Privacy Policy

Effective Date: February 21, 2026 · Last Updated: February 21, 2026

Respondi ("we," "us," or "our") operates the Respondi platform (the "Service"), a business-to-business software-as-a-service application that helps property managers, dental practices, restaurants, and other small businesses manage and respond to Google reviews using artificial intelligence.

This Privacy Policy describes what personal information we collect, how we use it, who we share it with, and the rights you have regarding your data. It applies to all users of the Service, including visitors to our website at respond-i.com.


1. Information We Collect

1.1 Information You Provide Directly

  • Account information. When you create an account, we collect your email address. We authenticate you via a passwordless magic-link system; we do not collect or store plaintext passwords.
  • Business information. You provide your business name, Google Place ID, industry category (e.g., dental, restaurant, apartments), timezone, and optional brand voice preferences that guide how AI-generated responses are written.
  • Payment information. When you subscribe to a paid plan, you provide payment details (such as credit or debit card information) through our payment processor, Stripe. We do not receive, process, or store your full card number, CVV, or other sensitive payment credentials. We store only a Stripe customer identifier and subscription identifier to manage your billing relationship.
  • Communications. If you contact us for support, we may retain the content of those communications.

1.2 Information We Collect Automatically

  • Google review data. We periodically retrieve publicly available reviews of your business from the Google Places API, including reviewer display names, star ratings, review text, publication dates, and any existing owner responses. This data is publicly available on Google and does not include reviewer email addresses, phone numbers, or other private contact information.
  • Session and authentication data. We use session cookies and, if you choose to stay signed in, a persistent remember-me cookie (retained for up to 14 days) to maintain your authenticated session. We generate cryptographically hashed authentication tokens stored in our database; these tokens are automatically invalidated after their expiration period.
  • Usage data. We collect standard server-side telemetry, including request durations and database query performance metrics, for operational monitoring. This telemetry is stored locally on our infrastructure and is not transmitted to any third-party analytics service. We do not use client-side analytics tools (such as Google Analytics, Mixpanel, or similar services), and we do not embed third-party tracking scripts on our website or application.

1.3 Information We Collect from Third-Party Sources

  • Business directory data. For our outreach operations, we may collect publicly available business information from the Google Places API, including business names, addresses, phone numbers, websites, star ratings, and review counts.
  • Business contact information. We may collect the names, job titles, and business email addresses of decision-makers at prospective customer organizations through publicly available sources, including business websites. This information is used solely for business-to-business outreach purposes.
  • Review aggregation data. We use SerpAPI, a third-party search data provider, to retrieve publicly available Google review data, including reviewer display names, ratings, review text, and owner response rates. This supplements data from the Google Places API.

2. How We Use Your Information

We use the information we collect for the following purposes:

  • Providing the Service. To sync your Google reviews, generate AI-drafted responses using your brand voice preferences, and present them for your review and approval.
  • AI response generation. We send review text, reviewer display names, star ratings, your business name, and your brand voice instructions to our AI provider (Anthropic) to generate personalized review response drafts. This is the core function of the Service.
  • Billing and account management. To process payments, manage subscriptions, enforce plan limits, and communicate with you about your account.
  • Email digests. If you enable email digests, we send periodic summaries of new reviews and pending responses to your registered email address via our email delivery provider (Mailgun).
  • Business outreach. We use collected business contact information to send relevant B2B communications about our Service. All outreach emails include a functioning unsubscribe mechanism and our physical mailing address in compliance with the CAN-SPAM Act.
  • Email delivery monitoring. For outreach emails, we track whether messages were delivered, opened, or clicked, and whether they bounced or received complaints. We use a 1x1 tracking pixel to detect email opens and redirect-based link tracking to detect clicks. This information helps us maintain email deliverability and comply with anti-spam best practices. We do not use these tracking mechanisms in transactional emails to our registered users (such as magic-link login emails or account digests).
  • Service improvement and security. To monitor system performance, detect abuse, enforce rate limits, and maintain the security and integrity of the Service.

3. How We Share Your Information

We do not sell your personal information. We share data with the following categories of service providers, each of which processes data solely on our behalf and in accordance with our instructions:

| Service Provider | Data Shared | Purpose |
|---|---|---|
| Anthropic (Claude API) | Review text, reviewer display names, star ratings, business name, brand voice instructions | AI-powered response generation |
| Stripe | Account email address, internal account identifier | Payment processing and subscription management |
| Mailgun | Recipient email addresses, email content | Email delivery (digests and outreach) |
| Google (Places API) | Google Place IDs | Retrieving publicly available review and business data |
| SerpAPI | Google Place IDs | Retrieving publicly available review data and response rates |

We may also disclose your information if required by law, court order, or governmental regulation, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.

Regarding Anthropic (our AI provider): Review content you submit to the Service, along with associated business context, is transmitted to Anthropic's API for response generation. Anthropic processes this data in accordance with its own data usage policies. As of the date of this policy, Anthropic does not use API inputs to train its models. We encourage you to review Anthropic's Privacy Policy and Usage Policy for details.

Regarding Stripe (our payment processor): All payment transactions are processed by Stripe. We never receive or store your full payment card details. Stripe's handling of your payment information is governed by Stripe's Privacy Policy.


