This policy explains how Sarpai Ltd (trading as ReplyFlow) collects, uses, stores, and protects personal data — both as a data controller in our own right and as a data processor acting on behalf of our business clients. It applies to our website visitors, business clients, and the end-customers of our clients whose data is processed via our Service.
Sarpai Ltd, trading as ReplyFlow, is a company registered in England and Wales (Company No. 16712039), registered office: 128 City Road, London, EC1V 2NX.
We are registered with the Information Commissioner's Office (ICO). ICO registration number: ZC062777. You can verify this at ico.org.uk.
We operate under SIC codes 82990 (Other business support service activities not elsewhere classified) and 63110 (Data processing, hosting and related activities).
For all privacy-related queries, contact us at: Help & Support. We do not have a formally appointed Data Protection Officer (DPO); all data protection queries are handled by the above contact.
This policy is governed by and complies with: the UK General Data Protection Regulation (UK GDPR) as retained and amended by the Data Protection Act 2018 (DPA 2018); the Privacy and Electronic Communications Regulations 2003 (PECR) as amended; and, as relevant provisions come into force, the Data Use and Access Act 2025 (DUAA).
This policy covers personal data processed by Sarpai Ltd in two capacities:
We are the data controller for personal data we collect directly about:
When our business clients submit their end-customers' contact details to our Service, we act as a data processor on behalf of those clients (who are the data controllers). In this capacity, we process Customer Personal Data only on the client's instructions and in reliance on the client's lawful basis and PECR consent obligations. Specifically, before any submission is made, the client is required to obtain valid express consent directly from each Customer using our provided consent mechanism (described in Section 06 below). We record the affirmative consent provided by end-customers via our Tally Consent Form, and retain those Consent Records in Airtable as part of our processor obligations. Our full obligations in that capacity are set out in the Data Processing Agreement within our Terms of Service. This Privacy Policy does not otherwise govern that processing.
If you are an end-customer of a ReplyFlow client and have received a review request SMS or email sent by ReplyFlow on that business's behalf: the business that arranged your consent and submitted your details is the data controller for that processing. Please contact that business directly to exercise your data rights or to opt out of further communications. You can reply STOP to any SMS at any time. If you are unable to reach the business, you may contact us via Help & Support and we will assist where we are able to and forward any data rights requests to the relevant client.
| Category | Data collected | Source |
|---|---|---|
| Account information | Name, business name, email address, phone number | Provided directly by you at sign-up or during sales outreach |
| Billing information | Payment card details and billing address (processed and stored by Stripe — we do not store card data) | Provided directly at checkout |
| Communication data | Emails, support messages, and call notes | Generated through your interactions with us |
| Onboarding data | Business name, Google/Facebook review links, message preferences, job submission form responses | Provided during onboarding via Tally form |
| Usage data | Form submission history, job records, contact volumes (held in Airtable) | Generated through your use of the Service |

| Category | Data collected | Source |
|---|---|---|
| Technical data | IP address, browser type, device type, pages visited, time on site, referral source | Collected automatically via Vercel hosting and analytics |
| Cookie data | Session cookies and, where consent is given, analytics data | Collected automatically — see Section 12 |
Where our clients submit their Customers' details to the Service, we process: first name, last name, mobile phone number, email address, optional job description, consent indicator (checkbox status), and Customer signature (where collected via the Tally Consent Form). The consent indicator and signature are collected directly from the Customer via the Tally Consent Form at the point of service. We record these consent indicators in Airtable as Consent Records. This processing is governed by our DPA with each client and is not covered further in this policy. We do not use this data for our own purposes.
Under UK GDPR Article 6, we rely on the following lawful bases for our controller processing activities:
| Processing activity | Lawful basis |
|---|---|
| Delivering the Service to active clients | Contract (Art. 6(1)(b)) — processing necessary to perform our contract with you |
| Processing subscription payments via Stripe | Contract (Art. 6(1)(b)) |
| Sending service and account communications to clients | Contract (Art. 6(1)(b)) and Legitimate interests (Art. 6(1)(f)) — keeping clients informed about their service |
| Retaining financial and accounting records | Legal obligation (Art. 6(1)(c)) — Companies Act 2006, HMRC requirements |
| Outbound sales communications to prospective clients | Legitimate interests (Art. 6(1)(f)) — direct marketing to business contacts in compliance with PECR soft opt-in or prior consent |
| Website analytics and performance monitoring | Legitimate interests (Art. 6(1)(f)) — improving our website and service, using anonymised data where possible; Consent (Art. 6(1)(a)) where non-essential cookies are used |
| Enforcing our Terms of Service | Legitimate interests (Art. 6(1)(f)) — protecting our business and complying with our legal obligations |
| Website statistical analytics (Vercel) | Statistical purposes exemption under DUAA 2025 (no consent required, subject to clear information and opt-out) + Legitimate interests (Art. 6(1)(f)) where applicable |
Where we rely on legitimate interests, we have conducted a Legitimate Interests Assessment (LIA) and are satisfied that our interests are not overridden by the rights and interests of the individuals concerned. You may request a summary of any LIA relevant to you by contacting us at Help & Support.
