Privacy Policy
Last updated: 4 July 2026
This Privacy Policy explains how Replyay collects, uses, stores and protects personal data when you visit replyay.com, join the Replyay early-access list, contact us or, once available, use the Replyay email assistance service.
Replyay is an AI-assisted email productivity service designed to monitor a connected inbox for new messages, understand the context of an email conversation and prepare a suggested reply for the user to review. Replyay does not send generated replies automatically unless a separate feature and explicit user instruction are introduced and clearly disclosed.
1. Who we are
Replyay is operated by:
- Website: replyay.com
- Privacy contact: contact@cojocarudavid.me
For personal data collected through the website, early-access list, support communications and account administration, the entity identified above acts as the data controller.
When a business customer connects an inbox and Replyay processes email content solely on that customer’s instructions, Replyay may act as a data processor on behalf of that customer. In those circumstances, the customer is generally responsible for determining the purposes and legal basis of the processing, and the processing will also be governed by an applicable Data Processing Agreement.
2. Scope of this policy
This policy currently applies to the Replyay public website and early-access list.
Replyay is still under development. Before the email processing service becomes generally available, this policy will be updated where necessary to identify the final infrastructure providers, artificial intelligence providers, email integration providers, data locations and service-specific retention periods.
3. Personal data we collect
Early-access list
When you join the Replyay early-access list, we collect:
- Your email address;
- The date and time of your registration;
- Your IP address, used for security, abuse prevention and submission throttling;
- Technical information generated when your browser communicates with our website.
You are not required to join the early-access list. If you do not provide an email address, we will not be able to notify you when Replyay launches.
Website and server information
When you access the website, our hosting infrastructure may automatically record standard technical information, including:
- IP address;
- Browser and device type;
- Operating system;
- Requested page or resource;
- Date and time of the request;
- Referring website, where available;
- Server errors and security events.
This information is used to deliver the website, troubleshoot technical problems, maintain security and prevent malicious or automated activity.
Communications with us
If you contact us by email or through another communication channel, we may collect your name, email address, company information, the content of your message and any other information you choose to provide.
Replyay account and service data
Once the Replyay service is available, we may process the following information where necessary to provide it:
- Account details, such as your name, email address and organisation;
- Authentication information and secure authorisation tokens used to connect supported email services;
- Your Replyay preferences, settings and selected AI provider;
- Email metadata, such as sender, recipient, subject, message identifiers and timestamps;
- The content of email threads that must be analysed to prepare a reply;
- Attachments, only where the relevant feature requires them and you choose to enable it;
- Prompts, generated reply drafts and user edits or feedback;
- Service usage, diagnostic, security and error information;
- Subscription, billing and transaction information, where applicable.
We will only request access to information that is reasonably necessary for the features you activate.
4. How we use personal data
We may use personal data to:
- Manage the Replyay early-access list;
- Send the launch notification and closely related product information you requested;
- Respond to enquiries and support requests;
- Operate, maintain and secure the website;
- Detect spam, automated submissions, fraud and other misuse;
- Create and manage Replyay accounts once the service is available;
- Connect to supported email providers at the user’s request;
- Read the necessary conversation context and generate a suggested reply;
- Save or display generated drafts according to the user’s settings;
- Monitor reliability, investigate errors and improve service performance;
- Comply with legal, accounting, tax or regulatory obligations;
- Establish, exercise or defend legal claims.
5. Legal bases for processing
Depending on the context, we rely on one or more of the following legal bases:
- Consent: when you voluntarily join the early-access list or agree to receive optional communications;
- Performance of a contract: when processing is necessary to create an account, provide Replyay or deliver a feature you requested;
- Steps taken before entering into a contract: when you ask questions about Replyay or request access to the service;
- Legitimate interests: to operate and secure the website, prevent abuse, respond to communications, diagnose technical problems and improve the reliability of the service;
- Legal obligation: when processing is required by applicable law;
- Legal claims: where information must be retained or used to establish, exercise or defend legal rights.
Where processing is based on consent, you may withdraw that consent at any time. Withdrawal does not affect processing that took place before the withdrawal.
6. Email content and AI processing
Replyay is designed to analyse the context of an email conversation so that it can prepare a relevant suggested response. This may require processing the full thread rather than only the most recent message.
Email content may include personal data relating to the account holder, senders, recipients and other individuals mentioned in the conversation. Users are responsible for ensuring that they have an appropriate legal basis and authority to connect an inbox and use Replyay for the messages being processed.
Replyay is intended to generate drafts for human review. Generated text may be inaccurate, incomplete or inappropriate. Users should review every draft before sending it and remain responsible for the final communication.
Bring Your Own Key
If you choose to use your own API key or AI provider account, the information required to generate a draft will be sent to the provider you selected. That provider may process the information under its own agreement, settings and privacy terms.
You should review the privacy and data retention settings offered by your selected provider before connecting it to Replyay.
Replyay Cloud
If you choose Replyay Cloud, the content required to generate a reply may be processed by AI infrastructure selected and managed by Replyay. Replyay Cloud is currently planned to use DeepSeek-powered infrastructure, although providers may change before or after launch.
The active AI providers and relevant subprocessors will be disclosed before the service is made generally available and will be updated when material changes occur.
Replyay does not sell inbox content. We do not intend to use private email content to train general-purpose AI models. We will use contractual, account-level and technical controls intended to prevent service providers from using customer content for unrelated model training, except where a user gives separate, explicit consent.
7. Automated decision-making
Replyay uses automated systems to analyse text and generate suggested email replies. This is automated content generation, but it is not intended to make decisions that produce legal or similarly significant effects about individuals.
