Updated November 17, 2025
GDPR Readiness
BoltReply serves businesses worldwide, including those operating in the EU/EEA and UK. This page summarizes how we prepare for the General Data Protection Regulation (GDPR), what data rights you have, and how to contact us.
What is GDPR?
GDPR is the EU’s comprehensive privacy regulation that took effect on May 25, 2018. It governs how organizations collect, process, and transfer personal data for individuals in the EU/EEA and UK. The law applies globally if you handle data belonging to those residents.
BoltReply’s GDPR Readiness Plan
Data inventory & minimization
We map every data flow (app, support, analytics, billing) and collect only the data needed to operate BoltReply.
Product safeguards
Accounts require verified emails, data is encrypted in transit and at rest, and access is limited to the founder and trusted contractors under NDA.
Cookie & consent controls
Optional analytics run only after consent via our vanilla-cookieconsent banner.
Data Processing Agreement (DPA)
Customers can request a signed DPA covering processor obligations, incident response, and sub-processor controls by emailing hello@BoltReply.io.
Data subject request workflow
We verify identity via the account email before exporting or deleting data. Requests are logged and resolved within 30 days.
Vendor due diligence
Every sub-processor signs DPAs or relies on SCCs when data leaves the EU/EEA.
Data Subject Requests
We keep account data while your subscription remains active and for a short retention period afterward. To exercise GDPR rights (access, rectification, deletion, portability, objection), email hello@BoltReply.io with the subject “GDPR Request.” Include the workspace email, the type of request, and any regulatory deadline. We confirm receipt within five business days and honor requests within 30 days unless a legal exemption applies.
Data Processing Agreements
Our standard DPA defines roles (customer as controller, BoltReply as processor), processing purposes (AI review replies, analytics, billing), and technical controls (encryption, access logging, incident response). Customers may request a signed copy via hello@BoltReply.io.
Current Sub-processors
We limit data sharing to vendors essential to delivering BoltReply. Each sub-processor signs GDPR-compliant agreements (SCCs or equivalent). We notify customers about material changes when required.
| Vendor / Purpose | Location | Data Types | Documentation |
|---|---|---|---|
| Vercel – hosting, CDN | EU/US regions | IP, request metadata | View |
| Supabase – auth, database, storage | EU/US regions | Account data, workspace data, review content | View |
| Paddle – payments & tax | EU/UK | Billing details, payment metadata | View |
| Sanity – marketing CMS | EU/US regions | Marketing content and contact info | View |
| Postmark / Resend – transactional email | US/EU | Email addresses, notification details | View |
| Google Analytics 4 (consent-based) | EU/US | Pseudonymous usage metrics | View |
Questions & Contact
Need to escalate something or request a DPA? Reach out anytime.
Email: hello@BoltReply.io
Mailing address: Guemes 3662, 7602, Mar del Plata, Argentina
Support portal: https://www.BoltReply.io/contact