expiry or use.
  • Outreach lead data: kept for 180 days by default unless a suppression record is needed to honor opt-outs.
  • Suppression records: kept as long as necessary to avoid contacting opted-out addresses or domains again.
  • Server logs: kept for 30 days by default unless needed for security, abuse investigation, or legal obligations.
  • Backups: may persist for a limited backup cycle before being overwritten.

7. Subprocessors

Reply Intern uses the following subprocessors and service providers:

  • Google Ireland Limited: Google sign-in, Google Business Profile APIs, Gmail sending, Google Workspace email.
  • Microsoft Ireland Operations Limited / Azure: Azure OpenAI processing and related cloud services.
  • Stripe Payments Europe, Ltd.: payment processing, subscriptions, invoices, and payment security.
  • Hosting and database infrastructure used to operate reply-intern.com in the configured EU environment.
  • Brave Search API or similar search provider for internal B2B lead discovery when outreach is enabled.

8. Security

Reply Intern uses HTTPS, role-based dashboard access, hashed passwords, server-side sessions, environment-based secret handling, and encrypted storage for Google OAuth tokens when the production encryption key is configured. Access to production systems is restricted to operational administrators.

9. Your rights

Depending on your role and jurisdiction, you may request access, correction, deletion, restriction, portability, objection, or withdrawal of consent. Logged-in users can download account data and delete their account from Settings. You may also contact support for manual assistance.

10. Supervisory authority

You may contact a data protection authority. In Hesse, the competent authority is the Hessian Commissioner for Data Protection and Freedom of Information.