Replyay drafts are intended to be reviewed by a person before they are sent. Replyay does not independently decide whether a message should be sent, accepted, rejected or acted upon.
8. Cookies and similar technologies
At the date of this policy, Replyay does not intentionally use advertising cookies or third-party behavioural tracking cookies on the public landing page.
Strictly necessary cookies may be used for website administration, security, authentication or other functionality that cannot operate correctly without them. For example, WordPress may set authentication and preference cookies for authorised administrators who log in to manage the website.
If we introduce analytics, advertising or other non-essential cookies, we will update this policy and, where required, request consent before placing them.
9. Comments, accounts and media uploads
The public Replyay website does not currently provide visitor comments, public account registration or visitor media uploads.
If these features are introduced, this policy will be updated before or when they become available.
10. Embedded content and external links
The website may contain links to external websites. Following an external link may allow the destination website to collect information under its own privacy policy. Replyay does not control and is not responsible for the privacy practices of independent third-party websites.
If articles later include embedded videos, images, forms or other content from third-party services, that embedded content may behave as though you visited the third-party website directly. We will update this policy and implement any required consent controls before intentionally adding tracking-based embedded services.
11. Who we share personal data with
We may disclose personal data only where reasonably necessary to the following categories of recipients:
- Website hosting, infrastructure, storage and security providers;
- Email delivery providers used to send the launch notification or service communications;
- Email providers that you choose to connect to Replyay;
- AI providers selected by you or used to operate Replyay Cloud;
- Payment and billing providers, once paid subscriptions are available;
- Professional advisers, including legal, accounting and security specialists;
- Government authorities, courts or regulators where disclosure is legally required;
- A purchaser, investor or successor in connection with a merger, financing, acquisition, restructuring or sale of assets, subject to appropriate confidentiality and legal safeguards.
Service providers are permitted to process personal data only for the relevant service or as otherwise permitted by applicable law.
We do not sell personal data.
12. International data transfers
Some hosting, email, infrastructure or AI providers may process personal data outside Romania or the European Economic Area.
Where an international transfer requires additional protection, we will use an applicable legal transfer mechanism, such as an adequacy decision, approved Standard Contractual Clauses or another safeguard recognised by applicable data protection law.
When you independently select an AI or email provider through a Bring Your Own Key configuration, transfers made by that provider may also be governed by your own agreement with that provider.
13. How long we retain personal data
We retain personal data only for as long as reasonably necessary for the purpose for which it was collected, including security, contractual, legal and accounting requirements.
- Early-access information: retained until you withdraw your consent, request deletion or the early-access list is no longer required, generally no longer than 12 months after the public launch of Replyay;
- IP and anti-abuse information: retained for as long as necessary to prevent abuse, investigate security incidents and protect the website;
- Contact and support communications: generally retained for up to 24 months after the conversation ends, unless a longer period is necessary for an ongoing relationship or legal claim;
- Account information: retained while the account is active and for a limited period after closure where needed for support, fraud prevention, accounting or legal compliance;
- Email content and generated drafts: retained according to the service configuration, customer instructions and the minimum period needed to provide the selected feature;
- Billing and legal records: retained for the period required by applicable accounting, tax and legal obligations;
- Security logs: retained for a limited period appropriate to the security risk, unless a specific event requires longer investigation.
We may retain limited information after a deletion request where it is necessary to comply with law, resolve disputes, enforce agreements, prevent fraud or demonstrate that a request was completed.
14. How we protect personal data
We use reasonable technical and organisational measures intended to protect personal data against unauthorised access, loss, misuse, alteration or disclosure.
Depending on the service and stage of development, these measures may include access controls, encrypted connections, restricted administrator permissions, secure authentication, logging, backups, rate limiting, provider reviews and encryption of sensitive credentials.
No online service can guarantee absolute security. Users should also protect their accounts, email provider credentials and API keys and should notify us promptly if they suspect unauthorised access.
15. Your data protection rights
Subject to applicable law and any relevant limitations, you may have the right to:
- Request access to the personal data we hold about you;
- Request correction of inaccurate or incomplete data;
- Request deletion of your personal data;
- Request restriction of processing;
- Object to processing based on legitimate interests;
- Withdraw consent at any time where processing is based on consent;
- Receive certain personal data in a structured, commonly used and machine-readable format;
- Request transmission of eligible data to another controller where technically feasible;
- Object to direct marketing at any time;
- Lodge a complaint with a competent data protection supervisory authority.
To exercise a right, email contact@cojocarudavid.me and clearly describe your request.
We may need to request information necessary to confirm your identity and prevent unauthorised disclosure or deletion. We will respond within the period required by applicable law.
16. Early-access emails and opting out
When you join the early-access list, we may use your email address to notify you when Replyay becomes available and to send closely related early-access information.
You may withdraw from the list at any time by using an unsubscribe option included in an email, where available, or by contacting contact@cojocarudavid.me.
After opting out, we may keep limited suppression information to ensure that we respect your request and do not add the same address back to marketing communications unintentionally.
17. Children’s privacy
Replyay is intended for professional and business email productivity and is not directed to children.
If you believe that a child has provided personal data to us without appropriate authorisation, contact us so that we can review and delete the information where required.
18. Changes to this Privacy Policy
We may update this Privacy Policy when Replyay changes, when new integrations or providers are introduced or when legal requirements change.
The latest version will be published on this page with an updated “Last updated” date. Where a change materially affects registered users or the use of their data, we may also provide an additional notice through the service or by email.
19. Contact and complaints
For privacy questions, requests or concerns, contact:
- Email: contact@cojocarudavid.me
We encourage you to contact us first so that we have an opportunity to investigate and resolve your concern.