Privacy Policy
Contents
- Who we are
- Scope of this policy
- Information we collect
- Google user data
- Google API Limited Use disclosure
- How we use information
- AI processing
- Sharing and disclosure
- Subprocessors
- Data retention
- Security
- Your rights and choices
- Account and data deletion
- Cookies and tracking
- Children's privacy
- International users
- Changes to this policy
- Contact
1. Who we are
SureReply ("SureReply," "we," "us," or "our") is a software-as-a-service platform, operated by a limited liability company based in North Carolina, United States, that helps businesses manage their Google Business Profile reviews. Our primary contact for privacy matters is hello@surereply.ai.
2. Scope of this policy
This Privacy Policy describes how we collect, use, store, and share information when you:
- Visit surereply.ai or any subdomain we operate;
- Create an account and use the SureReply application ("the Service");
- Connect a Google Business Profile account to SureReply; or
- Communicate with us by email or other channels.
If you are an end-user leaving a review on a Google Business Profile managed by a SureReply customer, this policy does not govern how Google handles your review. Google's own privacy policy applies to that data. SureReply receives a copy of your public review solely for the purpose of helping the business respond to it.
3. Information we collect
3.1 Information you give us
- Account information. Name, email address, and profile details provided when you sign up. Authentication is handled by Clerk; we receive your name and email from Clerk.
- Business profile configuration. Practice name, office addresses, phone numbers, operating hours, staff names and roles, brand voice preferences, and other details you enter to configure how SureReply drafts responses on your behalf.
- Billing information. When we begin charging for the Service, billing will be processed by a third-party payment processor. We do not store full card numbers on our systems.
- Support communications. Messages you send us by email or through in-app support.
3.2 Information we collect automatically
- Usage data. Pages viewed, features used, actions taken in the app, timestamps.
- Device and log data. IP address, browser type, operating system, referring URLs, error logs, session identifiers.
3.3 Information we receive from Google
When you connect your Google Business Profile account, we receive data through the Google Business Profile API. See Section 4 (Google user data) for full detail.
4. Google user data
SureReply integrates with Google APIs, including the Google Business Profile API and Google OAuth 2.0 for authentication. When you authorize SureReply to access your Google account, we receive and process the following data on your explicit instruction:
- Business location data: names, addresses, phone numbers, categories, website URLs, operating hours, and other publicly visible details of the Google Business Profiles you manage and authorize us to access.
- Reviews: the full text, star rating, reviewer display name, reviewer profile photo (if public), language, and timestamp of reviews posted to your authorized Google Business Profiles.
- Review responses: any existing owner responses on those profiles, plus any new responses you publish through SureReply.
- Account identifiers: your Google account ID, email address, and the account/location identifiers needed to make API calls on your behalf.
- OAuth access and refresh tokens: the credentials Google issues so SureReply can continue to read reviews and publish responses you have approved, without requiring you to re-authenticate on every action.
We only request the minimum Google OAuth scopes necessary to provide the Service: specifically, scopes that allow us to read your Google Business Profile locations and reviews, and to publish responses to those reviews on your authorized profiles. We will clearly disclose each scope during the Google OAuth consent flow, and you can revoke access at any time from your Google Account permissions page.
5. Google API Services User Data Policy: Limited Use disclosure
SureReply's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Specifically, SureReply commits to the following with respect to data received from Google APIs:
- We use Google user data only to provide or improve user-facing features of SureReply that are prominent in the app's user experience: reading your reviews, drafting AI-assisted response suggestions, allowing your staff to approve or edit those drafts, and publishing approved responses to your Google Business Profile.
- We do not use Google user data to serve advertisements of any kind.
- We do not sell Google user data to any party, for any purpose.
- We do not transfer Google user data to third parties except:
  - as necessary to provide or improve user-facing features of SureReply (for example, sending review text to our AI subprocessor so it can generate a draft response you will review);
  - for security purposes, such as investigating abuse; or
  - to comply with applicable law or as part of a merger, acquisition, or sale of assets, in which case we will provide notice to affected users.
- We do not allow humans to read Google user data except:
  - with your affirmative agreement for specific messages (for example, when a staff member at your practice opens the review dashboard to approve a response);
  - as necessary for security purposes, such as investigating abuse or a security incident;
  - to comply with applicable law; or
  - where the data has been aggregated and anonymized such that it cannot be used to identify an individual.
- We do not use Google user data to train generalized or third-party AI models. Review content sent to our AI subprocessor (Anthropic) is processed under Anthropic's commercial terms, which prohibit training of their foundation models on customer inputs.
6. How we use information
We use the information described above to:
- Authenticate you and keep your account secure;
- Read your Google reviews and display them in your SureReply dashboard;
- Generate AI-assisted draft responses based on the review content, your configured brand voice, and your staff directory;
- Publish approved responses back to your Google Business Profile;
- Detect when a reviewer edits a review after you have responded ("review drift") and alert you;
- Send transactional emails (for example, daily digests, account notifications);
- Provide customer support;
- Monitor, maintain, and improve the Service, including debugging issues;
- Prevent fraud, abuse, and security incidents; and
- Comply with our legal obligations.
7. AI processing
SureReply uses large language models provided by Anthropic (the Claude model family) to generate draft responses to your reviews. When you view or interact with a review in SureReply, we may send the following to Anthropic's API:
- The text of the review;
- The reviewer's public display name and star rating;
- Your configured practice profile (name, industry, office location, staff directory, tone preferences); and
- Any in-app instructions you give to the AI (for example, "refine this response to be shorter").
