Legal Document

Privacy Policy

Effective: May 22, 2026
Last updated: May 22, 2026
Replova · getreplova.com

01

Overview

Replova ("we", "our", or "us") operates the website getreplova.com and the Replova platform — a SaaS service that helps business owners automatically respond to Google reviews using artificial intelligence.

This Privacy Policy explains what personal information we collect, how we use it, who we share it with, and what rights you have. It also describes how we access, use, store, and share Google user data in compliance with the Google API Services User Data Policy.

Summary: We collect only what we need to run the service. We never sell your data. Our use of data received from Google APIs is limited to the practices described in this policy and complies with the Google API Services User Data Policy, including the Limited Use requirements.

02

Data We Collect

| Category | What We Collect | Source | Purpose |
|---|---|---|---|
| Account Info | Full name, email address, hashed password | You provide directly | Create and manage your account |
| Business Info | Business name, preferred reply tone | You provide during onboarding | Personalise AI reply style |
| Google OAuth Tokens | Access token, refresh token, Google account email, Google Business account ID, location ID | Google OAuth flow | Access your Google Business Profile to read reviews and post replies |
| Google Review Data | Reviewer name, star rating, review text, review date, reviewer profile photo URL | Google Business Profile API | Generate AI replies and maintain your reply history |
| AI Reply Data | Generated reply text, reply timestamp, reply time in seconds | Generated by our system | Log reply history and show analytics |
| Usage Data | Login timestamps, feature usage, reply counts | Automatically collected | Improve the product and detect abuse |

03

Google User Data & Business Profile Access

When you connect your Google account to Replova, we access your Google Business Profile using the Google Business Profile API via OAuth 2.0. Below is a complete disclosure of every API scope we use and why.

  • business.manage (https://www.googleapis.com/auth/business.manage): Used to read customer reviews from your Google Business Profile listing via accounts.locations.reviews.list, and to post AI-generated owner replies via accounts.locations.reviews.updateReply. Also used to retrieve your account ID (accounts.list) and location ID (accounts.locations.list) so we can identify your business listing.
  • email (https://www.googleapis.com/auth/userinfo.email): Used to retrieve your Google account email address for account identification purposes only.
  • profile (https://www.googleapis.com/auth/userinfo.profile): Used to retrieve your name from your Google account for display in the Replova dashboard.

What we never access: We do not access your Gmail, Google Drive, Google Contacts, Google Calendar, Google Photos, Google Search Console, Google Ads, or any other Google product outside of Google Business Profile. Our scopes are strictly limited to what is listed above.

How we store Google tokens

Your Google OAuth access token and refresh token are stored encrypted in our Supabase database. They are used exclusively to make API calls on your behalf to Google Business Profile. Tokens are never logged in plain text, never included in error reports, and never shared with any third party.

Token expiry and refresh

Google access tokens expire after 1 hour. We use your refresh token to automatically obtain a new access token when needed, so the service continues to work without requiring you to sign in again. If you revoke access, the refresh token is immediately invalidated by Google and deleted from our database.

04

Google API Limited Use Policy

Replova's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Our Limited Use commitments:

✓ We only use Google user data to provide and improve the Replova service — reading reviews and posting AI replies on your behalf.

✓ We do not use Google user data for serving advertisements.

✓ We do not allow humans to read your Google user data unless you have given us explicit permission, it is necessary for security purposes such as investigating abuse, or it is required by law.

✓ We do not use or transfer Google user data for any purpose not described in this privacy policy.

✓ We do not sell Google user data to third parties.

✓ We do not transfer Google user data to third parties except as necessary to provide and improve the service, comply with applicable law, or as part of a merger, acquisition, or sale of assets where the buyer agrees to comply with these terms.

05

How We Use Your Data

We use your data solely for the following purposes:

  • Core service: Automatically fetch new Google reviews and generate AI-powered replies posted on your behalf
  • Authentication: Verify your identity and maintain your account session securely
  • Dashboard: Display your review history, reply status, and analytics inside the app
  • AI reply generation: Send your review text, business name, and tone preference to our AI provider to generate contextually appropriate replies
  • Transactional communications: Send account confirmation, password reset, and important service notification emails
  • Service improvement: Analyse aggregated, anonymised usage patterns to improve the product
  • Security: Detect, investigate, and prevent abuse, fraud, or unauthorised access
  • Legal compliance: Meet our legal obligations where applicable

We do not use your data for advertising, behavioural profiling, or any purpose not listed above.

