ReplyBubble is designed so that your data stays yours. This page explains how we protect your API keys, your customers’ conversations, and your business.

API Key Security

When you connect your OpenAI or Anthropic account, your API key is:
  • Encrypted with AES-256 at rest. Your key is never stored in plain text.
  • Hidden after saving. Once you save your key, it is masked in the dashboard. You cannot view it again — only replace it.
  • Used solely to make API calls on your behalf. ReplyBubble sends your visitors’ questions to the AI provider and returns the answer. That is the only time your key is used.
  • Invisible to ReplyBubble staff. Our team cannot retrieve, view, or access your API key.

How BYOK (Bring Your Own Key) Protects You

ReplyBubble uses a BYOK model. Here is what that means in practice:
  1. A visitor asks a question in your chat widget.
  2. ReplyBubble sends that question to your AI provider (OpenAI or Anthropic) using your API key.
  3. The AI provider processes the question and returns an answer.
  4. ReplyBubble delivers the answer to your visitor.
ReplyBubble is the orchestration layer. The AI processing happens entirely on your provider’s infrastructure, under their privacy policies. ReplyBubble does not train on your data: your conversations are never used to improve our product or any AI model.

Data Handling

| Protection | Detail |
|---|---|
| Encryption in transit | All connections use TLS (HTTPS) |
| Encryption at rest | All stored data is encrypted at rest |
| Tenant isolation | Each customer’s data is fully isolated — no shared access between accounts |
| Data deletion | You can delete your conversation data at any time from the dashboard |

Conversation Data Retention

| Plan | Retention Period |
|---|---|
| Free | 30 days |
| Pro | 365 days |
| Enterprise | Unlimited |

Conversation data beyond your plan’s retention window is not accessible. If you upgrade, access to older history is restored. If you do not upgrade, data is eventually purged after a grace period.

Visitor Data

When someone chats with your widget, ReplyBubble collects:
  • Conversation content — the messages exchanged between the visitor and the bot.
  • Browser information — browser type, language, and device type (used for analytics).
  • Form data — any information the visitor submits through the chat (name, email, etc.).
This data is used solely to power your chatbot and your analytics dashboard. No visitor data is sold to third parties. Ever.

GDPR & Privacy

ReplyBubble supports GDPR compliance for visitors and customers in the EU:
  • Data deletion requests. We process deletion requests promptly. Contact [email protected] to submit a GDPR request.
  • Consent configuration. You can enable widget-level consent prompts in your dashboard under Privacy settings. This lets you collect visitor consent before the chat session begins.

Spam & Abuse Protection

Every incoming message is automatically scored for spam and prompt manipulation. You control what happens next:

| Mode | Behavior |
|---|---|
| Off | No filtering. All messages are processed normally. |
| Monitor | Spam is flagged in your dashboard but still processed. |
| Block | Spam is blocked before it reaches the AI. The visitor sees a generic response. |

Blocked spam messages never consume AI tokens, which protects both your costs and your visitors from abuse. Setup time: under 1 minute. Toggle the mode in your dashboard under Settings.

Infrastructure

  • 99.9% uptime target across all plans.
  • All data is hosted on secure, encrypted infrastructure.
  • Systems are monitored around the clock.