DigiReply Privacy Policy

Table of Contents

• Introduction
• Scope of this Policy
• Information We Process
• How We Use Your Information
• How We Share Your Information
• Data Security and Retention
• International Data Transfers
• Additional Information
• DigiReply PDF Editor Chrome Extension

Introduction

DigiReply ("DigiReply", "we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you interact with our website DigiReply.com, platform, and services, including our AI chatbot, support ticketing system, Taskboard, Social Media Scheduler, and Omnichannel Dashboard (collectively, the "Services").

We may update this Privacy Policy from time to time. The updated version will be indicated by an updated "Effective Date" and will be effective as soon as it is accessible. We encourage you to review this policy periodically.

By accessing or using our Services, you signify that you have read, understood, and agree to our collection, storage, use, and disclosure of your personal information as described in this Privacy Policy and our Terms of Service. If you do not agree with the terms, please do not access or use our Services.

Capitalized terms not defined in this Privacy Policy have the meanings given to them in our Terms of Service.

1. Scope of this Policy

1.1. This Privacy Policy applies to all personal information processed by DigiReply through our Services and interactions, including our DigiReply PDF Editor Chrome Extension, regardless of your location or residency. Your use of our Services is subject to this policy.

2. Information We Process

2.1. How We Obtain Information

We collect information when:

• You register for and use our Services (as a "Customer").
• You visit our Website, contact our support, or interact with our marketing materials (as a "Visitor" or "Prospect").
• You provide information directly to us through forms, communications, or service usage.
• Our systems automatically collect data during your interaction with our Services.
• We receive information from third-party services you choose to integrate with DigiReply.
• You utilize features that involve processing by third-party AI services.

2.2. Our Role in Data Processing

• Data Controller: DigiReply acts as a data controller for the personal information we collect directly from you (e.g., your account details, billing information, marketing interactions). We determine the purposes and means of processing this data.
• Data Processor: When you use our Services to process information relating to your own customers, contacts, or team members (e.g., end-user chat logs, ticket content submitted via your website, task details assigned to your team, documents uploaded for AI training, queries sent for AI fallback responses), DigiReply acts as a data processor. We process this data solely on your behalf and according to your instructions (as outlined in our Terms of Service and any applicable Data Processing Addendum). You are the data controller for this information.

2.3. Legal Basis for Processing (as Controller)

When acting as a data controller, we process your personal information based on one or more of the following legal grounds:

• To Perform Our Contract: Processing necessary to provide the Services you subscribed to and fulfill our obligations under the Terms of Service.
• To Comply with Legal Obligations: Processing required to meet our legal duties (e.g., tax, accounting, responding to lawful authorities).
• Your Consent: Where you have given us specific permission for a particular processing activity (e.g., subscribing to newsletters). You can withdraw consent at any time.
• Legitimate Interests: Processing necessary for our legitimate business interests, provided these interests are not overridden by your rights and freedoms. This includes operating and improving our Services, ensuring security, providing support, understanding user needs, and marketing relevant DigiReply offerings.

2.4. Types of Information We May Process

Depending on your interaction with us, we may process various types of personal and non-personal information:

• Account & Contact Information: Name, email address, phone number, physical address, company name, username, password, user roles/permissions.
• Commercial & Billing Information: Subscription plan details, transaction history, payment information (processed securely by third-party payment providers), support interaction records.
• Usage Data: Information about how you interact with our Website and Services platform: IP address, login data, browser type/version, device information, operating system, pages visited, features used, time spent, clickstream data, diagnostic logs, error reports.
• Content Processed on Your Behalf (as Processor): Any data you input, generate, or manage using the Services. This includes, but is not limited to:
  • Chatbot training data (questions, answers, flows, and source documents (e.g., text files, PDFs, or other supported formats) you upload for automated Q&A generation via AI).
  • Conversation logs between your chatbots/agents and your end-users, including specific end-user queries sent to third-party AI services (like Google Gemini) to generate fallback responses when your bot lacks a pre-defined answer.
  • Support tickets submitted through your integrated forms or generated from chats (subject, description, attachments, submitter details if provided).
  • Task information (titles, descriptions, deadlines, assignees) entered into the Taskboard.
  • Content scheduled for posting via the Social Media Scheduler.
  • Data within the Omnichannel Dashboard originating from your integrated channels.
• Communications & Feedback: Information you provide when contacting support, participating in surveys, providing feedback, or posting in any community forums we might offer.
• Integration Data: Information exchanged with third-party services (e.g., Shopify, WooCommerce, Facebook, Instagram, email platforms) when you authorize an integration.
• Location Information: General geographic location derived from your IP address.

