Notice on the processing of personal data

The data controller for personal data collected through the public website, waitlist, commercial requests, onboarding and management of the contractual relationship with merchants is Antonino Lombardo, owner of the Repliva service.

When Repliva processes end-customer data contained in support emails, tickets or ecommerce systems connected by the merchant, Repliva normally acts as a processor on behalf of the merchant, subject to the applicable contractual arrangements and Data Processing Agreement.

This notice covers processing carried out when you browse the website, fill in a form, create or use an account, connect integrations, import emails or tickets, use AI features, or communicate with the Repliva team.

• the public Repliva website;
• the waitlist page;
• demo or commercial requests;
• the Repliva SaaS application;
• integrations authorized by the merchant, such as Gmail, Shopify, SMTP/IMAP or other operational tools;
• AI features used for ticket classification, summarization, suggestions and draft generation;
• communications with Repliva for technical, commercial or administrative support.

Repliva may process personal data in different roles depending on the context.

Repliva acts as controller when processing data relating to website visitors, waitlist users, commercial leads, merchant accounts, authorized merchant users, commercial or administrative communications, security, abuse prevention and technical platform management.

When a merchant connects Gmail, Shopify or other operational systems and Repliva processes end-customer data contained in emails, tickets, orders or support conversations, the merchant normally remains the controller of its own customer data and Repliva acts as a processor, handling the data exclusively on the merchant’s behalf and according to documented instructions.

• having a valid legal basis to use Repliva;
• informing its end customers about the use of customer support, automation and AI tools;
• configuring integrations, retention settings and permissions correctly;
• handling privacy requests from its end customers;
• ensuring that use of the platform complies with applicable laws.

Repliva may process different categories of personal data depending on the integrations, tenant and features actually used.

• Merchant account data: name and surname, email address, business role, store name, store domain, onboarding information, account settings, subscription plan or status, operational preferences.
• Public website and waitlist data: email address, name if provided, data entered in forms, commercial or demo requests, technical data strictly necessary to use the site, consent-related information where applicable.
• Email integration data: connected email address, email provider, technical configuration, OAuth tokens including Google refresh tokens, SMTP/IMAP credentials where applicable, integration status, sync timestamps, technical errors and connection logs.
• Support ticket and email data: sender, recipient, subject, snippet, message content, email thread, timestamps, labels, ticket status, attachments, operational notes, reply drafts and action history.
• Ecommerce data from Shopify or connected systems: customer name, customer email, order number, purchased products, order amount, currency, payment status, fulfillment status, tracking, shipping address when necessary for the request, operational history, order notes, return, refund or replacement details.
• Data derived from AI processing: ticket classification, request intent, conversation summary, sentiment, suggested priority, missing fields, suggested actions, reply drafts, tone suggestions, operational logs and outputs generated on the basis of merchant policies.
• Technical and security data: IP address, user agent, access logs, authentication events, application errors, diagnostic data, operational audit trail, timestamps, device and browser information, security events.

• Data provided directly when you fill in a form, request access to the waitlist, book a demo, create an account, complete onboarding, contact Repliva for support, or configure the platform.
• Data obtained from integrations authorized by the merchant, such as Google/Gmail, Shopify, SMTP/IMAP providers, email providers or other operational tools connected to the platform.
• Data generated by use of the service, such as synchronization states, created drafts, AI classifications, technical logs, operational history, user actions, errors or security events.
• Data contained in the merchant’s emails, tickets, orders or systems and processed by Repliva on the merchant’s instructions.

Where processing is based on consent, the data subject may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.

• Provision of the website and platform: making the site available, creating and managing accounts, authenticating users, maintaining sessions, providing dashboard access, configuring the merchant tenant and managing settings and preferences. Legal basis: performance of a contract or pre-contractual steps.
• Waitlist, demos and commercial requests: handling waitlist registrations, responding to information requests, organizing demos, sending communications related to access to the service and managing inbound contacts. Legal basis: consent or legitimate interest.
• Email, ticket and connected-system synchronization: connecting authorized inboxes, importing support messages, displaying conversations, organizing tickets, generating drafts, suggesting responses and linking Shopify order data to tickets. Legal basis: performance of the contract with the merchant and, for end-customer data, processing on the merchant’s instructions.
• AI features: classifying tickets, summarizing conversations, identifying intent, suggesting actions and generating reply drafts. Legal basis: performance of the contract with the merchant and the legitimate interest of the merchant or Repliva in efficient service delivery, depending on the applicable privacy role.
• Security, abuse prevention and reliability: protecting accounts and tenants, preventing unauthorized access, detecting anomalies, diagnosing errors, preventing abuse, managing security incidents and maintaining technical audit trails. Legal basis: legitimate interest in protecting the service and its users.
• Legal, tax and administrative obligations: complying with legal obligations, retaining administrative records, responding to authority requests and handling disputes. Legal basis: legal obligation or legitimate interest.
• Promotional communications or newsletters, where applicable. Legal basis: consent, which may be withdrawn at any time.

