Privacy Policy
PRIVACY POLICY OF RESPONDOAI
Effective Date: March 12, 2026 | Version: 3.0
I. About This Policy
This Privacy Policy ("Policy") explains how RESPONDOAI spolka z ograniczona odpowiedzialnoscia ("RESPONDOAI," "we," "us," or "our") collects, uses, stores, shares, and protects personal data in connection with the RESPONDOAI platform, including the Partner Application, the Customer Application, AI Services, and the website at https://www.respondoai.com.
This Policy applies to:
- Partners — businesses and professionals who use RESPONDOAI to manage bookings, communicate with customers through AI-powered channels, and operate their services;
- Customers — individuals who interact with Partner services through the RESPONDOAI platform, including through AI voice assistants, chatbots, booking widgets, and other AI-powered communication channels;
- Website Visitors — individuals who visit https://www.respondoai.com without creating an account.
We are committed to transparency in how we process your data. This Policy is written in plain language to help you understand your rights and our practices. Where legal terms are necessary, we provide explanations alongside them.
Changes to this Policy: We maintain a version history of this Policy. When we make material changes, we will notify you by email and through the Application. The current version is always available at https://www.respondoai.com/policy.
II. Who We Are (Controller Identity)
Data Controller:
RESPONDOAI spolka z ograniczona odpowiedzialnoscia, ul. Kowalska 5/203, 20-115 Lublin, Poland. Entered in the Register of Entrepreneurs of the National Court Register maintained by the District Court Lublin-Wschod in Lublin with its seat in Swidnik, 6th Commercial Division of the National Court Register.
- KRS: 0001202972
- NIP: 9462760069
- REGON: 543116280
- Share capital: PLN 5,000.00
Contact:
- Email: contact@respondoai.com
- Postal address: ul. Kowalska 5/203, 20-115 Lublin, Poland
Data Protection Contact: For all matters related to personal data protection, you may contact our designated Data Protection contact person at: contact@respondoai.com.
III. Definitions
For the purposes of this Policy, the following terms have the meanings set forth below:
Personal Data — any information relating to an identified or identifiable natural person ("data subject"), as defined in Article 4(1) of the GDPR. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
Processing — any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction, as defined in Article 4(2) of the GDPR.
Controller — the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data, as defined in Article 4(7) of the GDPR. RESPONDOAI is the Controller for data processing described in this Policy, except where indicated otherwise.
Processor — a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the Controller, as defined in Article 4(8) of the GDPR.
Partner — an individual, legal entity, or unincorporated organizational unit that uses the RESPONDOAI Application under an Agreement in connection with its business or professional activity.
Customer — an individual who is 18 years of age or older, a legal entity, or an organizational unit without legal personality who uses the Customer Application or interacts with AI Services in order to use the Services offered by Partners.
Application — the RESPONDOAI software platform, including the Partner Application and the Customer Application, available at https://www.respondoai.com and via mobile applications.
AI Services — services provided by RESPONDOAI using artificial intelligence technologies, including AI receptionists, automated communication assistants operating via telephone, WhatsApp, Instagram, Telegram, Messenger, SMS, and other communication channels.
Special Category Data — personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, or data concerning a person's sex life or sexual orientation, as defined in Article 9(1) of the GDPR. In the context of RESPONDOAI, this may include health-related data processed incidentally through medical appointment bookings.
Profiling — any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements, as defined in Article 4(4) of the GDPR.
IV. Data We Collect
4.1 Data Provided Directly by You
When you register for an account, create a profile, or use our services, you may provide us with the following categories of personal data:
- Identity data: name, surname, business name (firma)
- Contact data: email address, telephone number, business address, residential address
- Business data: NIP (tax identification number), REGON (statistical number), date of birth
- Profile data: logo, service descriptions, pricing information, business hours
- Employee/associate data: names, roles, contact details of employees or associates added to the Partner's account
- Payment data: processed exclusively by Stripe, Inc. (PCI DSS Level 1 certified). RESPONDOAI does not store, process, or have access to payment card numbers, CVV codes, or expiry dates.
