Privacy policy
Last updated 17 June 2026
1. Who we are and how this Policy works
ReplyArc is operated by Wondertabs Pte. Ltd. (UEN 202037320G), a company incorporated in Singapore (“ReplyArc”, “we”, “us”). ReplyArc is a business-to-business platform that lets companies add an AI chat agent to their websites, answer visitor questions, hand conversations to human staff, and capture leads (the “Service”). The Service is made up of the marketing site at replyarc.ai, the product application at app.replyarc.ai, our API, and the embeddable chat widget.
We handle personal data in two distinct roles, and this Policy is split accordingly:
| | Whose data | Our role | Governing part |
|---|---|---|---|
| Part A | Account holders, billing contacts, visitors to replyarc.ai, people who chat with our own demo and marketing-site assistant, people who email us | Controller (GDPR/UK GDPR) / organisation (Singapore PDPA) - we decide why and how the data is used | Sections 2-12 |
| Part B | Visitors and end users (“End Users”) of websites run by businesses that use ReplyArc (our “Customers”) | Processor (GDPR/UK GDPR) / data intermediary (PDPA) / service provider (US state laws) - we process on the Customer's instructions | Section 13 |
“Customer Data” means the data our Customers submit to the Service or that the Service collects for them - chiefly End User chat transcripts, captured contact details, and website visit data. “Sub-processor” means a third-party provider we use to help deliver the Service. “Agreement” means the contract between a Customer and us (our Terms of Service and Data Processing Agreement).
This Policy applies to people in Singapore and worldwide, including the European Economic Area, the United Kingdom, and the United States. Where a specific law gives you stronger rights, that law prevails.
Part A - Personal data we handle as controller
2. Personal data we collect
2.1 Account holders and their teams (app.replyarc.ai)
| Category | Examples | Source |
|---|---|---|
| Account and profile | Name, email address, password (stored only as a hash by our authentication provider), display name shown to End Users during live chat, workspace role | You |
| Sign-in data | Google account profile (name, email) if you sign in with Google; magic-link delivery records | You / Google |
| Workspace content | Agent configuration, knowledge-base documents and website pages you upload or crawl, team membership | You |
| Usage and security data | Sign-in events, audit events, request logs, conversation counts and quota counters, agent online/away presence | Generated by your use |
| Support communications | Emails you send us and our replies | You |
2.2 Billing
Paid plans are live, and we use Stripe as our payment processor. When you subscribe, Stripe collects and holds your payment card details on Stripe-hosted fields - we never receive or store your card number. We store your Stripe customer id and subscription records (subscription id, plan, status, and billing-period dates), payment-method metadata, your billing contact details, and the metered-usage figures we report to Stripe; invoice and charge history is held by Stripe and retrieved from Stripe for display.
2.3 Visitors to replyarc.ai (marketing site)
| Category | Examples |
|---|---|
| Server logs | IP address (in transient infrastructure logs), requested pages, browser type |
| Security checks | Cloudflare Turnstile anti-bot verification on signup and password-reset forms |
| First-party visit analytics | Our own chat widget runs on every replyarc.ai page and starts measuring before you open the chat: pages viewed and their titles, time on page, the referring site, campaign tags and ad-click IDs in the address, browser language, timezone, screen size, device and browser type, and a random visitor ID stored in your browser. For these analytics your IP address is kept only as a one-way hash. Details, including how to control this, are in our Cookie Policy (section 10) |
| Third-party analytics | On our public pages only - the replyarc.ai marketing site and the sign-in and sign-up pages - we run two third-party analytics tags. Google Analytics 4 (Google LLC, United States) gives us aggregate website analytics - the pages you view, your device and browser, an approximate location from your IP address - and sets its own _ga cookies. Contentsquare (experience analytics and session replay) records the pages you view and how you interact with them, and sets its own cookies. Neither tag is loaded in the signed-in dashboard (app.replyarc.ai), so they do not capture your workspace data, chat transcripts, or captured-lead details. How they work, the cookies they set, and the region-aware consent banner that governs them are in our Cookie Policy (sections 3 and 5) |
| Demo and assistant chats | Messages you type to the ReplyArc assistant on our own site, the website URL you ask the demo to read, and contact details you choose to share. If you start the website demo, we also record your IP address to enforce the per-IP demo limit (see section 7) |
On our public pages only, we use third-party analytics and advertising providers: Google Analytics 4 (Google LLC, US) for aggregate website analytics, Contentsquare for experience analytics and session replay, and the Meta Pixel with Meta's Conversions API (Meta Platforms Ireland, Ltd.) to measure the performance of our advertising. For that advertising measurement our servers send Meta a limited set of conversion events (account sign-up and subscription purchase) matched with a hashed email address and IP address; we never send Meta your chat content or any signed-in dashboard data. All three run on our marketing and sign-in pages only - never the signed-in dashboard - as described above and in our Cookie Policy, and all are governed by our region-aware cookie-consent banner (opt out at any time via Cookie preferences; we honour Global Privacy Control).