Where we rely on the new statistical purposes exemption under the Data Use and Access Act 2025, we provide clear information and an easy opt-out mechanism.
The Privacy and Electronic Communications Regulations 2003 (PECR) govern electronic marketing and certain types of online communications. This section explains how PECR applies to our own communications and to the Service.
Where we contact prospective or existing business clients by email or phone for marketing purposes, we do so either:
We screen business telephone numbers against the CTPS before making outbound calls. We honour all opt-out requests promptly. To opt out of our marketing communications at any time, email Help & Support or use the unsubscribe link in any email we send you.
Review requests are sent to end-customers on behalf of our clients using our TextMagic Sender ID ("ReplyFlow") and Resend email infrastructure. We do not send these communications as our own direct marketing. We only send a review request where the client has obtained — and we have recorded — valid express consent directly from that Customer via the approved mechanism:
The consent is specific to one SMS and one email review request from ReplyFlow on behalf of the named business. Customers may withdraw consent at any time by replying STOP to any SMS or by contacting the client directly. We record each Customer's completed consent (checkbox status, contact details, and signature where collected) in Airtable as part of our processor obligations. Our clients also retain their own corresponding records. The use of soft opt-in as an alternative is a narrow fallback only, as set out in our Terms of Service.
The Data Use and Access Act 2025 introduces changes to PECR fine levels and certain exemptions. We monitor ICO guidance on these changes and will update this policy accordingly as provisions come into force.
We do not sell personal data. We share personal data only in the following circumstances:
We do not share any personal data with GoCardless or any direct debit provider. We use the following third-party providers to operate our business and deliver the Service. Each is engaged under a written contract containing data protection obligations:
| Provider | Purpose | Data shared | Location |
|---|---|---|---|
| Airtable | CRM, client data, and Customer Data storage | Client and Customer Data | USA |
| TextMagic | SMS delivery to end-customers | Customer phone numbers and message content | UK / EEA |
| Resend | Email delivery to end-customers | Customer email addresses and message content | USA |
| Railway / n8n | Automation infrastructure — processing logic that triggers and manages review request workflows | Customer Data passed through automation | USA |
| Tally | Job submission forms and onboarding forms | Client onboarding data and Customer Data submitted via forms | EEA (Belgium) |
| Stripe | Payment processing for client subscriptions | Client billing data only — no Customer Data is shared with Stripe | USA / EEA |
We may share personal data with our accountants, legal advisers, and insurers where necessary for the operation of our business. These parties are bound by confidentiality obligations.
We may disclose personal data where required by law, court order, or regulation — for example, to the ICO, HMRC, or law enforcement agencies. Where permitted, we will notify you of any such disclosure.
If Sarpai Ltd is involved in a merger, acquisition, or sale of all or substantially all of its assets, personal data may be transferred as part of that transaction. We will notify affected individuals and, where required, seek consent before any such transfer.
Some of our service providers are located in the USA, which does not currently hold a UK adequacy decision. Where personal data is transferred outside the UK to such providers, we ensure appropriate safeguards are in place under UK GDPR Chapter V:
We conduct Transfer Risk Assessments (TRAs) for all restricted transfers and implement supplementary technical measures (including TLS encryption in transit and 2FA on all platforms) where required.
Copies of the relevant transfer safeguards are available on written request at Help & Support.
Providers located in the UK or EEA (TextMagic, Tally) benefit from UK/EEA adequacy and do not require additional transfer safeguards.
We conduct and document Transfer Risk Assessments (TRAs) for all restricted transfers and apply supplementary measures such as TLS encryption.