We may also collect information using cookies and similar technologies (see Section 3.10 and our Cookie Policy). This policy does not cover third-party websites or services linked from or integrated with our Services.

2.5. Sensitive Information

Our Services are not designed for processing sensitive personal information (e.g., health data, genetic/biometric data, detailed financial account numbers, racial/ethnic origin, political opinions, religious beliefs, sexual orientation). Please do not input such data into the Services, including within documents uploaded for AI training, as this may violate applicable laws or our Terms and could result in unintended data sharing with third-party AI providers. You are responsible for ensuring any data you process through our Services complies with applicable laws, including restrictions on sensitive data.

3. How We Use Your Information

3.1. Purposes of Use

We use the information we process for purposes including:

• Providing & Managing Services: To operate, maintain, secure, and deliver the features and functionality of the Services you subscribe to, including user authentication, team collaboration, integrations, and dashboard visibility.
• Service Improvement & Development: To analyze usage patterns, troubleshoot issues, gather feedback, and develop new features, functionalities, and improvements for our Services. This may involve using aggregated and anonymized data, including for refining underlying AI models' general capabilities without using your specific identifiable content for training general models shared across customers.
• Customer Support: To respond to your inquiries, provide technical assistance, and resolve problems related to the Services.
• Billing & Account Management: To process payments, manage subscriptions, send invoices and service-related communications.
• Security & Fraud Prevention: To monitor for security threats, prevent fraudulent activity, enforce our terms, and protect the integrity of our Services and user data.
• Legal & Compliance: To comply with applicable laws, regulations, court orders, or other legal processes.
• Communication & Marketing: To communicate with you about your account, service updates, policy changes, and (where permitted) to send you information about DigiReply products, services, and promotions that may interest you. You can manage marketing preferences.
• AI Functionality: To enable the AI features within the Services. Specifically:
  • Training Data Generation: When you upload source documents (e.g., text files, PDFs, or other supported formats) for AI-powered Q&A generation, we send this content to a designated third-party AI provider (currently Google Gemini) for processing. The sole purpose of this processing is to transform the text you provided into structured Q&A pairs to train your specific chatbot instance within DigiReply.
  • AI Fallback Responses: When an end-user asks your chatbot a question that it is not trained to answer, we may send that specific query to our third-party AI provider (currently Google Gemini) to generate a relevantöng fallback response to be delivered to the end-user through the chatbot interface.

You can choose whether to enable these AI features. Disabling them will prevent the associated data from being sent to third-party AI providers.

3.2. Customer Content & AI Training

Content you provide for using the Services (e.g., chatbot training data, ticket content, social posts, uploaded source documents) is processed to deliver the service to you. As described in Section 3.1, specific content may be shared with third-party AI providers like Google Gemini solely to enable requested AI features (Q&A generation, fallback responses) for your account. We require our AI providers to handle this data securely and confidentially according to our instructions and agreements. We do not use your specific, identifiable customer conversation data, proprietary training inputs (including uploaded source documents or individual queries sent for fallback), or ticket content to train general AI models shared across different DigiReply customers. We may analyze aggregated, anonymized usage data derived from service operation (including AI feature usage patterns) to improve the overall platform and underlying AI models' general performance, but not using your identifiable content.