- Communication data: content of messages you send to us (e.g., support requests, feedback)
4.2 Data Collected Automatically
When you access or use the Application or visit our website, we automatically collect:
- Device and browser data: IP address, browser type and version, operating system, device type, screen resolution
- Usage data: pages visited, features used, session duration, referral URLs, click patterns
- Log data: server logs containing timestamps, access requests, error logs
- Location data: approximate geographic location derived from IP address (country/region level only)
4.3 Data Generated Through AI Processing
When Partners use AI Services, the following data is generated and processed:
- Voice conversation data: recordings and transcriptions of telephone conversations handled by AI voice assistants
- Chat transcript data: content of text-based communications processed through AI channels (WhatsApp, Instagram, Telegram, Messenger, SMS)
- AI interaction data: AI response patterns, service recommendations generated, booking actions taken by AI
- Booking data processed by AI: reservation details, scheduling information, confirmation records created through AI interactions
4.4 Special Category Data
RESPONDOAI may incidentally process data that falls within or is proximate to special categories of personal data, specifically:
- Health-related appointment context: when Partners operate in the medical or wellness sector, the nature of booked appointments (e.g., "dermatology consultation," "physiotherapy session") may constitute health data under Article 9(1) of the GDPR.
- Processing conditions: such data is only processed when entered by the Partner or Customer themselves. The legal basis for processing is: (a) explicit consent of the data subject (Article 9(2)(a) GDPR), or (b) necessity for the provision of health or social care or treatment, or the management of health or social care systems and services (Article 9(2)(h) GDPR), where the Partner is a healthcare provider.
- Minimization: RESPONDOAI does not require or actively solicit special category data. We process it only to the extent necessary to provide the booking and communication services requested by the Partner.
V. How We Use Your Data (Purposes and Legal Bases)
We process your personal data for the following purposes, based on the indicated legal bases under the GDPR:
| Purpose | Legal Basis | Data Categories |
|---|---|---|
| Account registration and management | Contract performance (Art. 6(1)(b)) | Identity, contact, business data |
| Provision of booking and reservation services | Contract performance (Art. 6(1)(b)) | Identity, contact, booking data |
| Provision of AI-powered communication services | Contract performance (Art. 6(1)(b)) | Communication data, AI interaction data, voice data, chat data |
| Payment processing and invoicing | Contract performance (Art. 6(1)(b)) | Identity, contact, payment data (via Stripe) |
| Customer support and communication | Contract performance (Art. 6(1)(b)) | Identity, contact, communication data |
| Marketing of RESPONDOAI products and services (excluding direct marketing) | Legitimate interest (Art. 6(1)(f)) | Identity, contact, usage data |
| Direct marketing of RESPONDOAI products and services | Legitimate interest (Art. 6(1)(f)) | Identity, contact data |
| Profiling and personalization of services | Legitimate interest (Art. 6(1)(f)) | Usage data, interaction data, preferences |
| Analytics, statistics, and service improvement | Legitimate interest (Art. 6(1)(f)) | Usage data, device data, log data |
| System and application development | Legitimate interest (Art. 6(1)(f)) | Anonymized/aggregated usage data |
| Establishing, asserting, or defending legal claims | Legitimate interest (Art. 6(1)(f)) | All relevant data categories |
| Security monitoring and fraud prevention | Legitimate interest (Art. 6(1)(f)) | Device data, log data, usage data |
| Tax and accounting compliance | Legal obligation (Art. 6(1)(c)) | Identity, payment, invoicing data |
| Regulatory compliance (GDPR, DSA, EU AI Act) | Legal obligation (Art. 6(1)(c)) | All relevant data categories |
| Marketing communications (newsletters, offers) | Consent (Art. 6(1)(a)) | Identity, contact data |
| Non-essential cookies (analytical, marketing) | Consent (Art. 6(1)(a)) | Device data, usage data, online identifiers |
Where we rely on legitimate interest (Art. 6(1)(f)), we have conducted a balancing test to ensure that our interests do not override your fundamental rights and freedoms. You have the right to object to processing based on legitimate interest at any time (see Section XIII).
