Privacy Policy
Last updated 9 May 2026
This policy explains what personal data CallOnReply collects, why we process it, and the rights you have. The controller is liebhardt.io UG (haftungsbeschränkt), Nußbaumstr. 29, 66121 Saarbrücken, Germany (see Impressum).
1. Data we process
- Account data — email address and authentication tokens you provide when signing in.
- Gmail data — once you connect Gmail via OAuth, we read message metadata and bodies for the threads relevant to your outreach so we can detect replies and link clicks. We process the minimum scopes required.
- IMAP/SMTP credentials — if you connect a non-Gmail inbox via direct IMAP/SMTP, we store the host, port, username, and password you supply. Passwords are encrypted at rest using AES-256-GCM and bound to your account identifier as additional authenticated data (AAD); the plaintext password is never retrievable through the UI. We use these credentials read-only to poll for inbound replies; SMTP credentials are stored alongside IMAP for completeness but are not used to send mail at this time.
- IMAP message records — for messages detected as replies from a known lead, we store the RFC822 message-id, sender address, and a short body excerpt used for reply classification. Other messages observed during polling are not retained.
- Lead data — contact details you upload or enter (name, email, company, phone) so we can attribute signals to leads.
- Tracking events — clicks on tracked links and website engagement events, including page URL, time on page, scroll depth, IP, and user-agent of the visitor, used to fire signals.
- Push subscriptions — endpoint and keys returned by your browser when you enable notifications, used to deliver pushes.
- Operational logs — request logs, error traces, and basic usage telemetry needed to keep the service running.
2. Legal basis
We process the data above on the basis of contract performance (Art. 6 (1)(b) GDPR) where required to deliver the service, and legitimate interest (Art. 6 (1)(f) GDPR) for security and operational logs. Push notifications and Gmail access require your explicit consent.
3. Sub-processors
We share data with the following service providers:
- Convex (Convex, Inc., USA) — application database and backend functions.
- Google — Gmail OAuth and message access; subject to Google API Services User Data Policy.
- Web Push services (Apple, Google, Mozilla) — delivery of push notifications to your device.
Direct IMAP/SMTP servers you configure (e.g., your hosting provider or Microsoft 365) are not sub-processors of CallOnReply: they are services you separately authorize. CallOnReply transmits the credentials you supplied to those servers only to poll for inbound replies.
4. How we protect your data
We apply technical and organisational measures appropriate to the sensitivity of the data we handle, including Gmail message content and OAuth tokens:
- Encryption in transit — all traffic between your browser, our servers, and sub-processors (including Google APIs) is protected with TLS 1.2+.
- Encryption at rest — application data stored with our backend provider (Convex) is encrypted at rest using industry-standard AES-256.
- OAuth token handling — Google OAuth refresh and access tokens are stored encrypted, scoped to the minimum permissions required, never exposed to the client, and revoked immediately when you disconnect Gmail or delete your account.
- IMAP/SMTP credential security — passwords for IMAP/SMTP inboxes are encrypted at rest with AES-256-GCM using a master key held only in our backend environment. Each ciphertext is bound to your account identifier as additional authenticated data (AAD), so a stored password cannot be re-used outside of your account. Plaintext passwords are kept only transiently during validation against your mail server and are never logged or returned to the browser. Loss of the master encryption key would render stored credentials unrecoverable; we maintain offline backups of the key consistent with operational security best practice.
- Access controls — production data is accessible only to authenticated personnel on a need-to-know basis, secured via SSO with mandatory multi-factor authentication. Application access is gated by per-user authentication and authorisation checks on every request.
- Limited Use of Google user data — CallOnReply's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We do not use Gmail data for advertising, do not sell it, and do not allow humans to read it except (a) with your explicit consent, (b) for security purposes (e.g. investigating abuse), (c) to comply with applicable law, or (d) where the data has been aggregated and anonymised for internal operations.
- Secrets management — API keys, signing keys, and other credentials are kept in a managed secret store, rotated regularly, and never committed to source control.
- Monitoring and incident response — we maintain audit and error logs, review them for anomalous activity, and will notify affected users and the competent supervisory authority of any personal data breach in line with Art. 33–34 GDPR.
- Data minimisation — we request only the Gmail scopes strictly required to detect replies to your outreach and do not store message content beyond what is needed to surface those signals to you.
5. Retention
We retain account, lead, and signal data for as long as your account is active. Operational logs are retained for up to 90 days. When you disconnect Gmail, the associated OAuth tokens are revoked and stored message content is removed. When you delete a connected IMAP inbox from the integrations page, its stored credentials and message records are erased immediately. When you delete your account, all stored credentials, OAuth tokens, and lead data are erased. You may request deletion at any time.
6. Your rights
- Access, rectification, and deletion of your data.
- Restriction of processing and data portability.
- Withdrawal of consent at any time.
- Complaint to a supervisory authority.
To exercise any of these, contact support@callonreply.com.
7. International transfers
Some sub-processors may be located outside the EU/EEA. Where this is the case, transfers rely on Standard Contractual Clauses or an adequacy decision.
8. Cookies and storage
We use only first-party storage strictly necessary for authentication and session management. We do not use advertising or cross-site tracking cookies.
9. Changes
We will update this policy if our processing changes. The “Last updated” date above reflects the current revision.
Template document. Review with counsel before publication; verify the sub-processor list matches the production stack.