GDPR · Updated May 2, 2026

Built for EU & UK data rights.

INSTAREPLY W.L.L. ("InstaReply") is committed to protecting personal data and complying with the EU General Data Protection Regulation (Regulation (EU) 2016/679) and the UK GDPR. This page explains how we apply GDPR principles across the Chat Agent service, the rights available to data subjects, and how to exercise them.

Where local law (e.g., Bahrain PDPL, CCPA/CPRA) imposes additional or stricter requirements, we comply with those requirements. For details on processing activities, lawful bases, retention, and international transfers, see our Privacy Policy.

  1. For Customer Content (messages, media, attachments, and metadata processed on behalf of your business through Chat Agent), you are the Controller and InstaReply acts as the Processor under Article 28 GDPR. For Account Data (admin user accounts, billing/contact details, service configuration, security logs, platform analytics), InstaReply is the Controller. Where a signed Data Processing Addendum (DPA) exists, the DPA governs our Processor obligations and prevails over any inconsistency with this notice.
  2. We process personal data on the following lawful bases:
     - Contract (Art. 6(1)(b)): delivering and operating the Service, authentication, support, and billing.
     - Legitimate Interests (Art. 6(1)(f)): securing the Service, preventing abuse, error diagnostics, analytics, and product improvement, balanced against your rights and freedoms.
     - Legal Obligation (Art. 6(1)(c)): tax, accounting, fraud prevention, and responding to lawful requests.
     - Consent (Art. 6(1)(a)): optional marketing communications and non-essential cookies, where required.

     You can withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
  3. Our DPA is incorporated by reference into our Terms when we process personal data on your behalf. It includes:
     - Subject matter, duration, nature and purpose of processing.
     - Categories of personal data and data subjects.
     - Controller instructions and confidentiality undertakings.
     - Technical and organizational security measures (Art. 32).
     - Sub-processor obligations and notification of changes (Art. 28(2)–(4)).
     - Assistance with data subject rights and DPIAs (Arts. 28(3)(e)–(f), 35).
     - International transfer mechanisms (Chapter V).
     - Audit rights and information obligations.

     Request the current DPA at privacy@instareply.io.
  4. We engage carefully vetted sub-processors to deliver the Service, including cloud hosting, managed databases, email/SMS delivery, payment processors, identity providers, analytics, security tooling, and AI inference providers. All sub-processors are bound by written terms requiring data protection commitments at least as protective as our own. We maintain a current sub-processor list and provide reasonable advance notice of material additions or changes, giving you the opportunity to object on reasonable data protection grounds, consistent with our DPA.
  5. Where personal data is transferred outside the EEA or UK, we rely on appropriate safeguards under Articles 44–49 GDPR, including:
     - Standard Contractual Clauses (SCCs) adopted by the European Commission, with the UK Addendum / IDTA where applicable.
     - Supplementary technical measures (e.g., encryption in transit and at rest, access controls).
     - Transfer Impact Assessments (TIAs) where required.
     - Derogations under Article 49 only where strictly necessary and limited.

     A copy of relevant transfer mechanisms is available on request.
  6. Under GDPR / UK GDPR, you have the right to:
     - Access (Art. 15): obtain confirmation and a copy of personal data we hold about you.
     - Rectification (Art. 16): correct inaccurate or incomplete data.
     - Erasure (Art. 17): request deletion in certain circumstances.
     - Restriction (Art. 18): limit processing where contested or unlawful.
     - Portability (Art. 20): receive your data in a structured, commonly used, machine-readable format.
     - Object (Art. 21): object to processing based on legitimate interests, including profiling and direct marketing.
     - Not be subject to solely automated decision-making (Art. 22) producing legal or similarly significant effects without safeguards.
     - Withdraw consent at any time where processing is based on consent.
     - Lodge a complaint with your local supervisory authority.
  7. For Account Data we control: email privacy@instareply.io with sufficient detail to identify your account. We respond within one month (Art. 12(3)), extendable by two further months for complex requests with notice. For Customer Content we process on a customer's behalf: please contact the customer organization (the Controller). InstaReply will assist the Controller in responding, consistent with our DPA. We may request reasonable information to verify identity. We will not charge a fee unless your request is manifestly unfounded or excessive (Art. 12(5)).
  8. Chat Agent uses AI models to assist with message routing, drafting, and content generation. We do not engage in solely automated processing producing legal or similarly significant effects on individuals without human oversight by your organization. You can configure confidence thresholds, escalation rules, human-in-the-loop review, blocklists/allowlists, and channel-specific behaviors. You remain responsible for supervising AI outputs in your tenant.
  9. We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
     - Encryption of personal data in transit (TLS) and at rest where feasible.
     - Access controls, least-privilege, SSO/MFA on internal admin systems.
     - Network segmentation, firewalling, and endpoint protection.
     - Secure SDLC: code review, dependency scanning, secrets management.
     - Logging, monitoring, anomaly detection, and incident response runbooks.
     - Regular testing, assessment, and evaluation of measures.
     - Business continuity and disaster recovery plans with periodic testing.
  10. If we become aware of a personal data breach affecting Customer Content, we will notify the Controller without undue delay and in any event within the timelines set out in our DPA, providing the information required to enable the Controller to meet its Article 33 obligations. For breaches affecting Account Data we control, we will notify the competent supervisory authority within 72 hours where required, and affected individuals where the breach is likely to result in a high risk to their rights and freedoms.
  11. Where your processing of Customer Content is likely to result in a high risk to individuals, you are responsible for conducting a DPIA under Article 35. We will provide reasonable assistance and information about Service architecture, security, and data flows to support your DPIA, consistent with the DPA.
  12. InstaReply maintains records of processing activities for both Controller and Processor roles. Records are made available to supervisory authorities on request as required by Article 30(4).
  13. Personal data is retained only as long as necessary for the purposes for which it was collected, or as required by law:
      - Customer Content: per your retention settings and the duration of your subscription; deletion on request or account closure (subject to backup cycles).
      - Account/Contract Data: typically up to 7 years for finance/tax records, unless a longer statutory period applies.
      - Security & Audit Logs: 90–365 days, longer if required for investigations or legal claims.
      - Backups: rolling, deleted on a schedule.
  14. The Service is not directed to children under 16 (or the age defined by local law, if higher). We do not knowingly process personal data of children. If you believe a child's data has been provided to us, contact privacy@instareply.io and we will take appropriate steps.
  15. You have the right to lodge a complaint with a supervisory authority, in particular in the EU/EEA Member State or UK region of your habitual residence, place of work, or place of the alleged infringement (Art. 77). We encourage you to contact us first at privacy@instareply.io so we can address concerns directly.
  16. Contact:
      - Privacy & GDPR enquiries: privacy@instareply.io
      - Legal: legal@instareply.io
      - INSTAREPLY W.L.L., Road 5715, Block 257, Building 1722, Flat 2, Kingdom of Bahrain