Privacy Policy

Written by Simon from Replaiy

Replaiy B.V.
Last updated: May 7, 2026
Version 1.1

1. Introduction and Scope

Replaiy B.V. ("Replaiy," "we," "us," or "our"), a private limited company incorporated under Dutch law, registered with the Dutch Chamber of Commerce (Kamer van Koophandel) under number 42000154, with its registered office at Bovenkamp 7A, 1391 LH Abcoude, the Netherlands, operates the AI-powered LinkedIn outreach and conversation platform accessible at https://replaiy.ai (marketing website) and https://replaiy.app (product application), together with related services (collectively, the "Services").

This Privacy Policy ("Policy") explains how we collect, use, disclose, and protect personal data when you visit our website, create an account, use our Services, or otherwise interact with us. By accessing or using our Services, you acknowledge that you have read and understood this Policy.

1.1 Regulatory Framework

As a company established in the Netherlands and serving customers across the European Union and beyond, we comply with:

  • The General Data Protection Regulation (EU) 2016/679 ("GDPR")

  • The Dutch Implementation Act of the GDPR (Uitvoeringswet AVG)

  • The Dutch Telecommunications Act (Telecommunicatiewet)

  • Directive 2002/58/EC on Privacy and Electronic Communications (ePrivacy Directive)

  • The EU Artificial Intelligence Act (Regulation (EU) 2024/1689) ("AI Act")

  • Applicable data protection laws in jurisdictions where our Customers operate

1.2 Scope of this Policy

This Policy applies to visitors of our website, Users of our Services (employees, contractors, or representatives of our Customers), and Recipients of communications sent through our Services ("Leads"), to the extent we process their personal data on behalf of our Customers.

Where Replaiy acts as a processor on behalf of our Customers, this Policy is supplemented by, and subject to, the Data Processing Agreement entered into between Replaiy and the Customer.

2. Definitions

Customer — A business or organization that subscribes to the Services.

User — An individual authorized by a Customer to access and use the Services.

Lead — A recipient of a message sent through the Services, typically a LinkedIn user contacted by a User.

Personal Data — Any information relating to an identified or identifiable natural person, as defined in Article 4(1) GDPR.

Processing — Has the meaning given in Article 4(2) GDPR.

Controller and Processor — Have the meanings given in Article 4(7) and 4(8) GDPR respectively.

AI Provider — A third-party large language model provider (e.g., Anthropic, xAI, Google) accessed through OpenRouter.

Co-Pilot Mode — The default operating mode of the Services in which a User reviews and approves each AI-generated draft before it is sent.

Auto-Pilot Mode — The optional operating mode in which AI-generated messages may be sent without per-message User review, subject to safeguards described in our AI Policy.

3. Data Controller Information

For the processing activities described in Sections 6.1 to 6.5 below, Replaiy B.V. acts as the Controller.

For the processing of Lead data and conversation content carried out on behalf of our Customers (Sections 6.6 and 6.7), Replaiy acts as a Processor, and the Customer is the Controller.

Contact details for privacy matters:

Replaiy B.V.
Attn: Privacy Office
Bovenkamp 7A
1391 LH Abcoude
The Netherlands
Email: dpa@replaiy.ai

We are not legally required to appoint a Data Protection Officer (DPO) under Article 37 GDPR, but our Privacy Office handles all data protection matters and can be reached at the address above.

4. Categories of Personal Data We Process

We process the following categories of Personal Data when you use our Services. The exact categories depend on how you interact with Replaiy and which features your Customer has enabled.

4.1 Account and Identity Data

Name, business email address, job title, employer, profile photo, password hash, language preferences, and time zone. This data is provided when a User registers or is invited to a workspace.

4.2 LinkedIn Account Data

LinkedIn profile URL, profile name, profile picture, headline, connection status, and authentication tokens required to operate the integration via Unipile. Authentication tokens are stored encrypted at rest.

4.3 Conversation Content

Messages drafted, sent, and received through the Services, including AI-generated drafts, User-edited drafts, sent messages, and incoming replies from Leads. This content is processed to deliver the core functionality of the Services.

4.4 Lead Data

Information about Leads with whom Users communicate, including name, LinkedIn profile URL, headline, employer, and any data shared by the Lead in the course of conversation. Replaiy processes Lead Data on behalf of the Customer in its role as Processor.

4.5 Usage and Technical Data

IP address, browser type, device identifiers, operating system, referrer URL, pages viewed, features used, session duration, and performance and error logs. This data is used for security, troubleshooting, and product analytics.

4.6 Billing Data

Company name, billing address, VAT number, and transaction history. Payment card details are processed exclusively by Stripe and are never stored on Replaiy's systems.

4.7 Communications Data

Records of correspondence with our support team, sales conversations, and feedback submitted through the Services or other channels.

4.8 Calendar Data

Where Users connect Google Calendar, we process meeting metadata (title, time, attendees) strictly to enable scheduling functionality within the Services.

4.9 Media Assets

Profile pictures and company logos associated with Users and Leads, stored in Cloudflare R2 (EU region).

