Privacy Policy
Last updated: April 2026
TitanReply (“we,” “our,” or “us”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered Google review response service (the “Service”). Please read this policy carefully. By using TitanReply, you consent to the practices described herein.
1. Information We Collect
We collect the following categories of information to provide and improve the Service:
a) Account Information
- Name and email address (provided during sign-up via Google OAuth)
- Profile picture (from your Google account)
- Billing information (processed by Stripe; we never see or store card numbers)
b) Google Business Data
- Business name, address, and category
- Google Business Profile reviews (star rating, reviewer name, review text)
- AI-generated and user-approved review responses
c) OAuth Tokens
When you connect your Google account, we receive OAuth 2.0 access and refresh tokens. These tokens allow us to read your Google Business Profile reviews and post responses on your behalf. We never collect or store your Google password. Tokens are stored server-side only and are encrypted at rest.
d) Usage Data
- Pages visited, features used, and interaction patterns
- Device type, browser, IP address, and approximate location
- Error logs and performance metrics
2. How We Use Your Information
- To provide the Service: monitoring reviews and generating AI-powered responses
- To process payments and manage your subscription via Stripe
- To send transactional emails and review notifications via Resend
- To improve response quality and develop new features
- To comply with legal obligations and enforce our Terms of Service
2.5 Lawful Basis for Processing (GDPR)
We process personal data on the following lawful bases under GDPR:
- Consent: We collect and process Google OAuth credentials and your email address for service provision based on your explicit consent at sign-up.
- Contract Performance: Processing of review data, responses, and usage information is necessary to perform our contractual obligations and provide the Service.
- Legitimate Interests: We process analytics data and implement security measures for fraud prevention, system integrity, and service improvement.
- Legal Compliance: Billing records and transaction data are retained and processed for tax compliance, fraud prevention, and legal obligations.
2.6 Data Controller & International Transfers
Data Controller: TitanReply acts as the data controller for your account information, usage data, and Google Business Profile review data. For review content processed by third parties, we act as both controller (for analytics purposes) and processor (when sending data to Google and OpenAI for response generation).
International Data Transfers: Your data may be transferred to and processed in the United States, where our infrastructure partners (Supabase, OpenAI) operate. These transfers are authorized under the GDPR Standard Contractual Clauses. By using TitanReply, you consent to such transfers.
Data Processing Agreements: Business customers and organizations may request a Data Processing Agreement (DPA) for enhanced compliance requirements. Contact us at support@titanreply.com with “DPA Request” in the subject line.
3. AI Processing & Third-Party Services
3.1 AI Processing via OpenAI
TitanReply uses OpenAI’s API to generate review responses. When you request an AI response, the following data is sent to OpenAI servers:
- Review text (the customer’s review content)
- Business name and category
- Tone preferences and brand guidelines you’ve configured
- Previous similar reviews for context (anonymized)
OpenAI processes this data according to their API Privacy Policy. We have opted out of OpenAI using your data for model training. OpenAI retains API request data for 30 days for abuse monitoring and service improvement.
3.2 Google API & OAuth Compliance
We request the following OAuth scopes:
- openid, email, profile: Authentication and account identification
- business.manage: Read and manage Google Business Profile reviews
We comply with Google’s Limited Use Policy and use OAuth tokens only for the stated purposes. You can revoke TitanReply’s access at any time by visiting myaccount.google.com/permissions.
3.3 Third-Party Services
We integrate with the following services:
| Service | Purpose | Data Shared | Privacy Policy |
|---|---|---|---|
| OpenAI | AI response generation | Review text, business name, context | openai.com/privacy |
| Supabase | Database hosting | Account data, reviews, analytics | supabase.com/privacy |
| Stripe | Payment processing | Email, subscription data, card tokens | stripe.com/privacy |
| Resend | Email delivery | Email address, notifications | resend.com/privacy |
| Google APIs | OAuth & Business Profile sync | OAuth tokens, review data | policies.google.com/privacy |
| Cloudflare | CDN & deployment | Request logs, IP addresses | cloudflare.com/privacy |
3.5 AI Transparency & Limitations
Our AI response generation works by analyzing your review’s tone, prompting the AI model with business context and your preferences, and returning a suggested response. AI-generated responses require your approval before posting. You remain responsible for reviewing your settings and monitoring posted responses.
