Privacy · Updated May 2, 2026

Your data, handled with care.

This Privacy Policy explains how INSTAREPLY W.L.L. ("InstaReply," "we," "us," or "our") collects, uses, discloses, and protects personal information in connection with the Chat Agent service and related websites, dashboards, APIs, plugins, and support channels (collectively, the "Service").

This document is intended to be globally compliant, including with the EU/UK GDPR, the California Consumer Privacy Act as amended by the CPRA (CCPA), and the Bahrain Personal Data Protection Law (Law No. 30 of 2018) (Bahrain PDPL). Where local law imposes stricter requirements, we will comply with those requirements.

  1. Legal entity: INSTAREPLY W.L.L. Address: Road 5715, Block 257, Building 1722, Flat 2, Kingdom of Bahrain Email (privacy): privacy@instareply.io Email (general): hello@instareply.io
  2. This Policy applies to: Web properties we operate (marketing sites, dashboards, documentation). Platform Services (Chat Agent interfaces, APIs, integrations, admin and analytics tools). Support channels (email, chat, helpdesk). Role definitions: For Customer Content (messages, media, attachments, and related metadata processed on behalf of your business through Chat Agent), you (the business customer) are the Controller and InstaReply is the Processor under GDPR / Data Manager under Bahrain PDPL. For Account Data (your admin user account, billing/contact details, Service configuration, security logs, platform analytics), InstaReply is the Controller. If there is any inconsistency between this Policy and a signed Data Processing Addendum (DPA) with you, the DPA governs our Processor obligations.
  3. Customer Content: Any content, personal data, or media your organization submits to or through the Service for processing on your behalf. Account Data: Registration, billing, payment, team member details, plan, usage metrics, and system configuration. Technical Data: Device, browser, IP, timestamps, headers, event logs, diagnostic logs, and telemetry created by your use of the Service. Integrations Data: Data exchanged via authorized connectors (e.g., Meta/WhatsApp, Instagram, Facebook Messenger, Google Business Messages, email providers, SMS gateways, CRM/POS/Helpdesk tools). Sensitive Data: Data considered sensitive under applicable law (e.g., health data, government identifiers). You must not intentionally submit sensitive data unless our contract explicitly permits it and you implement appropriate controls.
  4. A. Information you provide directly Account & Profile: Name, email, phone, job title, company name, industry, plan selection, language preferences. Billing & Payments: Billing address, tax IDs, plan details, transaction records (processed by our payment processor; we do not store raw card numbers). Support/Comms: Messages, attachments, satisfaction ratings, and related metadata. B. Customer Content (as your Processor) End-user messages and attachments flowing through Chat Agent, message timestamps, channel identifiers, conversation routing details, and model output. C. Automatically collected Technical/Device Data: IP address, user-agent, OS/browser type and version, approximate location (derived from IP), time zone, system performance. Usage & Telemetry: Feature use, API calls, latency, error rates, admin actions (e.g., role changes), authentication events. D. From third parties (with your authorization or under contract) Integrations: Account IDs, profiles, message content and metadata from connected channels (e.g., WhatsApp Business API, Instagram, Facebook Messenger, email/SMS gateways), CRM/Helpdesk records, and webhooks. Vendors & Partners: Fraud prevention and payment processors (e.g., address verification results), analytics and security vendors. E. Cookies and similar technologies See Section 15 (Cookies & Tracking) for details on session cookies, analytics, and consent choices.
  5. We use personal data for the following purposes and legal bases: Deliver & operate the Service - routing messages, generating model outputs, authentication, authorization, uptime, scaling. Legal basis: Contract (Art. 6(1)(b)). Improve & secure the Service - error diagnostics, analytics, security monitoring, QA, model performance measurement. Legal basis: Legitimate Interests (Art. 6(1)(f)). Support & communications - responding to tickets, incident notices, service announcements. Legal basis: Contract; Legitimate Interests. Billing & fraud prevention - payments, invoicing, chargeback handling. Legal basis: Contract; Legal Obligation (tax/records). Marketing (optional) - product updates, newsletters. Legal basis: Consent (Art. 6(1)(a)) where required; otherwise Legitimate Interests. Compliance & enforcement - recordkeeping, audits, enforcing terms, responding to lawful requests. Legal basis: Legal Obligation; Legitimate Interests. AI training & model improvement: We do not use Customer Content to train third-party foundation models (e.g., model providers) unless you explicitly opt in via an admin control or written agreement. We may use de-identified, aggregated telemetry and synthetic test data to improve reliability and safety (Legitimate Interests). Optional opt-in features that learn from your Customer Content (e.g., per-tenant fine-tuning, FAQs, canned responses) operate only within your tenant and are covered by Contract.
