Remly

Privacy Policy

Last updated: May 19, 2026

This Privacy Policy describes how Remly ("we", "us", or "our") collects, uses, and shares personal information when you visit goremly.com, sign up as a customer, or interact with chatbots powered by our platform.

Scope. This policy covers two groups: (1) site visitors and paying customers of Remly, and (2) end-customers who chat with a Remly-powered chatbot on a third party's website. For end-customer chat conversations, the business operating the chatbot (our "Customer") is the data controller and its own privacy policy governs how that data is used. Remly acts as a data processor on behalf of that Customer. See Scope of this Policy below for details.

1. What we collect

From site visitors

• Pages viewed, IP address, browser/device type, and referrer (server logs).
• Anything you submit through forms (contact, demo requests, onboarding).

From paying customers

• Account details: name, email, business name, phone, address.
• Billing information processed by Stripe (we do not store full card numbers).
• Configuration you upload: services, FAQs, pricing, business hours, branding.
• Integrations you connect: Google account email, QuickBooks company ID, Twilio phone number.
• Audit log entries (login times, configuration changes, IP addresses).

From end-customers chatting with a Remly-powered bot

• Messages typed into the chat widget, plus any photos or files attached.
• Contact details the end-customer provides (name, phone, email, address).
• Channel metadata: timestamps, source (website/SMS/WhatsApp), session ID.

2. How we use it

• To provide the chatbot service, deliver leads to our Customer, and route messages between channels.
• To bill, support, and communicate with our paying Customers.
• To detect abuse, debug errors, and improve the platform (in aggregate or with identifying details removed where practical).
• To comply with legal obligations.

We do not sell personal information, and we do not use end-customer chat content to train AI models. See AI below.

3. Legal bases (EEA/UK visitors)

Where the GDPR applies, we rely on these legal bases:

• Contract — to deliver the service you signed up for.
• Legitimate interests — to operate, secure, and improve the platform.
• Consent — for optional cookies and marketing communications, where required.
• Legal obligation — for tax, accounting, and lawful requests.

4. Who we share with (subprocessors)

We use the following third-party services to operate Remly. We share only what each one needs.

Subprocessor	Purpose	Data shared
Amazon Web Services (AWS Lightsail, US)	Hosting and database storage	All data, encrypted in transit
Anthropic, PBC	AI chat responses (Claude API)	Chat messages and configuration prompts
Stripe, Inc.	Payment processing	Billing details, customer name and email
Twilio, Inc.	SMS, voice, missed-call routing	Phone numbers, message bodies
Google LLC	Workspace email (info@goremly.com), Sheets export, OAuth login	Email content, sheet rows, account email
Intuit, Inc. (QuickBooks Online)	Customer, invoice, and estimate sync	Customer name, contact, invoice line items
Meta Platforms, Inc. (WhatsApp Cloud API)	WhatsApp messaging (when enabled)	Phone numbers, message bodies, media

We may also disclose information when required by law (subpoena, court order), to enforce our Terms, or to protect rights and safety. We will give notice where legally permitted.

If we are involved in a merger, acquisition, or sale of assets, your information may transfer to the successor entity, subject to the protections in this policy.

5. AI and large language models

Remly uses Anthropic's Claude API (Haiku model family) to generate chatbot responses. When an end-customer sends a message:

• The message and the relevant business configuration are sent to Anthropic's API.
• Anthropic processes the request and returns a response.
• Per Anthropic's commercial terms, your data is not used to train Anthropic's models. Anthropic may retain inputs and outputs for up to 30 days for trust and safety purposes.
• Prompt caching may temporarily store portions of the prompt for up to a few minutes to reduce latency and cost.

AI-generated responses can be inaccurate. For the avoidance of doubt: chatbot answers are not professional advice (legal, medical, electrical, etc.) and should not be relied on as such. Pricing, availability, and scheduling shown by the bot are estimates until confirmed by the business.

Per California Business & Professions Code §17940 (the Bot Disclosure Law) and similar rules, our chatbot identifies itself as automated when interacting with users.

