Privacy Policy
Last updated: 8 June 2026
ReplyPen is an email-automation service operated by ProBackup BV (see §1). This Privacy Policy explains what personal data we process, why, on what legal basis, how long we keep it, with whom we share it, and what rights you have. It pays particular attention to Google user data, because ReplyPen connects to Gmail mailboxes on your behalf.
1. Who we are
ReplyPen is owned and operated by:
ProBackup BV
Kroonwinningstraat 113, 3500 Hasselt, Belgium
Company (enterprise) number: 0555.782.383
Email: [email protected]
For the personal data described in this policy, ProBackup BV acts as the data controller in respect of our own business and account data, and as a data processor in respect of the mailbox content we process on behalf of our business customers ("tenants"). Where we act as a processor, the tenant is the controller and their own privacy notice also applies.
2. Scope of this policy
This policy covers the ReplyPen website (replypen.com), the ReplyPen application (app.replypen.com), and the email-processing pipeline that runs when a mailbox is connected to ReplyPen. It does not cover third-party websites or services we link to, which have their own privacy policies.
3. What ReplyPen does
ReplyPen is a multi-tenant SaaS service that automates inbox processing for Gmail and Microsoft Outlook. When you connect a mailbox, ReplyPen:
- reads incoming email threads, messages, attachments and labels;
- uses AI to triage which threads need a reply and to clean up thread content;
- generates draft replies and places them back in your mailbox as drafts;
- can send approved replies, apply labels, and add internal notes inside a thread; and
- sends the cleaned thread to the tenant's own processing system (the "processor") so it can produce a reply.
ReplyPen never sends mail on its own initiative without the configured approval flow. Drafts are prepared for human review; sending happens within the limits your tenant configures.
4. Google user data we access
When you connect a Gmail mailbox, you grant ReplyPen the following Google OAuth scopes. We request only what the service needs to function:
| Scope | What it lets us do | Why we need it |
|---|---|---|
gmail.modify |
Read your messages, threads, attachments and labels; apply or change labels; move/trash messages. | To read incoming threads, triage and clean them, and organise the mailbox (e.g. labelling processed threads). |
gmail.compose |
Create, update and send drafts and messages. | To place AI-generated draft replies in your mailbox and, where approved, send them. |
userinfo.email |
Read the email address of the connected Google account. | To identify which mailbox is connected and label data correctly. |
We do not request your Google contacts, calendar, Drive files, or any scope beyond those listed above.
5. How we use Google user data
We use the data we access from your Gmail mailbox solely to provide and improve the user-facing features of ReplyPen, namely:
- triaging threads (deciding which need a reply);
- cleaning thread content (stripping quoted history, signatures and noise);
- scanning for prompt-injection and abuse before further processing;
- describing image attachments so a reply can take them into account;
- generating draft replies and internal notes; and
- placing drafts, sending approved replies, and applying labels in your mailbox.
We do not use Gmail data for advertising, and we do not build user profiles for purposes unrelated to providing the service.
6. AI processing & sub-processors
To perform the AI steps above, the relevant email content — the cleaned thread text and image attachments eligible for description — is transmitted to third-party Large Language Model (LLM) providers acting as our sub-processors:
- OpenRouter (routing layer) and the underlying OpenAI (and other model) endpoints it forwards to, for triage, content cleaning, image description and draft generation.
These providers process the content only to return the AI output we request; we use providers under terms that do not permit using our submitted content to train their general models. This transfer is performed on your behalf, to provide the user-facing features you connected ReplyPen for.
In addition, the cleaned thread is sent via a signed webhook to the tenant's own processor endpoint. That endpoint is operated and controlled by the tenant (our business customer), not by us; the tenant determines what happens to the data once it reaches their own system.
We also rely on infrastructure sub-processors, principally Amazon Web Services (hosting and database, in the EU — see §8).
