GDPR Compliance
Last updated: March 18, 2026
This page explains how Replisk complies with the General Data Protection Regulation (GDPR) for users in the European Economic Area (EEA), United Kingdom, and Switzerland.
Legal Basis for Processing
We process personal data under the following legal bases:
- Contract performance (Article 6(1)(b)): Processing your email, subscription data, and analysis history is necessary to provide the Replisk service you signed up for.
- Legitimate interests (Article 6(1)(f)): IP-based rate limiting for security and abuse prevention, and aggregate usage analysis for service improvement.
- Consent (Article 6(1)(a)): Transactional email notifications (analysis complete, subscription changes). Consent can be withdrawn at any time via the unsubscribe link.
International Data Transfers
Replisk's infrastructure and third-party processors are located in the United States:
- DigitalOcean — Server hosting (New York, USA)
- Anthropic — AI analysis processing (USA)
- Clerk — Authentication (USA)
- Lemon Squeezy — Payment processing (USA)
- Resend — Transactional email (USA)
These transfers are covered by the EU-US Data Privacy Framework and/or Standard Contractual Clauses (SCCs) maintained by our processors. Each processor listed above has committed to GDPR-compliant data processing.
Your Rights Under GDPR
| Right | How to Exercise |
|---|---|
| Right of access (Art. 15) | Email privacy@replisk.com or GET /api/v1/me |
| Right to rectification (Art. 16) | Update via account settings or email us |
| Right to erasure (Art. 17) | Email privacy@replisk.com — processed within 30 days |
| Right to restrict processing (Art. 18) | Email privacy@replisk.com |
| Right to data portability (Art. 20) | Email privacy@replisk.com for JSON export |
| Right to object (Art. 21) | For marketing: use unsubscribe link. For other processing: email us |
| Right to lodge a complaint | Contact your local Data Protection Authority (DPA) |
We respond to all data subject requests within 30 days. If we need more time (up to 60 additional days for complex requests), we will notify you within the initial 30-day period.
Data Processing Agreement
Enterprise users who require a formal Data Processing Agreement (DPA) for compliance purposes can request one at privacy@replisk.com.
Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected users without undue delay, as required by Articles 33 and 34 of the GDPR.
Automated Decision-Making
Replisk uses automated analysis (crawling + AI) to generate replicability scores. These scores are informational only and do not produce legal effects or similarly significant effects on individuals. Analysis scores are not used for profiling, credit scoring, or employment decisions.
EU Representative
As required by Article 27 of the GDPR, we are in the process of appointing a representative in the European Union. Until a formal representative is designated, all inquiries from EU data subjects and supervisory authorities can be directed to privacy@replisk.com. This page will be updated once the appointment is finalized.
Data Controller
Miguel Fornero
CUIT: 20-39644850-6
Buenos Aires, Argentina
privacy@replisk.com
All GDPR requests: privacy@replisk.com