Privacy Policy

When you use ReplyOP we collect and store the following on your behalf:

• Account information. Your email address, full name, phone, company, job title, license or credential identifier, and email signature. You provide these when you sign up or fill in your profile.
• Email content. The full body, subject, sender, recipient, headers, timestamps, and Gmail/IMAP metadata of messages we sync from your connected mailboxes. This includes both inbound and outbound mail.
• Contacts. Names, email addresses, phone numbers, deal values, lead stages, notes, tags, lead scores, and any other CRM fields you create or that we derive from your email history.
• Instagram data (only if you connect Instagram). When you connect an Instagram professional account through Meta's official login, we collect: your Instagram account ID, username, and the access token Meta issues us; the content, sender, and timestamps of direct messages exchanged with people who message your account; and the Instagram-scoped ID and public profile name of those senders. When you enable comment-to-DM automations, we also read public comments on your posts (the comment text and commenter username) so we can auto-reply with a direct message. We only access this data for accounts you explicitly connect, and only for the permissions you grant (instagram_business_basic, instagram_business_manage_messages, and instagram_business_manage_comments).
• Calendar events. When you authorize Google Calendar, we read your free/busy data and create events on your behalf for meetings booked through ReplyOP.
• AI-generated artifacts. Drafts, summaries, classifications, lead scores, intent labels, and confidence values produced by AI on top of your data.
• OAuth tokens. Refresh and access tokens issued by Google and Meta so we can continue to sync mail and Instagram messages. These are stored encrypted at rest and never exposed in our UI.
• Operational logs. Timestamps of automation runs, counts of emails sent or drafted, and error messages — used for debugging and showing you what the automation did.

Your data powers the features you signed up for. Specifically, we use it to:

• Generate email and Instagram DM drafts in your voice.
• Reply to and qualify Instagram direct messages on your behalf (when you connect Instagram and enable it).
• Classify inbound mail (lead vs. promo vs. update vs. other).
• Score leads on intent and engagement.
• Detect meeting requests and propose calendar slots.
• Run multi-step sequences and follow-ups.
• Surface summaries, alerts, and reminders in your inbox.
• Provide audit logs of what the automation did on your behalf.

We do not sell your data. We do not share it with advertisers. We do not use your email content to train shared AI models. Your data flows through our infrastructure to power your account and nothing else.

Marketing and product communications. We use your email address to send you marketing communications about ReplyOP — new features, tips, promotional offers, and related product news — unless you've opted out. You can opt out at any time by clicking the unsubscribe link in any marketing email, or by emailing info@optovo.co. We never sell your email address to third parties for their own marketing.

Account communications. We send transactional emails required for the service: email verification, password resets, billing receipts, security alerts (new sign-ins from unrecognized devices, payment failures), and important changes to terms or pricing. These cannot be opted out of while your account is active — they're necessary for you to use the product safely.

ReplyOP could not function without a small number of essential service providers:

• Google. When you connect Gmail, we use Google's OAuth flow and their Gmail and Calendar APIs to read and send mail and to read your availability. Google's handling of your data is governed by Google's own privacy policy.
• Google Generative AI (Gemini). We send the contents of inbound emails, your past sent mail samples, contact context, and the prompts that produce drafts and classifications to Google's Generative Language API. Per Google's paid API terms, prompts and responses sent to the API are not used by Google to improve or train their generally-available models. We do not opt in to any data-sharing or improvement program. That said, the content of every email we draft for you does transit Google's API endpoints.
• Meta Platform (Instagram). When you connect Instagram, we use Meta's official Instagram Login and the Instagram Graph API to read and send direct messages on the account you authorize. Meta's handling of your data is governed by Meta's own privacy policy. We use Meta Platform Data strictly to provide the messaging features you enable and in accordance with the Meta Platform Terms and Developer Policies.
• Database and hosting. Your data is stored in a managed Postgres database, encrypted at rest, hosted on infrastructure located in the EU or US depending on your region.

We do not pass your data to any analytics, advertising, or marketing tool. Operational error reporting (when enabled) only contains stack traces and request metadata, never email bodies.

This section applies only if you connect an Instagram account. It describes how ReplyOP handles "Platform Data" obtained through Meta's APIs, in accordance with the Meta Platform Terms and Developer Policies.

• What we access. With your authorization, we access your Instagram account's direct messages, public comments on your posts (when you enable comment-to-DM automations), and the basic profile information of the people who message or comment, using only the instagram_business_basic, instagram_business_manage_messages, and instagram_business_manage_comments permissions you grant during login.
• How we use it. Solely to display your DMs inside ReplyOP, draft and send replies in your voice, qualify leads, and hand conversations off to you. We do not use Instagram data for advertising, profiling unrelated to your account, or any purpose beyond the messaging features you enable.
• What we never do. We do not sell Instagram data, do not share it with data brokers or advertisers, and do not use it to train shared or third-party AI models.
• Revoking access. You can disconnect Instagram at any time from ReplyOP (Instagram → Connect), or remove ReplyOP directly from your Instagram/Facebook account settings under "Apps and Websites." Revoking access stops all future data collection immediately.
• Deauthorization. If you remove ReplyOP from your Meta account, Meta notifies us at our deauthorize callback and we immediately mark the connection inactive and stop accessing your Instagram data.
• Data deletion. You can request deletion of all Instagram data we hold for you at any time — either through Meta's data deletion request flow (which calls our data-deletion endpoint and removes your Instagram account record, conversations, and messages), or by emailing info@optovo.co. Deletion is processed promptly and confirmed.

All data is stored in a managed Postgres database with encryption at rest and TLS in transit. OAuth tokens are stored alongside the rest of your account record. We do not ship your data to backups outside the primary region. Database backups follow standard point-in-time-recovery practices and are themselves encrypted.

We retain your data for as long as your account exists. When you delete data through the app — by removing a contact, an email, your Instagram connection, or your entire account — it is removed from the live database immediately and from rolling backups within thirty days.

We do not keep shadow copies. We do not retain "anonymized" versions of your email content for analytics.

You have the right to:

• Access and port your data. From Settings → Account you can download a complete JSON export of every record we hold for you.
• Correct inaccurate data. You can edit your profile, contacts, and templates directly in the app, or email us for help.
• Delete your account and all associated data. The Danger zone in Settings runs a full cascading deletion and revokes connected Google and Meta OAuth tokens. You can also delete just your Instagram data — see "Instagram & Meta Platform data" above.
• Opt out of automated processing. Switch autopilot to Manual to require explicit approval before any AI action is taken on your behalf.
• Lodge a complaint with your local data protection authority (for EU residents) or the California Attorney General's office (for California residents) if you believe we have not honored your rights.

California residents have specific rights under the CCPA, including the right to know what personal information we collect and the right to non-discrimination for exercising your rights. We honor those rights for all users regardless of residency.

ReplyOP is not directed at children under 16 and we do not knowingly collect data from them. If you believe a minor has signed up, contact us and we will delete the account.

If we change this policy in any material way, we'll update the "Last updated" date below and, for changes that affect how we use existing data, send you an in-app or email notice before the change takes effect.

Questions, requests, or complaints: info@optovo.co. We aim to respond within five business days.