When a merchant connects a Google/Gmail account, Repliva accesses only the data necessary to provide the functions requested by the service.

Google/Gmail data is used to import support emails, display conversations in the platform, classify tickets, generate summaries, create reply drafts, suggest operational actions, synchronize conversation state and provide assistance to the merchant.

Google/Gmail data is not sold, is not used for advertising purposes, is not used to build advertising profiles and is not used by Repliva to train general-purpose AI models unless otherwise agreed in writing with the merchant.

• connected email address;
• message metadata;
• email subject;
• sender and recipient;
• message content;
• conversation threads;
• attachments where necessary;
• drafts;
• labels;
• synchronization status;
• technical integration data.

When a merchant connects Shopify, Repliva may access the data necessary to provide operational context for support requests.

Repliva uses Shopify data to display order information within tickets, help operators respond more quickly, generate more contextual drafts, suggest actions consistent with order status and reduce the merchant’s manual workload.

Repliva does not use Shopify data for its own advertising purposes and does not sell such data to third parties.

• store data;
• customer data;
• customer email;
• order number;
• purchased products;
• order total;
• payment status;
• fulfillment status;
• tracking;
• shipping data;
• order history;
• order notes;
• return, refund or replacement information.

Repliva uses artificial intelligence systems to assist merchants in managing customer support.

Content sent to AI systems may include, where necessary, email content, conversation history, Shopify order data, text attachments, merchant policies, FAQs or guidelines provided by the merchant and technical ticket information.

AI features are designed for operational assistance and do not replace human review by the merchant. Drafts, suggestions and classifications generated by AI should be reviewed by the merchant or its operators before sending messages or taking material actions.

AI features are not designed to make automated decisions that produce legal effects or similarly significant effects on data subjects.

Unless otherwise agreed in writing with the merchant, Repliva does not use merchant data, end-customer data, emails or tickets to train its own general-purpose AI models.

• classify tickets;
• identify request intent;
• summarize conversations;
• extract relevant information;
• detect missing fields;
• suggest operational actions;
• generate reply drafts;
• adapt reply tone to merchant policies;
• improve support workflow management.

Repliva does not intentionally request the input of special categories of personal data, such as data relating to health, political opinions, religious beliefs, trade union membership, sexual orientation or biometric data.

However, such data may accidentally appear in messages sent by end customers to merchants or in attachments imported into the platform.

In those cases, Repliva processes such data only on the merchant’s instructions, within the limits necessary to provide the service, subject to the applicable security measures and in accordance with contractual arrangements and the Data Processing Agreement, where applicable.

The merchant is responsible for avoiding the import or upload of data that is not necessary for customer support purposes.

Personal data is not publicly disclosed.

Repliva may disclose personal data to third parties only where necessary to provide the service, maintain the platform, support authorized integrations, operate AI functionality, manage security and logging, comply with legal obligations, or protect the rights of Repliva, merchants or users.

Where Repliva acts as a processor, the use of subprocessors is governed by the Data Processing Agreement or other applicable contractual arrangements.

• Cloud and infrastructure providers used for hosting, database, authentication, storage, backup, logging and security.
• Integration providers voluntarily connected by the merchant, such as Google/Gmail, Shopify, SMTP/IMAP providers, email providers or other authorized operational tools.
• AI providers used for classification, summarization, draft generation, translation or operational content enhancement.
• Email and notification providers used to send transactional emails, notifications, operational communications or system messages.
• Consultants and professionals supporting Repliva on legal, administrative, tax, technical or security matters.
• Competent authorities, where required by law.

Some technology providers used by Repliva or chosen by the merchant may process personal data outside the European Economic Area.

When data is transferred outside the European Economic Area, Repliva adopts an appropriate legal basis under GDPR, such as adequacy decisions of the European Commission, Standard Contractual Clauses, supplementary technical, contractual or organizational measures, or other equivalent safeguards permitted by applicable law.

Where necessary, Repliva assesses international transfers taking into account the destination country, the type of data transferred, the provider involved, the security measures applied, the contractual safeguards available and the risk to data subjects.

• international cloud providers;
• Google services;
• Shopify;
• AI providers;
• email providers;
• logging, security or diagnostic tools.

Repliva retains personal data only for as long as necessary for the purposes for which it was collected, subject to legal, tax, administrative, contractual or defensive requirements.

Actual periods may vary depending on the tenant, the plan in use, merchant-configured settings, connected integrations, legal obligations, deletion requests and technical backup or security windows.