Important limitations: AI responses may produce inaccurate claims, factual errors, or inappropriate commitments that you cannot fulfill. The model may exhibit implicit biases from training data. Responses have a knowledge cutoff date and may be outdated. We provide no warranty on the accuracy, appropriateness, legality, or effectiveness of AI-generated content. You remain fully responsible for all posted responses.
We may analyze aggregated, anonymized response data to improve the quality of our AI model and service. Individual responses cannot be traced to specific users.
4. Data Security
We implement industry-standard security measures to protect your data:
- All data is encrypted in transit using TLS 1.2+
- Data at rest is encrypted using AES-256 encryption
- OAuth tokens are stored server-side only, never exposed to the browser
- Row Level Security (RLS) policies ensure users can only access their own data
- Regular security audits and dependency updates
5. Data Retention
We retain different categories of data for varying periods, as outlined below:
| Data Type | Retention Period | Reason |
|---|---|---|
| Account & Profile Data | Duration of account + 30 days after deletion | Service delivery & audit trail |
| Review Text & Responses | Duration of account + 30 days after deletion | Historical access & reference |
| OAuth Tokens (Google) | Duration of active session; refreshed on login | Authentication & service provision |
| Payment & Billing Records | 7 years | Tax compliance & fraud prevention |
| Server Logs & Analytics | 90 days | Security & performance monitoring |
| Email Communication | 2 years | Customer support records |
| Deleted Account Data | Purged within 30 days; backups up to 90 days | Compliance & disaster recovery |
You may request deletion of your account and all associated data at any time by contacting us at support@titanreply.com or through your account settings.
6. Your Rights
6.1 GDPR Rights (EU/EEA Residents)
If you are resident in the European Union or European Economic Area, you have the following rights:
- Right of Access: Obtain a copy of the personal data we hold about you
- Right to Rectification: Request correction of inaccurate or incomplete data
- Right to Erasure: Request deletion of your personal data (the “right to be forgotten”)
- Right to Data Portability: Receive your data in a structured, machine-readable format
- Right to Object: Object to processing of your data for specific purposes
- Right to Restrict Processing: Request limitation of data processing in certain circumstances
- Right to Withdraw Consent: Withdraw consent for processing at any time
- Right to Lodge Complaint: File a complaint with your data protection supervisory authority
To exercise any of these rights, contact us at support@titanreply.com with “GDPR Data Subject Request” in the subject line. We will respond within 30 days.
6.2 California Residents (CCPA/CPRA Rights)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to Know: Request what personal information we collect, use, or share
- Right to Delete: Request deletion of personal data we have collected from you
- Right to Correct: Request correction of inaccurate personal information
- Right to Opt-Out: Opt out of the sharing of your personal information
- Right to Limit Use: Limit how we use sensitive personal information
We do NOT sell your personal information to third parties. We do not share personal information for cross-context behavioral advertising.
To exercise any of these rights, contact us at support@titanreply.com with “CCPA Request” in the subject line. We will verify your identity and respond within 45 days.
7. Cookies & Tracking
Essential Cookies
We use the following essential cookies to maintain core functionality:
| Cookie Name | Purpose | Expiration |
|---|---|---|
| session-token | User session authentication | 30 days or logout |
| preferences | Remember user preferences (theme, language) | 1 year |
| csrf | CSRF protection for form submissions | Session |
Analytics Cookies
We do not currently use analytics cookies to track user behavior across sessions. We rely on aggregate server-side analytics to understand service usage patterns.
Marketing Cookies
We do not currently use marketing cookies or third-party advertising trackers.
You can manage cookie preferences and withdraw consent through your browser settings or our cookie consent banner. For more details, see our Cookies Policy.
8. Children’s Privacy
TitanReply is not intended for use by individuals under 18 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 13, we will delete it within 24 hours and take appropriate steps to cease any further collection from that individual.
COPPA Compliance: We comply with the Children’s Online Privacy Protection Act (COPPA). If you suspect we have collected data from a child under 13, please report it to support@titanreply.com with “COPPA Violation Report” in the subject line.
9. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or through a prominent notice on the Service. Your continued use of TitanReply after changes are posted constitutes acceptance of the revised policy.
10. Contact Us
If you have any questions or concerns about this Privacy Policy or our data practices, please contact us at:
TitanReply
Email: support@titanreply.com
Data Protection Officer: support@titanreply.com (include “DPO” in subject line for GDPR data protection inquiries)