This document governs your use of ReplyFlow. It includes our Terms of Service, Data Processing Agreement (Article 28 UK GDPR), Acceptable Use Policy, and Cookie & Tracking Notice. By completing payment and ticking the agreement checkbox at checkout, you confirm you have read and accept these Terms in full.
"ReplyFlow", "we", "us", "our" means Sarpai Ltd trading as ReplyFlow, a company registered in England and Wales (Company No. 16712039), registered office: 128 City Road, London, EC1V 2NX. Sarpai Ltd is registered with the Information Commissioner's Office (ICO registration number ZC062777) and operates under SIC codes 82990 (Other business support service activities not elsewhere classified) and 63110 (Data processing, hosting and related activities).
"Client", "you", "your" means the business — whether a sole trader or limited company — that subscribes to the Service and accepts these Terms. These Terms apply to B2B commercial relationships only. The Service is not directed at consumers, and the Consumer Rights Act 2015 does not apply to this Agreement.
The following defined terms apply throughout this document:
This Agreement is formed when you complete payment of the Setup Fee via our payment processor and tick the agreement checkbox at checkout confirming you have read and accept these Terms. Any verbal discussion prior to payment does not constitute a binding agreement.
If you are entering into this Agreement on behalf of a limited company or other legal entity, you represent that you have authority to bind that entity. If you do not have such authority, you must not proceed with payment.
For any material updates to these Terms, we will notify you by email at least 14 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance. If you do not accept the revised Terms you may cancel before the effective date without penalty.
We reserve the right to decline to provide the Service to any business at our sole discretion. In such cases we will issue a full refund of any fees received.
ReplyFlow provides an automated post-job review request service for local and mobile businesses. After you submit a completed job via our form, the system sends a personalised SMS and email to your Customer requesting a Google review on your behalf.
The Service currently covers post-job review request automation via SMS and email only. Any future expansion will be communicated and may be subject to updated Terms.
Subject to full compliance with this Agreement and payment of all applicable fees, we grant you a limited, non-exclusive, non-transferable, revocable right to access and use the Service for your own legitimate internal business purposes during the subscription term.
This Acceptable Use Policy ("AUP") forms part of this Agreement. Breach of this AUP may result in immediate suspension or termination of your account without refund.
You may only use the Service to send post-job review requests to Customers with whom you have a genuine, recent, direct commercial relationship — meaning you have completed a paid job or delivered a service to that Customer shortly before submitting their details — and in respect of whom valid Customer-completed consent has been obtained and recorded using the Approved Consent Wording and the approved Consent Form as described in Section 6.
Every review request sent via the Service must clearly identify your business as the sender and include a clear and easy opt-out mechanism. Where a Customer opts out, you must notify us immediately at Help & Support so we can suppress them from further processing.
Consent Records (comprising the Customer's completed consent checkbox, contact details, and signature where collected) are recorded and held by ReplyFlow in Airtable as part of the Service and constitute the primary consent evidence for each submission. You must retain your own corresponding records — including copies of completed Consent Forms — for a minimum of 6 years. You must maintain records of any TPS/CTPS screening checks you conduct separately. We may share Consent Records with you on written request for the purposes of demonstrating compliance. You must be able to provide evidence of compliance to us or the ICO on request.
You must not submit the same Customer's details more than once within a 90-day period. Excessive or abusive volumes that harm our provider relationships or deliverability rates may result in account suspension.
You are solely responsible for ensuring your use of the Service complies with all applicable laws including UK GDPR, DPA 2018, and PECR. We act as your data processor; legal obligations in respect of your Customers' personal data rest with you as the data controller.
You acknowledge that automated review requests sent by SMS or email — even following a completed transaction — are likely to constitute direct marketing under PECR (regulation 22) and ICO guidance, as they encourage action by the recipient. PECR rules apply to these communications whether sent by you directly or by us on your behalf as your processor. We do not send these communications as our own direct marketing.
