1. Who we are
SMART Reply is a Microsoft certified Outlook add in and a LinkedIn browser extension built by bSMART AI Ltd ("we", "us"). Our registered office is in the United Kingdom and we are the data controller for the personal information described in this policy. You can reach us at [email protected] for any data question or request.
2. What SMART Reply does
SMART Reply helps individual professionals and organisations communicate better. It drafts replies inside Outlook, original posts and comments on LinkedIn, plans travel, manages booking pages, captures meeting intelligence, and files emails and attachments to OneDrive or SharePoint. The human always stays in control. Nothing is sent, posted, commented, or filed without explicit user approval.
3. The data we process
To provide the service we process the following categories of data:
- Account data — your name, email address, organisation, and Microsoft tenant identifier when you sign in. We use Microsoft single sign on, so we never see or store your Microsoft password.
- Mailbox data — message metadata and content needed to draft replies, file attachments, and analyse meetings. Your emails stay inside your Outlook tenant. SMART Reply does not mirror or copy your inbox to its own database.
- Knowledge base sources — when you onboard, SMART Reply reads your last 400 emails, your public website, documents you choose to upload, and the websites of your customers, in order to build a knowledge base that captures your voice, your business, and your audience.
- Calendar and contact data — needed for travel diary blocking, multi person availability checks for booking pages, and meeting follow ups. Read and write access is requested through Microsoft Graph permissions you approve at sign in.
- OneDrive and SharePoint folder structures — read during onboarding so SMART Reply can learn your filing rules and place emails and attachments in the correct folders.
- LinkedIn page contents — when you use the SMART Reply browser extension on LinkedIn, the extension reads the post or comment you are responding to so it can draft a reply in your voice. It does not collect your LinkedIn connections list or scrape unrelated content.
- Usage data — anonymous logs of how you use the product, used to keep the service running, fix bugs, and improve drafts.
- Billing data — name, email, billing address, and last four digits of the card used for subscription. Card details themselves are processed by Stripe and are never seen or stored by us.
4. How we use it
We use the data above to provide and improve SMART Reply. Specifically:
- To generate AI drafts of emails, posts, and comments in your voice.
- To file emails and attachments to OneDrive or SharePoint with one click.
- To plan travel and block journey time in your diary.
- To detect when attendees in your organisation are free for meetings.
- To turn meeting transcripts into structured summaries, decisions, actions, and risks.
- To bill you and provide customer support.
- To detect and prevent abuse or fraud.
5. What we never do
We think it is important to be clear about what SMART Reply will not do with your information, in plain language:
- We do not sell, rent, or share your data with advertisers or data brokers.
- We do not use your emails, meetings, documents, or any other customer content to train AI models.
- We do not paste your data into ChatGPT, Claude.ai, or any other consumer AI product. SMART Reply uses commercial AI APIs governed by contracts that prohibit training on your inputs.
- We do not move your inbox out of your Microsoft 365 tenant. The mailbox stays where it has always lived.
- We do not let one customer see another customer's data. Tenants are separated at the database row level.
- We do not send your meeting audio to OpenAI. Transcription runs on Cloudflare Workers AI or on our own servers.
6. Where your data lives
Your emails, attachments, and calendar items stay in your Microsoft 365 tenant the entire time. SMART Reply reads them through Microsoft Graph at the moment a feature runs and does not maintain a parallel store. Your knowledge base, AI behaviour rules, writing tone settings, and product configuration are stored in our Supabase managed PostgreSQL database. Marketing site assets are stored in AWS S3 and served through Cloudflare. Demo video assets are served from DigitalOcean Spaces.
Meeting audio you upload for transcription is processed by Cloudflare Workers AI running the open source Whisper model, or by a Whisper model running locally on our own servers. The audio is not retained after the transcript is produced. Only the resulting text transcript is stored in your Supabase row, and you can delete it at any time.
7. Subprocessors and what each one sees
We use a small number of carefully chosen subprocessors. Each one sees only the data it needs to do its job:
- Microsoft: Microsoft Graph API access to Outlook, OneDrive, SharePoint, and Teams. Microsoft Azure for OAuth and identity. Sees mailbox, calendar, and file content already inside your own Microsoft 365 tenant.
- Anthropic: generates AI drafts, classifications, meeting summaries, and CRM analysis using Claude Sonnet and Claude Haiku. Receives the specific email, transcript, or document being processed at the moment the feature runs. Anthropic does not train its models on data routed through their API and applies a short retention window for abuse monitoring before deletion.
- OpenAI: produces vector embeddings for knowledge base search, and runs supplementary classification and tone analysis tasks. Receives only the specific text being processed for that task. OpenAI does not train its models on data routed through their API and applies a short retention window for abuse monitoring before deletion. OpenAI does not receive your meeting audio.
- Cloudflare: content delivery network and DNS for bsmart-ai.com. Cloudflare Workers AI runs the open source Whisper model on Cloudflare's own infrastructure to transcribe meeting audio. Audio is processed in memory and not retained.
- Render: hosts the SMART Reply application servers and background workers. Sees data in transit while requests are being served.
- Supabase: managed PostgreSQL database for user accounts, knowledge base entries, AI behaviour rules, writing tone settings, transcripts, and product configuration. Encrypted at rest.
- Amazon Web Services: AWS S3 stores the marketing website source files and static assets. Does not receive customer content.
- DigitalOcean: DigitalOcean Spaces and CDN host product demo videos and large media assets. Does not receive customer content.
- Stripe: subscription billing, payment processing, and customer billing portal. Receives billing identifiers and payment details. Does not receive any mailbox, meeting, or document content.
We will notify customers of any material change to this list. A Data Processing Addendum is available on request for organisations that need one.
8. Your rights
If you are based in the UK, the European Economic Area, or another jurisdiction with similar laws, you have the right to access, correct, delete, restrict processing of, or port your personal data. You also have the right to object to processing and to lodge a complaint with your data protection authority. To exercise any of these rights, email [email protected] and we will respond within thirty days.
9. Data retention
We keep your knowledge base and product configuration for as long as you have an active account. If you cancel, we delete your data within ninety days of cancellation, unless we are required to keep specific records for legal or accounting reasons. You can request earlier deletion at any time.
10. Cookies and tracking
The bsmart-ai.com marketing site uses minimal cookies for session handling and basic analytics. We do not use third party advertising trackers. The SMART Reply application uses essential cookies only for authentication.
11. Security
We protect your data with industry standard measures. All connections to SMART Reply use TLS 1.2 or higher. Stored data is encrypted at rest. Production access is restricted to a small number of named engineers and audited. We are working towards SOC 2 Type II certification.
12. Children
SMART Reply is a business tool. It is not intended for and not knowingly used by children under sixteen.
13. Changes to this policy
If we make material changes to this policy we will notify active customers by email at least thirty days before the change takes effect. The current version is always at this URL with the date of the last update at the top.
14. Contact
For any privacy question or request, please email [email protected].