  6. Customer Content: Retained for the duration of your subscription and per your retention settings (conversation history, log windows). You can delete content or close the account to trigger deletion. Account/Contract Data: Retained as needed for ongoing Service, financial records, and legal obligations (typically 7 years for finance/tax in many jurisdictions, unless a longer statutory period applies). Security & Audit Logs: Typically 90–365 days depending on event type, unless needed for investigations or legal claims. Backups: Rolling backups are kept for disaster recovery and are deleted on a schedule; deleted records may persist in backups for a limited time before being overwritten.
  7. We do not sell personal information. We share information only as described below: 1. Service Providers / Sub-processors Cloud hosting, managed databases, queueing, content delivery networks, error monitoring, logging, analytics, communications, identity, and payments. Examples (subject to change): cloud infrastructure providers, managed databases, email/SMS delivery, payment processors, identity/auth providers, analytics/security tools, and model providers for AI inference strictly under Processor terms. 2. Integrations (at your direction) If you connect third-party channels or systems, we share and receive data as needed to operate those integrations (e.g., WhatsApp Business API provider, Instagram/Facebook Messenger, CRM/helpdesk). Their use of your data is governed by their own policies and contracts. 3. Corporate transactions In connection with a merger, acquisition, financing, or sale of assets, personal data may be transferred subject to confidentiality and appropriate safeguards. 4. Legal disclosures We may disclose information to comply with laws, lawful requests, or legal process; to protect our rights, users, or the public; to enforce agreements; or to detect/prevent fraud, abuse, or security incidents.
  8. We operate internationally. Where personal data is transferred outside its origin jurisdiction: EEA/UK: We rely on Standard Contractual Clauses (SCCs) and, where applicable, the UK Addendum/IDTA, plus supplementary measures. Bahrain PDPL: Cross-border transfers occur under permitted grounds (e.g., adequate protection, consent where required, or other PDPL transfer conditions). Other regions: We use contractual and technical safeguards appropriate to the destination and the nature of the data.
  9. We implement administrative, technical, and physical safeguards designed to protect personal data, including: Encryption in transit (TLS) and at rest for primary data stores where feasible. Access controls and least-privilege role assignments; SSO/MFA for internal admin systems. Network segmentation, firewalling, and endpoint protection. Secure software development lifecycle (code review, dependency scanning, secrets management). Logging, monitoring, and anomaly detection. Vendor due diligence and sub-processor data protection terms. Business continuity and disaster recovery plans with periodic testing. Incident response: If we learn of a breach affecting personal data, we will investigate promptly and notify you and/or authorities as required by law and our DPA/contract commitments (e.g., GDPR Arts. 33/34 timelines).
  10. You are responsible for: Providing legally adequate privacy notices to your end users. Choosing lawful bases for processing Customer Content and honoring data subject rights. Configuring retention, access, permissions, and integrations appropriately. Avoiding the submission of Sensitive Data unless permitted by our agreement and protected by appropriate technical and organizational measures.
  11. Your rights depend on your location and applicable law. Subject to exceptions, you may have rights to: Access your personal data. Rectify inaccurate or incomplete data. Erase data ("right to be forgotten"). Restrict or object to processing (including objection to direct marketing). Portability (obtain a copy in a structured, commonly used, machine-readable format). Withdraw consent where processing is based on consent (without affecting prior processing). Appeal a decision on your request where required by law. How to exercise: For Account Data we control: email privacy@instareply.io. For Customer Content we process on your organization's behalf: contact your organization (the Controller). We will assist the Controller upon request, consistent with our DPA. We may ask for verification of identity and scope. We will not discriminate against you for exercising your rights.
