Privacy Policy

Last updated: 30 June 2026

1. Who we are

RelayOS (“RelayOS”, “we”, “us”, “our”) is an AI-native operational communications platform that lets businesses run customer conversations across WhatsApp, Facebook Messenger, and Instagram Direct from a single operator inbox, alongside AI assistants. RelayOS is a product operated by Numobel, a sole proprietorship of Tushar Agrawal registered in India (GSTIN 09ABOPA6149F1ZL), based at B-62, Sector-63, Noida, Uttar Pradesh 201301, India.

This Privacy Policy explains what personal data we process, how, and your rights. It applies to our website at relayos.xyz, the RelayOS application at app.relayos.xyz, and the messaging integrations we provide. RelayOS is a business tool intended for use by businesses and their staff in a professional context. Questions: privacy@relayos.xyz.

2. Our two roles: controller and processor

Your relationship with us determines who is responsible for your data:

  • We are the controller for data about the businesses that subscribe to RelayOS, their operators/staff who log in, website visitors, and prospects. We decide how that data is used.
  • We are a processor for the conversation data that flows through RelayOS on behalf of a business customer — the messages and contact identifiers of end-users who message a business using RelayOS. In that case the business is the controller and we process the data only on their instructions. If you are an end-user who messaged a business, please direct privacy requests to that business; we will assist them as their processor. You may also use the deletion route in Section 11.

3. Information we process

3.1 Account and operator data (controller). Name, email, username, display name, optional avatar, role/permissions, and authentication data for people who sign in to a RelayOS workspace; business/workspace name; and billing-related contact details.

3.2 Customer Data — conversations (processor). When a business connects a channel, we process the content needed to deliver and display their conversations: message content and attachments (text, media, files); contact identifiers such as a Messenger PSID, Instagram-scoped ID, or WhatsApp phone number, and any profile name the platform exposes; conversation metadata (timestamps, delivery/read status, assignment, labels, notes); and knowledge-base content the business uploads for its AI assistants.

3.3 Data we receive from Meta platforms. To provide the messaging service we receive data from the Meta platforms a business connects (Facebook Messenger, Instagram, and the WhatsApp Business Platform), via Meta's APIs and webhooks. This includes the data in 3.2 and the access tokens/asset IDs (Page, Instagram account, or WhatsApp Business Account) the business grants during connection. We use Meta platform data only to provide the RelayOS service to the connecting business. We do not sell it, and we do not use it for advertising or to build cross-business profiles. Our use of Meta platform data complies with the Meta Platform Terms and Developer Policies, including their data-use and deletion requirements.

3.4 Automatic / technical data. Device and connection data (IP address, browser/OS, identifiers) and usage/log data (pages and features used, timestamps, errors) needed to operate, secure, and improve the service.

4. How we use data and our legal bases (GDPR)

  • Provide, operate, and maintain the service and your account — Contract.
  • Deliver and display conversations on behalf of a business — Processor, on the business's instructions.
  • Generate AI assistant replies and suggestions (Section 6) — Contract / the business's instructions.
  • Secure the service, prevent fraud and abuse, debug and audit — Legitimate interests.
  • Communicate service, security, and support messages — Legitimate interests / Contract.
  • Improve and develop the service — Legitimate interests.
  • Comply with legal obligations (e.g. tax, lawful requests) — Legal obligation.

5. Sharing and sub-processors

We do not sell personal data. We share data only with service providers (“sub-processors”) that help us run RelayOS, under contract and only as needed:

  • Meta Platforms, Inc. — to send and receive messages over Messenger, Instagram, and WhatsApp (only for businesses that connect those channels).
  • Hetzner Online GmbH — application and database hosting in Falkenstein, Germany (EU).
  • AI / LLM providers (optional, per the business's configuration) — where a business enables a hosted AI model, the relevant conversation context is sent to that provider to generate a response. Available providers are Google (Gemini), OpenAI, and Anthropic. A business may instead use self-hosted models, in which case AI inference happens on our own infrastructure and no conversation data is sent to a third-party model provider.

We may also disclose data where required by law or lawful request, to protect rights, safety, and security, or in connection with a business transfer (with notice where required).

6. AI and automated processing

RelayOS uses AI to draft replies, summarize, and assist operators. We are model-agnostic — a business chooses whether AI is enabled and which provider is used (self-hosted, Google Gemini, OpenAI, or Anthropic; all optional).

  • No training on your data. We do not use Customer Data to train our own models, and we use third-party AI providers under terms that prohibit them from using Customer Data to train or improve their models.
  • Human oversight. AI output may contain inaccuracies; operators review and control what is sent to end-users. AI does not make legal or similarly significant decisions about individuals.
  • Minimization. Only the conversation context needed to generate a response is sent to the selected provider.

7. International transfers

RelayOS data is hosted in the European Union (Hetzner, Falkenstein, Germany). Some processing involves transfers outside the EEA: our operator administers the service from India, and any optional AI provider a business enables (Google, OpenAI, Anthropic) may process data in the United States. For those transfers we rely on appropriate safeguards, including the EU Standard Contractual Clauses, the UK International Data Transfer Agreement, and — for US providers that are self-certified — the EU-US Data Privacy Framework.

8. Security

  • Encryption at rest — AES-256-GCM with per-tenant keys. Customer message content, contact identifiers, knowledge-base content, and related personal data are encrypted using AES-256-GCM with per-tenant data-encryption keys (envelope encryption with key versioning for rotation).
  • Tenant isolation. Enforced in the database with PostgreSQL row-level security, so one business's data cannot be accessed in another's context.
  • Searchable-data protection. Fields that must be searchable are indexed with keyed HMAC blind indexes rather than stored in plaintext.
  • Encryption in transit. All traffic to the service uses TLS.
  • Access controls, audit logging, and least-privilege administrative access.

More detail is on our Security page. No method of storage or transmission is 100% secure, but we work to protect your data and will notify you and any applicable authority of a qualifying breach as required by law.

9. Retention

We retain Customer Data for as long as the business's account is active and as needed to provide the service, then delete or anonymize it within a reasonable period after account closure or on a verified deletion request (Section 11). We retain account and limited records longer only where required for legal, tax, or fraud-prevention purposes, and only for as long as necessary.

10. Your rights

Subject to your location and applicable law, you may have the right to access, correct, delete, restrict, or object to processing of your personal data, to data portability, and to withdraw consent. If you are in the EEA/UK you may also lodge a complaint with your local supervisory authority. California and other US-state residents have rights to know, delete, correct, and opt out of “sale” or “sharing” — we do not sell or share personal data for cross-context behavioral advertising. To exercise any right, contact privacy@relayos.xyz. If we process your data as a processor on behalf of a business, we will refer your request to that business.

11. Data deletion

You can request deletion of your data at any time. See our Data Deletion instructions, or email privacy@relayos.xyz with the subject “Data Deletion Request”. You can also revoke RelayOS's access to a connected Facebook/Instagram account from that platform's Settings → Business integrations / Apps and websites; revoking access stops further processing but does not by itself delete previously stored data. We confirm completion normally within 30 days of verifying the request.

12. Children

RelayOS is a business tool not directed to children. We do not knowingly collect personal data from anyone under 16. If you believe a child's data has reached us, contact privacy@relayos.xyz and we will delete it.

13. Changes

We may update this Policy. We will post the new version here and update the “Last updated” date; for material changes we will take additional steps to notify affected businesses.

14. Contact

Tushar Agrawal (RelayOS) — privacy@relayos.xyz