Smart Reply Pro

Privacy Policy

Last updated: May 1, 2026

1. Overview

This Privacy Policy explains how Smart Reply Pro ("we", "us", "our") collects, uses, and protects your information when you use our website and services at smartreplypro.ai and our Chrome Extension (collectively, the "Service"). The Chrome extension is currently in Chrome Web Store verification. Once available, it will operate only through user-triggered drafting actions.

What Smart Reply Pro is: A digital Software-as-a-Service (SaaS) productivity tool, delivered as a web application and an optional Chrome browser extension, that uses AI to suggest reply text. You paste or select an incoming message, we generate reply suggestions, and you decide what — if anything — to send. We never send, post, transmit, or share messages on your behalf. You are always the sole author and sender of any message you choose to use.

What Smart Reply Pro is NOT: Smart Reply Pro is not — and is not designed, marketed, or operable as — any of the following: spyware, stalkerware, monitoring software, parental-control software, an inbox scraper, an unattended automation or auto-responder bot, a marketing/consulting/done-for-you service, an adult or dating service, a gambling or sweepstakes product, a cryptocurrency or NFT product, a pharmaceutical or nutraceutical product, an IPTV service, a marketplace, a multi-level-marketing or PLR/MRR product, or a provider of physical goods. We only fall under the “Software & SaaS” category. We do not send, post, or transmit any message for you, and we do not scrape or read your inbox or private conversations.

We do not sell your data. We do not use your messages for advertising, do not share your personal information with third parties except as described in this policy, and do not use your content to train third-party AI models.

1a. User-Initiated Activation & No Automation

Both the web application and the Chrome Extension are strictly user-initiated. The Service performs no work in the background, on a schedule, or while you are away from your device.

  • The Extension only activates when you explicitly click the Smart Reply Pro button or use a keyboard shortcut you have triggered.
  • The Extension does not read your inbox, message list, contacts, calendar, or page content passively. It only reads the text you have explicitly selected or pasted at the moment of activation.
  • The Service never sends, replies to, posts, forwards, or schedules any message automatically. Every outgoing message is composed and sent manually by you, in your own native client (Gmail, LinkedIn, X, WhatsApp Web, etc.). You are responsible for all messages you send using suggestions from Smart Reply Pro.
  • There are no background workers, cron jobs, or automated routines that act on a user's behalf in their messaging accounts.
  • The Extension does not request or use OAuth, Gmail API, IMAP, SMTP, or any other inbox-access credential. It has no ability to read or send email on your behalf.

2. Information We Collect

Web Application

  • Account information: Email address, username, password (stored as a secure hash — never in plain text), and account preferences
  • Messages you input: The incoming message text and reply context you paste into the Service for reply generation. These are sent to OpenAI for processing and are not stored long-term on our servers (see Section 4).
  • Saved replies and profiles: If you choose to save replies or create Reply Profiles, this content is stored in your account in our database.
  • Usage data: IP address, browser type, operating system, pages visited, feature usage patterns, and general interaction data to help us improve the Service.
  • Subscription and billing data: Subscription status and billing history. Full payment card details are handled exclusively by our authorized Merchant of Record/payment provider — we never see or store your card number.

Chrome Extension

  • Selected text: When you activate the Extension's reply generation, it reads the text you have currently selected on the page and sends it to our API. No text is read passively — only when you trigger the Extension.
  • Current tab URL: The Extension reads the URL of your current tab solely to detect which messaging platform you are using (e.g., Gmail, LinkedIn, Slack, X/Twitter) so it can adapt reply suggestions accordingly. The URL is not stored or transmitted beyond this purpose.
  • Authentication token: Your login session token is stored in local Extension storage to keep you signed in. It is not shared with any third party.

Chrome Extension permissions (least-privilege)

  • activeTab / scripting: used only at the moment you click the Smart Reply Pro button, to read your current text selection and inject the reply suggestion into the compose field you already have open.
  • storage: used to keep you signed in and to remember your preferences (tone, language, Reply Profile).
  • host permissions are limited to the messaging surfaces the Extension supports (e.g. mail.google.com, www.linkedin.com, x.com / twitter.com, web.whatsapp.com) and are used solely to render the in-page button and read the text you have selected when you click it.
  • The Extension does not request “all_urls”, tabs history, webRequest, cookies, downloads, geolocation, microphone, camera, or any background-monitoring permissions.