The default and required method for obtaining PECR-compliant consent under this Service is express consent obtained directly from the Customer using the Approved Consent Wording via the approved Consent Form:
You must use the Approved Consent Wording without material alteration. The consent must be:
You must not tick the consent checkbox yourself, assume consent on behalf of a Customer, or submit a Customer's details where the Consent Form has not been personally completed by that Customer.
Approved Consent Wording: "Yes, I consent to receive one SMS & Email review request from ReplyFlow on behalf of [Business Name] after today's service. I understand this is optional and I can reply STOP anytime."
ReplyFlow records each Customer's completed consent (checkbox status, contact details, and signature where collected via Tally) in Airtable as part of the Service infrastructure. These Consent Records are held by us as processor and constitute the primary evidential record of consent for each submission. You may request a copy of any Consent Record by contacting us via Help & Support. You must retain corresponding records of your own (copies of completed Consent Forms) for a minimum of 6 years in accordance with the AUP.
The soft opt-in exemption under regulation 22(3) PECR is available as a narrow fallback where express consent via the Consent Form mechanism cannot practically be obtained for a particular Customer — for example, where an existing customer relationship pre-dates the introduction of the Consent Form and the Customer has not yet completed it. Soft opt-in is not the standard or preferred route for this Service. Where you wish to rely on soft opt-in as a fallback, you must satisfy all five conditions in the warranty below and be able to evidence this independently.
By submitting any Customer's details on the basis of soft opt-in, you represent and warrant that all of the following conditions under regulation 22(3) PECR are satisfied:
If you cannot satisfy all of the above soft opt-in conditions for any Customer, you must obtain that Customer's prior express consent via the Consent Form before submitting their details to the Service. We reserve the right to suspend or refuse any submission where we reasonably believe PECR compliance has not been met.
Before submitting any Customer's telephone number to the Service, you must screen that number against the TPS (individual subscribers) and CTPS (corporate subscribers). If a number is registered and you do not hold that Customer's prior express consent overriding their registration, you must not submit it. You warrant that you have completed this screening for every number you submit.
Where you additionally rely on legitimate interests (Article 6(1)(f) UK GDPR) as your lawful basis for processing Customer Personal Data, you confirm that you have conducted and documented an LIA in accordance with ICO guidance, and that you can provide a copy on request to us or the ICO. Note that for PECR purposes, express consent via the Consent Form is the required basis — UK GDPR lawful basis and PECR consent are separate legal requirements that must both be satisfied.
PECR enforcement notice: Following the Data Use and Access Act 2025, ICO fines for PECR breaches can reach up to 4% of global annual turnover or £17.5 million. It is your responsibility to ensure PECR compliance before submitting any Customer's details. We will cooperate with any ICO investigation but accept no liability for your non-compliance.
We aim to provide the highest possible level of service availability. However, we do not guarantee uninterrupted or error-free operation. The Service depends on third-party infrastructure — including n8n (hosted on Railway), Airtable, TextMagic, Resend, Stripe, and Tally — over which we have no direct control.
We will use reasonable endeavours to monitor the Service, address issues promptly, communicate planned maintenance in advance where possible, and restore service following unplanned outages as quickly as practicable.
We are not liable for any delay or failure caused by third-party provider outages, force majeure events, scheduled maintenance, your own actions, Google review policy changes, or circumstances beyond our reasonable control. We do not offer formal service credits for downtime.
We provide email support to all active Clients at Help & Support. We aim to respond within one business day during UK business hours (Monday to Friday, 9am–5pm, excluding UK public holidays), though this is not guaranteed.
Support covers issues directly related to the ReplyFlow Service. We do not provide support for third-party platforms, your Google Business Profile, or issues caused by your own hardware, software, or network.
All intellectual property rights in the Service — including our automations, systems, software, templates, processes, branding, and website — are and remain the exclusive property of Sarpai Ltd. Nothing in this Agreement transfers any IP rights to you.
You retain all rights in your Customer Data and business content. You grant us a limited, non-exclusive licence to use your business information and Customer Data solely to the extent necessary to provide the Service during the subscription term.