• Waitlist and lead data: until consent is withdrawn, deletion is requested, the campaign is closed or the commercial need ends, subject to defensive requirements.
• Merchant account and configuration data: for the duration of the contractual relationship and, after account closure, for the period necessary to comply with legal, tax or administrative obligations, resolve disputes, prevent abuse and protect Repliva’s rights.
• Support emails, tickets and conversation data: for as long as necessary to provide the service to the merchant and according to tenant retention settings.
• Shopify and order data: for as long as needed to provide operational context for tickets, manage support requests and comply with merchant-configured retention settings.
• AI outputs, drafts and classifications: for as long as needed to provide the requested functionality, maintain the ticket’s operational history and allow the merchant to work on conversations.
• Tokens, credentials and integration data: while the integration remains active; upon revocation or disconnection, Repliva stops access to new data and proceeds with token removal or deactivation within the necessary technical timeframe, subject to backups, legal obligations or security needs.
• Technical, security and diagnostic logs: for the period strictly necessary to prevent abuse, diagnose errors, maintain service security and integrity, investigate incidents, meet regulatory obligations and protect Repliva’s rights.
• Backups: for a limited technical period, with progressive deletion according to backup and disaster recovery procedures.

A merchant may disconnect Gmail, Shopify or other integrated providers at any time from the Repliva dashboard, from the external provider settings or by contacting Repliva support.

After disconnection, Repliva stops synchronization with the disconnected integration, no longer accesses new data through that integration, and related tokens or technical credentials are revoked, disabled or removed according to applicable technical timing.

Data already imported may still be retained according to retention settings, legal obligations, technical backup needs or deletion requests.

The merchant may request deletion of tenant data according to the procedures available in the service or under applicable contractual arrangements. When Repliva acts as a processor, requests concerning end-customer data are handled according to the merchant’s instructions.

The Repliva website and application may use technical cookies and similar identifiers required for authentication, session management, security, load balancing, essential preferences, technical platform functionality, localization and abuse prevention.

As of the latest update, the public website uses only technical cookies necessary for operation, unless otherwise indicated in the banner or cookie policy.

If analytics, advertising, remarketing or non-technical tracking tools are introduced, Repliva will update this notice and, where required, implement the relevant consent mechanisms.

Repliva adopts technical and organizational measures that are reasonable and proportionate to the nature of the data processed.

No measure can guarantee absolute security, but Repliva implements controls aimed at reducing the risks of unauthorized access, loss, alteration, disclosure or misuse of data.

In the event of a security incident involving personal data, Repliva will take the measures required by applicable law and, where necessary, will inform merchants, users or competent authorities within the timeframes and using the methods required by law.

• user authentication;
• authorization controls;
• logical tenant segregation;
• application access policies;
• principle of least privilege;
• encryption or equivalent protection for tokens, credentials and secrets;
• technical logging;
• operational audit trails;
• anomaly and abuse monitoring;
• backup and recovery procedures;
• infrastructure hardening;
• separation of operational access;
• limitation of access to data to authorized personnel or systems;
• incident management procedures.

To exercise their rights, data subjects may contact Repliva through the privacy or support channels indicated by the service and the applicable contractual documentation. We may request additional information to verify the requester’s identity and properly handle the request.

If you are an end customer of a merchant using Repliva, you should contact the merchant from whom you purchased goods or to whom you sent a support request.

When Repliva acts as a processor, it will assist the merchant in handling data subject requests in accordance with the Data Processing Agreement or other applicable arrangements.

• obtain confirmation that personal data concerning them exists;
• access their personal data;
• request rectification, updating or completion;
• request erasure where permitted by law;
• request restriction of processing;
• object to processing where applicable;
• receive their data in a structured format and, where technically feasible, exercise data portability;
• withdraw consent at any time for processing based on consent;
• lodge a complaint with the competent supervisory authority.

The Repliva service is not directed to children under 16 and is not designed to knowingly collect personal data from children.

If you believe that a child has provided personal data to Repliva, you may contact us to request removal.

Data relating to minors may accidentally appear in support messages or data imported by merchants. In those cases, Repliva processes such data only on the merchant’s instructions and only to the extent necessary to provide the service.

Repliva may update this Privacy Policy to reflect legal, technical, organizational or functional changes to the service.

If relevant changes occur, Repliva will publish the updated version on this page together with the revised last-updated date.

Where necessary, Repliva may also provide an additional notice through the service, by email or through other appropriate channels.

For questions about this notice or the processing of personal data, you may contact Antonino Lombardo at replivacustomer@gmail.com.

If your organization has entered into a DPA, specific contractual terms or other additional agreements with Repliva, those documents also govern the allocation of privacy roles and responsibilities where applicable.