We do not knowingly process special categories of Personal Data as defined in Article 9 GDPR (e.g., health, religion, political views), and we instruct Customers and Users not to use the Services for such data.

5. Legal Bases for Processing

We rely on the following legal bases under Article 6 GDPR:

  • Performance of a contract (Art. 6(1)(b)) — for providing the Services to Customers and Users.

  • Customer's legal basis — when processing Lead Data on behalf of Customers, the Customer determines the legal basis (typically legitimate interest under Art. 6(1)(f)).

  • Legal obligation (Art. 6(1)(c)) — for billing, accounting, and tax records.

  • Legitimate interest (Art. 6(1)(f)) — for product analytics, security monitoring, and direct marketing to existing Customers.

  • Consent (Art. 6(1)(a)) — for marketing communications to prospects, non-essential cookies on our marketing website, and AI Model Improvement (see Section 6.7).

Where we rely on legitimate interests, we have conducted a balancing test and concluded that our interests do not override the rights and freedoms of data subjects. You may request a summary of any such assessment by contacting dpa@replaiy.ai.

6. Purposes of Processing

6.1 Account Management

To create and maintain User accounts, authenticate access, and provide customer support.

6.2 Service Delivery

To enable Users to draft, send, and manage AI-assisted LinkedIn outreach and conversations.

6.3 Billing

To invoice Customers, process subscription payments via Stripe, and meet our tax and accounting obligations.

6.4 Product Analytics and Improvement

To understand feature usage, diagnose issues, and improve the Services. We use PostHog (EU Cloud) within our product application (replaiy.app) for this purpose, with IP-anonymization enabled. On our marketing website (replaiy.ai), we use Microsoft Clarity and Google Analytics with prior visitor consent.

6.5 Security and Fraud Prevention

To detect, investigate, and prevent unauthorized access, abuse, or violations of our Terms of Service.

6.6 Operational AI Processing (Processor Role)

To generate message drafts, classify replies, and assist conversations on behalf of our Customers. AI inference is performed via OpenRouter with Zero Data Retention enabled, routing to Anthropic, xAI, and Google models.

6.7 AI Model Improvement (Opt-In Only)

Where a User explicitly opts in (per LinkedIn account), and provided the Customer's workspace admin has not disabled the feature, we use de-identified conversation data to improve our proprietary AI systems for the benefit of all Replaiy users. Personal identifiers (names, email addresses, employer names, phone numbers, URLs) are stripped before data enters any training pipeline. This processing is governed by Section 11 (Your Rights) and may be withdrawn at any time.

We do not train AI models on Google Workspace user data, including data accessed via Google Workspace APIs (e.g., Google Calendar). Google Workspace data is processed solely to deliver the requested integration functionality and is excluded from any AI Model Improvement, with or without opt-in.

7. Data Retention

We retain Personal Data only for as long as necessary for the purposes described in this Policy. Default retention periods are:

  • Account data — Lifetime of the account, plus 30 days after deletion.

  • Conversation content (operational) — 24 months from creation.

  • De-identified data used for AI improvement — Retained indefinitely after irreversible anonymization.

  • Billing and tax records — 7 years (required under Dutch tax law, Algemene Wet inzake Rijksbelastingen).

  • Server, security, and audit logs — 12 months.

  • Support tickets — 24 months from resolution.

  • Marketing contacts — Until opt-out, or 24 months of inactivity.

  • Backup data — Up to 35 days after primary deletion.

After the applicable retention period, we delete or irreversibly anonymize the data.

8. Data Sharing and Disclosure

We do not sell Personal Data. We share data only with:

8.1 Subprocessors

Trusted third parties that process data on our behalf under written agreements compliant with Article 28 GDPR. The complete list is available on our Subprocessors page.

8.2 Customers

Where Replaiy acts as Processor, we share processed data with the Customer that initiated the processing.

8.3 Professional Advisors

Lawyers, accountants, auditors, and insurers under confidentiality obligations.

8.4 Authorities

When required by law, court order, or to protect our legal rights, the safety of users, or the integrity of the Services.

8.5 Business Transfers

In the event of a merger, acquisition, or asset sale, Personal Data may be transferred, subject to the protections of this Policy.

9. International Data Transfers

Our primary infrastructure and data storage are located in the European Union (Railway, EU-West Amsterdam region; Cloudflare R2, WEUR region). Most of our Subprocessors operate within the EU.

Where transfers outside the European Economic Area are necessary (e.g., certain AI Providers, LinkedIn's global infrastructure, marketing website analytics), we rely on:

  • Standard Contractual Clauses ("SCCs") adopted by the European Commission (Decision 2021/914)

  • Adequacy decisions where applicable

  • Supplementary technical measures including encryption in transit and at rest, and Zero Data Retention configurations with AI Providers

A list of Subprocessors and applicable transfer mechanisms is available on our Subprocessors page. You may request copies of relevant SCCs by contacting dpa@replaiy.ai.

