Privacy Policy
Effective Date: March 30, 2026
1. Data Controller
The data controller responsible for your personal data is:
Reepli.ai
14 Avenue du Général de Gaulle, 94160 Saint-Mandé, France
Email: [email protected]
Reepli.ai ("Reepli", "we", "us", or "our") is a platform that provides AI-powered WhatsApp messaging assistants for businesses. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use our website at reepli.ai, our dashboard application, and any related WhatsApp-based interactions (collectively, the "Service").
This policy applies to two categories of individuals:
- Business users ("Tenants"): professionals and businesses who subscribe to Reepli.ai to manage their WhatsApp communications
- End users: individuals who interact with a business through WhatsApp, where the conversation is handled by our AI assistant on behalf of that business
2. Information We Collect
From business users (Tenants)
- Account registration details: name, email address, phone number, business name
- Billing information processed securely through Stripe, Inc. (we do not store credit card numbers)
- Business configuration data: business description, operating hours, services offered, appointment settings, and custom message templates
- Dashboard usage data: pages visited, features used, interaction patterns
From end users (via WhatsApp)
- WhatsApp phone number
- WhatsApp profile name
- Message content exchanged with the AI assistant operating on behalf of the business
- Conversation metadata: timestamps, message status (sent, delivered, read)
Collected automatically
- Device information: browser type, operating system, screen resolution
- Log data: IP addresses, access times, referring URLs
- Cookies and similar technologies (see Section 11)
3. Legal Basis for Processing
Under the General Data Protection Regulation (GDPR), we process your personal data only when we have a valid legal basis to do so. The table below summarizes our processing activities and their corresponding legal bases:
| Processing activity | Legal basis (Art. 6 GDPR) |
|---|---|
| Providing the Service to Tenants (account management, AI messaging, scheduling) | Performance of a contract (Art. 6(1)(b)) — necessary to fulfill our service agreement with the Tenant |
| Processing end-user messages via the AI assistant on behalf of the Tenant | Legitimate interest (Art. 6(1)(f)) — the Tenant's legitimate interest in managing customer communications; balanced against end-user expectations when they initiate a WhatsApp conversation with a business |
| Processing payments and billing | Performance of a contract (Art. 6(1)(b)) |
| Sending service-related communications (updates, security alerts) | Legitimate interest (Art. 6(1)(f)) — keeping users informed about the service they use |
| Fraud prevention, abuse detection, and platform security | Legitimate interest (Art. 6(1)(f)) — protecting the Service and its users |
| Compliance with legal obligations (e.g., tax records, law enforcement requests) | Legal obligation (Art. 6(1)(c)) |
| Non-essential cookies and analytics | Consent (Art. 6(1)(a)) — obtained via our cookie banner |
Where we rely on legitimate interest, we have conducted a balancing test to ensure that your rights and freedoms are not overridden. You may object to processing based on legitimate interest at any time (see Section 8).
4. How We Use Your Information
- To provide, maintain, and improve the Service, including AI-powered WhatsApp messaging on behalf of businesses
- To process conversations through our AI systems in order to generate appropriate responses for end users
- To manage appointment scheduling and send reminders on behalf of businesses
- To process payments and manage subscriptions
- To send service-related communications (e.g., updates, security alerts, support messages)
- To monitor usage for billing purposes, including tracking message volumes and AI processing costs
- To detect, prevent, and address fraud, abuse, and technical issues
- To comply with legal obligations
5. Data Sharing and Recipients
We do not sell your personal data. We may share data with the following categories of recipients:
- Meta Platforms, Inc. (WhatsApp Business API): Message data is transmitted through the WhatsApp Cloud API. Meta acts as a joint controller or independent controller for certain data processed through its platform. This data is subject to Meta's own privacy policies and WhatsApp's encryption protocols.
- AI language model providers (data processors): Message content is sent to third-party AI providers to generate responses. We use providers that process data under our instructions, do not retain message data beyond what is needed to produce a response, and do not use your data to train their models. Current providers include DeepSeek (primary) and Google Gemini (fallback).
- Stripe, Inc. (data processor): Payment and billing data is processed by Stripe under their Data Processing Agreement.
- Infrastructure providers (data processors): Hosting and database services used to operate the platform.
- The business (Tenant) you are communicating with: If you are an end user messaging a business through WhatsApp, the Tenant has access to conversation history and your contact information through their dashboard. In this context, the Tenant is an independent data controller for data related to their customer relationship with you.
- Legal and regulatory authorities: We may disclose data if required by applicable law, regulation, or valid legal process.
We require all data processors to enter into Data Processing Agreements (DPAs) in compliance with Article 28 GDPR, ensuring they process personal data only on our documented instructions and implement appropriate security measures.