2.4 What we deliberately do not collect
- We do not store raw IP addresses against chat or visitor-analytics records: visitor analytics keep only a one-way hash of the IP, consent records keep a truncated one-way identifier, and rate-limiting counters that reference an IP expire automatically within minutes. The exceptions, stated plainly: if you start the website demo on our homepage we record your IP address to enforce the per-IP demo limit (section 7), and security records - administrator audit logs and abuse blocklists - can hold IP addresses captured or entered for security purposes.
- We do not collect government identifiers (such as NRIC numbers) and ask that you never share them in chat.
- We do not buy personal data from data brokers.
3. Why we use personal data, and our legal bases
For people in the EEA/UK, the GDPR and UK GDPR require us to name a lawful basis for each purpose. For everyone, this table is our notice of purposes.
| Purpose | Data used | GDPR / UK GDPR lawful basis |
|---|---|---|
| Creating and running your account; providing the dashboard, API, and widget | Account, sign-in, workspace content | Contract (Art. 6(1)(b)) |
| Sending service emails (sign-in links, security notices, quota notices, scheduled reports you configure) | Account data | Contract (Art. 6(1)(b)) |
| Billing, invoicing, and tax records for paid plans | Billing data | Contract and legal obligation (Art. 6(1)(b), (c)) |
| Securing the platform: abuse and fraud prevention, rate limiting, free-tier guardrail counters, audit logging, Turnstile checks | Usage and security data | Legitimate interests (Art. 6(1)(f)) - our interest in keeping the Service secure, available, and within its free-usage limits |
| Improving the Service (aggregate usage analysis, debugging) | Usage data, minimised content where strictly needed to fix a fault | Legitimate interests (Art. 6(1)(f)) - our interest in operating and improving the product |
| Answering questions through our own marketing-site assistant and demo | Demo chat messages | Legitimate interests (Art. 6(1)(f)) - responding to questions you ask us |
| Measuring visits to our own sites through our first-party widget analytics (section 2.3) | Visit analytics: pages viewed, campaign parameters, device data, hashed-IP sessions | Legitimate interests (Art. 6(1)(f)) - understanding how our own sites are used; where ePrivacy rules require consent for storing or reading information on your device, consent - see the Cookie Policy |
| Third-party analytics of our public pages through Google Analytics 4 and Contentsquare (section 2.3) | On the replyarc.ai marketing site and the sign-in and sign-up pages only: page paths and interaction events, device and browser data, approximate location from IP, and each provider's own cookies (including the _ga cookies set by Google Analytics 4 and the session recordings captured by Contentsquare); neither tag runs in the signed-in dashboard | Consent, through our region-aware cookie-consent banner - visitors in the EEA, the UK, and Switzerland must opt in before either tag loads; elsewhere the tags load by default with an opt-out, and we honour the Global Privacy Control signal as an opt-out. See the Cookie Policy (section 5) |
| Responding to support requests | Support communications | Legitimate interests (Art. 6(1)(f)) / contract where you are a Customer |
| Occasional product-update emails to account holders | Account email | Legitimate interests (Art. 6(1)(f)), with an unsubscribe link in every message |
| Complying with law (e.g. responding to lawful requests, tax record-keeping) | As required | Legal obligation (Art. 6(1)(c)) |
Where we rely on legitimate interests, we have assessed that the processing is limited, expected, and does not override your rights. You can object - see section 9.
Account and sign-in data are required to open and maintain an account: without them we cannot provide the Service. All other personal data is optional unless we tell you otherwise when we ask for it.
We do not send marketing text messages or make marketing calls to Singapore telephone numbers without clear consent or a check of the Do Not Call Registry, and any bulk email we send complies with the Spam Control Act - every message identifies us and carries a working unsubscribe.
We do not sell personal data. We do not use Customer Data or your conversations to train AI models. What we send to the AI model provider, and why, is described in section 12.