We may use anonymised and aggregated data derived from use of the Service (which does not identify you or your Customers) for internal service improvement and product development.
Each party agrees to keep confidential any information received from the other party that is marked as confidential or that a reasonable person would understand to be confidential, and not to disclose it to any third party (other than employees, contractors, or advisers who need to know it and are bound by equivalent obligations) or use it for any purpose other than performing this Agreement.
This obligation does not apply to information that: (a) is or becomes publicly available other than through breach; (b) was already known to the recipient; (c) is independently developed without use of the Confidential Information; or (d) is required to be disclosed by law or court order, subject to reasonable prior notice where possible. Confidentiality obligations survive termination for three (3) years.
We warrant that we have the right to enter into this Agreement, will provide the Service with reasonable skill and care, and will comply with our data processor obligations under UK GDPR and DPA 2018 as set out in Section 17.
Except as expressly stated above, the Service is provided on an "as is" and "as available" basis. To the fullest extent permitted by law, we exclude all implied warranties, including those of satisfactory quality, fitness for a particular purpose, and non-infringement.
We do not warrant that the Service will meet your specific requirements, result in any particular volume of reviews, ensure successful delivery of all SMS or emails, or that third-party platforms will operate without interruption. Nothing in this clause limits any warranty that cannot lawfully be excluded.
Our total aggregate liability to you — whether in contract, tort (including negligence), breach of statutory duty, or otherwise — shall not exceed the total Subscription Fees actually paid by you in the six (6) calendar months immediately preceding the event giving rise to the claim.
To the fullest extent permitted by applicable law, we shall not be liable for any: loss of profits, revenue, or anticipated savings; loss of business, contracts, or opportunities; loss of goodwill or reputational damage; loss or corruption of data; indirect, special, or consequential loss; losses arising from your failure to comply with PECR, UK GDPR, or any applicable law; losses caused by third-party provider failures (including Google, TextMagic, Resend, Airtable, Railway, Stripe, or Tally); losses from Google review policy changes; or failure of a Customer to leave a review.
We do not exclude liability for: death or personal injury caused by our negligence; fraud or fraudulent misrepresentation; or any other liability that cannot be excluded or limited by applicable UK law.
You shall indemnify, defend, and hold harmless Sarpai Ltd, its officers, employees, and contractors from and against any claims, damages, fines, penalties, losses, and costs (including reasonable legal fees) arising out of or relating to: your breach of this Agreement (including the AUP); your failure to comply with PECR, UK GDPR, DPA 2018, TPS/CTPS obligations, or any other applicable law; any claim by a Customer or third party arising from communications sent on your instructions via the Service; any claim by the ICO or other regulatory authority arising from your conduct as data controller; or any third-party IP claim arising from content or data you provide to us.
We shall indemnify you against any third-party claim that the ReplyFlow platform itself (excluding your content or data) infringes that party's UK intellectual property rights, provided you promptly notify us, give us sole control of the defence, and cooperate reasonably.
This Agreement commences on the date you complete payment of the Setup Fee and continues on a rolling monthly basis, with the Subscription Fee collected automatically each month. The subscription auto-renews monthly until cancelled.
You may cancel at any time with no notice period required. To cancel, log in to your Stripe customer portal and cancel your plan directly. No refunds are issued for the current billing period. Setup Fees are non-refundable.
We may terminate or suspend immediately on written notice if: you breach this Agreement and fail to remedy within 7 days of notice; you fail to pay fees due within 7 days of notice; you become insolvent or subject to a winding-up petition; or we reasonably believe continued provision would expose us to legal, regulatory, or reputational risk. We may also terminate for convenience with 30 days' written notice.
On termination: your right to use the Service ceases; all Customer Data will be securely deleted within 30 days; your business account data will be retained for 6 years for legal and accounting compliance; and any suspension or deletion of Customer Data mid-subscription due to non-payment will be communicated with a minimum of 7 days' notice before permanent deletion.
We are committed to resolving complaints promptly and fairly. If you have a complaint about the Service, please contact us first at Help & Support with a clear description of the issue.
