ReplyList

Privacy Policy

Last updated: March 15, 2026

1. Introduction

Heat & Horizon LLC ("we," "us," or "our") operates the ReplyList application at app.replylist.com (the "Service"). This Privacy Policy describes how we collect, use, store, share, and protect your information when you use our Service.

By creating an account or using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Service.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

  • First and last name
  • Email address
  • Password stored as a cryptographic hash; we never store plaintext passwords
  • Phone number and country code
  • Timezone, auto-detected from your browser
  • Profile photo URL if you sign up with Google

2.2 Connected Account Data

When you connect third-party accounts such as Gmail, Outlook, Slack, Microsoft Teams, Google Chat, Asana, Monday.com, or Jira, we access and process:

  • Email metadata: sender, recipients, subject line, date, message ID, labels, and a link to the message in your email provider
  • Email content: message body text, which may be used for AI analysis to determine whether a response is needed
  • Chat metadata: sender, channel or space name, message timestamp, and a link to the message
  • Chat content: message text, which may be used for AI analysis to determine whether a response is needed
  • Task or project data: task titles, comments, assignees, and status from project management tools
  • OAuth tokens: access and refresh tokens that allow us to read your data from connected services

2.3 Payment Information

Payment processing is handled entirely by Stripe. We do not store your full credit card number. We retain only:

  • Stripe customer ID
  • Subscription status and billing period
  • Last four digits of your payment card and card brand
  • Invoice and payment history, including amounts, dates, and statuses

2.4 Automatically Collected Information

  • IP address collected at signup for fraud prevention and rate limiting. IP addresses used for rate limiting are stored as irreversible hashes.
  • reCAPTCHA data. We use Google reCAPTCHA Enterprise during signup to prevent automated abuse. Google may collect device and interaction data as part of this process, subject to Google's Privacy Policy.
  • Activity timestamps recording when you last logged in and last used the Service, for account maintenance and inactivity cleanup.

2.5 Information We Do Not Collect

We do not use cookies for advertising or cross-site tracking. We may use privacy-focused analytics to understand aggregate usage patterns and improve the Service. We do not employ session recording, heatmaps, or behavioral profiling tools.

3. How We Use Your Information

We use the information we collect to:

  • Provide the Service by identifying messages and tasks that need your response and notifying you through digest emails or digest chat messages
  • Analyze email and chat message content to determine whether a response is needed and assign a priority level
  • Send notifications by delivering digest summaries at your configured times via email or Slack
  • Process payments by managing subscriptions, billing, and invoices through Stripe
  • Prevent abuse through rate limiting, spam detection, and reCAPTCHA verification during signup
  • Maintain and improve the Service by debugging sync errors, monitoring webhook health, and ensuring reliable operation
  • Communicate with you through transactional emails such as verification emails and billing notices

4. How We Store and Protect Your Data

4.1 Infrastructure

Your data is stored on Google Cloud Platform in the United States. All data in transit is encrypted via TLS.

4.2 Encryption

We apply additional encryption to sensitive fields beyond standard at-rest encryption:

  • OAuth tokens, including access tokens and refresh tokens, are encrypted before storage
  • Contact names and email subjects in response-tracking records are encrypted at the application layer
  • User notes, such as follow-up notes and ignore-list notes, are encrypted at the application layer

4.3 Access Controls

Administrative access to the backend is restricted to authorized personnel, protected by email allowlisting, time-based one-time password verification, and session management.

5. AI Processing and Email Content

ReplyList uses artificial intelligence to analyze your email and chat messages to determine whether they require a response from you.

We temporarily send message content to an AI provider, like Google Vertex AI, to determine whether a response is needed, then discard it. Message bodies are not stored. We retain only a limited and encrypted message record, including sender name, sender email, and subject line, and the AI's structured analysis result. Message records are automatically deleted within 7 days of being resolved. Your data is not used to train AI models.

6. Data Retention

We retain your data for the following periods:

Data Type | Retention Period
Account profile | Until account deletion
Connected account credentials (OAuth tokens) | Until account disconnected or deleted
Message tracking records | Until resolved; closed records deleted after 7 days
Notification and digest history | 30 days
Payment history | Until account deletion, retained for billing and dispute resolution

When you delete your account, all of the above data is permanently removed.

