Privacy Policy

Effective Date: November 15, 2025

Last Updated: November 15, 2025

1. Introduction

ReplyQ, operated by Signum Solutions Private Limited ("ReplyQ", "we", "our", or "us"), provides AI-powered customer service automation via WhatsApp Business API. This Privacy Policy explains how we collect, use, and protect your personal data in compliance with:

Personal Data Protection Act 2012 of Singapore (PDPA)
General Data Protection Regulation (GDPR) - European Union

2. Who We Are

Business Users: We act as Data Controller for your account information and billing data.

End-Customer Messages: We act as Data Processor on behalf of your business. You remain the Data Controller for all customer conversations.

3. Data We Collect

Business Account Data

Business name and contact information
WhatsApp Business Account credentials
Payment information (via Stripe)
Subscription and usage data

Customer Communication Data

WhatsApp messages (text, media, documents)
Customer phone numbers and contact information
Message metadata (timestamps, delivery status)
Conversation history (including historical messages)
Media files (images, videos, documents)

WhatsApp Business Integration Data

Message history synced from WhatsApp Business app
Contact information synced from your WhatsApp Business account
Business profile information

AI Processing Data

FAQ knowledge base you create
AI-generated responses and conversation analysis
Website content you import (public content only)
Conversation patterns for AI personalization

Technical Data

IP addresses and device information
App usage analytics
Error logs for diagnostics
Push notification tokens (mobile apps)

4. How We Use Data

Delivering messages via WhatsApp Business Platform
Generating AI-powered customer service responses
Analyzing conversation history to personalize AI for your business
Syncing message history and contacts from WhatsApp Business app
Processing payments and managing subscriptions
Sending email notifications about account activity
Delivering push notifications for new messages
Customer support and troubleshooting
Improving service quality through analytics
Legal compliance and fraud prevention

Artificial Intelligence Processing

We use artificial intelligence and machine learning to automatically analyze customer messages and generate responses. Your conversation data and business information are processed by third-party AI service providers to deliver the Service.

AI Data Processing:

Customer messages and business data are sent to third-party AI providers for processing
AI providers are contractually prohibited from using your data to train their general models
Conversation history may be used to improve service quality for your business
Your data is isolated from other businesses and never shared between accounts
Data transfers protected by Standard Contractual Clauses (SCCs) and EU-US Data Privacy Framework

Opt-Out: You may disable AI automation through account settings, which will require manual response to all customer messages.

For information on AI provider data practices, see: OpenAI Business Terms

WhatsApp Business Platform Integration

When you connect your WhatsApp Business account:

Historical message data may be synced from your WhatsApp Business account to enable AI-powered responses and analytics
Contact information is synced for customer relationship management
Messages are delivered through WhatsApp Business Platform API
You remain the Data Controller and are responsible for compliance with WhatsApp Business Terms and WhatsApp Business Policy
For Meta's data practices, see WhatsApp Privacy Policy

Important: We process customer message data on your behalf as a Data Processor. You must ensure you have appropriate consent from your customers and comply with applicable data protection laws.

We Will NEVER:

Sell or rent your data to third parties
Use customer conversations for advertising purposes
Share data between different business accounts
Use your data for purposes unrelated to providing our service

5. Who We Share Data With

We share data with trusted third-party service providers who help us operate our service. All providers are bound by data processing agreements and required to maintain appropriate security standards.

Categories of Service Providers

Messaging Platform: Meta Platforms, Inc. (WhatsApp) - USA - Message delivery via WhatsApp Business Platform
AI Service Providers: OpenAI, L.L.C. - USA - Artificial intelligence and machine learning processing (see OpenAI Terms)
Payment Processors: Stripe, Inc. - USA - Secure payment processing and subscription management (see Stripe Privacy)
Cloud Infrastructure Providers: Singapore and USA - Database hosting, application infrastructure, and content delivery
Communication Services: USA - Email notifications and mobile push notification delivery

Data Protection: All service providers process data only according to our instructions and maintain security measures that meet or exceed industry standards. Data transferred internationally is protected by Standard Contractual Clauses (SCCs) and other appropriate safeguards as required by GDPR and PDPA.

6. Data Security

We implement industry-standard security measures to protect your data:

Encryption: All data is encrypted in transit (TLS/HTTPS) and at rest using industry-standard encryption algorithms
Authentication: Secure authentication mechanisms and access controls
Isolation: Multi-tenant data isolation ensures your data cannot be accessed by other businesses
Monitoring: Continuous security monitoring and logging
Audits: Regular security audits and vulnerability assessments
Backups: Encrypted, regular backups to prevent data loss

While we implement robust security measures, no system is completely secure. We encourage you to use strong passwords and keep your account credentials confidential.