4. Singapore PDPA: consent, deemed consent, and exceptions
For individuals in Singapore, our processing rests on the following PDPA grounds:
- Deemed consent by contractual necessity - creating an account, signing in, and using the dashboard reasonably requires the account, sign-in, and workspace data above.
- Deemed consent by conduct - when you voluntarily give us data for an obvious purpose, for example emailing support or typing your contact details into our demo chat so we can follow up.
- Legitimate interests exception (PDPA First Schedule, Part 3) - we rely on this exception, and disclose that reliance here, for security monitoring, fraud and abuse prevention, and enforcement of free-tier usage guardrails. We have assessed that these interests outweigh any likely adverse effect on individuals, and we mitigate effects by hashing IP addresses and limiting access.
- Business improvement exception - for using existing account and usage data to improve and develop the Service, within the limits the PDPC's guidelines set.
- Express consent - for anything else, which we will ask for at the time.
New purposes get fresh notice and, where required, fresh consent before we start. You may withdraw consent at any time (section 9); we will explain the consequences (usually that some or all of the Service stops working for you) and will not prohibit withdrawal.
5. Who we share personal data with
We share personal data only with:
- Sub-processors - the infrastructure and service providers that run the Service: Supabase (database, authentication, file storage, and real-time messaging - database hosted in Singapore), Fly.io (application hosting, Singapore), Cloudflare (CDN, security, and Turnstile), Upstash (Redis cache and rate limiting), OpenRouter, Inc. routing to Anthropic PBC (chat-answer AI inference, United States, under a platform API key held by ReplyArc), OpenAI (text embeddings and chat fallback, under API keys held by ReplyArc), Resend (email delivery), Sentry (error monitoring), Stripe (payment processing - active; handles billing and customer contact, payment-method metadata, and subscription/charge records; card numbers are entered into Stripe-hosted fields and are not stored by ReplyArc), Google Analytics 4 (Google LLC, US - aggregate analytics of our public marketing and sign-in pages only; sets _ga cookies, receives no dashboard data), Contentsquare (experience analytics and session replay on our public marketing and sign-in pages only - no longer loaded in the signed-in dashboard), Telegram (optional alerts to workspace owners, only where a Customer enables them), Expo with the Apple and Google push networks (mobile notifications), and Google Fonts (the chat widget's display font - Google receives the requesting visitor's IP address). The authoritative list, each provider's location, what it receives, and how to be notified of changes are maintained on our sub-processor page.
- Professional advisers and authorities - lawyers, accountants, and public authorities where the law requires or permits it. We review every government request for legality, disclose the minimum necessary, and where lawful will tell affected Customers.
- A buyer or successor - if we are involved in a merger, acquisition, or asset sale, in which case this Policy continues to apply and we will notify you of any change in controller.
Aside from the limited, hashed conversion data we share with Meta to measure our own advertising (described in section 2 and our Cookie Policy, and subject to consent), we do not share personal data with advertisers or data brokers, and we never share Customer chat content for advertising.
6. International transfers
Our primary infrastructure is in Singapore: the application runs on Fly.io in the ap-southeast-1 region and the database and authentication run on Supabase in Singapore. Some processing necessarily leaves Singapore:
| What leaves Singapore | Recipient and location | Why |
|---|---|---|
| Chat messages and recent conversation history, agent persona and business facts, knowledge-base passages, and uploaded document text for embeddings - including the supporting flows in section 12 (summaries, drafts, knowledge-gap analysis, reports) | OpenRouter, Inc. routing to Anthropic PBC (United States), under a platform API key held by ReplyArc; OpenAI (United States), under API keys held by ReplyArc, for text embeddings and as a chat fallback | AI inference and embeddings; under each provider's API terms this content is not used to train models, and it may be retained by the provider for limited abuse monitoring (currently up to 30 days) |
| Email content and recipient addresses (sign-in links, invitations, lead alerts, scheduled reports, notifications) | Resend (United States) | Sending sign-in links and service email |
| Web traffic passing through the CDN and security layer | Cloudflare (global edge network) | Content delivery, DDoS protection, bot filtering |
| Error reports with technical request context and account identifiers; session replays captured on errors | Sentry (United States) | Error and performance monitoring |
| Cached operational data: short-lived rate-limiting keys referencing IP addresses, cached responses, presence and usage counters | Upstash (Singapore region, operated by a US entity) | Caching and rate limiting |
| Device push tokens and notification text, which may include lead names | Expo (United States), via the Apple and Google push networks | Mobile notifications to Customer agents |
| Lead name and contact line in optional alerts a Customer enables | Telegram (globally distributed) | Workspace-owner alerts |
| The visitor's IP address when the chat widget loads its display font | Google Fonts (Google LLC, global) | Font delivery |
| Billing and customer contact details, payment-method metadata, and subscription/charge records (card numbers go into Stripe-hosted fields and are not stored by ReplyArc) | Stripe (United States) | Payment processing |
For transfers out of Singapore we comply with the PDPA's transfer limitation obligation by ensuring each recipient is bound by legally enforceable obligations that provide a standard of protection comparable to the PDPA - in practice, each Sub-processor's data processing agreement and standard contractual terms.