06

Data Sharing & Third-Party Processors

We share your data with the following trusted service providers only to the minimum extent necessary to operate Replova. All processors are contractually bound to protect your data.

| Provider | Role | Data Shared | Location |
|---|---|---|---|
| Supabase | Database & authentication | All account, business, token, and review data stored encrypted at rest | US / EU |
| OpenAI / OpenRouter | AI reply generation | Review text, business name, tone preference only. No tokens, emails, or account IDs are sent. | US |
| Google APIs | Business Profile access | OAuth tokens used to call the Google Business Profile API on your behalf | Google infrastructure |
| Netlify | Website hosting | Static files only — no personal data processed by Netlify | US / EU |
| n8n (Railway) | Automation workflow | Business ID, review data, and access tokens used within our private workflow only | US |

We may also disclose your data if required by law, court order, or government request, or to protect the legal rights, safety, or property of Replova or its users.

07

We Never Sell Your Data

Replova does not sell, rent, trade, or monetise your personal data or your Google user data in any way. We are a subscription SaaS product. Our revenue comes from subscription fees, not from data.

We do not share your data with advertisers. We do not build advertising profiles. We do not allow third parties to use your data for their own marketing purposes.

08

Data Retention

We retain data for as long as necessary to provide the service or as required by law:

  • Account data — Retained until you delete your account
  • Google OAuth tokens — Deleted immediately when you disconnect Google or delete your account
  • Review and reply history — Retained for 24 months, then automatically deleted
  • Usage logs — Retained for 90 days for security monitoring
  • Backups — Encrypted backups purged within 30 days of account deletion

When you delete your account, all personal data including Google tokens, review data, and business information is permanently deleted from our live systems within 7 days and from all backups within 30 days.

09

Security

We implement industry-standard security measures to protect your data:

  • All data transmitted over HTTPS / TLS 1.2+ encryption
  • Google OAuth tokens stored encrypted at rest in our database
  • Passwords stored using bcrypt hashing — we never store plain-text passwords
  • Row-level security (RLS) policies enforcing strict data isolation between accounts — each user can only access their own data
  • OAuth scopes requested are the minimum necessary for the service to function
  • Automated token refresh with no human access to tokens in transit
  • Private automation workflows inaccessible to external parties

If you discover a security vulnerability in Replova, please report it immediately to security@getreplova.com. We will respond within 48 hours.

10

Your Rights

You have the following rights regarding your personal data:

  • Access — Request a copy of all personal data we hold about you
  • Correction — Request correction of inaccurate or incomplete data
  • Deletion — Request permanent deletion of your account and all associated data, including Google tokens
  • Portability — Request an export of your data in JSON format
  • Objection — Object to certain types of processing
  • Withdraw consent — Disconnect your Google account at any time (see section 11)
  • Complaint — Lodge a complaint with a data protection authority if you believe your rights have been violated

To exercise any of these rights, email us at privacy@getreplova.com. We will respond within 30 days. We may ask you to verify your identity before processing your request.

11

Revoking Google Access

You can disconnect your Google Business Profile from Replova at any time using either of these methods:

Method 1 — Inside Replova

  1. Sign in to your Replova account at getreplova.com/replova-app.html
  2. Click Settings in the left sidebar
  3. Go to Connected Accounts
  4. Click Disconnect Google
  5. Your access token and refresh token are immediately deleted from our database

Method 2 — Via Google Account Settings

  1. Go to myaccount.google.com/permissions
  2. Find Replova in the list of third-party apps
  3. Click Remove Access
  4. Google will immediately invalidate the tokens

After disconnecting, Replova will no longer be able to read your Google reviews or post replies. Existing reply records in our database are retained per our retention policy (section 8) unless you request deletion.

12

Cookies & Local Storage

Replova uses minimal cookies and browser storage strictly for the service to function:

  • Authentication session cookies — Set by Supabase to keep you logged in. Expire when you sign out or after 7 days of inactivity.
  • Local storage — Used to cache your UI preferences (e.g. selected tone) locally in your browser. No personal data is stored.

We do not use advertising cookies, tracking cookies, or third-party analytics cookies. You can clear cookies at any time via your browser settings, which will sign you out of Replova.

13

Children's Privacy

Replova is a business tool intended for users aged 18 and over. We do not knowingly collect personal information from anyone under 13. If you believe a child has provided us with personal data, please contact us at privacy@getreplova.com and we will delete it promptly.

14

Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices, technology, or legal requirements. When we make significant changes, we will:

  • Update the "Last updated" date at the top of this page
  • Send an email notification to all registered users at least 14 days before the change takes effect
  • Display a prominent notice inside the Replova app

For minor changes (grammar, formatting, clarifications that don't affect your rights), we will update the page without prior notice. Your continued use of Replova after any changes constitutes acceptance.

15

Contact Us

For privacy questions, data requests, security reports, or to exercise your rights:

Privacy & Data Requests

We respond to all privacy enquiries within 30 days.

privacy@getreplova.com

Replova
Website: getreplova.com
Privacy: privacy@getreplova.com
Security: security@getreplova.com