Relaay

Legal

Privacy policy

Last updated 13 July 2026

This policy explains how Relaay handles personal data when you visit our website, use the service, or communicate with Mia through WhatsApp, Telegram or the web workspace.

1. Who is responsible for your data

Relaay provides the service and is responsible for the personal data described here. Our public privacy contact is Tristan Nicolaides at [email protected].

A customer organisation controls the CRM data its team submits to Relaay. In that situation, the customer decides why the data is processed and Relaay processes it on the customer's instructions. Relaay remains responsible for account, website and direct business-contact data collected for its own purposes.

2. Data we collect

We collect only the information needed to operate, secure and improve the service.

  • Account and team data, such as names, email addresses, roles, permissions and authentication records.
  • Channel identity data, such as phone numbers, WhatsApp or Telegram identifiers, connected business numbers and pairing status.
  • Conversation data, including inbound and outbound messages, sender and recipient identifiers, provider message identifiers, timestamps, delivery status and the provider payload needed to process a message.
  • CRM data created or supplied by users, including contacts, companies, opportunities, tasks, notes, custom fields and activity history.
  • Operational and security data, such as service diagnostics, request metadata, error reports and audit events. We limit or remove message bodies, credentials, cookies and user identity from diagnostics wherever possible.
  • Website contact data when you email, call or ask for early access.

3. Why we use personal data

We use personal data to provide and administer Relaay, route messages to the correct workspace, turn authorised instructions into CRM actions, send replies, maintain conversation context, prevent abuse, secure accounts, troubleshoot failures, support customers and meet legal obligations.

Depending on the relationship and location, we rely on performance of a contract, legitimate interests in operating and securing Relaay, consent where required, and compliance with law. A customer using Relaay is responsible for having a valid basis to submit its team and client data.

4. WhatsApp, Meta and Anthropic

Relaay uses the WhatsApp Business Platform provided by Meta to receive and send messages. Meta and WhatsApp process phone numbers, message content and delivery information as service providers or processors under their applicable terms. Data that remains in WhatsApp is also subject to Meta's privacy terms.

To understand an instruction, Relaay sends Anthropic the current message text, limited recent conversation context, relevant compact topic summaries and the available action definitions. Anthropic returns an intent, structured action input or reply. For longer WhatsApp conversations, Anthropic may also create a short topic summary. Relaay does not give Anthropic unrestricted access to the CRM database.

We may use infrastructure, communications and error-monitoring suppliers that process limited data only to provide their services to us. We do not sell personal data or use message content for advertising.

5. How we protect data

Message bodies and raw provider payloads are encrypted at rest using AES-256-GCM with a fresh random value for every encryption. Internal events carry a message record identifier instead of the message body, so clear message text does not travel on the internal event bus.

Inbound webhooks are signature-checked in production. Every request is scoped to a workspace, and inbound channel tenancy is derived from the connected account and paired sender rather than accepted from message content. Roles, permissions and optional human approval limit access and sensitive actions.

No security measure guarantees absolute protection. We review safeguards as the service evolves and respond to suspected incidents according to their risk.

6. Retention

We keep messages, conversation identifiers, contacts, phone numbers and CRM records while the relevant workspace is active and for as long as needed to provide the service, resolve disputes, prevent abuse or meet legal obligations. Reversible action-change audit records are retained for 30 days by default unless a different valid period is configured.

When data is no longer needed, or after a verified deletion request, we delete or anonymise it unless retention is required by law or necessary for security and legal claims. Residual copies may remain temporarily in protected backups until the ordinary backup cycle expires.

7. International transfers

Some providers, including Meta and Anthropic, may process data outside your country or the European Economic Area. Where required, we rely on recognised safeguards, such as adequacy decisions or standard contractual clauses, together with technical and organisational protections.

8. Your rights and deletion requests

Depending on your location, you may request access, correction, deletion, restriction, portability or objection, and may withdraw consent where processing depends on consent. Send a request to [email protected] with enough information to identify the relevant workspace, account or phone number. We may ask for verification before acting.

If a customer organisation supplied your data, we may refer the request to that organisation or help it respond. A request to Relaay covers data held by Relaay. Copies held independently by WhatsApp, Meta or another channel provider must be handled under that provider's process.

You may also complain to the data-protection authority where you live or work.

9. Website, children, changes and contact

The public marketing website does not currently use advertising or analytics cookies. The authenticated application may use essential storage to secure a session and remember necessary preferences.

Relaay is a business service and is not directed to children. Do not submit a child's data unless you are authorised and have a valid legal basis.

We may update this policy when the service or law changes. We will publish the revised date and give additional notice when a change materially affects your rights. Questions and requests can be sent to [email protected].