For personal data of people in the EEA or UK, Singapore does not hold an EU or UK adequacy decision, so transfers to us and onward to our Sub-processors are protected by the European Commission's 2021 Standard Contractual Clauses and, for UK data, the UK International Data Transfer Addendum, together with supplementary measures (encryption in transit, hashed identifiers, tenant isolation, a documented policy of challenging overbroad government requests). You can request a copy of the relevant clauses by emailing privacy@replyarc.ai. Where a US Sub-processor is certified under the EU-US Data Privacy Framework, we take that certification into account.
7. How long we keep personal data
| Data | Retention |
|---|---|
| Account and workspace data | While your account is active. If you ask us to close your account, we will delete or irreversibly anonymise your Customer Data within 30 days of confirming the request, except records we must keep to comply with law and residual copies in encrypted backups, which are removed on our standard backup-rotation cycle. Account closure is request-based: write to privacy@replyarc.ai. If you do not request deletion, we may retain Customer Data and may delete it after a reasonable period (see our Terms of Service). |
| Billing and tax records | 5 years (Singapore tax law), once paid plans exist |
| Demo sessions on replyarc.ai (the “try it with your website” demo) | Demo agents expire after about 24 hours; an hourly job then deletes the expired demo agent and its documents, conversations, and messages. The demo session record itself - including the IP address recorded to enforce the per-IP demo limit - is kept for abuse prevention and service statistics and is not currently deleted automatically; you may request its deletion (section 9) |
| Marketing-site assistant chats | Kept while we need them to answer you and review quality; they are retained until deleted, and you may request deletion at any time (section 9) |
| Audit events | Deleted automatically after 90 days |
| Consent and data-subject-request records | Kept as evidence of compliance for as long as the underlying relationship plus applicable limitation periods |
| Server and security logs | Application logs follow our hosting provider's standard rolling retention; database-side audit events are deleted after 90 days and background-job run records after 30 days |
| Backups | Deleted data leaves active systems at deletion and falls out of encrypted backups as those backups expire on the provider's rolling schedule |
Where data no longer serves its purpose we delete it or anonymise it so it no longer identifies anyone. Customers can additionally configure automatic purging of their conversation transcripts and leads - see section 13.4.
8. How we protect personal data
The following measures are implemented:
- Tenant isolation: customer data is segregated per workspace. Every tenant-scoped table carries database row-level-security policies keyed on tenant membership, restricting all client-facing database paths (including real-time delivery), and our application servers additionally enforce tenant isolation in application code, scoping every query to the workspace resolved from the authenticated session or API key.
- Encryption: TLS for all data in transit; encryption at rest on our database provider. Third-party credentials you connect (channel access tokens, integration and connector secrets) are encrypted at rest with AES-256-GCM and decrypted only at the moment of use. ReplyArc REST API keys are never stored - we keep only a SHA-256 hash; the full key is shown exactly once. Platform AI provider keys are held as deployment secrets. We do not write credentials to application logs, and integration error logs pass through automatic secret redaction.
- Authentication: handled by Supabase Auth (email/password, magic link, Google OAuth); we never store plaintext passwords.
- Abuse controls: Cloudflare Turnstile on exposed forms, rate limiting, per-conversation and per-workspace usage caps, and platform spend ceilings.
- Access control and logging: staff access to production data is restricted to what is needed to operate and support the Service, and administrative actions are audit-logged.
No system is perfectly secure. If a data breach occurs we will assess it promptly and notify the PDPC, other competent authorities, affected Customers, and affected individuals where and when the law requires (including the PDPA's three-day notification to the PDPC for notifiable breaches and the GDPR's 72-hour rule where it applies to us).
9. Your rights and how to exercise them
Email privacy@replyarc.ai (or our DPO, section 14) from the address associated with your data, or write to us at our registered office. We will verify your identity before acting. Exercising your rights is free; if a request is manifestly unfounded or excessive we may charge a reasonable fee or decline, and for PDPA access requests we will tell you of any fee estimate before proceeding (corrections are always free).
