Privacy Policy

Information You Provide

• Account information: email address, name, and profile details when you create an account.
• Payment information: billing details processed securely by Stripe. We do not store your full credit card number on our servers.
• Connected accounts: when you link third-party services (iMessage, WhatsApp, Slack, Gmail, etc.), we receive authentication tokens and the permissions you grant. We access only the data necessary to provide the Service.
• Support communications: messages you send to our team via email or in-app support.

Information Collected Automatically

• Usage analytics: anonymised data about feature usage, session duration, and interaction patterns, collected via our analytics providers to help us improve the product.
• Device and diagnostic data: device type, macOS version, app version, crash reports, and performance metrics to maintain stability.

Message Content

RPLY accesses your messages from connected platforms to display them in your unified inbox and to power features like search, triage, and AI draft suggestions. How this data is processed depends on your settings, see Section 3: AI Features and Data Processing below.

We use your information to:

• Provide, maintain, and improve RPLY's core functionality, including syncing messages across connected platforms.
• Power AI features such as draft reply suggestions, semantic search, and message triage.
• Process payments and manage your subscription through Stripe.
• Send transactional communications (account verification, billing, security alerts).
• Analyse anonymised usage patterns to improve the product.
• Respond to support requests and communicate with you about the Service.
• Detect, prevent, and address technical issues or security threats.

We do not use your personal messages to train generalised AI models. We do not sell your data to advertisers or other third parties.

RPLY includes AI-powered features that process message content to generate draft replies, summarise conversations, enable semantic search, and triage your inbox. Here is how that works:

Local Processing

Where possible, RPLY processes message data directly on your device using local models. When processing happens locally, your message content never leaves your Mac.

Server-Side Processing

Certain advanced AI features may require server-side processing. When this occurs:

• Message content is transmitted using end-to-end encryption.
• Data is processed transiently and is not persisted on our servers beyond the time required to complete the request (typically seconds).
• We do not use your message content to train, fine-tune, or improve AI models, ours or any third party's.
• Our AI infrastructure providers are contractually prohibited from retaining or using your data for their own purposes.

Your Control

You can disable server-side AI features at any time in RPLY's settings, restricting all processing to your local device.

RPLY connects to third-party messaging and email platforms. Each integration accesses only the data necessary to display your messages and provide RPLY's features.

Apple iMessage

RPLY reads iMessage data from your local device database. This data stays on your Mac and is not uploaded to our servers unless you use server-side AI features on specific conversations.

WhatsApp

RPLY accesses WhatsApp messages to display them in your unified inbox. Your use of WhatsApp through RPLY remains subject to Meta's WhatsApp Terms of Service and Privacy Policy.

Slack

When you connect a Slack workspace, RPLY accesses messages within the scope of permissions you authorise. Slack workspace administrators may have additional controls over data access. Your use of Slack through RPLY is subject to Slack's Terms of Service.

Gmail and Email

RPLY's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We access only the email data necessary to provide the Service and do not use Gmail data for advertising or any purpose unrelated to RPLY's functionality.

Other Platforms

As we add support for additional messaging platforms, this policy will be updated to reflect the data practices specific to each integration.

We do not sell your personal information. We share data only with the following categories of service providers, each bound by contractual obligations to protect your data:

• Payment processing: Stripe processes your payment information. See Stripe's Privacy Policy.
• Analytics: We use anonymised analytics to understand feature usage and improve the product. Analytics data does not include message content.
• Cloud infrastructure: Our servers are hosted by reputable cloud providers with industry-standard security certifications.
• AI infrastructure: When server-side AI features are used, message content may be processed by our AI infrastructure providers under strict data processing agreements that prohibit retention or secondary use.

We may also disclose information if required by law, legal process, or government request, or to protect the rights, safety, or property of NOX, our users, or others.

We retain your data as follows:

• Account information: retained while your account is active and for up to 30 days after deletion to allow for account recovery.
• Payment records: retained as required by applicable tax and financial regulations (typically 7 years for transaction records).
• Message content: not stored on our servers. When server-side processing occurs, data is held transiently (typically seconds) and not persisted.
• Analytics data: anonymised analytics are retained for up to 24 months, after which they are deleted.
• Diagnostic data: crash reports and performance logs are retained for up to 90 days.

You may request deletion of your data at any time (see Your Rights and Choices).

We implement technical and organisational measures to protect your data, including:

• Encryption in transit (TLS) and at rest for all stored data.
• Local-first architecture, message data stays on your device whenever possible.
• Transient server-side processing with no persistent storage of message content.
• Regular security reviews and access controls.

No system is completely secure, and we cannot guarantee absolute security. If we become aware of a data breach affecting your personal information, we will notify you and relevant authorities in accordance with applicable law.

Depending on your location, you may have some or all of the following rights regarding your personal data:

• Access: request a copy of the personal data we hold about you.
• Correction: request correction of inaccurate or incomplete data.
• Deletion: request deletion of your personal data, subject to legal retention requirements.
• Portability: request your data in a structured, machine-readable format.
• Restriction: request that we limit processing of your data in certain circumstances.
• Objection: object to processing of your data for certain purposes.
• Withdraw consent: where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, email us at team@heynox.com. We will respond within 30 days.

Additional Controls in RPLY

• Local-only mode: disable server-side AI processing so all message data stays on your device.
• Disconnect integrations: revoke access to any connected platform at any time from RPLY's settings.
• Delete your account: remove your account and associated data from RPLY's settings or by contacting us.

If you are in the EEA or UK, we process your personal data under the following lawful bases as defined by the General Data Protection Regulation (GDPR):

• Contract: processing necessary to provide you with the Service (account management, message syncing, AI features).
• Legitimate interest: analytics, security, and product improvement, balanced against your privacy rights.
• Consent: where required, such as for optional data processing or marketing communications.
• Legal obligation: where we are required to retain data by law.

Your data may be transferred to and processed in the United States. When we transfer data outside the EEA/UK, we rely on Standard Contractual Clauses or other approved transfer mechanisms to ensure adequate protection.

If you believe we have not adequately addressed your data protection concerns, you have the right to lodge a complaint with your local data protection authority.

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with additional rights:

• Right to know: what personal information we collect, use, and disclose.
• Right to delete: request deletion of your personal information.
• Right to correct: request correction of inaccurate information.
• Right to opt-out: of the sale or sharing of personal information. We do not sell or share your personal information as defined by the CCPA/CPRA.
• Non-discrimination: we will not discriminate against you for exercising your privacy rights.

To exercise these rights, contact us at team@heynox.com.

RPLY is operated from the United States. If you access RPLY from outside the US, your information may be transferred to, stored, and processed in the United States or other countries where our service providers operate.

We take steps to ensure that international transfers of personal data are protected by appropriate safeguards, including Standard Contractual Clauses, data processing agreements, and encryption.

RPLY is not intended for users under the age of 18. We do not knowingly collect personal information from children. If we discover that we have collected data from a person under 18, we will promptly delete that information. If you believe a minor has provided us with personal data, please contact us at team@heynox.com.

We may update this Privacy Policy from time to time to reflect changes to our practices, the Service, or legal requirements. For material changes, we will provide notice via email or in-app notification at least 30 days before the changes take effect. The “Last updated” date above indicates the most recent revision.

If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:

NOX Devices, Inc.
team@heynox.com

For data protection inquiries from the EEA or UK, you may also contact us at the email above with the subject line “GDPR Request.”