VI. AI-Specific Data Processing
6.1 How AI Services Process Data
RESPONDOAI's AI Services process data across multiple communication channels. Below is an explanation of the data flow for each channel:
Telephone (Voice AI): Incoming call → Jambonz (SIP/VoIP telephony infrastructure) → ElevenLabs, Inc. (speech-to-text transcription) → OpenAI Ireland Limited (natural language understanding, intent classification, response generation) → ElevenLabs, Inc. (text-to-speech voice synthesis) → Jambonz (audio delivery to caller). Voice recordings and transcriptions are stored according to the Partner-configured retention period.
WhatsApp, Instagram, Messenger: Incoming message → Meta Platforms, Inc. (message delivery via respective platform API) → OpenAI Ireland Limited (message analysis, intent classification, response generation) → Meta Platforms, Inc. (response delivery to Customer). Chat transcripts are stored according to the Partner-configured retention period.
Telegram: Incoming message → Telegram FZ-LLC (message delivery via Telegram Bot API) → OpenAI Ireland Limited (message analysis, response generation) → Telegram FZ-LLC (response delivery). Chat transcripts are stored according to the Partner-configured retention period.
SMS: Incoming SMS → telephony infrastructure → OpenAI Ireland Limited (message analysis, response generation) → SMS delivery. Transcripts stored per Partner configuration.
6.2 AI Training Data Policy
- RESPONDOAI does NOT use identifiable Partner Data or Customer personal data to train, fine-tune, or improve general-purpose AI models. Your conversations, voice recordings, and personal data are not used as training data.
- OpenAI API: RESPONDOAI uses the OpenAI API with data processing terms that prohibit OpenAI from using API input and output data for model training. Data submitted via the API is retained by OpenAI for up to 30 days for abuse monitoring purposes only, then deleted.
- ElevenLabs: Voice data processed through ElevenLabs is used solely for the purpose of speech-to-text and text-to-speech conversion in real time. RESPONDOAI's contractual arrangements with ElevenLabs prohibit the use of Partner or Customer voice data for general model training.
- Anonymized and aggregated data: RESPONDOAI may use anonymized and aggregated data (which does not constitute personal data under GDPR Recital 26) derived from usage patterns to improve AI service quality, optimize response accuracy, and develop platform features. Such data cannot be used to identify any individual.
6.3 Third-Party AI Provider Data Practices
Each third-party AI provider processes data under its own data processing agreement with RESPONDOAI, which includes:
- Obligations to process data only on RESPONDOAI's documented instructions
- Confidentiality obligations for all personnel processing the data
- Technical and organizational security measures appropriate to the risk
- Sub-processor management requirements
- Data deletion or return upon termination
- Audit and inspection rights
VII. Automated Decision-Making and Profiling (Article 22 GDPR)
7.1 Automated Decisions Made by AI
RESPONDOAI's AI Services may make the following types of automated decisions:
- Booking confirmation and scheduling: AI analyzes Customer requests and Partner availability to confirm, reschedule, or suggest alternative appointment times.
- Message routing: AI classifies incoming messages by intent (e.g., booking request, cancellation, general inquiry) and routes them accordingly.
- Response generation: AI generates contextual responses to Customer inquiries based on Partner-configured information (services, pricing, availability, business rules).
- Rescheduling and cancellation processing: AI processes Customer requests to modify or cancel existing bookings.
7.2 Logic Explanation
In plain language, the AI processes communications as follows: (1) the incoming message or voice input is analyzed to understand what the Customer is asking; (2) the AI classifies the intent of the request (e.g., "wants to book an appointment," "asks about pricing," "wants to cancel"); (3) the AI checks the Partner's configured availability, services, and business rules; (4) the AI generates an appropriate response or takes the requested action (such as creating a booking).
7.3 Your Rights Regarding Automated Decisions
Under Article 22 of the GDPR, you have the right to:
- Request human intervention: Ask that a human representative review any decision made by AI that significantly affects you.
- Express your point of view: Provide your perspective on an automated decision.
- Contest the decision: Challenge an automated decision and request that it be reconsidered.
To exercise these rights, contact us at contact@respondoai.com or request a human representative during any AI interaction.