If you are an End User of a Customer's website, please contact that business first - see section 13.5.
9.1 Singapore (PDPA)
You may request access to your personal data and information about how it has been used or disclosed within the past year, request correction, and withdraw consent. We respond as soon as reasonably possible; if we cannot respond within 30 days, we will tell you in writing within those 30 days when we will.
9.2 EEA and UK (GDPR / UK GDPR)
You have the rights of access, rectification, erasure, restriction, portability, and objection (including to processing based on legitimate interests), and the right to withdraw consent where consent is the basis. We respond within one month, extendable by two further months for complex or numerous requests (we will tell you within the first month if so). We do not make automated decisions about you that have legal or similarly significant effects.
9.3 United States (state privacy laws)
Wondertabs Pte. Ltd. is not currently a covered “business” under the CCPA/CPRA thresholds. We do not sell personal information for money. We do share a limited, hashed set of conversion data (account sign-up and subscription purchase) with Meta to measure and improve our own advertising, which may be considered a “share” for cross-context behavioural advertising under the CCPA/CPRA. You can opt out at any time: decline or withdraw advertising/analytics consent through our cookie banner or the Cookie preferences link in the footer, which stops both the Meta Pixel and the server-side sharing. We also honour the Global Privacy Control signal as an opt-out from this sharing and from the third-party website analytics described in section 3 (Google Analytics 4 and Contentsquare on our public pages); we do not respond to the older Do Not Track signal. Residents of California and other states with comprehensive privacy laws may request access, correction, or deletion through the contacts above, and we will honour those requests on the GDPR timelines in section 9.2. We do not discriminate against anyone for exercising privacy rights.
10. Cookies and similar technologies
We use cookies and similar storage for authentication, session continuity, security, and (in the chat widget) keeping your conversation working. Details of each item, its purpose and lifespan, what is strictly necessary versus optional, and how to manage them are in our Cookie Policy.
11. Children
The Service is built for businesses and our sites and accounts are not directed at children. We do not knowingly collect personal data from children under 13 (or the higher minimum age where local law sets one), and account holders must be at least 18. If you believe a child has provided us personal data, contact privacy@replyarc.ai and we will delete it promptly. Customers must not deploy the widget on child-directed websites (see our Terms of Service).
12. AI in the Service
- Chat replies are AI generated. When you chat with a ReplyArc agent (including our own marketing-site assistant), responses are generated by a large language model unless a human agent has taken over. The widget identifies AI and human participants, and a human can take over a conversation at any time. AI answers can be wrong or incomplete - verify important information with the business you are chatting with.
- What the model receives. To generate each reply, we send our model provider the conversation so far (up to the 20 most recent messages, including anything you typed earlier in the chat), the agent's configured persona and business facts, and passages retrieved from the relevant knowledge base. Shorter excerpts of stored conversations also power supporting features: intent and sentiment classification, human-handoff summaries, suggested inbox reply drafts, knowledge-gap analysis, and report generation. Documents uploaded to a knowledge base are sent to the provider's embedding API so they can be searched. We do not send visitor IP addresses, account credentials, or billing data to the model providers. Under each provider's API terms this content is not used to train models, but a provider may retain it for a limited period (currently up to 30 days) for abuse monitoring.
- Who the provider is. All AI features run on platform-managed AI under API keys held by ReplyArc. Chat-answer inference is generated by Anthropic PBC's Claude models, accessed through OpenRouter, Inc. (both in the United States); OpenAI (United States) provides the text embeddings used to search your knowledge base and serves as a chat fallback. Our marketing-site assistant runs on a separate, cost-isolated platform key. We do not offer a bring-your-own-key option and never store an AI provider API key belonging to you.
- No training. We do not use Customer Data, End User conversations, or your demo chats to train AI models, and under each of our platform model providers' API terms your content is not used to train their models.
- Automated classification. The Service automatically classifies messages for intent and sentiment, keeps an aggregated tone profile per conversation (for example frustration, confusion, or urgency), and scores captured leads, so conversations can be prioritised and routed - including in chats with our own marketing-site assistant. This profiling produces no legal or similarly significant effects on you, and a human can take over a conversation at any time.
- No significant automated decisions. ReplyArc agents answer questions, capture contact details, and route conversations. They do not make lending, housing, employment, insurance, health, or similar consequential decisions about individuals.