3.3. Your Responsibilities (as Data Controller)

When using DigiReply to process personal information about your end-users or team members, or when providing content (like training documents) that may contain personal information, you are responsible for:

• Ensuring you have a lawful basis (e.g., consent, contractual necessity) for collecting and processing that data, including any sharing with third-party AI providers necessary for the features you enable.
• Providing clear and adequate privacy notices to individuals whose data you process via our Services.
• Complying with all applicable data protection laws regarding that data.
• Managing requests from individuals regarding their data processed through the Services (e.g., access, deletion).
• Ensuring that content uploaded for AI processing (like training documents) does not contain sensitive personal information or other data prohibited by law or our Terms.
• Informing your end-users, where required by law, that their queries may be processed by third-party AI providers to generate responses when using AI-enabled chatbot features.

3.4. Managing Your Information

You can typically review and update your account information through your DigiReply account settings. For requests regarding access, correction, or deletion of your personal information held by us as a controller, please contact privacy@digireply.com.

3.5. Data Deletion

We retain your personal information as described in Section 5. You can request deletion of your account and associated controller data by contacting us. Data processed on your behalf (as processor), including uploaded training documents and logs potentially containing AI interactions, is typically deleted according to the terms of your Agreement upon termination. Data associated with expired or inactive 14-day Free Plan trials may be deleted shortly after the trial period ends.

3.6. Communications Preferences

You can opt-out of receiving promotional emails from us by following the unsubscribe instructions in those emails or by contacting us. You will continue to receive essential service-related communications.

3.7. Customer Logos

Unless you notify us otherwise in writing, you grant DigiReply a limited license to use your company name and logo on our Website and marketing materials for the purpose of identifying you as a customer.

3.8. Children's Privacy

Our Services are not intended for individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have inadvertently collected such information, we will take steps to delete it.

3.9. Integrations

When you connect Third-Party Services, you authorize DigiReply to access and exchange information with that service as necessary to provide the integration features. Your use of Third-Party Services is governed by their respective terms and privacy policies.

3.10. Cookies and Tracking Technologies

We use cookies and similar technologies (pixels, beacons) to operate and secure the Services, remember your preferences, analyze usage, and support marketing efforts. For detailed information and choices regarding cookies, please see our separate Cookie Policy.

3.11. Analytics

We use third-party analytics services (like Google Analytics) to help understand how users engage with our Website and Services. These services use cookies and may collect information like your IP address and usage patterns. This helps us improve our offerings.

4. How We Share Your Information

We do not sell your personal information. We share information only in the following limited circumstances:

4.1. Affiliated Companies

We may share information with companies within the DigiReply corporate group (subsidiaries, parent company) as needed for operational, administrative, and service delivery purposes, consistent with this Privacy Policy.

4.2. Third-Party Vendors & Service Providers

We engage trusted third-party companies and individuals to perform services on our behalf (acting as our processors or sub-processors). These include providers of hosting, infrastructure (e.g., cloud platforms), payment processing, security, analytics, customer support tools, communication services, and specialized AI processing (such as Google, for features leveraging the Gemini model). We share only the information necessary for them to perform these tasks and require them to uphold strict confidentiality and security obligations compatible with this Policy and our agreements. Specifically, when you utilize AI features like Q&A generation from documents or AI fallback responses, the relevant content (the text from your uploaded document or the specific end-user query) is shared with the designated AI provider solely for the purpose of providing that specific functionality to you.

4.3. Third-Party Integrations

When you choose to enable integrations with Third-Party Services (e.g., Shopify, WooCommerce, Facebook, Instagram), you direct us to share certain information with that service. This sharing is based on your configuration and is governed by the terms and privacy policies of the Third-Party Service.

4.4. Legal Requirements & Protection

We may disclose your information if required by law, subpoena, or other legal process, or if we have a good faith belief that disclosure is reasonably necessary to:

• Comply with applicable laws or respond to lawful requests from public authorities.
• Enforce our Terms of Service or protect the rights, property, or safety of DigiReply, our users, or the public.
• Prevent or investigate potential fraud, security issues, or illegal activity.