7. Third-Party Services

We share data with the following third-party service providers to operate the Service and handle website inquiries:

Provider | Purpose | Data Shared
Google Vertex AI | Message analysis for inference only | Message content, not stored by the provider for training
Stripe | Payment processing | Billing details and subscription data
Resend | Transactional and digest email delivery | Recipient email address and email content
Google reCAPTCHA Enterprise | Signup fraud prevention | IP address and browser interaction data
FormSubmit | Contact form delivery from replylist.com/contact | Name, email address, subject line, and message body

We do not sell, rent, or trade your personal information to any third party. We do not share your data with advertisers or data brokers.

8. Google API Services - Limited Use Disclosure

ReplyList's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

  • We only use access to Google user data to provide and improve the Service's core functionality, including identifying messages needing a response and sending digest notifications.
  • We do not use Google user data for advertising or to serve ads.
  • We do not allow humans to read your Google user data unless we have your express consent, it is necessary for security purposes, or it is required by law.
  • We do not transfer Google user data to third parties except as necessary to provide the Service, as required by law, or as part of a merger or acquisition with notice.
  • Your Google user data is not used to train artificial intelligence or machine learning models.

9. Your Rights and Choices

9.1 Access and Export

You can export all of your data at any time from the Profile page in the application. The export is delivered as a JSON file containing your profile, connected accounts, response-tracking records, and settings.

9.2 Disconnect Accounts

You can disconnect any connected account at any time from the Accounts page. When you disconnect an account, we revoke the OAuth token and stop accessing data from that provider. Associated response-tracking records are closed.

9.3 Delete Your Account

You can delete your account from the Settings page or the Profile page. Account deletion permanently removes:

  • Your user profile and all personal information
  • All connected account records and access tokens
  • All response-tracking records
  • All notification and digest history
  • All payment history records
  • Your authentication account
  • Your subscription, which is cancelled automatically
  • Any team memberships; teams you own are deleted along with all associated data

If you request deletion from the Profile page, there is a 7-day grace period during which you can cancel the request. Deletion from the Settings page is immediate.

9.4 Notification Preferences

You can control when and how you receive digest notifications from the Settings page, including delivery times, days of the week, and delivery channel. You can also unsubscribe from digest emails using the link in any digest email.

9.5 VIP and Ignore Lists

You can prioritize specific contacts with a VIP list or exclude contacts and domains with ignore lists from your Settings page.

10. Teams and Shared Data

If you join or create a team, the following data is visible to other team members:

  • Your display name, email address, and role within the team
  • Team billing and subscription status, visible to the team owner

The following data is never shared with other team members:

  • Your connected accounts and access tokens
  • Your messages, emails, or chat content
  • Your response-tracking records
  • Your notification settings and preferences
  • Your VIP contacts and ignore lists

11. Data Security

We implement appropriate technical and organizational measures to protect your data, including:

  • Encryption in transit for all connections
  • Encryption at rest for all stored data
  • Application-layer encryption for sensitive fields such as access tokens and message metadata
  • Rate limiting and abuse prevention at multiple levels
  • Restricted administrative access with multi-factor authentication

No system is 100% secure. If we become aware of a security breach that affects your personal data, we will notify you and any applicable regulator as required by law.

12. Children's Privacy

The Service is not directed to children under the age of 16. We do not knowingly collect personal information from children under 16. If we learn that we have collected data from a child under 16, we will delete it promptly.

13. International Data Transfers

Your data is stored and processed in the United States on Google Cloud Platform infrastructure. If you are located outside of the United States, your information is transferred to, stored, and processed in the United States. By using the Service, you consent to this transfer.

14. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through a notice in the application before the changes take effect. Your continued use of the Service after the changes become effective constitutes acceptance of the updated policy.

15. Contact Us

If you have questions about this Privacy Policy or how we handle your data, please contact us at support@replylist.com.

© 2026 Heat & Horizon LLC. All Rights Reserved.