Part B - End User data we process for Customers
13. If you chatted with a business that uses ReplyArc
13.1 The business is in charge of your data
When you chat with the widget on a Customer's website, that Customer is the controller (the “organisation” under the PDPA, the “business” under US state laws) of your personal data. We process it on the Customer's behalf as their processor, data intermediary, and service provider, under a written Data Processing Agreement. The Customer decides what the agent says, what it asks for, how long your data is kept, and who sees it.
13.2 What we process on the Customer's behalf
- Conversation data: your chat messages, AI and human-agent replies, and any files or details you share in chat.
- Contact details you choose to share: typically name, email address, or phone number, captured as a lead or so the business can follow up.
- Website visit data: pages viewed, session events, referrer and campaign parameters, browser language, timezone, screen size, and server-derived browser/device type. For this analytics data your raw IP address is not stored - only a one-way hash.
- Connected messaging channels: if the business has connected a messaging channel such as WhatsApp, Messenger, Instagram, Telegram, Slack, Microsoft Teams, or Discord, we relay messages between you and the business in both directions and process the channel identifiers involved - for WhatsApp, this includes the phone number you message from, which identifies your conversation.
- AI derived classifications: your messages are automatically classified for intent and sentiment, your conversation carries an aggregated tone profile (for example frustration, confusion, or urgency, and a dominant tone), and captured leads are scored - all so the business can prioritise and route conversations. This produces no legal or similarly significant effects on you, and a human agent can take over at any time.
- Handoff and presence data: whether a human agent joined, and conversation status.
If you tap a link-out channel button in the widget (WhatsApp, Messenger, LINE, phone, or a booking link), you leave the widget and deal with that channel directly - its own terms and the Customer's arrangements govern from there. That is different from the connected channels above, where the business runs its ReplyArc agent inside the channel and we process those messages on the business's behalf.
13.3 What ReplyArc itself does with this data
Only what is needed to run the Service for the Customer: storing and displaying conversations in the Customer's inbox, generating AI replies (section 12), enabling human takeover, and producing analytics for that Customer. We also use it in strictly limited ways for platform security, abuse prevention, and enforcing usage guardrails. We do not sell it, share it for advertising, combine it across Customers, or use it to train AI models.
13.4 Retention of End User data
End User conversation transcripts and leads are kept for as long as the Customer keeps them, subject to: (a) optional automatic purging the Customer can enable, which deletes transcripts and/or leads older than the number of days the Customer sets, enforced by a scheduled job; (b) deletion when the Customer removes a contact using the dashboard's “forget” control, which deletes the contact's profile; (c) deletion following account closure, which the Customer requests in writing - if the Customer asks us to close the account, we will delete or irreversibly anonymise Customer Data within 30 days of confirming the request, except records we must keep to comply with law and residual copies in encrypted backups, which are removed on our standard backup-rotation cycle; and (d) erasure in response to a data subject request, which anonymises lead records and overwrites linked message content with an erasure marker.
13.5 Your rights as an End User
Please direct requests about your data - access, correction, or deletion - to the business whose website you used; they control your data and can act on it directly. If you contact us instead, we will forward your request to the relevant Customer without undue delay and assist them in responding. Where the law gives you rights directly against us as a processor or data intermediary, we honour them.
14. Data Protection Officer and contacting us
Our Data Protection Officer can be reached at dpo@replyarc.ai. General privacy questions: privacy@replyarc.ai. Legal notices: legal@replyarc.ai.
Postal address: Wondertabs Pte. Ltd. (UEN 202037320G), Singapore - registered office address available from ACRA records and on request.
We have not yet appointed local representatives for individuals in the EEA (GDPR Article 27) or the UK. We will appoint an EU representative and a UK representative, and publish their names and contact details on this page, before we actively market the Service to, or onboard, Customers in the EEA or the UK.
15. Complaints
We would like the chance to resolve any concern first - email dpo@replyarc.ai and we will acknowledge your complaint within 30 days and respond without undue delay. You can also complain to a supervisory authority at any time:
- Singapore: Personal Data Protection Commission (PDPC), https://www.pdpc.gov.sg
- EEA: your local data protection supervisory authority (list at https://www.edpb.europa.eu/about-edpb/about-edpb/members_en)
- United Kingdom: Information Commissioner's Office (ICO), https://ico.org.uk
- United States: your state attorney general or, in California, the California Privacy Protection Agency
16. Changes to this Policy
We update this Policy as the Service and the law evolve. The “Last updated” date above always reflects the current version. For material changes we will give account holders at least 14 days' notice by email before the changes take effect, and the prior version is available on request.