Privacy
Effective May 28, 2026
The short version
Replyy reads the LinkedIn conversation you're viewing, relays it to Anthropic under your own API key, and shows you three drafted replies in return. We don't store the conversation. We store a small per-call activity record (thread title, tone, token counts) and your account settings (encrypted Anthropic key, voice samples, tone presets, device tokens).
What we store
- Account: your email, a bcrypt hash of your password, your role, when you joined.
- Configuration: system prompt, model, tones, voice samples — exactly what you put into your dashboard.
- Anthropic API key: encrypted at rest with AES-256-GCM. Decrypted in memory only when you click Suggest. Never sent anywhere except Anthropic.
- Device tokens: only the SHA-256 hash. The plaintext is shown to you once at generation and not stored on our side.
- Activity log: per suggestion request — thread title, tone you picked, token counts, latency, success/error.
- Voice examples (only on accept): when you pick a draft from the suggestions popover, we store an embedding (a 1,536-number vector) of that thread plus the picked draft text. These become "style examples" the model retrieves on future suggestions to write more like you. Rejected drafts and closed-without-picking events store nothing. You can wipe these at any time by deleting your account.
What we don't store
- The contents of your LinkedIn DMs.
- The drafts Claude returned.
- Recipient profile data beyond what you explicitly attach (e.g., voice samples you paste).
- Any identifier from LinkedIn — we never see your LinkedIn account, profile URL, or who you're messaging beyond the thread title that appears in your activity log.
Who else sees your data
Anthropic processes every suggestion request under your own API key. Their data policy applies; see anthropic.com/legal/privacy.
OpenAI processes the embedding requests we use to power the "drafts that learn your voice" feature, on a platform-paid key. Only the thread text being embedded is sent — nothing about your identity. See openai.com/policies/privacy-policy.
Replyy does not sell, share, or resell any of your data to anyone else.
How long we keep it
As long as your account is active. Delete your account (email us until self-serve is shipped) and all your data — config, tokens, activity log — is removed via ON DELETE CASCADE on the user record. No soft delete, no retention.
Cookies
One cookie: lct_session, httpOnly, sameSite=lax, 30-day TTL. It's a signed JWT containing your user ID. No analytics cookies, no tracking pixels, no third-party scripts on logged-in pages.
Your rights
Under GDPR and similar regimes you can request export, correction, or deletion of your data. Email hello@replyy.click with your account email. Until we have self-serve, we'll handle it manually within 30 days.
Updates
We'll update this page with the effective date when anything material changes. We won't quietly start collecting more without telling you.