What we do NOT collect: We do not collect your full browsing history, the content of pages you visit (except selected text you explicitly trigger), contacts, calendars, message metadata, recipient lists, or any data from platforms you use beyond what is described above.

3. How We Use Your Information

  • Operate, maintain, and improve the Smart Reply Pro Service
  • Generate AI reply suggestions based on your input
  • Manage your account, authenticate your identity, and process payments
  • Send you essential service emails (security alerts, subscription receipts, policy updates)
  • Analyse usage patterns to identify bugs and improve performance
  • Comply with legal obligations and enforce our Terms of Use

We do not: sell your data, use your messages for advertising, use your messages to train AI models, or share your personal information with third parties except as described in Section 5.

4. AI Processing and Data Retention

OpenAI processing: To generate reply suggestions, your input message is sent to OpenAI's API. OpenAI processes your message as a data processor on our behalf, subject to their Privacy Policy. OpenAI's API terms prohibit them from using your data to train their models without consent.

Messages you submit for reply generation: When you generate a reply, the input message is sent to OpenAI for processing and is also stored in our database so we can (a) show you your reply history, (b) improve future reply quality for your account through on-account style learning, and (c) power the “Reply Profile” personalisation feature. These messages are linked to your account and are retained for as long as your account is active, or until you delete them.

Generated replies: Replies produced by the AI are stored in your account's reply history so you can view, favourite, or re-use them. When you use the “Delete from history” action, the reply is hidden from your history immediately and permanently purged from our database within 30 days.

Generation diagnostics: For quality and safety monitoring, we retain a short technical trace of each generation (the strategy the model chose, style signals, and a hash of the input) for up to 90 days. Traces are accessible only to you (for your own generations) and to our engineering team for debugging.

Account data: Your account information (email, username, preferences, saved replies, and Reply Profiles) is retained for as long as your account is active. You may request deletion of your account and all associated data at any time (see Section 8); we will erase it within 30 days of a verified request, subject to limited legal retention (e.g. billing records, see below).

Usage logs: Aggregated, anonymised usage analytics are retained indefinitely for service improvement. Individual IP-level logs are retained for up to 90 days.

Billing records: Transaction records are retained for up to 7 years as required by tax and financial regulations.

5. Third-Party Services

We use trusted third-party services to operate Smart Reply Pro. Each has access only to the data they need to perform their function:

  • Supabase — Authentication, database hosting, and account data storage. Your account data resides in Supabase's infrastructure.
  • OpenAI — AI reply generation. Your input messages are sent to OpenAI's API for processing.
  • Payment provider / Merchant of Record — When paid billing becomes available, checkout, payment card data, invoices, tax calculation/collection, refunds, and payment-related support may be handled by our authorized Merchant of Record/payment provider. We receive only the limited billing information needed to manage account access, such as customer ID, order ID, subscription status, and payment status.
  • Vercel — Web hosting and edge infrastructure. Request logs may be retained by Vercel per their privacy policy.

We recommend reviewing each service's privacy policy to understand how they handle your data. We are not responsible for the privacy practices of these third parties.

6. Cookies and Local Storage

Authentication cookies: We use session cookies set by Supabase to keep you signed in. These are strictly necessary for the Service to function and cannot be disabled while using an authenticated account.

Chrome Extension local storage: The Extension stores your authentication token and user preferences in Chrome's local extension storage. This data stays on your device and is not transmitted except as part of authenticated API requests.

Analytics: We may use anonymised, cookieless analytics to understand how features are used. No personally identifiable information is included in analytics data.

We do not use third-party advertising cookies or tracking pixels.

