Privacy Policy
Effective: 2026-05-12 · Last updated: 2026-05-12
Repulabs ("we") operates the reputation-management platform at repulabs.com. This policy explains what data we collect, why, and how you control it. By using the service you agree to this policy.
1. Data we collect
- Account data — your email, name, organization name, and Stripe customer ID. Magic-link tokens are hashed before storage and expire in 15 minutes.
- Business data — establishment details, brand voice, hours, and the content of any documents you upload to the AI knowledge base.
- Connection tokens — Google Business Profile OAuth tokens are stored encrypted at rest using AES-256-GCM with per-row IVs and per-org encryption context. We never log raw tokens.
- Review data — reviews, ratings, and reviewer names we sync from connected providers (Google Business Profile). We retain the original rawJSON for audit purposes.
- Outreach data — recipient phone numbers and emails you provide, along with SMS consent records (text hash, IP, timestamp).
- Operational logs — request paths, IP addresses (truncated after 30 days), user-agent strings, and audit-log entries for security-sensitive actions. Pino redaction strips authorization headers and tokens.
- Chatbot conversations — visitor messages, AI responses, and retrieved chunk IDs. Visitors are identified by a non-PII visitor token issued in a JWT — not by name or email unless they volunteer it during a handoff.
2. How we use it
- To run the service you signed up for (reviews, replies, surveys, chatbot).
- To improve AI-generated replies — we never train external models on your data without your written consent.
- To prevent abuse, fraud, and policy violations.
- To comply with legal obligations (subpoenas, court orders).
3. Sharing
We share data only with the sub-processors listed at /legal/subprocessors and only as needed to operate the service. We do not sell your data.
4. Retention
- Account and business data: until you delete your organization, then 30 days.
- Audit logs: 7 years (immutable, append-only by trigger).
- Outbound message logs: 2 years.
- Chatbot conversations: 90 days, then anonymized.
5. Your rights
You can export, correct, or delete your data at any time. Email privacy@repulabs.com. Under GDPR and CCPA you have the right to access, rectify, delete, restrict processing, and port your data. We respond within 30 days.
6. Security
Multi-tenant data isolation is enforced by Postgres row-level security on every tenant table. OAuth tokens are envelope-encrypted. Webhook signatures are verified on every request. See security.txt for vulnerability disclosure.
7. Contact
Data Protection Officer: privacy@repulabs.com. General: support@repulabs.com.