We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by law. Our standard retention periods are:
| Data category | Retention period | Reason |
|---|---|---|
| Client account data (name, email, business details) | Duration of the subscription, plus 6 years after termination | Legal and accounting compliance (Companies Act 2006, HMRC) |
| Client billing records | 6 years from the date of the transaction | Legal and accounting compliance |
| Client communication records (emails, support) | 3 years after the end of the client relationship | Legitimate interests — resolving disputes, evidence of service delivery |
| Customer Data (submitted by clients for review requests) | Deleted within 30 days of subscription termination | Processor obligation under our DPA — data minimisation |
| Website analytics data | Up to 12 months in anonymised form | Legitimate interests — website improvement |
| Prospective client data (sales outreach) | Up to 2 years from last contact, or until opt-out | Legitimate interests — sales and business development, subject to PECR compliance |
When data is no longer required, we securely delete or anonymise it. You may request early deletion of your personal data by contacting us (subject to our legal retention obligations — see Section 11).
We take the security of personal data seriously and implement appropriate technical and organisational measures in accordance with Article 32 UK GDPR, including:
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and notify affected individuals without undue delay where required by law.
No system is completely secure. If you become aware of any actual or suspected security incident involving your data, please contact us immediately at Help & Support.
Under UK GDPR, you have the following rights in respect of your personal data that we hold as a data controller. These rights do not apply to processing we carry out as a data processor on behalf of our clients — in those cases, please contact the relevant client directly.
| Right | What it means |
|---|---|
| Right of access | You can request a copy of the personal data we hold about you (a Subject Access Request or SAR) |
| Right to rectification | You can ask us to correct inaccurate or incomplete personal data |
| Right to erasure | You can ask us to delete your personal data in certain circumstances (e.g. where it is no longer necessary for the purpose it was collected, or where you withdraw consent) |
| Right to restriction | You can ask us to pause processing of your data in certain circumstances (e.g. while accuracy is contested) |
| Right to data portability | Where processing is based on consent or contract and carried out by automated means, you can ask for your data in a structured, commonly used, machine-readable format |
| Right to object | You can object to processing based on legitimate interests, including for direct marketing. We must stop unless we have compelling legitimate grounds that override your interests |
| Rights related to automated decision-making | You have the right not to be subject to solely automated decisions that produce legal or similarly significant effects. We do not currently carry out such processing. |
| Right to withdraw consent | Where processing is based on consent, you can withdraw it at any time. Withdrawal does not affect the lawfulness of processing before withdrawal. |
To exercise any of these rights, contact us at Help & Support. We will respond within one calendar month of receipt, free of charge in most cases. We may ask you to verify your identity before processing a request. In some cases we may need to extend our response time by up to a further two months for complex requests — we will notify you if this applies.
Note that certain rights are subject to limitations. For example, we may need to retain some data to comply with our legal obligations (e.g. accounting records) even if you request erasure.
We use limited statistical technologies provided by our hosting platform (Vercel) solely to understand how our website is used and to improve the service. These qualify for the statistical purposes exemption under the Data Use and Access Act 2025 and do not require prior consent.
Full details of all technologies we use, including any strictly necessary cookies from Tally forms, are set out in the Cookie & Tracking Notice (Section 18 of our Terms of Service).
You can opt out of statistical analytics at any time via the simple link in our website footer. Disabling strictly necessary cookies may affect basic site functionality.
The ReplyFlow Service is directed at businesses (B2B) only. We do not knowingly collect personal data from individuals under the age of 18 through our website or Service. Our Terms of Service prohibit clients from submitting contact details belonging to any person they know or reasonably believe to be under 18.
If you believe we have inadvertently collected personal data relating to a child, please contact us immediately at Help & Support and we will take prompt steps to delete it.
We may update this Privacy Policy from time to time to reflect changes in our practices, the law, or ICO guidance — including changes arising from the Data Use and Access Act 2025 as its provisions come into force.
We will notify active clients of any material changes by email at least 14 days before they take effect. The "Last updated" date at the top of this page reflects the date of the most recent revision. We recommend checking this page periodically.
Continued use of the Service after the effective date of any changes constitutes acceptance of the updated policy.
We will also update this policy to reflect any further guidance from the ICO on the Data Use and Access Act 2025 as it becomes available.
For any privacy-related queries, data subject rights requests, or data protection concerns, please contact us:
Sarpai Ltd trading as ReplyFlow
Email: Help & Support
Address: 128 City Road, London, EC1V 2NX
Company No. 16712039 · ICO Registration No. ZC062777
We will acknowledge your query within 2 business days and aim to provide a full response within one calendar month.
If you are not satisfied with our response, or if you believe we have handled your personal data unlawfully, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
We would always appreciate the opportunity to resolve any concern directly before you escalate to the ICO.