4. Cookies and Similar Technologies

We use a minimal set of cookies, all of which are strictly necessary for the operation of the Service:

| Cookie | Purpose | Duration | Type |
|---|---|---|---|
| Session cookie | Maintains your authenticated session and CSRF protection | Browser session | Strictly necessary |
| Remember-me cookie | Keeps you signed in across browser sessions (optional) | 14 days | Strictly necessary / Functional |

We do not use advertising cookies, social media cookies, or third-party analytics cookies. We do not participate in cross-site tracking or behavioral advertising.


5. Data Retention

  • Account data. We retain your account information for as long as your account is active. When you delete your account, we perform a soft deletion that removes your data from active use. You may request permanent deletion by contacting us.
  • Authentication tokens. Session tokens expire after 14 days. Magic-link login tokens expire after 15 minutes. Email change tokens expire after 7 days. Expired tokens are periodically purged.
  • Review data. Google review data synced to your account is retained for the duration of your account and deleted when your account is deleted.
  • AI-generated responses. Draft and published responses are retained for the duration of your account.
  • Payment records. Stripe customer and subscription identifiers are retained as long as necessary for billing, tax, and legal compliance purposes.
  • Outreach data. Business contact information collected for outreach purposes is retained until the contact unsubscribes or requests deletion, or until we determine the data is no longer necessary for its collected purpose.
  • Email tracking data. Open and click tracking records for outreach emails are retained for operational and compliance purposes.

6. Data Security

We implement the following security measures to protect your information:

  • Encryption in transit. All data transmitted between your browser and our servers is encrypted using TLS/SSL. We enforce HTTPS in production.
  • Password and token security. Authentication tokens are hashed using SHA-256 before storage. No plaintext credentials are stored in our database.
  • Access controls. All user data is scoped to the authenticated account. Our data access layer enforces account-level isolation to prevent unauthorized cross-account access.
  • Payment security. We do not store, process, or transmit payment card data. All payment handling is delegated to Stripe, a PCI DSS Level 1 certified payment processor.
  • Webhook verification. Inbound webhooks from Stripe and Mailgun are authenticated using cryptographic signature verification (HMAC) to prevent tampering.
  • Primary key obfuscation. Database records use binary UUIDs rather than sequential integer IDs, reducing the risk of enumeration attacks.

While we take reasonable measures to protect your data, no method of electronic storage or transmission over the Internet is 100% secure. We cannot guarantee absolute security.


7. Your Rights and Choices

7.1 All Users

Regardless of your location, you may:

  • Access your data. Request a copy of the personal information we hold about you.
  • Correct your data. Update your email address or business information through your account settings.
  • Delete your account. Request deletion of your account and associated data by contacting us at james@hexbolt.dev.
  • Unsubscribe from outreach. If you receive outreach emails from us, you can unsubscribe at any time using the link in the email footer.

7.2 European Economic Area, United Kingdom, and Switzerland (GDPR)

If you are located in the EEA, UK, or Switzerland, you have additional rights under the General Data Protection Regulation:

  • Legal basis for processing. We process your personal data on the following legal bases:
    • Performance of a contract — to provide the Service you have subscribed to.
    • Legitimate interests — to send B2B outreach communications, improve the Service, and ensure security, where these interests are not overridden by your rights.
    • Legal obligation — to comply with applicable laws and regulations.
  • Right to restrict processing. You may request that we restrict the processing of your personal data in certain circumstances.
  • Right to data portability. You may request a machine-readable copy of the personal data you have provided to us.
  • Right to object. You may object to our processing of your personal data based on legitimate interests, including direct marketing.
  • Right to lodge a complaint. You have the right to lodge a complaint with your local data protection supervisory authority.

To exercise any of these rights, contact us at james@hexbolt.dev. We will respond within 30 days.

7.3 California Residents (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act:

  • Right to know. You may request that we disclose the categories and specific pieces of personal information we have collected about you, the sources of that information, our purposes for collecting it, and the categories of third parties with whom we share it.
  • Right to delete. You may request that we delete personal information we have collected from you, subject to certain exceptions.
  • Right to opt out of sale. We do not sell personal information as defined under the CCPA.
  • Right to non-discrimination. We will not discriminate against you for exercising your CCPA rights.

To exercise your rights, contact us at james@hexbolt.dev. We will verify your identity before processing your request and respond within 45 days.


8. International Data Transfers

Our Service is hosted in the United States. If you access the Service from outside the United States, your information may be transferred to, stored, and processed in the United States. By using the Service, you acknowledge this transfer. Where required by applicable law, we rely on appropriate safeguards (such as standard contractual clauses) for international data transfers.


9. Third-Party Links

The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties. We encourage you to review the privacy policies of any third-party services you interact with.


10. Children's Privacy

The Service is designed for business use and is not directed at individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child, we will take steps to delete it promptly.


11. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by posting a prominent notice on the Service prior to the change becoming effective. Your continued use of the Service after the effective date of a revised policy constitutes your acceptance of the changes.


12. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at:

Respondi
Email: james@hexbolt.dev