Privacy Policy
Last updated: 25 May 2026
This Privacy Policy explains how Pravi Ltd (“Pravi”, “we”, “us”) handles personal data in connection with Replied (the “Service”), available at getreplied.io.
Pravi Ltd is a company registered in England and Wales (No. 15897581) with its registered office at 54 Manor Park, Barnstaple, Devon EX31 2DH. For privacy questions, contact us at hello@getreplied.io.
Pravi is the data controller for personal data about you (our customer). When you use Replied to process emails sent to you by third parties (for example, founders pitching your firm), you are the controller of that personal data and we act as your processor.
1. What we collect
Account & profile data
- Your name and work email address
- OAuth tokens granted via Microsoft to access your mailbox
- Your organisation and subscription plan
Configuration you provide
- Investment criteria, referral funds, draft preferences, signature, blocklist entries
- Any other settings you choose to store in the Service
Mailbox-derived content
- Inbound emails identified as pitches: sender, subject, body, headers, attachments (e.g. pitch decks)
- Metadata we derive: verdicts, scores, criterion assessments, reasoning, extracted fields
- Draft replies we generate and store in your Drafts folder
Billing data
- Your Stripe customer ID and subscription state
- Invoice history (Stripe holds your payment card details, not us)
Usage & technical data
- Logs of API requests, errors, and feature usage
- IP address, browser and device information
- If you consent to analytics cookies: anonymised product-usage events via Vercel Analytics, PostHog (EU region), and SEO traffic data via ClickRank
2. How we use your data and why
- To provide the Service — reading your mailbox, evaluating pitches, drafting replies, persisting your configuration. Legal basis: performance of contract.
- To bill you — managing subscriptions and payments via Stripe. Legal basis: performance of contract; legal obligation (tax/accounting).
- To secure and operate the Service — monitoring for abuse, preventing fraud, debugging errors, maintaining backups. Legal basis: legitimate interests in operating a reliable, secure service.
- To improve the Service — analysing usage patterns and feedback. Legal basis: legitimate interests; consent where cookies are involved.
- To communicate with you — replying to support requests, sending service updates, and (where you have agreed) product news. Legal basis: legitimate interests; consent for marketing emails.
We do not use the contents of your mailbox to train AI models. We do not sell your personal data to anyone.
3. Mailbox content: your role and ours
When Replied processes emails in your mailbox, those emails often contain personal data about other people — founders, colleagues, contacts. For that personal data:
- You are the controller — you decide what mailbox to connect and for what purpose.
- We are the processor — we process that data only on your instructions and only to provide the Service.
- Rights requests from senders (e.g. founders) should be directed to you, not us. We will assist you in responding within a reasonable time.
You confirm that you have a lawful basis (usually legitimate interests) to share this content with us for the purposes of running the Service.
4. Cookies and similar technologies
We use a small number of cookies and local storage entries:
- Strictly necessary — session cookies (e.g. replied_session) to keep you signed in, and the consent record itself. These are always on.
- Analytics (opt-in) — Vercel Analytics, PostHog (EU region) and ClickRank for product usage and SEO. These only fire after you accept analytics cookies in our consent banner.
You can change your choice at any time by clicking “Cookie preferences” in the footer.
5. Who we share data with
We share personal data only with the sub-processors listed below, each of which is under a written contract that restricts their use of the data to providing services to us:
- Amazon Web Services — application hosting, database, storage
- Microsoft — mailbox access (Microsoft Graph API)
- OpenAI — AI evaluation and draft generation
- Stripe — payment processing and billing
- Mailgun — inbound and transactional email infrastructure
- Vercel — marketing site hosting and (with consent) analytics
- PostHog — product analytics (with consent), EU region
- ClickRank — SEO and traffic analytics (with consent)
- HubSpot — demo booking forms on our marketing site
We may also disclose personal data when required by law, court order, or to protect the rights, property or safety of Pravi, our users, or others.
If we are involved in a merger, acquisition or sale of assets, personal data may be transferred as part of that transaction; we will notify you and give you a meaningful opportunity to object before any such transfer takes effect.
6. International transfers
Some of our sub-processors are based outside the UK and EEA, including in the United States. Where personal data is transferred to a country without an adequacy decision, we rely on appropriate safeguards such as the UK International Data Transfer Agreement or EU Standard Contractual Clauses, together with any additional measures required.
7. How long we keep data
- Account & configuration data: for as long as your account is active, then for a short retention window (around 30 days) before deletion, to allow account recovery.
- Mailbox-derived content (submissions, drafts, verdicts): retained while your account is active; deleted on account closure (subject to the same recovery window).
- Billing records: retained for as long as required by tax and accounting law (typically 6–7 years in the UK).
- Logs and security telemetry: retained for a limited period appropriate to the purpose (typically up to 90 days), then deleted or anonymised.
8. Your rights
If you are in the UK or EEA, you have the right under data protection law to:
- Access the personal data we hold about you
- Correct inaccurate or incomplete data
- Have your data erased in certain circumstances
- Restrict or object to certain processing
- Port your data to another service
- Withdraw consent at any time (where processing is based on consent)
- Lodge a complaint with a supervisory authority — in the UK, the Information Commissioner's Office (ico.org.uk)
To exercise any of these rights, email hello@getreplied.io. We will respond within one month.
9. Security
We apply appropriate technical and organisational measures to protect personal data, including encryption in transit, encrypted storage, access controls, audit logging, and regular review of our sub-processors. No system is perfectly secure, and we cannot guarantee absolute security; if a personal data breach occurs that is likely to result in a risk to your rights, we will notify you and the relevant supervisory authority in line with our legal obligations.
10. Children
Replied is a B2B product not intended for individuals under 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.
11. Changes to this policy
We may update this Privacy Policy from time to time. The “Last updated” date at the top will reflect when it last changed. For material changes, we will give reasonable notice in-app or by email.
12. Contact us
Privacy questions, rights requests, or sub-processor information: hello@getreplied.io.