Privacy Policy
Last updated: April 1, 2026
OneTapReply ("we," "us," or "our") operates the OneTapReply service at onetapreply.com. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.
1. Information We Collect
1.1 Account Information
When you sign up, we collect your name, email address, and Google account identifier via Google OAuth. We do not store your Google password.
1.2 Google Business Profile Data
With your authorization, we access your Google Business Profile to read reviews and post replies on your behalf. This includes reviewer names, review text, star ratings, and review timestamps. We request only the minimum OAuth scopes required for this functionality.
1.3 Third-Party Reviewer Information (P-3)
Review data fetched from your Google Business Profile includes personally identifiable information about third-party reviewers, such as their display names and review content. This data is used solely to generate reply suggestions and is displayed to you as the business owner. We do not sell, share, or use reviewer PII for any purpose other than providing the OneTapReply service.
1.4 Notification Data
We collect your phone number and messaging preferences (WhatsApp or SMS) to deliver review notifications and reply approval requests.
1.5 Payment Information
Payment processing is handled by Stripe. We store your Stripe customer ID and subscription status but do not store credit card numbers or banking details on our servers.
1.6 Usage Data
We collect standard usage data such as IP addresses, browser type, pages visited, and interaction timestamps to improve our service and debug issues.
2. How We Use Your Information
- To provide, maintain, and improve the OneTapReply service
- To generate AI-powered review reply suggestions
- To deliver notifications via WhatsApp or SMS
- To post approved replies to your Google Business Profile
- To process payments and manage subscriptions
- To communicate with you about your account and service updates
- To detect and prevent fraud, abuse, or security issues
3. AI Processing and Sub-Processors (INT-3)
We use OpenAI's GPT-4o-mini model as an AI sub-processor to generate review reply suggestions. When a new review is received, the review text, star rating, and your business name are sent to OpenAI's API to generate a reply suggestion. OpenAI processes this data under their API data usage policy, which states that API inputs and outputs are not used to train their models.
No reviewer PII beyond what is contained in the review text is sent to OpenAI. We do not send reviewer email addresses, phone numbers, or account identifiers to any AI sub-processor.
OpenAI LLC acts as a data sub-processor under their Data Processing Addendum (DPA). Per their API data usage policy, API data is not used for model training. For details, see OpenAI's Enterprise Privacy page and DPA at openai.com/enterprise-privacy. The data processing chain is: Google Business Profile API → OneTapReply (Firestore) → OpenAI API → back to Firestore.
4. Data Sharing and Disclosure
We share your data only with the following categories of recipients:
- Google: To read reviews from and post replies to your Google Business Profile
- OpenAI: To generate AI reply suggestions (review text and business context only)
- Stripe: To process payments
- Meta (WhatsApp) / Twilio (SMS): To deliver notifications to your phone
- Cloudflare: For hosting, CDN, and security services
- Sentry: For error monitoring and debugging
We do not sell your personal information. We may disclose information if required by law or to protect our rights, safety, or property.
5. Data Residency (P-4)
Your data is stored in Google Cloud Firestore with primary storage in the United States. Our application runs on Cloudflare's global edge network. Data may be processed in various jurisdictions as needed to provide the service. If you are located in the EU/EEA, data transfers are covered by Standard Contractual Clauses (SCCs).
6. Data Retention (P-2)
We retain your data as follows:
- Account data: Retained while your account is active and for 30 days after deletion
- Review data (posted replies): Purged 12 months after the reply is posted to Google
- Review data (pending/skipped): Purged 12 months after creation
- Payment records: Retained as required by applicable tax and financial regulations
- Notification logs: Retained for 90 days for debugging purposes
- OAuth tokens: Deleted immediately upon account deletion or Google Business Profile (GBP) disconnection
7. Security
We implement industry-standard security measures to protect your data:
- All OAuth tokens are encrypted at rest using AES-256
- All data in transit is encrypted via TLS 1.2+
- Access to production systems is restricted and logged
- We use Cloudflare for DDoS protection and as our web application firewall (WAF)
- We conduct regular security reviews of our codebase and infrastructure
8. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access: Request a copy of the data we hold about you
- Correction: Request correction of inaccurate data
- Deletion: Request deletion of your data (subject to legal retention requirements)
- Portability: Request your data in a machine-readable format
- Objection: Object to processing of your data for certain purposes
- Restriction: Request restriction of processing in certain circumstances
To exercise any of these rights, contact us at privacy@onetapreply.com. We will respond within 30 days.
9. Cookies
We use essential cookies for authentication and session management. We do not use third-party advertising cookies. Analytics cookies, if any, are anonymized and used solely to improve the service.
10. Children's Privacy
OneTapReply is not intended for use by individuals under the age of 18. We do not knowingly collect data from children.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or a prominent notice on our website. Your continued use of the service after changes constitutes acceptance of the updated policy.
12. Contact
If you have questions about this Privacy Policy, contact us at:
- Email: privacy@onetapreply.com
- General support: support@onetapreply.com