Limited Use disclosure (Google API Services User Data Policy)
ReplyPen's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
In particular:
- We only use Google user data to provide and improve the user-facing features described in this policy.
- We only transfer Google user data to others as necessary to provide or improve those features (the AI sub-processors and the tenant's processor described above), to comply with applicable law, or as part of a merger/acquisition with user consent.
- We do not use Google user data for serving advertisements, and we do not sell Google user data.
- We do not allow humans to read Google user data unless: (a) we first obtain your affirmative agreement for specific messages; (b) it is necessary for security purposes (e.g. investigating abuse) or to comply with applicable law; (c) the data is aggregated and anonymised and used to improve the service; or (d) it is necessary for internal operations and the data has been de-identified or aggregated. AI processing described above is automated and not human reading.
7. Where we store data and how we secure it
- OAuth tokens for connected mailboxes are encrypted at rest using AES-256-GCM before being stored.
- Application data is stored in a PostgreSQL database on Amazon Web Services in the
eu-central-1(Frankfurt, EU) region. - All connections to ReplyPen use TLS/HTTPS. Outbound and inbound webhooks are signed (HMAC-SHA256) so their authenticity can be verified.
- Access to production systems is restricted and secrets are never written to logs.
8. International transfers
Primary storage and processing take place within the EU (Frankfurt). Some sub-processors (e.g. LLM providers) may process data outside the EU/EEA. Where that occurs, transfers are covered by appropriate safeguards such as the European Commission's Standard Contractual Clauses, or the provider's participation in an approved transfer framework.
9. Legal bases (GDPR)
Where ProBackup BV is the controller, we rely on the following legal bases under the GDPR:
- Performance of a contract — to provide the ReplyPen service to tenants and their authorised users.
- Legitimate interests — to operate, secure and improve the service and prevent abuse, balanced against your rights.
- Consent — where you connect a mailbox and grant OAuth scopes, and for any non-essential cookies (see our Cookie Policy).
- Legal obligation — where we must process data to comply with the law.
Where we act as a processor on a tenant's behalf, the legal basis is determined by the tenant as controller, and processing is governed by our agreement with that tenant.
10. Retention
We keep mailbox-derived data only as long as needed to provide the service:
- Thread, message, attachment, draft and note records are retained while the mailbox is connected and for the operational period needed to run and audit the pipeline.
- When a mailbox is disconnected or an account is deleted, the associated OAuth tokens are revoked/removed and the related stored content is deleted within a reasonable period, except where we must retain limited records to comply with a legal obligation.
- Business and billing records are retained for the period required by law (in line with our general retention practice of the contract duration plus the legally required period).
11. How to disconnect and revoke access
- You (or your tenant administrator) can disconnect a mailbox in ReplyPen at any time, which stops further processing and removes the stored OAuth token.
- You can also revoke ReplyPen's access directly from your Google Account at myaccount.google.com/permissions (and the equivalent Microsoft account page for Outlook mailboxes).
- To request deletion of data we hold, email [email protected].
12. Your rights
Subject to the GDPR, you have the right to: access your personal data; have inaccurate data corrected; have your data erased; restrict or object to processing; data portability; and to withdraw consent at any time (without affecting processing already carried out). To exercise these rights, contact [email protected]. If your data is processed on behalf of a tenant, we may direct your request to that tenant as controller, or act on their instructions.
You also have the right to lodge a complaint with a supervisory authority. In Belgium this is the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit), Drukpersstraat 35, 1000 Brussels — [email protected].
13. Children
ReplyPen is a business service not directed at children, and we do not knowingly process the personal data of children.
14. Changes to this policy
We may update this Privacy Policy from time to time. We will change the "Last updated" date above and, for material changes, take reasonable steps to notify tenants. Continued use of the service after an update constitutes acceptance of the revised policy.
15. Contact
Questions about this policy or your data? Email [email protected] or write to ProBackup BV, Kroonwinningstraat 113, 3500 Hasselt, Belgium.