4.5. Business Transfers

If DigiReply is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or a portion of its assets, your information may be transferred as part of that transaction, subject to standard confidentiality arrangements and provided the successor entity honours the commitments in this Privacy Policy or provides notice of changes.

5. Data Security and Retention

5.1. Security Measures

We implement appropriate technical and organizational security measures designed to protect your personal information from unauthorized access, use, alteration, or destruction. These include measures like encryption (e.g., 256-bit SSL for data in transit and at rest where feasible), access controls, secure infrastructure, and regular security assessments. When data is shared with third-party providers, including AI services, we require them contractually to implement appropriate security measures. However, no method of transmission over the Internet or electronic storage is completely secure, and we cannot guarantee absolute security. You are also responsible for maintaining the confidentiality of your account credentials.

5.2. Data Retention

We retain personal information for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law, or by our agreement with you.

• Account Information: Retained while your account is active and for a reasonable period afterward for legal, accounting, or dispute resolution purposes.
• Data Processed on Your Behalf: Retained according to your instructions and the terms of our Agreement. Typically deleted within a defined period (e.g., 30-90 days) after your agreement ends, unless subject to legal holds. This includes chatbot conversation logs, uploaded training documents, and generated Q&As.
• Data Processed by AI Providers: Data sent to third-party AI providers (like Google Gemini) for processing (e.g., uploaded documents for Q&A generation, fallback queries) is processed temporarily and not retained by the provider beyond the time necessary to deliver the service result, in accordance with our agreements with the provider and their data protection policies.
• Free Trial Data: Data from expired or inactive 14-day Free Plan trials may be deleted shortly after the trial period ends, unless you upgrade to a paid plan.
• Anonymized Data: We may retain aggregated or anonymized data indefinitely for analytics and service improvement.

5.3. Sensitive Data Storage and Processing

DigiReply employs industry-standard encryption protocols to protect sensitive user data throughout its lifecycle. All sensitive information, including third-party API tokens, authentication credentials, and user-generated content, is secured using advanced encryption methods:

• 256-bit AES Encryption: We utilize AES-256-CBC encryption, the industry gold standard, for storing sensitive data at rest. This includes API tokens for Gmail, Google Calendar, social media platforms, and other third-party integrations.
• Hybrid Encryption for Enhanced Security: Where SSL certificates are available, we implement hybrid encryption combining RSA public key encryption with AES symmetric encryption for optimal security and performance.
• Encrypted Data Transmission: All data transmitted between your browser and our servers is protected using 256-bit SSL/TLS encryption, ensuring secure communication channels.
• Token Security: Third-party API tokens (OAuth tokens, refresh tokens, access tokens) are encrypted before storage and only decrypted when needed for authorized API calls. This ensures that even if our database is compromised, your sensitive tokens remain protected.
• Secure Key Management: Encryption keys are stored separately from encrypted data and are protected using industry-standard key management practices, including secure key rotation and access controls.
• Processing Security: When processing sensitive data for service functionality (such as sending emails, creating calendar events, or posting to social media), data is decrypted only in secure, isolated processing environments and is never stored in plain text.
• Database Security: Our database infrastructure employs multiple layers of security including encrypted storage, access controls, network isolation, and regular security audits.

This comprehensive encryption approach ensures that your sensitive data remains protected whether it's stored in our systems, transmitted over networks, or processed for service delivery. We continuously monitor and update our security measures to maintain the highest standards of data protection.

6. International Data Transfers

Your personal information is primarily stored and processed on servers located within the European Union (specifically, in France, hosted by OVH, which adheres to GDPR standards). However, certain aspects of the Services may involve transferring your personal information to, storing it in, and processing it in countries other than your own, including the United States, where some of our third-party service providers or AI processing partners (like Google) may be located. These countries may have data protection laws that differ from those in your jurisdiction.

