Privacy Policy
Last updated: November 17, 2025
This Privacy Policy explains how BoltReply.io ("Company," "we," "us," or "our") collects, uses, shares, and safeguards personal information when you use BoltReply.io (the "Service"), visit our website, or communicate with us.
If you have any questions or privacy requests, contact us at privacy@BoltReply.io.
1. Data We Collect
| Category | Examples | Source |
|---|---|---|
| Account & billing data | Name, email, business details, plan selection, billing addresses | Provided directly when creating an account, subscribing, or contacting support |
| Payment data | Card details processed via Paddle (we never store full card numbers) | Paddle stores sensitive payment info; we receive tokens, purchase IDs, VAT status |
| Product usage data | Workspace actions, feature usage, plan status, credit consumption | Automatically captured through our app logs and Supabase database |
| Device & technical data | IP address, browser type, operating system, cookie IDs, session timestamps | Collected automatically when you access the Service |
| Content you submit | Form inputs, uploaded files, support tickets, AI prompts | Provided directly by you or your teammates |
| Marketing preferences | Newsletter opt-ins, cookie consent choices | Provided by you when interacting with banners or email settings |
Sensitive data: We do not intentionally collect special categories of personal data (e.g., health, biometric, government IDs). Please avoid uploading it.
2. How We Use Personal Data
We process personal data only when we have a lawful basis:
| Purpose | Legal Basis |
|---|---|
| Provide, secure, and maintain the Service (authentication, workspaces, credits, dashboards) | Contract necessity |
| Process payments, subscriptions, tax receipts, and fraud screening | Contract necessity & legitimate interests |
| Send transactional emails (invoices, critical updates, security alerts) | Contract necessity & legal obligation |
| Send product announcements or marketing emails (if you opt in) | Consent or legitimate interest with opt-out |
| Improve the Service (debugging, usage analytics, feature metrics) | Legitimate interests |
| Provide support and respond to requests | Contract necessity |
| Comply with legal obligations (accounting, tax, regulatory requests) | Legal obligation |
You can object to processing based on legitimate interests by emailing us.
3. Cookies & Tracking
We use essential cookies to keep you signed in and remember preferences, plus optional analytics cookies (e.g., Google Analytics 4 via vanilla-cookieconsent) to understand feature usage. Analytics cookies run only after you grant consent in the cookie banner. You can:
- Manage consent via the banner at any time (Cookie Settings link in the footer).
- Block cookies in your browser (note: some features may break).
- Opt out of marketing emails via the unsubscribe link.
We do not use third-party behavioral advertising pixels.
4. Service Providers & Sub-processors
We share data with trusted vendors that help us run the Service. Each acts as a processor bound by data processing agreements and security controls:
- Vercel – application hosting and CDN.
- Supabase – database, authentication, and storage.
- Paddle – payments, invoicing, tax/VAT compliance.
- Sanity – marketing/blog content management.
- Email provider – transactional emails.
- Analytics provider – optional analytics when consented.
We may add or replace processors; we'll update this list and, when required, notify customers beforehand.
We do not sell personal data.
5. International Data Transfers
We operate globally and host infrastructure primarily in the United States (Vercel, Supabase, Paddle). When we transfer data across borders, we rely on:
- Standard Contractual Clauses (SCCs) or other approved safeguards with processors.
- Technical controls such as encryption in transit and at rest.
By using the Service, you understand your data may be processed outside your home country where laws may differ.
6. Retention
- Account & billing data: retained while your account is active and for up to 24 months after cancellation for tax, audit, and dispute purposes.
- Payment records: retained per Paddle's legal obligations (typically 7 years).
- Usage logs & telemetry: kept for 90 days unless needed longer for security investigations.
- Support tickets & email threads: retained for 24 months for context.
- Cookie preferences: stored until you reset or delete cookies.
We delete or anonymize data once it is no longer needed, unless law requires longer retention.
7. Security
We implement administrative, technical, and physical safeguards, including:
- HTTPS/TLS encryption for all network traffic.
- Encryption at rest through our hosting providers.
- Least-privilege access controls and audit logging.
- Automated backups and incident response procedures.
- Vendor reviews and DPAs for all processors.
However, no system is perfectly secure. If you suspect a vulnerability or unauthorized access, contact security@BoltReply.io so we can investigate immediately.
8. Your Rights
Depending on your location (e.g., EU/EEA, UK, California), you may have the right to:
- Access a copy of your data.
- Correct inaccurate data.
- Delete data ("right to be forgotten").
- Port data to another service.
- Restrict or object to certain processing.
- Withdraw consent (without affecting prior lawful processing).
- Lodge a complaint with your local supervisory authority.
Submit requests via privacy@BoltReply.io. We will verify your identity (e.g., via account email) and respond within 30 days where legally required.
9. Children's Privacy
Our Service is not directed to individuals under 16 (or the age required by your jurisdiction). We do not knowingly collect personal data from children. If you learn that a child provided data, contact us so we can delete it.
10. Third-party Links
The Service may contain links to third-party sites (e.g., blog articles or integrations). We are not responsible for their privacy practices. Review those policies before sharing personal data.
11. Changes to This Policy
We may update this Privacy Policy to reflect new features, legal requirements, or security practices. When material changes occur, we will email account owners or post an in-app notice at least 14 days before the new policy takes effect. The "Last updated" date reflects the latest revision.
Continuing to use the Service after a revision indicates you accept the updated Policy.
12. Contact
- Email: privacy@BoltReply.io
- Support portal: https://BoltReply.io/contact
If you need a signed Data Processing Agreement (DPA) or a list of current sub-processors, email us and we'll send the latest documents.