Anthropic processes this data under their commercial API terms. Anthropic does not train its foundation models on inputs or outputs submitted through its commercial API. Data sent to Anthropic is retained by Anthropic only for the period described in their data retention policies, which is limited and applied for safety and abuse-prevention purposes only.
You can read Anthropic's data handling terms at anthropic.com/legal/commercial-terms and their privacy policy at anthropic.com/legal/privacy.
8. Sharing and disclosure
We do not sell your personal information or your Google user data. We share information only in these limited circumstances:
- Subprocessors. Vendors that host our infrastructure, send emails, or process AI requests on our behalf. See Section 9.
- Within your organization. If your practice has multiple staff accounts on SureReply, reviews and responses are visible to other authorized staff at your practice.
- Legal requirements. When required by law, court order, or valid government request, or to protect the rights, property, or safety of SureReply, our users, or the public.
- Business transfers. In the event of a merger, acquisition, bankruptcy, or sale of assets, information may be transferred to the acquiring party. We will notify you before your information becomes subject to a different privacy policy.
9. Subprocessors
SureReply uses the following subprocessors to operate the Service:
- Cloudflare, Inc. - Hosting, content delivery, databases, storage, and DDoS protection.
- Clerk.com - User authentication, session management, and multi-factor authentication.
- Anthropic, PBC - AI model inference for generating response drafts and analysis.
- Resend - Transactional email delivery.
- Google LLC - Source of the reviews and business profile data you authorize us to access.
We review each subprocessor for security and privacy practices before engagement. Current subprocessors are listed above; we will update this list when it changes.
10. Data retention
We retain information for as long as your account is active and as long as reasonably necessary to provide the Service. Specifically:
- Account and profile data: retained until you delete your account, then deleted within 30 days (subject to legal retention obligations).
- Reviews and responses: retained while your Google Business Profile remains connected to SureReply, plus up to 90 days after disconnection for operational continuity, then deleted.
- OAuth tokens: retained only while your Google integration is active. When you revoke access or delete your account, tokens are deleted from our systems within 7 days.
- Logs and usage data: retained for up to 90 days for debugging and security purposes, then deleted or aggregated.
- Backups: our encrypted backups may retain residual data for up to 35 days beyond the deletion dates above. Backups are only restored in the event of a disaster.
11. Security
We take reasonable measures to protect your information:
- All traffic to and from SureReply is encrypted in transit using TLS 1.2 or higher.
- Data stored in our databases is encrypted at rest.
- OAuth tokens and other secrets are stored encrypted and are accessible only to authorized parts of our infrastructure.
- Staff access to production systems requires multi-factor authentication and is limited to the minimum personnel needed.
- We log and monitor access to sensitive data.
No system is perfectly secure. If we learn of a security incident that affects your data, we will notify you as required by applicable law.
12. Your rights and choices
Depending on your location, you may have the following rights:
- Access. Request a copy of the personal information we hold about you.
- Correction. Ask us to correct inaccurate or incomplete information.
- Deletion. Ask us to delete your personal information (subject to legal retention obligations).
- Portability. Request a machine-readable copy of certain information you have provided.
- Objection or restriction. Object to or ask us to restrict certain processing.
- Withdraw consent. Where processing is based on your consent, withdraw it at any time.
To exercise any of these rights, email hello@surereply.ai. We will respond within 30 days. You can also revoke SureReply's access to your Google account at any time at myaccount.google.com/permissions.
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), including the right not to be discriminated against for exercising your rights. SureReply does not sell personal information as that term is defined under California law.
If you are in the European Economic Area, United Kingdom, or Switzerland, you have rights under the GDPR. The legal basis for our processing is (a) performance of our contract with you, (b) your consent where applicable, (c) our legitimate interests in operating and securing the Service, and (d) compliance with legal obligations.
13. Account and data deletion
You can request deletion of your SureReply account and all associated data at any time by emailing hello@surereply.ai from the email address on file. We will:
- Confirm your request within 3 business days;
- Revoke and delete all OAuth tokens for your connected Google accounts within 7 days;
- Delete your account, profile data, reviews cache, and response history from production systems within 30 days; and
- Purge residual data from encrypted backups within 35 days thereafter.
You can also revoke SureReply's access to your Google data directly from your Google account, independent of your SureReply account status.
14. Cookies and tracking
SureReply uses a small number of cookies and similar technologies, all of which are strictly necessary for the Service to function:
- Authentication cookies set by Clerk to keep you logged in.
- Session cookies to preserve your in-app state.
We do not use advertising cookies, third-party tracking pixels, or cross-site tracking. We do not sell or share your browsing activity for advertising purposes.
15. Children's privacy
SureReply is a business-to-business service intended for use by adults. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, email us at hello@surereply.ai and we will delete it.
Note: although many of our customers operate pediatric practices, the SureReply Service itself is used by adult staff at those practices, not by children.
16. International users
SureReply is operated from the United States. If you access the Service from outside the United States, your information may be transferred to, stored, and processed in the United States or other countries where our subprocessors operate. Where required by law, we rely on appropriate safeguards such as Standard Contractual Clauses for international data transfers.
17. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify you by email or in the app before the changes take effect. Continued use of the Service after the effective date constitutes acceptance of the updated policy.
18. Contact
Questions, requests, or concerns about this policy or our privacy practices? Get in touch:
Email: hello@surereply.ai
Subject line: Privacy inquiry