Privacy Policy
Last updated: 18 May 2026
1. Who we are (data controller)
ReplyRate ("we", "us", "the service") is operated by ReplyRate Ltd, a company registered in England and Wales. We are the data controller for personal data we process about you. Contact: hyder@replyrate.ai
2. What personal data we collect
We collect and process the following categories of personal data:
2.1 Account data
- Email address (used for sign-in)
- Display name (optional, set at sign-up)
- Firebase authentication ID (a unique identifier we use internally)
- Stripe customer ID (if you subscribe)
- Subscription status, plan, and renewal date
2.2 Service usage data
- CV content you upload or generate
- Cover letter drafts
- Interview preparation notes and answers
- Saved job applications, interview events, and contacts
- Voice interview audio (transcribed by speech-to-text, then discarded)
- Email scoring inputs (the email content you paste to be scored)
- Settings, preferences, and user-specific configuration
2.3 Analytics data
- Page views, button clicks, and feature usage
- Browser type, operating system, and approximate geographic region (country-level only)
- Session duration and navigation patterns
2.4 Technical data
- IP address (used for rate limiting and abuse prevention)
- Device fingerprint (basic, for security purposes)
3. How we collect this data
- Directly from you when you create an account, fill in profile fields, or use service features
- Automatically when you interact with the service (analytics, technical data)
- From third parties only when you authorise it (e.g. signing in with Google links your Google email)
4. Why we process your data and legal basis
We process your data on the following legal bases (UK GDPR Article 6):
4.1 Performance of a contract
- To provide the service you have subscribed to
- To process payments and manage your subscription
- To enable features (CV generation, scoring, etc.)
4.2 Legitimate interests
- To improve the service (anonymised analytics)
- To prevent fraud, abuse, and unauthorised access
- To respond to support requests
4.3 Consent
- Optional analytics cookies
- Marketing communications (we do not currently send marketing email; if we do in future, opt-in only)
4.4 Legal obligation
- Where we must retain records for tax, accounting, or law enforcement reasons
5. Third-party processors
We share personal data with the following service providers. Each has its own privacy policy:
| Provider | Purpose | Location |
|---|---|---|
| Stripe | Payment processing, subscription management | US (with EU/UK Standard Contractual Clauses) |
| Firebase / Google Cloud | Authentication, database (Firestore + Data Connect Postgres), hosting | US (SCCs) |
| Vercel | Application hosting, edge functions | US (SCCs) |
| Anthropic | AI generation (CVs, cover letters, scoring, interview prep) | US (SCCs) |
| OpenAI | AI generation | US (SCCs) |
| Apollo.io | Contact enrichment in the Researcher Agent | US (SCCs) |
| Hunter | Email finder | US/EU |
| Jina | AI embeddings | EU/US |
| PostHog | Product analytics (EU-hosted instance) | EU |
| Plausible | Web analytics (privacy-preserving) | EU |
We do not sell your personal data. We do not share your data with advertisers.
6. International transfers
Some processors are based outside the UK/EEA, primarily in the United States. We rely on UK and EU Standard Contractual Clauses (SCCs) to ensure adequate protection. You can request a copy of our SCC arrangements at hyder@replyrate.ai.
7. How long we keep your data
- Account data: for as long as your account is active, plus 30 days after deletion (to satisfy any pending billing reconciliation)
- Usage data: for as long as your account is active, plus 30 days after deletion
- Analytics data: aggregated indefinitely; raw event data 90 days
- Email content you paste for scoring: processed in memory, not stored permanently
- Billing records: 6 years after the relevant tax year (UK accounting requirement)
8. Your rights (UK GDPR Articles 15-22)
You have the following rights regarding your personal data:
8.1 Right of access
Download a full export of your data via Settings > Account > Export data. The export is a JSON file containing your account info, campaigns, recipients, analytics, and JobHunter data (applications, calendar, profile, settings, drafts).
8.2 Right to rectification
Update your account info via Settings, or email us for changes you cannot self-serve.
8.3 Right to erasure ("right to be forgotten")
Delete your account permanently via Settings > Account > Delete account. This removes your data across our databases and cancels any active subscription. Some records (billing) may be retained where law requires.
8.4 Right to data portability
The data export at Settings > Account > Export data is provided in JSON format, machine-readable, and portable to other services.
8.5 Right to restrict processing
Email hyder@replyrate.ai to request restriction.
8.6 Right to object
Email hyder@replyrate.ai to object to processing based on legitimate interest.
8.7 Right to withdraw consent
You can withdraw consent for analytics cookies via the Cookie preferences link in the site footer. You can revoke all consent by deleting your account.
8.8 Right to lodge a complaint
If you are not satisfied with how we handle your data, you can complain to the UK Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Phone: 0303 123 1113
9. Children
ReplyRate is not intended for users under 18. We do not knowingly collect personal data from children. If you become aware that a child has provided personal data to us, please contact us and we will delete it.
10. Security
We use industry-standard security measures including:
- TLS encryption for all data in transit
- Firebase security rules for access control
- Stripe-managed payment processing (we do not see or store card numbers)
- Vercel's infrastructure security
No system is completely secure. If we discover a personal data breach affecting you, we will notify you and the ICO within 72 hours as required by UK GDPR.
11. Changes to this policy
We may update this policy from time to time. Material changes will be notified by email or in-app. The "Last updated" date at the top will always reflect the most recent version.
12. Contact us
For any privacy questions, data subject access requests, or complaints:
Email: hyder@replyrate.ai
Postal: ReplyRate Ltd, United Kingdom