Privacy Policy
Nikolaos Manolis, operating as Replyo — an AI guest-messaging automation service for short-term rental hosts.
Contact: hello@replyo.gr
1. Who We Are
Replyo is a B2B SaaS platform that helps Airbnb and Booking.com hosts in Greece automate guest communication using artificial intelligence. We act as a data controller for host account data and as a data processor when handling guest messages on behalf of hosts.
2. What Data We Collect
We collect the minimum data necessary to provide the service:
- Account data: your email address (used for login via magic link)
- Property data: property name, address, check-in/check-out times, Wi-Fi details, house rules, and any other information you enter during onboarding
- Guest message excerpts: inbound messages from your guests that arrive via email forwarding or platform webhooks, used solely to generate AI replies
- Usage logs: timestamps of AI replies, whether a reply was sent automatically, and which property was involved — used for your dashboard and our own service improvement
We do not collect payment card details, government IDs, or any special-category data under Article 9 GDPR.
3. Legal Basis for Processing
- Contract performance (Art. 6(1)(b) GDPR): processing your account and property data is necessary to deliver the service you signed up for
- Consent (Art. 6(1)(a) GDPR): we collect your explicit consent before creating your account (the checkbox on the sign-up form)
- Legitimate interests (Art. 6(1)(f) GDPR): security logging and abuse prevention
4. How We Use Your Data
- Authenticate you securely via passwordless magic link (Supabase Auth)
- Store your property configuration so the AI can answer guest questions accurately
- Generate and optionally send AI replies to your guests on your behalf
- Display your conversation history and statistics in your dashboard
- Send you transactional emails (magic links, important service notices)
We do not use your data for advertising or profiling, and we do not sell it to third parties.
5. Third-Party Sub-processors
To deliver the service, we share data with these trusted sub-processors — all operate under GDPR-compliant agreements:
- Supabase Inc. (USA, EU data residency available) — database and authentication
- Anthropic PBC (USA) — AI language model used to generate guest replies; messages are processed under Anthropic's data processing agreement and are not used to train models
- Postmark / ActiveCampaign (USA) — inbound and outbound email processing
- Cloudflare Inc. (USA) — CDN, DNS, and static file hosting for replyo.gr
- Render.com (USA) — backend API hosting
Transfers to the USA are covered by Standard Contractual Clauses (SCCs) under Art. 46 GDPR.
6. Data Retention
- Account & property data: retained for as long as your account is active, plus 30 days after deletion to allow recovery
- Conversation logs: retained for 12 months, then automatically deleted
- Authentication tokens: expire automatically (1 hour for magic links, 1 week for sessions)
7. Your Rights Under GDPR
As a data subject under EU/Greek law, you have the right to:
- Access (Art. 15): request a copy of all personal data we hold about you
- Rectification (Art. 16): correct inaccurate or incomplete data
- Erasure (Art. 17): request deletion of your account and all associated data ("right to be forgotten")
- Portability (Art. 20): receive your data in a machine-readable format (JSON)
- Restriction (Art. 18): ask us to pause processing while a dispute is resolved
- Objection (Art. 21): object to processing based on legitimate interests
- Withdraw consent: at any time, without affecting prior processing
To exercise any of these rights, email us at hello@replyo.gr. We will respond within 30 days as required by GDPR. If you are unhappy with our response, you may lodge a complaint with the Hellenic Data Protection Authority (HDPA) at www.dpa.gr.
8. Cookies & Tracking
The replyo.gr website uses only a single functional session cookie to maintain your login state. We do not use advertising cookies, tracking pixels, or analytics services that process personal data. No cookie banner is required as we use only strictly necessary cookies.
9. Security
We implement industry-standard safeguards including TLS encryption in transit, row-level security on all database tables, environment-variable secret management (no hardcoded credentials), and access scoped to the minimum necessary. No system is 100% secure; in the event of a data breach affecting your rights, we will notify you and the HDPA within 72 hours as required by Art. 33–34 GDPR.
10. Changes to This Policy
We may update this policy to reflect changes in the service or applicable law. We will notify active users by email before material changes take effect. The "Last updated" date at the top of this page always reflects the current version.
11. Contact
For any privacy-related questions, requests, or complaints:
- Email: hello@replyo.gr
- Website: replyo.gr