10. Data Security

We implement appropriate technical and organizational measures pursuant to Article 32 GDPR, including:

  • Encryption of data in transit (TLS 1.2 or higher) and at rest (AES-256)

  • Access controls with role-based permissions and least-privilege principles

  • Multi-factor authentication required for all employee accounts and offered to all Users

  • Strict password policies with industry-standard hashing

  • Audit logging of administrative and security-relevant actions

  • Regular security reviews of code, infrastructure, and dependencies

  • Vendor security assessments before onboarding new Subprocessors

  • Backup and disaster recovery procedures with EU-based redundancy

  • Incident response procedures including breach notification to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) within 72 hours where required

A more detailed overview is available in our Security FAQ.

11. Your Rights Under GDPR

Subject to the conditions set out in the GDPR, you have the right to:

  • Access (Art. 15) — Obtain a copy of your Personal Data.

  • Rectification (Art. 16) — Correct inaccurate or incomplete data.

  • Erasure (Art. 17) — Request deletion of your data ("right to be forgotten").

  • Restriction (Art. 18) — Limit how we process your data.

  • Data Portability (Art. 20) — Receive your data in a structured, machine-readable format.

  • Objection (Art. 21) — Object to processing based on legitimate interests or for direct marketing.

  • Withdraw Consent (Art. 7(3)) — Where processing is based on consent, including opting out of AI Model Improvement at any time.

  • Not be subject to automated decision-making (Art. 22) — We do not make decisions producing legal or similarly significant effects solely by automated means.

  • Lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) or the supervisory authority in your country of residence.

To exercise your rights, contact dpa@replaiy.ai. We will respond within one month, with a possible extension of two further months for complex requests. Where you are a Lead and we process your data on behalf of a Customer, we will forward your request to the relevant Customer or instruct you accordingly.

12. Cookies and Tracking Technologies

We use a limited set of cookies and similar technologies. Strictly necessary cookies (authentication, session, security) are set without consent. On our marketing website (replaiy.ai), we use Microsoft Clarity and Google Analytics for analytics purposes, which are set only with your consent via our cookie banner. Within our product application (replaiy.app), we use PostHog (EU Cloud) configured without setting non-essential cookies. We do not use advertising cookies.

For full details, see our Cookie Policy.

13. Children's Privacy

Our Services are intended exclusively for business use by professionals aged 18 or older. We do not knowingly collect Personal Data from individuals under 18. If we become aware that such data has been collected, we will delete it promptly. Parents or guardians may contact dpa@replaiy.ai with concerns.

14. Third-Party Links and Integrations

Our Services integrate with third-party platforms, including LinkedIn (via Unipile), Google Workspace (Calendar), and Stripe (payments). These third parties operate under their own privacy policies, which we encourage you to review:

  • LinkedIn — linkedin.com/legal/privacy-policy

  • Unipile — unipile.com/privacy

  • Google (Workspace + Gemini) — policies.google.com/privacy

  • Stripe — stripe.com/privacy

  • PostHog — posthog.com/privacy

  • Anthropic — anthropic.com/privacy

  • xAI — x.ai/legal/privacy-policy

  • OpenRouter — openrouter.ai/privacy

  • Railway — railway.com/legal/privacy

  • Cloudflare — cloudflare.com/privacypolicy

  • Microsoft — privacy.microsoft.com/privacystatement

We are not responsible for the privacy practices of these third parties.

15. Data Processing Agreements

Where a Customer engages Replaiy to process Personal Data on its behalf, the parties enter into a Data Processing Agreement (DPA) that meets the requirements of Article 28 GDPR. Our standard DPA is available in this Help Center and is incorporated by reference into our Terms of Service. A signed copy is available on request.

16. Privacy by Design and Default

We apply the principles of Article 25 GDPR throughout our product development:

  • Privacy considerations are reviewed at the design phase of new features.

  • Default settings minimize data collection — for example, AI Model Improvement is opt-in only and off by default.

  • Data minimization is applied at every layer of the stack.

  • Pseudonymization and anonymization are used where reasonably possible.

  • Access is restricted on a need-to-know basis.

  • Retention periods are enforced through automated deletion routines.

17. Accountability and Compliance

We maintain internal records of processing activities (Article 30 GDPR), conduct Data Protection Impact Assessments (DPIAs) where appropriate, train staff on data protection responsibilities, and review our Subprocessors regularly. We document our compliance posture and make summaries available to Customers on request.

In our role under the EU AI Act, Replaiy is the provider of an AI system intended to generate text content for direct interaction with natural persons. Customers act as deployers and are responsible for their own deployer obligations, including any disclosure obligations toward recipients of AI-assisted communications. Further information is set out in our AI Policy.

18. Updates to This Policy

We may update this Policy from time to time. Material changes will be communicated by email and/or in-app notice at least 30 days before they take effect. The "Last updated" date at the top of this Policy reflects the most recent revision. Historical versions are available on request.

19. Contact Information

For any questions, requests, or concerns regarding this Privacy Policy or our processing of Personal Data:

Replaiy B.V.
Bovenkamp 7A
1391 LH Abcoude
The Netherlands
Email: dpa@replaiy.ai
Web: https://replaiy.ai

Dutch supervisory authority:

Autoriteit Persoonsgegevens
Postbus 93374, 2509 AJ Den Haag
autoriteitpersoonsgegevens.nl