We will acknowledge your complaint within 2 business days and aim to provide a full response within 14 calendar days. Where a complaint is complex and requires more time, we will keep you informed of progress.
If your complaint relates to our handling of personal data, you also have the right to escalate to the ICO at ico.org.uk/make-a-complaint or by calling 0303 123 1113 at any time.
This complaints process reflects our obligations under the Data Use and Access Act 2025, which introduces an internal complaints handling duty for data processors. We will update this process as further DUAA provisions come into force.
This Agreement is governed by the laws of England and Wales. The parties submit to the exclusive jurisdiction of the courts of England and Wales.
Neither party shall be in breach or liable for any delay or failure resulting from circumstances beyond their reasonable control, including acts of God, pandemics, government actions, internet outages, third-party provider failures, or Google platform and policy changes. If such circumstances persist for more than 30 days, either party may terminate on written notice.
You may not assign or transfer this Agreement without our prior written consent. We may assign to a successor entity in connection with a merger, acquisition, or sale of substantially all of our assets, with reasonable notice to you.
If any provision of this Agreement is found invalid or unenforceable, it shall be severed and the remaining provisions shall continue in full force.
This Agreement constitutes the entire agreement between the parties regarding the Service and supersedes all prior representations, agreements, and understandings.
Failure to exercise any right or remedy does not constitute a waiver of that right or remedy.
Notices should be sent to us at Help & Support and to you at the email address provided at sign-up. Email notices are deemed received on the next business day.
The Service is not intended to be used with personal data relating to individuals under the age of 18. You must not submit contact details belonging to a person you know or reasonably believe to be under 18.
This section constitutes the Data Processing Agreement ("DPA") between you (the Data Controller) and Sarpai Ltd trading as ReplyFlow (the Data Processor), as required by Article 28 UK GDPR and the Data Protection Act 2018. This DPA forms part of and is incorporated into the Agreement.
In plain terms: your Customers' data is yours. You decide why it is collected and the lawful basis for processing it. We only process it to send review requests on your behalf — for the purposes of post-transaction business improvement and customer satisfaction — and only in accordance with your documented instructions. Express consent is obtained directly from Customers via our Consent Form before any submission occurs.
You are the Data Controller in respect of Customer Personal Data submitted to the Service. Sarpai Ltd is your Data Processor when processing that data to deliver the Service. Sarpai Ltd is also a Data Controller in its own right for personal data it holds about you as a client (name, business name, email, billing information, and communications). That processing is governed by our Privacy Policy at reply-flow.online/privacy, which sets out the lawful bases, retention periods, and your data subject rights in relation to your own personal data.
| Field | Detail |
|---|---|
| Subject matter | Personal data of the Client's end-customers |
| Duration | For the term of the Agreement, plus up to 30 days post-termination for secure deletion |
| Nature of processing | Collection of Customer contact details and consent indicators via Tally Consent Form; temporary storage in Airtable (including Consent Records); transmission via SMS (TextMagic Sender ID: "ReplyFlow") and email (Resend) on behalf of the Client's business |
| Purpose | Sending automated post-job review requests on behalf of the Client for the purposes of business improvement and customer satisfaction; recording Customer-completed consent as evidence of PECR compliance |
| Categories of personal data | First name, last name, mobile phone number, email address, job description (optional), consent indicator (checkbox status), Customer signature (where collected via Tally Consent Form) |
| Categories of data subjects | End-customers of the Client who have had a paid job or service completed by the Client |
| Special category data | None — you must not submit special category data under any circumstances |
Sarpai Ltd, as Data Processor, agrees to:
You confirm and warrant that:
By accepting this Agreement you grant us general written authorisation to use the sub-processors listed below. We will update this list when we add, replace, or remove a sub-processor. If you have a legitimate objection to a new sub-processor, contact us at Help & Support and we will discuss it in good faith. Where an objection cannot be resolved and the sub-processor is essential to the Service, either party may terminate on written notice without penalty.