7. Security

We follow defence-in-depth and least-privilege principles. Our current technical and organisational controls include:

  • Encryption in transit: all traffic between your browser, the Extension, our API, and our infrastructure providers is encrypted with HTTPS/TLS 1.2+.
  • Encryption at rest: account data, reply history, and backups are stored encrypted at rest by our infrastructure providers (Supabase / managed Postgres on AWS).
  • Authentication: passwords are never stored in plain text — they are hashed by Supabase Auth using a modern, salted, computationally hard algorithm. Sessions use short-lived JWTs that are rotated regularly.
  • Authorisation & Row-Level Security: our database enforces Postgres Row-Level Security so that each user can only read or modify their own rows. Privileged service operations use a separate, server-only key that is never exposed to the browser or Extension.
  • Webhook integrity: billing webhooks from our authorized Merchant of Record/payment provider are verified using HMAC-SHA256 signatures (or an equivalent provider-secure signature scheme) with a shared secret before any subscription state is changed; unsigned or invalid requests are rejected.
  • Secret management: API keys and signing secrets are stored as encrypted environment variables in our hosting provider (Vercel) and are never committed to source control. Access is restricted to the production runtime and the founder.
  • Least privilege: the Chrome Extension requests the minimum set of permissions required (see Section 2), and our backend services run with the narrowest database role needed for their function.
  • Rate limiting & abuse protection: reply-generation endpoints are rate-limited per account and per IP to deter abuse, scraping, and credential-stuffing.
  • Logging & monitoring: we monitor application logs and error traces for anomalies. Logs are retained for a limited period (see Section 4) and access is restricted.
  • Payment data isolation: we never see or store full payment card numbers, CVCs, or bank credentials. All card data is handled by our authorized Merchant of Record/payment provider on PCI-DSS-compliant infrastructure.
  • Vendor review: we only integrate sub-processors with established privacy and security programmes (see Section 5).
  • Breach response: in the event of a confirmed personal-data breach affecting you, we will notify you and, where required, the relevant supervisory authority within 72 hours, in line with GDPR Article 33.

No security system is perfect. If you believe your account has been compromised, or if you are a security researcher who has identified a vulnerability, please contact us at support@smartreplypro.ai with the subject line “Security”. We commit to acknowledging reports within 72 hours and to handling them in good faith without legal action against good-faith researchers.

8. Your Rights and Choices

You have the right to control your personal data. Depending on your location, you may have the following rights:

All users

  • Access: Request a copy of the personal data we hold about you
  • Correction: Request correction of inaccurate or incomplete information
  • Deletion: Request deletion of your account and associated personal data
  • Portability: Request your data in a machine-readable format
  • Withdraw consent: Withdraw consent for specific uses where we rely on consent as the legal basis

EU / EEA users (GDPR)

  • Right to object: Object to processing of your data where we rely on legitimate interests
  • Right to restriction: Request restriction of processing in certain circumstances
  • Right to lodge a complaint: You may lodge a complaint with your local data protection authority. EU/EEA residents may contact their national supervisory authority. If you wish to contact the supervisory authority of the country where Smart Reply Pro is operated, that is the Commissioner for Information of Public Importance and Personal Data Protection of the Republic of Serbia (Poverenik) at poverenik.rs.

California users (CCPA)

  • Right to know: Know what personal information we collect, use, and share
  • Right to delete: Request deletion of your personal information
  • Right to opt-out of sale: We do not sell personal information. This right is therefore automatically satisfied.
  • Right to non-discrimination: We will not discriminate against you for exercising your privacy rights

To exercise any of these rights, email us at support@smartreplypro.ai. We will respond within 30 days. We may need to verify your identity before processing your request.

9. Data Transfers

Smart Reply Pro is operated from the Republic of Serbia and uses infrastructure providers (Supabase, OpenAI, our authorized Merchant of Record/payment provider when paid billing becomes available, and Vercel) that may process your data in the United States or other countries. Where required by law (e.g., GDPR for EU/EEA residents, or the Serbian Personal Data Protection Act), we rely on Standard Contractual Clauses or other approved transfer mechanisms to ensure adequate protection of your data when it is transferred internationally.

10. Children's Privacy

The Service is not directed at children under 13. We do not knowingly collect personal data from children under 13. If you believe a child under 13 has provided us with personal data, please contact us at support@smartreplypro.ai and we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a notice on the Service before the changes take effect. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of the Service after changes take effect constitutes acceptance of the updated policy.

12. Contact and Data Controller

Smart Reply Pro is the data controller for personal data processed through the Service.

For privacy questions, data access requests, or to report a concern, contact us at: support@smartreplypro.ai. We aim to respond within 5 business days.