Privacy Policy
Last updated: 2026-05-06
1. Who we are
Replyion SL (in formation) ("Replyion", "we", "us") operates the AI patient-coordinator service available at replyion.com and at any subdomain. Registered office: Sitges, Spain. For privacy questions, contact privacy@replyion.com. Our designated Data Protection Officer can be reached at the same address.
2. Data we collect
- Clinic admin data: name, email, role, clinic name, country, vertical, phone — submitted via the beta application form.
- Patient conversation data: when a clinic uses Replyion in production, patient WhatsApp messages, phone numbers (stored as one-way hashes after first contact), and qualification answers are processed on the clinic's behalf.
- Usage data: page views, demo conversation events, performance metrics. No third-party advertising trackers.
3. How we use it
Clinic admin data: to evaluate beta applications, deliver the service, and bill it. Patient data: to operate the conversational agent on the clinic's behalf as a data processor under the clinic's instructions. Usage data: to improve the product and detect abuse. We do not sell data and do not use patient data to train foundation models.
4. Legal basis under GDPR Article 6
- Contract (Art. 6(1)(b)): for service delivery to clinics.
- Legitimate interests (Art. 6(1)(f)): for security monitoring and product improvement.
- Consent (Art. 6(1)(a)): for non-essential cookies. Withdrawable at any time.
- Public-interest health data (Art. 9(2)(h)): when patients voluntarily disclose health information in WhatsApp conversations, processed under the clinic's controller status.
5. Your rights (GDPR Articles 15–22)
You have the right to access, rectify, erase, restrict processing of, port, and object to the processing of your personal data. To exercise any of these rights, email privacy@replyion.com. We respond within 30 days. You also have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD).
6. Retention
- Clinic admin data: for the lifetime of the contract plus 6 years (commercial-records obligation).
- Patient conversation data: per the clinic's retention policy. Default 12 months, configurable.
- Usage analytics: 14 months.
- Demo conversations: anonymized, retained 30 days.
7. International transfers
Patient data is hosted in the EU (Frankfurt). Some sub-processors process data outside the EU. Where applicable, transfers are governed by Standard Contractual Clauses (SCCs) per Commission Implementing Decision (EU) 2021/914. See our subprocessors page for the full list.
8. Sub-processors
We use carefully selected sub-processors. The current list, with location and purpose, is published at /legal/subprocessors. We notify customers of any addition or removal at least 30 days in advance.
9. Updates
We may update this policy. Material changes are notified by email to clinic admins at least 30 days in advance. The "Last updated" date above always reflects the current version.