7. Data Retention

We retain your data based on the following criteria:

Active Account Data: Retained while your account is active to provide the Service, including conversation history and analytics
Closed Account Data: Retained for a limited period after account closure to address disputes, legal requirements, or service transition needs
Financial Records: Retained for 7 years as required by Singapore tax and accounting laws
Backups: Encrypted backups maintained according to our standard retention schedule (up to 90 days) and purged periodically
Technical Logs: Retained for operational, security, and troubleshooting purposes based on industry best practices

Upon account deletion, your data is removed from active systems within 30 days and fully purged from all systems including backups within 90 days (excluding financial records retained for legal compliance).

Note: Deleted data cannot be recovered. Please export any data you need before deleting your account.

8. International Data Transfers

Your data may be transferred internationally to provide our service. We ensure appropriate safeguards for all international transfers:

Transfer Locations: Data is processed and stored in Singapore and the United States
Legal Safeguards: Standard Contractual Clauses (SCCs), Data Processing Agreements, and EU-US Data Privacy Framework compliance
GDPR Compliance: All transfers comply with GDPR Chapter V requirements for adequate safeguards
PDPA Compliance: Transfers meet Singapore PDPA Section 26 requirements for cross-border data transfers
Service Provider Obligations: All international service providers are contractually bound to implement appropriate technical and organizational security measures

9. If You Are a Customer Messaging a Business Using ReplyQ

Important: If you are receiving messages from a business that uses ReplyQ, the following applies to you:

AI-Powered Responses: Messages you receive may be generated by artificial intelligence trained on that specific business's conversation patterns
Data Controller: The business you're messaging is the Data Controller for your conversation data - not ReplyQ
Data Isolation: Your messages are isolated to that business and are never shared with or used to train AI for other businesses
AI Training: Your conversation history may be used to improve AI response quality for that specific business
Your Rights: To access, correct, or delete your data, or to opt-out of AI processing, please contact the business directly
Complaints: For privacy concerns, first contact the business. If unresolved, you may contact us at support@replyq.app

10. Your Rights (Business Users)

Under PDPA (Singapore) and GDPR (EU)

You have the right to:

Access: Request a copy of your personal data
Rectification: Correct inaccurate or incomplete data
Erasure: Request deletion of your data ("right to be forgotten")
Portability: Receive your data in machine-readable format (JSON)
Restriction: Limit how we process your data
Object: Object to processing based on legitimate interests
Withdraw consent: Where processing is based on consent

Automated Decision-Making (GDPR Article 22)

We use artificial intelligence to automatically generate customer service responses without human review. This automated processing analyzes customer messages and generates appropriate responses based on your business information.

Important: AI responses are informational only and do not produce legal effects or similarly significantly affect individuals (as defined by GDPR Article 22). They do not make decisions about:

Credit, loans, or financial services
Employment or contract termination
Account access or service denial
Pricing or insurance premiums
Legal rights or obligations

Your Rights: You may opt-out of automated AI processing entirely through account settings.

How to Exercise Your Rights

In-app: Settings → Data Export / Delete My Data
Email: support@replyq.app
Response time: Within 30 days

Lodge a Complaint

If you believe we violated your rights, you can lodge a complaint with:

Singapore: Personal Data Protection Commission (www.pdpc.gov.sg)
EU: Your local Data Protection Authority (directory)

11. Legal Basis for Processing (GDPR)

For users in the European Union, we process your personal data based on the following legal bases:

Processing Activity	Legal Basis
Service delivery and message processing	Contract performance
AI response generation	Contract performance
AI processing of conversation data	Legitimate interests (providing quality AI service)
Analytics and conversation analysis	Legitimate interests (service improvement)
WhatsApp message and contact sync	Contract performance
Payment processing	Contract performance
Email and push notifications	Contract performance
Security & fraud prevention	Legitimate interests
Analytics and service improvement	Legitimate interests
Legal compliance and record keeping	Legal obligation

12. Children's Privacy

ReplyQ is a B2B service intended for business use only and is not directed at individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately at support@replyq.app.

13. Data Breach Notification

In the unlikely event of a data breach affecting your personal data, we will:

Notify affected users within 72 hours of becoming aware of the breach
Report to relevant supervisory authorities as required by law (PDPA, GDPR)
Provide details about the nature of the breach and data affected
Recommend protective measures you should take
Take immediate action to contain and remediate the breach

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. Material changes will be notified via:

Email notification to account administrators
In-app notification banner
30-day notice period before changes take effect
Version history available upon request

Continued use of the Service after changes take effect constitutes acceptance of the updated Privacy Policy.

15. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Signum Solutions Private Limited
Singapore

Email: support@replyq.app

Response Time: We aim to respond to all privacy inquiries within 30 days.