Legal
Privacy Policy.
This page describes what data BestReply collects when you use the Chrome extension or this website, where it lives, who can see it, and what you can do about it. We've tried to keep it short and specific. If anything below is unclear, email contact@bestreply.app.
What we collect
When you install the extension and sign in:
- Google account identity. Through Google OAuth (scopes: openid, email, profile), we receive your email address and a stable Google user ID. Google may also share your name and profile picture in the OAuth response; if so, these are stored in our authentication provider's metadata (Supabase Auth) but are not used elsewhere in the product.
- Review and reply text. When you click "Suggest reply" on a Google review, the review's text, the reviewer's display name (as shown on Google), and the star rating are sent to our backend so we can generate a reply. The generated reply is stored in our database, alongside any answers you provide during the 1–2 star triage flow and any "internal notes" you optionally add to guide the reply.
- Your settings. Default tone, default length, reply language, optional signature text, optional signature separator. (A "business voice" field exists in the database from an earlier iteration but is not used by the current product.) These personalise the reply output.
- Usage counters. A monthly count of how many replies you've generated, keyed to your account.
- Waitlist email. If you submit your email on the landing page before installing the extension, we store that address in our Supabase database (in the same project as the rest of our account data) so we can email you when the product is ready.
We do not collect: your Google Business Profile login, your business's customer list, your billing data, or your browsing history outside the BestReply UI. (Network-level information such as IP address is logged by our infrastructure providers — see "Third parties we use".)
How we use it
- Reply generation. The review text, reviewer name, star rating, and your settings are passed to an AI provider (see "Third parties") to draft a reply suggestion. You always edit and post the reply yourself in Google's native UI; BestReply never posts automatically.
- Personalisation. Your saved tone, length, language, and signature are read on each generation so replies sound like you.
- Abuse prevention and debugging. Edge function logs (without review content) are kept for short-term debugging.
We do not sell your data, use it for advertising, or share it with parties other than the service providers listed below.
Where it's stored
All account data, settings, reply history, and triage sessions are stored in Supabase (Postgres + Auth + Edge Functions), in the AWS us-east-1 region (N. Virginia, United States). Connections are TLS-encrypted. Row-Level Security (RLS) is enabled on every user-facing table so you can only read your own rows.
Third parties we use
- Google — used only for sign-in (OAuth identity). Google's own privacy policy governs the data they hold about you.
- Supabase — our database, authentication, and Edge Function host. Supabase processes every API call and stores all of the data described above.
- OpenAI — we send the review text, reviewer name, star rating, your selected tone/length/language, and your business signature (if set) to the OpenAI Chat Completions API to draft each reply. Primary model is gpt-4o-mini; a stronger fallback model (gpt-5.4-mini) is occasionally used when the primary reply fails an internal quality check. Internal notes you provide during the triage flow are also included in the prompt. We have the option to switch to Anthropic's Claude API as a backup provider; if that change is ever made, this page will be updated.
- Vercel — hosts this website. Vercel's standard request logs include IP address and User-Agent. We also use Vercel Web Analytics on this site, which counts page views without storing cookies and without cross-site tracking.
- Polar (Polar Software, Inc.) — handles BestReply Pro subscriptions as our Merchant of Record. When you upgrade, you're redirected to Polar's hosted checkout page. We send your email and account ID so Polar can attach the subscription back to your account; Polar uses Stripe as its underlying payment processor. Card details, billing addresses, and invoice records live with Polar and Stripe — we never see or store them. To view invoices, update your payment method, or cancel, use the customer portal.
AI training
Your data is not used to train AI models. Under OpenAI's API data-usage policy, content submitted through the API is not used to train OpenAI models by default (and we have not opted in). If we ever switch to or add another AI provider, we will only do so with a provider that offers the same guarantee, and we will update this page first.
Data retention
- Account, settings, and usage counters — kept while your account exists.
- Triage sessions (which include the review text, your triage answers, internal notes, and the generated reply) — currently kept indefinitely on your account so you can refer back to past replies. Triage sessions have a 24-hour active-edit window; after 24 hours you can no longer continue editing a session, but the stored record remains. We will add an automatic deletion option in a future update; in the meantime you can request deletion at any time (see below).
- Waitlist email — kept until launch or until you ask us to remove it.
- Edge function logs — retained by Supabase for a short window (typically a few days) for debugging; they do not contain the full review or reply body.
Your rights
You can:
- Sign out at any time from the extension popup. Your session token is removed from the browser.
- Request an export of your data — email contact@bestreply.app from the address on your account and we will send you a JSON dump within 30 days.
- Request deletion of your account and all associated data — email contact@bestreply.app. We will confirm the deletion and remove all rows (users, usage, triage_sessions) within 30 days.
If you're in the EU/UK, the legal basis for processing your account data is your consent (which you give when you install the extension and sign in) and our legitimate interest in operating the service. You have the right to lodge a complaint with your local data protection authority.
Children
BestReply is intended for business owners and is not directed at children under 13. We do not knowingly collect data from anyone under 13. If you believe a child has provided data to us, please email contact@bestreply.app and we will remove it.
Cookies and analytics
This website does not set tracking cookies. Vercel Web Analytics counts page views using a privacy-friendly hashing approach that does not store identifiers in your browser. The extension stores your Supabase session token and a local copy of your saved settings (tone, length, language, signature) in chrome.storage.local (Chrome's per-extension storage, not a cookie). The settings cache exists so the extension can apply your defaults instantly without waiting for a network call; it's cleared when you sign out.
Changes to this policy
If we make material changes to this policy, we'll update the "Last updated" date above and surface a notice in the extension popup or on this site. For minor wording fixes (typos, clarifications), we'll just update the page.
Contact
Questions, deletion requests, or anything else: contact@bestreply.app.