  12. A) European Economic Area (EEA) & United Kingdom Controller/Processor roles: As stated in Section 2. Legal bases: See Section 5. Automated decision-making: Chat Agent may use AI models to assist with responses. Fully automated decisions producing legal or similarly significant effects are not made by us without human oversight by your organization. You can configure automation levels and escalation rules. Complaints: You may lodge a complaint with your local supervisory authority. We welcome you to contact us first at privacy@instareply.io. B) California (CCPA/CPRA) and certain U.S. States Categories collected (in the last 12 months): identifiers; commercial information (subscription details); internet/network activity; geolocation (coarse, from IP); professional information; inferences (limited, e.g., segmenting for product adoption); audio/visual only if you submit it in support or Customer Content. Sources: You, your organization, your end users, devices, cookies, integrated platforms, and service providers. Purposes & disclosures: As described in Sections 5 and 7. "Sale" or "Sharing" of personal information: We do not sell personal information. We do not "share" personal information for cross-context behavioral advertising except via optional marketing cookies on our websites. You can opt out via our cookie banner or by enabling Global Privacy Control (GPC), which we honor for our web properties where technically feasible. Sensitive personal information: We do not use or disclose SPI for inferring characteristics. Any credentials/API keys you store are used solely to provide the Service. Your rights: Right to know/access, deletion, correction, portability, opt-out of sale/sharing, limit use of SPI (where applicable), and non-discrimination. Submit requests to privacy@instareply.io. You may appoint an authorized agent per CCPA rules. 
      C) Bahrain PDPL Legal grounds: Consent (where required), contract necessity, legal obligation, or other PDPL-recognized bases. Rights: Access, rectification, erasure, objection, and complaint to the competent authority. Direct marketing: We will obtain consents required by Bahrain law and honor opt-outs. Cross-border transfer: Per Section 8 and PDPL transfer conditions.
  13. The Service is not directed to children under 16 (or the age defined by local law, if higher). We do not knowingly collect personal data from children. If you believe a child has provided data, contact privacy@instareply.io and we will take appropriate steps.
  14. We use AI to assist with message handling and content generation. You can configure confidence thresholds, human-in-the-loop review, escalation workflows, blocklists/allowlists, and channel-specific behaviors. We do not engage in solely automated processing that produces legal or similarly significant effects on individuals without human oversight by your organization.
  15. We use: Strictly necessary cookies for login sessions, security, and load balancing. Functional cookies to remember preferences (e.g., language). Analytics cookies to understand usage and improve performance. Optional marketing cookies on our marketing sites (never in the logged-in product) with your consent where required. Consent management: Our web properties display a cookie banner where required, allowing you to accept, reject, or granularly manage categories. You can withdraw consent at any time via the banner link or browser settings. We honor GPC signals on supported properties.
  16. The Service may link to or interoperate with third-party services. Their privacy practices are governed by their own policies. Please review those policies before enabling integrations.
  17. When we process Customer Content on your behalf, our DPA applies and is incorporated by reference into our Terms. The DPA includes: subject matter and duration, nature and purpose of processing, types of personal data, categories of data subjects, Controller instructions, confidentiality, security measures, sub-processor obligations, assistance with data subject rights, international transfers, and audit terms.
  18. You are responsible for the accuracy of information you provide. We apply data minimization principles and limit collection to what is necessary for the stated purposes.
  19. Admins can configure retention for conversations and logs where available, and may export or delete data via dashboard or API. Upon account closure, we will delete or anonymize Customer Content within a commercially reasonable period, subject to backup cycles and legal holds.
  20. We may update this Policy to reflect operational, legal, or regulatory changes. We will post the updated Policy with a new "Last Updated" date and, where required, provide notice (e.g., email or in-product message). Material changes will take effect no sooner than the notice period required by law or our contract.
  21. Questions, requests, or complaints: privacy@instareply.io We will respond within the timeframes required by applicable law.
  22. If any provision of this Policy conflicts with local law in your jurisdiction, the stricter requirement prevails for data subject rights and protections.
  23. This Policy describes our practices and does not create legal rights or obligations beyond those required by law or set out in our Terms or DPA.