When we transfer personal information originating from regions like the European Economic Area (EEA), the United Kingdom (UK), or Switzerland to countries outside the EEA/UK (such as the US for specific processing activities), we rely on appropriate legal mechanisms to ensure adequate protection. These typically include:

• The European Commission-approved Standard Contractual Clauses (SCCs).
• The UK's International Data Transfer Addendum (IDTA) or equivalent agreements.
• Transfers based on an Adequacy Decision where applicable.
• Other valid transfer mechanisms recognized under applicable data protection laws.

Our primary hosting in France with OVH provides a strong foundation for GDPR compliance. For any necessary transfers outside this region, we take steps to ensure that any third parties receiving your data, including AI service providers, provide a level of protection consistent with applicable legal requirements.

7. Additional Information

7.1. Third-Party AI Provider Terms

For more information on how our AI provider, Google Gemini, processes data, please refer to Google's Data Processing Terms at https://cloud.google.com/terms/data-processing-terms.

7.2. Policy Updates

We may update this Privacy Policy to reflect changes in our practices, including our use of third-party AI providers. Please check the Effective Date and review the policy periodically.

7.3. Compliance with Data Protection Laws

We are committed to complying with applicable data protection laws, including but not limited to:

• General Data Protection Regulation (GDPR) (European Union): For users in the EEA, we act as a data controller for your personal data as described in Section 2.2, ensuring lawful processing (Section 2.3), secure storage (Section 5.1), and appropriate international transfers (Section 6). You have rights to access, rectify, erase, restrict processing, object to processing, and data portability. To exercise these rights, contact privacy@digireply.com. You may also lodge a complaint with an EEA supervisory authority.
• California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA) (California, USA): For California residents, we do not sell or share your personal information for cross-context behavioral advertising as defined under the CCPA/CPRA. You have rights to know, delete, correct, and opt-out of certain data uses, as well as to limit the use of sensitive personal information. To exercise these rights, contact privacy@digireply.com. We provide a "Do Not Sell/Share My Personal Information" link on our Website footer where applicable.
• New Zealand Privacy Act 2020 (New Zealand): For users in New Zealand, we adhere to the Privacy Act's principles, ensuring transparency in data collection and use (Sections 2 and 3), secure handling (Section 5.1), and your rights to access and correct your personal information. To exercise these rights, contact privacy@digireply.com. Complaints can be directed to the New Zealand Office of the Privacy Commissioner.
• Australian Privacy Act 1988 (Australia): For users in Australia, we comply with the Australian Privacy Principles (APPs), ensuring lawful and transparent data handling (Sections 2 and 3), secure storage (Section 5.1), and your rights to access and correct your personal information. To exercise these rights, contact privacy@digireply.com. Complaints can be directed to the Office of the Australian Information Commissioner.

When you use our Services to process personal information (as a data controller), you are responsible for ensuring compliance with these laws for that data, including providing necessary notices and obtaining consents (Section 3.3). We support your compliance through our role as a data processor, including via our Data Processing Addendum and secure processing practices.

8. DigiReply PDF Editor Chrome Extension

8.1. Overview

DigiReply PDF Editor Chrome Extension is designed with privacy and security as core principles. This section outlines how the Extension handles your data and the privacy measures in place to protect your information when using our browser-based PDF editing tools.

8.2. Local-First Data Processing

The Extension is built on a privacy-first architecture:

• Local Processing: The Extension processes PDF files entirely within your browser. Your documents remain on your device and are never uploaded to our servers.
• No Document Retention: The Extension does not retain copies of your PDF files.
• Browser-Based Operations: All PDF editing operations (viewing, annotating, editing) are performed locally in your browser using client-side libraries.

8.3. Local Storage

The Extension stores the following information locally on your device using Chrome's secure storage APIs:

• User Preferences: Settings such as dark mode, zoom level, and compression preferences.
• Digital Signatures: Saved signature templates for reuse within the Extension (stored locally and encrypted).
• Recent File Information: Filenames and thumbnails of recently accessed files for convenience (no file content is stored).
• Authentication Tokens: If you use premium features, secure authentication tokens to verify your subscription status with DigiReply servers.

