Your own email agent. On your own server, at your own pace.
reply2mail Business installs on a server that is never shared with another customer. Speed and control stay with you; we install and operate it under contract. Data lives in the region you pick, with your own backups and your own audit log — and the legal/compliance paperwork is ready when your team asks.
Pricing and scope are tailored per customer; no list price is shown on this page. After we understand your profile we send a written quote.
Why a dedicated VPS?
A shared SaaS, even when contractually safe, architecturally puts your data on the same CPU, the same disk and the same database as other customers. Business changes that at the root.
Single tenant
You’re alone on the server. Another customer’s traffic, queries or errors can’t reach you in any form; isolation is architectural, not just policy.
Choose your region
You pick the server location: EU, Turkey, US, or elsewhere. Your data never leaves the jurisdiction KVKK or GDPR requires.
Your database
A PostgreSQL instance dedicated to you alone — users, identities, mail content, audit log, everything in a single database. Portable on demand.
Operated under contract
We install, update, monitor and back up — under contract: scope, SLA, confidentiality and limits on engineer access to customer data are explicit.
Audit log retention
Every sensitive action by the agent (sent a mail, deleted a mail, added a rule, updated memory) is kept for at least 3 years. Who did what, when — ready for forensic review.
Secrets and keys
IMAP/SMTP passwords and API keys are encrypted at rest with Fernet; rotation runs without downtime. No plaintext storage.
What you get
Single-tenant isn’t only a compliance argument — it changes daily operation too.
- Nobody else on the box; inbox growth doesn’t mean delays caused by someone else’s traffic.
- Update windows are agreed with you; no surprise rollouts, no surprise behaviour changes.
- A PostgreSQL dump and the file volume are yours on demand, portable to any provider.
- Your own prompt policy, approval rules and integrations are built in.
- Contracted support staff are named; you know who is authorised, and at what level.
- The KVKK and GDPR contract and DPA pack is ready, which saves your compliance team hours.
Architecture and data flow
Where an inbound mail goes, which components it crosses, which boundaries it does not cross:
Customer / end-user
Their email provider (Gmail, Outlook, your Exchange, IMAP).
Your VPS
The reply2mail app, hosted only for you, pulls the new email over IMAP. Traffic is TLS.
Your PostgreSQL
Mail content, agent decision and audit entry are written only to your DB. Never shared with another tenant.
LLM provider
A model is called via OpenRouter for generation. Call content isn’t logged on our side; only token counts are tallied.
Reply
The draft enters your approval flow; nothing is sent until you confirm. Each step is logged in the audit table.
- Web server, app, database, disk — each dedicated to a single tenant. No neighbours.
- Code comes from us, data stays with you. You can take your backup and move it to another provider whenever you choose.
- Bring your own LLM key if you prefer — usage charges go to your OpenRouter account, not ours.
- PostgreSQL backups are written, encrypted, to an object store of your choice (e.g. Cloudflare R2 in an EU region).
Security layers
Protection at three distinct levels: in transit, at rest, in action.
TLS in transit
IMAP/SMTP runs over TLS. API traffic at https://api.reply2mail.app with HSTS enabled.
Encryption at rest
IMAP/SMTP passwords and LLM keys are Fernet-encrypted. Key rotation via MultiFernet, with no downtime.
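The rotation pattern named here and under "Secrets and keys", as an added example using Fernet and MultiFernet from the Python `cryptography` package. It is not reply2mail's own code; the secret names, values and in-memory store are constructed for illustration.

```python
from cryptography.fernet import Fernet, InvalidToken, MultiFernet


def can_decrypt(f, token, expected):
    """True if f (a Fernet or MultiFernet) recovers `expected` from `token`."""
    try:
        return f.decrypt(token) == expected
    except InvalidToken:
        return False


def rotate_all(stored, new_key, old_key):
    """Re-encrypt every stored token under new_key."""
    # Order matters: MultiFernet encrypts with the FIRST key, decrypts with any.
    ring = MultiFernet([Fernet(new_key), Fernet(old_key)])
    return {name: ring.rotate(token) for name, token in stored.items()}


def demo():
    old_key, new_key = Fernet.generate_key(), Fernet.generate_key()
    # Constructed sample secrets, encrypted at rest under the old key.
    plain = {"imap_password": b"constructed-imap-pw",
             "llm_api_key": b"constructed-llm-key"}
    stored = {n: Fernet(old_key).encrypt(v) for n, v in plain.items()}

    ring = MultiFernet([Fernet(new_key), Fernet(old_key)])
    new_only, old_only = Fernet(new_key), Fernet(old_key)
    result = {
        # Step 1: ring [new, old] is deployed; existing tokens stay readable.
        "readable_during_rotation": all(
            can_decrypt(ring, stored[n], v) for n, v in plain.items()),
        # Failure mode: dropping the old key before re-encrypting locks you out.
        "early_retirement_breaks": not any(
            can_decrypt(new_only, stored[n], v) for n, v in plain.items()),
    }
    # Step 2: re-encrypt every token (in a real store: row by row).
    rotated = rotate_all(stored, new_key, old_key)
    # Step 3: the old key can be retired; it opens none of the rotated tokens.
    result["readable_with_new_key_only"] = all(
        can_decrypt(new_only, rotated[n], v) for n, v in plain.items())
    result["old_key_useless"] = not any(
        can_decrypt(old_only, rotated[n], v) for n, v in plain.items())
    return result


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The order of the three steps is what keeps the service available: the old key is removed only after every token has been re-encrypted.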
Approval gate
Sending mail, deleting mail, cancelling a meeting — every destructive action asks for explicit on-screen approval; the agent can’t trigger them automatically.
Audit log (3 years)
Each tool call and sensitive action is retained for 3 years. Which user, which mail, which model — a single table.
Data minimisation
Mail bodies are not written to application logs. Error logs carry meta info (timestamp, id) only, never content.
Versioning and change
The exact commit running on your VPS is visible from the UI; every update is preceded by a written notice and a backup.
KVKK & GDPR — in brief
The first four points your legal/compliance team will ask about. The full machinery (DPA, sub-processor list, breach notification, access policy) arrives in writing during contracting.
- For your end-users you are the controller; we act as processor within contractually defined limits. KVKK art. 3 / GDPR art. 4 definitions carry into the written agreement.
- You choose the server region. If a cross-border transfer is required, we agree the right mechanism together; SCCs are used for the EU.
- Retention windows are configurable. On erasure requests, records visible to the agent are removed with a single command; audit-log entries are retained but anonymised.
- A PostgreSQL dump is yours on demand. On exit, the whole dataset is delivered in SQL form; our copies are irreversibly deleted within the contractual window.
Legal note: this page is not legal advice. Loop in your own counsel for your jurisdiction. Contracting delivers a written package: DPA/AVB, sub-processor list and compliance documents.
Operations and support
From install to daily run, what we do and what we don’t:
Install
We pick the cloud provider with you (Hetzner, AWS EU, GCP TR, etc.). Install typically completes in 2-5 business days.
Updates
Scheduled updates along the stable release branch (weekly or fortnightly). Critical security patches always go first.
Backups
A daily encrypted PostgreSQL backup is shipped to the object store you nominate. Restore drills are run twice a year.
Monitoring & alerts
Health probes run continuously; on failure, both you and we are alerted simultaneously via phone/Telegram.
Access
Admin access is limited to contracted support engineers; SSH keys are registered; every session lands in the audit log.
Data-view authority
Operations engineers only look at end-user content with your explicit written request and within contractual limits; routine tasks touch metadata only, not content.
Common questions
What execs and IT ask before contracting. Deeper legal items arrive in the written package at the contracting stage.
How long does install take?
Typically 2–5 business days. Path: pick provider → DNS → install → connect mailbox → walk through the approval flow together.
Will my data leave the EU / Turkey?
No — you pick the VPS region. LLM traffic to OpenRouter (minimum context only) is handled separately in the contract; with a BYOK key the content is routed through your account entirely.
How much data is sent to OpenRouter?
Only the context needed to generate a reply at that moment. No history, audit log, user list, password or backup is included.
Who can access the server?
Only contracted support engineers, via registered SSH keys. Every connection surfaces in your audit log. Cut all access with a single command if needed.
If we terminate, how do we get our data?
Encrypted PostgreSQL dump + disk volume are delivered to you. Our copies are irreversibly deleted within the contractual window (typically 30 days); written confirmation is sent.
Let’s talk
Once we know your profile, we send a written package covering technical scope and legal framing. Include the items below in your first email and we’ll reply within one business day:
- Approximate active users / mail volume
- Preferred server region (EU, TR, US, other)
- Mail provider to connect (Gmail, Outlook, your Exchange, IMAP)
- Specific retention / erasure requirements
- Any additional frameworks you must satisfy (e.g. HIPAA)
- Target go-live date