| Sub-processor | Purpose | Location | Safeguard |
|---|---|---|---|
| TextMagic | SMS delivery to Customers | UK / EEA | 2FA enabled · UK/EEA adequacy |
| Resend | Email delivery to Customers | USA | 2FA enabled · IDTA / UK Addendum in place |
| Airtable | CRM, Client data storage, Customer Data storage, and Consent Records | USA | 2FA enabled · IDTA / UK Addendum in place |
| Railway | Automation hosting (n8n) | USA | 2FA enabled · IDTA / UK Addendum in place |
| Tally | Consent Form and job submission forms — Customer-facing consent collection and data entry | EEA (Belgium) | 2FA enabled · EEA adequacy |
| Stripe | Payment processing — Client billing only. No Customer Personal Data is processed by Stripe. | USA / EEA | 2FA enabled · IDTA in place · PCI DSS compliant |
We impose data protection obligations on all sub-processors by written contract and remain liable to you for their performance of those obligations.
Resend, Airtable, and Railway are based in the USA, which does not currently hold a UK adequacy decision. For all restricted transfers outside the UK we use the ICO's International Data Transfer Agreement (IDTA) or the UK Addendum to EU SCCs as applicable. We conduct and document Transfer Risk Assessments (TRAs) for all restricted transfers and apply supplementary technical measures (including TLS encryption) where required. Copies of transfer safeguards are available on written request.
If any Customer exercises a UK GDPR right (access, rectification, erasure, restriction, portability, or objection), notify us promptly at Help & Support and we will assist you in responding within the statutory period (generally one calendar month from receipt).
Sarpai Ltd ICO registration number: ZC062777. Verify at ico.org.uk. You are separately responsible for your own ICO registration if required.
The DUAA received Royal Assent in 2025. Some provisions — including changes to recognised legitimate interests, automated decision-making, expanded cookie exemptions, and PECR fine alignment — are not yet fully in force as of the date of these Terms. We will monitor ICO guidance and update this Agreement as relevant provisions come into effect, notifying you of any material changes. We continue to operate in full compliance with UK GDPR, DPA 2018, and PECR as currently in force.
Data protection complaints: contact us first at Help & Support. You may also complain to the ICO at ico.org.uk/make-a-complaint or by calling 0303 123 1113 at any time.
This notice explains how we use cookies and similar technologies on the ReplyFlow website (reply-flow.online) in accordance with PECR and UK GDPR, including relevant DUAA 2025 provisions as they come into force.
Cookies are small text files placed on your device when you visit a website. They help websites function, remember preferences, and in some cases collect analytics data.
| Type | Purpose | Consent required? |
|---|---|---|
| Strictly necessary | Essential for the website to function. Cannot be disabled. Includes session state, security tokens, and form submission state. | No — exempt under PECR regulation 6(4) and DUAA 2025 low-risk exemptions |
| Analytics / statistical | Help us understand how visitors use our website. We may use anonymised analytics such as Vercel Analytics. Where analytics data is linked to an identifiable person, consent is required before setting. | Yes, where linked to an identifiable individual. No, where fully anonymised. |
| Marketing / retargeting | We do not currently use third-party advertising, tracking pixels, or retargeting cookies. | N/A — not in use |
Our website is hosted on Vercel and our job submission forms are powered by Tally. These providers may set their own strictly necessary cookies. We do not control these. Please refer to Vercel's and Tally's own privacy policies for details.
You can control and delete cookies through your browser settings. Disabling strictly necessary cookies may affect website functionality. Where we use non-essential cookies, you will be offered a clear opportunity to accept or reject them before they are set. For more information visit aboutcookies.org.
The DUAA 2025 introduces expanded exemptions for low-risk statistical and functional cookies. We will update this notice as ICO publishes final guidance. Our current approach is consistent with PECR as in force and conservative in applying new exemptions until further ICO guidance is confirmed.
Questions about these Terms, this DPA, or your data?
Email: Help & Support
Sarpai Ltd trading as ReplyFlow · 128 City Road, London, EC1V 2NX
Company No. 16712039 · ICO Registration No. ZC062777