Privacy Policy

Last updated: May 19, 2026

OneTapReply ("we," "us," or "our") operates the OneTapReply service at onetapreply.com. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.

1. Information We Collect

1.1 Account Information

When you sign up, we collect your name, email address, and Google account identifier via Google OAuth. We do not store your Google password.

1.2 Google Business Profile Data

With your authorization, we access your Google Business Profile to read reviews and post replies on your behalf. This includes reviewer names, review text, star ratings, and review timestamps. We request only the minimum OAuth scopes required for this functionality.

1.3 Third-Party Reviewer Information (P-3)

Review data fetched from your Google Business Profile includes personally identifiable information about third-party reviewers, such as their display names and review content. This data is used solely to generate reply suggestions and is displayed to you as the business owner. We do not sell, share, or use reviewer PII for any purpose other than providing the OneTapReply service.

1.4 Notification Data

We collect your email address, notification email address, phone number if you provide one, and notification preferences to deliver review notifications, AI draft approval requests, dashboard reminders, and account-related service messages. Current notification options may include email digests, dashboard-only notifications, WhatsApp, and SMS where SMS is available and separately enabled.

We send service emails such as new-review alerts, AI draft approval emails, free-plan digests, onboarding and lifecycle messages, billing notices, account notices, and support replies. We use Resend to deliver these emails and process delivery and engagement signals such as sent, delivered, opened, clicked, bounced, and complained events. We use these signals to operate the service, measure deliverability, suppress invalid or complained-about email addresses, and protect our sending reputation. You can unsubscribe from non-essential email notifications by using the unsubscribe link included in those emails or by contacting us.

If you enroll in SMS notifications, message frequency varies based on your review volume (up to ~10 messages per week based on your review volume). Message and data rates may apply. You can reply STOP to unsubscribe or HELP for help at any time. SMS consent and phone number information will not be shared with third parties or affiliates for marketing or promotional purposes. OneTapReply uses Twilio solely to deliver notifications to the phone number you enrolled. For full details about how our SMS notification program works, see our SMS Terms & Messaging Policy.

In-product SMS opt-in records. When an active subscriber opts into SMS notifications from Dashboard → Settings, we store their phone number, IP address, browser User-Agent, consent version, and timestamp on the corresponding business document for TCPA recordkeeping. Lawful basis: the subscriber's express consent for the consent record itself. SMS opt-in is never required at signup, payment, or as a condition of any purchase, service, or transaction. Retention: indefinite for audit defensibility unless the subscriber requests deletion via privacy@onetapreply.com.

1.5 Payment Information

Payment processing is handled by Stripe. We store your Stripe customer ID and subscription status but do not store credit card numbers or banking details on our servers.

1.6 Usage Data

We collect standard usage data such as IP addresses, browser type, pages visited, and interaction timestamps to improve our service and debug issues.

2. How We Use Your Information

• To provide, maintain, and improve the OneTapReply service
• To generate AI-powered review reply suggestions
• To deliver notifications via email, dashboard, WhatsApp, or SMS where available
• To post approved replies to your Google Business Profile
• To process payments and manage subscriptions
• To communicate with you about your account and service updates
• To measure email deliverability and suppress bounced or complained-about addresses
• To detect and prevent fraud, abuse, or security issues

3. AI Processing and Sub-Processors (INT-3)

We use OpenAI's API as an AI sub-processor to generate review reply suggestions. When a new review is received, the review text, star rating, and your business name are sent to OpenAI's API to generate a reply suggestion. OpenAI processes this data under their API data usage policy, which states that API inputs and outputs are not used to train their models.

No reviewer PII beyond what is contained in the review text is sent to OpenAI. We do not send reviewer email addresses, phone numbers, or account identifiers to any AI sub-processor.

OpenAI LLC acts as a data sub-processor under their Data Processing Addendum (DPA). Per their API data usage policy, API data is not used for model training. For details, see OpenAI's Enterprise Privacy page and DPA at openai.com/enterprise-privacy. The data processing chain is: Google Business Profile API → OneTapReply (Firestore) → OpenAI API → back to Firestore.

4. Data Sharing and Disclosure

We share your data only with the following categories of recipients:

• Google: To read reviews from and post replies to your Google Business Profile
• OpenAI: To generate AI reply suggestions (review text and business context only)
• Stripe: To process payments
• Meta (WhatsApp) / Twilio (SMS): To deliver optional mobile notifications when enabled
• Resend: To deliver service emails and process email delivery, engagement, bounce, and complaint events
• Cloudflare: For hosting, CDN, and security services
• Sentry: For error monitoring and debugging
• Google Tag Manager / Google Analytics: For analytics after you accept optional cookies

We do not sell your personal information. We may disclose information if required by law or to protect our rights, safety, or property.

5. Data Residency (P-4)

Your data is stored in Google Cloud Firestore with primary storage in the United States. Our application runs on Cloudflare's global edge network. Data may be processed in various jurisdictions as needed to provide the service. If you are located in the EU/EEA, data transfers are covered by standard contractual clauses.

6. Data Retention (P-2)

We retain your data as follows:

• Account data: Retained while your account is active and deleted when you delete your account, subject to backup, legal, tax, and security retention needs
• Review data (posted replies): Purged 12 months after the reply is posted to Google
• Review data (pending/skipped): Purged 12 months after creation
• Payment records: Retained as required by applicable tax and financial regulations
• Notification logs: Retained for 90 days for debugging purposes
• Email delivery and suppression records: Retained as needed to provide service emails, honor unsubscribes, and protect deliverability
• OAuth tokens: Deleted immediately upon account deletion or GBP disconnection
• Deleted-account abuse record: We may retain a one-way hash of your email address and deletion metadata to detect repeat abuse or accidental re-creation after deletion

7. Security

We implement industry-standard security measures to protect your data:

• All OAuth tokens are encrypted at rest using AES-256
• All data in transit is encrypted via TLS 1.2+
• Access to production systems is restricted and logged
• We use Cloudflare for DDoS protection and WAF
• Regular security reviews of our codebase and infrastructure

8. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

• Access: Request a copy of the data we hold about you
• Correction: Request correction of inaccurate data
• Deletion: Request deletion of your data (subject to legal retention requirements)
• Portability: Request your data in a machine-readable format
• Objection: Object to processing of your data for certain purposes
• Restriction: Request restriction of processing in certain circumstances

To exercise any of these rights, contact us at privacy@onetapreply.com. We will respond within 30 days.

9. Cookies

We use essential cookies for authentication and session management. If you accept optional cookies, we may use Google Tag Manager and Google Analytics to understand site usage, measure product funnels, and improve the service. You can reject optional cookies in the cookie banner.

10. Children's Privacy

OneTapReply is not intended for use by individuals under the age of 18. We do not knowingly collect data from children.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or a prominent notice on our website. Your continued use of the service after changes constitutes acceptance of the updated policy.

12. Contact

If you have questions about this Privacy Policy, contact us at:

• Email: privacy@onetapreply.com
• General support: support@onetapreply.com