8.4. Data Collection and Communication

The Extension follows minimal data collection principles:

• Authentication Data: When you access premium features, the Extension securely communicates with our servers to validate your subscription status using encrypted authentication tokens.
• Security Validation: Periodic integrity checks to ensure the Extension hasn't been tampered with, protecting both your security and ours.
• Error Reporting: If the Extension encounters technical issues, anonymized diagnostic information may be sent to help resolve problems. This information never includes your document content or personal data.
• Usage Analytics: Basic, anonymized usage metrics (such as feature usage frequency) may be collected to improve the Extension's functionality, consistent with our analytics practices described in Section 3.11.

8.5. Premium Feature Integration

When you use premium features:

• Local Processing: All premium features (crop, draw, sign, merge, split, compress, OCR) are processed entirely within your browser using advanced client-side libraries.
• Authentication Only: The only server communication for premium features is to verify your subscription status - no document data is ever sent to our servers.
• Secure Verification: Premium feature access is validated through encrypted authentication tokens, but all actual processing remains local.
• Complete Privacy: Your PDF documents and edits never leave your device, even when using premium features.

8.6. Extension Security Measures

The Extension implements multiple layers of security:

• Local Encryption: Sensitive data stored locally (such as signatures and authentication tokens) is encrypted using industry-standard encryption methods.
• Secure Communication: All communication between the Extension and DigiReply servers uses 256-bit SSL/TLS encryption, consistent with our security standards in Section 5.1.
• Anti-Tampering: The Extension includes integrity checks and anti-tampering measures to protect against unauthorized modifications.
• Isolated Processing: PDF processing occurs in isolated browser contexts, preventing unauthorized access to your documents by other websites or extensions.
• Token Expiration: Authentication tokens automatically expire after 30 days and must be renewed, reducing long-term security risks.

8.7. Third-Party Libraries and Services

The Extension uses carefully selected third-party libraries that operate entirely within your browser:

• PDF.js: Mozilla's open-source PDF rendering library processes documents locally without external communication.
• Local Processing Libraries: All PDF manipulation libraries operate client-side and do not transmit your document data externally.
• No External Data Sharing: The Extension does not share your document data with third-party services unless explicitly required for premium features you choose to activate.

8.8. Your Rights and Control

You maintain complete control over your Extension data:

• Data Access: You can access all locally stored Extension data through your browser's storage settings (Chrome Settings > Privacy and Security > Site Settings > All Sites > chrome-extension://[extension-id]).
• Data Deletion: You can clear all Extension data through Chrome's extension management interface or by uninstalling the Extension.
• Document Portability: All edited documents can be downloaded and saved to your device in standard PDF format.
• Feature Control: You can disable specific features, including premium features that communicate with our servers.
• Privacy Settings: The Extension includes privacy controls allowing you to customize what data is stored and how features operate.

8.9. Compliance and Data Protection

The Extension adheres to the same privacy standards as our main platform:

• GDPR Compliance: For users in the EEA, the Extension processes personal data in accordance with GDPR principles, with most processing occurring locally on your device.
• Data Minimization: We collect only the minimum data necessary for the Extension to function effectively.
• Transparency: This policy and in-app privacy notices clearly explain what data is collected and how it's used.
• User Consent: Premium features requiring server communication obtain explicit user consent before activation.

8.10. Extension Updates and Changes

When we update the Extension:

• Privacy-Preserving Updates: Extension updates maintain the same privacy-first principles and do not change fundamental data handling practices.
• Notification of Changes: Significant changes to data handling will be communicated through the Extension interface and updates to this privacy policy.
• Continued Protection: Updates include security improvements while maintaining local processing capabilities.

Contact Us

For questions about this Privacy Policy, including our Chrome Extension practices, please contact us at privacy@digireply.com.