6. How long we keep data

We retain personal information for as long as it is needed to provide the service or to comply with our legal obligations. In practice:

• Account and billing records: retained while your account is active and for up to 7 years afterward for tax and accounting purposes.
• Lead and chat records: retained until the Customer requests deletion or closes the account.
• Server logs: retained for up to 90 days.
• Audit log: retained for up to 2 years.

We do not currently auto-delete data on a fixed schedule. If you want your data removed sooner, see Your rights.

7. Security

We protect data with administrative and technical safeguards reasonable for a small SaaS:

• TLS 1.2+ encryption for all traffic to and from the platform (Let's Encrypt certificate, auto-renewing).
• Access-controlled infrastructure (SSH key authentication, no public database ports).
• Secrets stored in OS-level environment variables, not in source files.
• Cross-site request forgery (CSRF) protection, secure session cookies, and rate limiting on sensitive endpoints.
• Stripe handles cardholder data; we never see or store full card numbers.

What we do not currently do: our database files are not encrypted at rest at the disk level. Daily snapshots of the server are taken by AWS Lightsail and are subject to AWS's security controls. We may add at-rest encryption as we grow. No system is perfectly secure; you use the service at your own risk.

8. Your rights

You can ask us to:

• Confirm what personal information we hold about you.
• Provide a copy of that information.
• Correct information that is wrong.
• Delete your information (subject to legal retention obligations like tax records).
• Restrict or object to certain processing.
• Receive your information in a portable format.
• Withdraw consent where processing is based on consent.

To exercise any of these rights, email privacy@goremly.com. We aim to respond within 30 days. We may need to verify your identity before acting on a request.

If you are an end-customer of one of our paying Customers, please contact that business first — they control the data and we act on their instructions. We will help them respond.

9. California, Texas, and other state rights

Residents of certain U.S. states (including California, Virginia, Colorado, Connecticut, Utah, Texas, and others as laws come into effect) have additional rights, including the right to access, correct, delete, and obtain a copy of their personal information, and the right to opt out of "sale" or "sharing" of personal information for cross-context behavioral advertising.

We do not sell personal information, and we do not share it for cross-context behavioral advertising. We do not knowingly process sensitive personal information for purposes that would trigger TDPSA disclosure obligations. If you would like to exercise a state-law right, email privacy@goremly.com.

You may also designate an authorized agent to make a request on your behalf. We may verify the request directly with you.

California "Shine the Light" requests can be sent to the same address.

10. Cookies and tracking

We use a small number of cookies:

• Session cookies for login state and CSRF protection (essential).
• Stripe cookies on checkout pages, set by Stripe to prevent fraud (essential).

We do not currently use third-party advertising or analytics cookies. If we add analytics in the future, we will update this policy and provide a way to opt out where required.

11. SMS, calls, and WhatsApp

If you give a phone number to a Remly-powered chatbot, the operating business may contact you by SMS, voice, or WhatsApp. Message and data rates may apply. SMS opt-in is collected at the point where you provide the number; you can reply STOP to any SMS to opt out, or HELP for assistance.

Mobile information (phone number, opt-in status, message content) is not shared with third parties or affiliates for marketing or promotional purposes. It is shared only with subprocessors that deliver the messaging itself (Twilio, Meta WhatsApp).

12. Scope of this Policy

This policy applies to data Remly collects directly: visits to goremly.com and the accounts of paying Customers.

For chat conversations between an end-customer and a Customer's chatbot, the Customer is the data controller. They decide what data to collect, how long to keep it, and what to do with it. Remly processes that data on the Customer's instructions under our Data Processing Addendum, which is incorporated by reference into the Terms of Service. End-customers should consult the Customer's own privacy policy for the complete picture.

13. Children

Remly is not directed to children under 13 (or under 16 in the EEA/UK), and we do not knowingly collect their personal information. If you believe we have, contact us and we will delete it.

14. Changes

We may update this policy from time to time. The "Last updated" date at the top reflects the most recent change. Material changes will be communicated to active Customers by email.

15. Contact

Questions, requests, or complaints:

• Email: privacy@goremly.com
• General: info@goremly.com

Remly is operated by REMLY LLC, a New York limited liability company based in the United States. EU/UK residents may also lodge a complaint with their local data protection authority.

Portions of this policy are adapted from 37signals' open-source policies under the Creative Commons Attribution 4.0 license.