6. Data Received from Meta Platforms
Through our integration with the WhatsApp Business API, we receive data from Meta Platforms, including incoming message content, sender phone numbers, message timestamps, and delivery status updates. We use this data solely to provide our messaging service to businesses and their customers. We do not use data received from Meta Platforms to:
- Build or augment user profiles for advertising purposes
- Transfer or sell data to third parties for advertising or monetization
- Provide data to data brokers or information resellers
7. International Data Transfers
Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA), in particular:
- The United States (Meta Platforms, Stripe)
- Other jurisdictions where our AI service providers or infrastructure providers operate
When we transfer personal data outside the EEA, we ensure an adequate level of protection through one or more of the following safeguards, in accordance with Chapter V of the GDPR:
- European Commission adequacy decisions (Article 45 GDPR)
- Standard Contractual Clauses (SCCs) approved by the European Commission (Article 46(2)(c) GDPR)
- Other appropriate safeguards as required by applicable law
You may request a copy of the relevant safeguards by contacting us at [email protected].
8. Your Rights Under the GDPR
Under the GDPR, you have the following rights with respect to your personal data:
- Right of access (Art. 15): Obtain confirmation of whether we process your data and receive a copy of it
- Right to rectification (Art. 16): Request correction of inaccurate or incomplete data
- Right to erasure (Art. 17): Request deletion of your data ("right to be forgotten"), subject to legal retention obligations
- Right to restriction (Art. 18): Request that we restrict the processing of your data in certain circumstances
- Right to data portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format
- Right to object (Art. 21): Object to processing based on legitimate interest or for direct marketing purposes. Where you object, we will cease processing unless we demonstrate compelling legitimate grounds
- Right to withdraw consent (Art. 7(3)): Where processing is based on your consent, withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal
- Right not to be subject to automated decision-making (Art. 22): See Section 9 below
To exercise any of these rights, contact us at [email protected]. We will respond within one month of receiving your request, as required by the GDPR. This period may be extended by two further months where necessary, taking into account the complexity and number of requests.
If you are not satisfied with our response, you have the right to lodge a complaint with your local supervisory authority. As our company is established in France, our lead supervisory authority is:
CNIL (Commission Nationale de l'Informatique et des Libertés)
3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France
Website: www.cnil.fr
9. Automated Decision-Making and AI Processing
Our Service uses artificial intelligence (AI) language models to generate responses in WhatsApp conversations on behalf of businesses. This means that when an end user sends a message to a business using Reepli.ai, the response they receive is generated by an AI system.
This AI processing operates as follows:
- The AI generates conversational responses based on the business's configuration (services, hours, tone) and the context of the conversation
- The AI may qualify prospects, suggest appointments, and provide information configured by the business
- The AI does not make decisions that produce legal effects or similarly significantly affect end users (e.g., it does not approve or deny services, make credit decisions, or determine eligibility for anything)
Because the AI assistant functions as a communication tool rather than an automated decision-making system producing legal or similarly significant effects, Article 22 GDPR does not apply. Nevertheless, any end user may request human intervention by asking to speak with the business owner directly during a WhatsApp conversation.
10. Data Retention
We retain personal data only for as long as necessary for the purposes described in this policy, or as required by law. Our retention periods are as follows:
| Data category | Retention period |
|---|---|
| Tenant account data | Duration of the account + 30 days after deletion request |
| Conversation data (messages) | As configured by the Tenant, up to a maximum of 24 months |
| End-user contact information | Duration of the Tenant's account, or until deletion is requested |
| Billing and invoicing records | 10 years (French commercial and tax law obligation) |
| Server logs (IP, access logs) | 12 months |
| Cookie consent records | 13 months (CNIL recommendation) |
When data is no longer needed and no legal retention obligation applies, we delete or irreversibly anonymize it.
11. Cookies and Similar Technologies
Our website and dashboard application may use cookies and similar technologies. We categorize them as follows:
- Strictly necessary cookies: Required for the platform to function (e.g., authentication session cookies). These do not require consent.
- Analytics cookies: Used to understand how users interact with our dashboard, so we can improve the experience. These are only placed with your consent.
We do not use advertising or tracking cookies. When you first visit our site, a cookie banner will allow you to accept or refuse non-essential cookies. You can change your preferences at any time through your browser settings or our cookie management interface.
12. Data Security
We implement appropriate technical and organizational measures to protect your personal data in accordance with Article 32 GDPR, including:
- Encryption of data in transit using TLS/SSL
- Database-level access controls and row-level security (RLS) policies ensuring strict tenant data isolation
- Rate limiting and abuse detection on all API endpoints
- Prompt injection detection and security filtering on all AI interactions
- Regular security reviews of our infrastructure
- Access to personal data restricted to authorized personnel on a need-to-know basis
In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the CNIL within 72 hours in accordance with Article 33 GDPR, and will inform affected individuals without undue delay where the breach is likely to result in a high risk (Article 34 GDPR).
13. Children's Privacy
The Service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16, we will take steps to delete that information without undue delay. If you believe we may have collected data from a child, please contact us at [email protected].
14. Third-Party Links and Services
The Service may contain links to third-party websites or services not operated by us. We are not responsible for the privacy practices of these third parties and encourage you to review their privacy policies independently.
15. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify Tenants via email or an in-app notification, and update the "Effective Date" at the top of this page. Your continued use of the Service after the changes take effect constitutes your acceptance of the updated policy.
16. Contact Us
For any questions, concerns, or to exercise your data protection rights, please contact us:
- Email: [email protected]
- Reepli.ai — 14 Avenue du Général de Gaulle, 94160 Saint-Mandé, France
- Website: https://reepli.ai