7.4 Profiling
RESPONDOAI performs profiling and grouping to improve service delivery and personalize your experience. Profiling may be based on:
- Website and Application activity (pages visited, features used, session patterns)
- Approximate geolocation (derived from IP address, country/region level)
- Usage patterns (frequency of use, preferred communication channels, booking behavior)
- Service preferences (types of services booked, preferred time slots)
We do not engage in invasive profiling. We do not use profiling to make decisions that produce legal effects or similarly significantly affect you without human involvement.
Right to object: You may object to profiling at any time by emailing contact@respondoai.com. If you object to profiling for direct marketing purposes, we will cease such processing immediately and without exception.
VIII. Voice Recording and Telephone Communications
8.1 AI Disclosure and Recording Notification
When a Customer receives a telephone call handled by RESPONDOAI's AI voice assistant, the following disclosures are made at the beginning of the call:
- AI disclosure: The caller is informed that they are communicating with an AI-powered assistant, not a human, in compliance with EU AI Act Article 50 transparency requirements.
- Recording disclosure: The caller is informed that the call may be recorded and transcribed for the purpose of providing the requested service, in compliance with Polish Telecommunications Law Article 159.
8.2 Legal Basis for Voice Recording
Voice recordings are processed on the following legal bases:
- Contract performance (Art. 6(1)(b) GDPR): recording and transcription are necessary to provide the AI communication service requested by the Partner.
- Legitimate interest (Art. 6(1)(f) GDPR): recording enables quality assurance, dispute resolution, and service improvement.
- Transparency and legal compliance: Polish Telecommunications Law Article 159 requires that parties to a telephone conversation be informed of recording.
8.3 Voice Data Processing Flow
Voice data is processed as follows: incoming voice audio → Jambonz (SIP/VoIP infrastructure, call routing) → ElevenLabs, Inc. (speech-to-text conversion) → OpenAI Ireland Limited (text analysis, intent classification, response generation) → ElevenLabs, Inc. (text-to-speech conversion, voice synthesis) → Jambonz (audio delivery to caller). The AI-generated voice output constitutes synthetic content under the EU AI Act.
8.4 Partner Responsibilities
Partners are responsible for:
- Ensuring compliance with applicable telecommunications and data protection laws in their jurisdiction regarding call recording and AI-assisted communications.
- Informing their Customers about the use of AI voice assistants where required by applicable law.
- Configuring appropriate voice recording retention periods in the Application settings.
8.5 Customer Rights
Customers interacting with AI voice assistants have the right to:
- Opt out of AI interaction: Request to speak with a human representative at any time during the call.
- Request recording deletion: Contact the Partner or RESPONDOAI to request deletion of their voice recording.
- Access their data: Request a copy of any voice recordings or transcriptions that relate to them.
8.6 Retention
Voice recordings are retained for the period configured by the Partner in the Application settings: minimum 7 days, maximum 180 days, default 30 days. Transcriptions are retained for: minimum 30 days, maximum 365 days, default 90 days. Upon expiry of the retention period, data is permanently deleted using cryptographic erasure methods.
IX. Who We Share Data With
9.1 Sub-Processors
RESPONDOAI uses the following sub-processors (third-party service providers) for the provision of its services. Each sub-processor processes data under a Data Processing Agreement with RESPONDOAI:
| Sub-Processor | Legal Entity | Purpose | Data Categories | Location | Transfer Mechanism | DPA |
|---|---|---|---|---|---|---|
| OpenAI | OpenAI Ireland Limited | Natural language processing, text generation | Message content, conversation context | Ireland / USA | DPF + SCCs | Yes |
| ElevenLabs | ElevenLabs, Inc. | Voice synthesis, speech-to-text | Voice recordings, audio data | USA | SCCs | Yes |
| Jambonz | Jambonz | SIP/VoIP telephony infrastructure | Call metadata, audio streams | USA / EU | SCCs | Yes |
| Stripe | Stripe, Inc. | Payment processing | Payment data, billing email | USA | DPF | Yes |
| Google | Google LLC | OAuth authentication, Calendar integration, Analytics | Auth tokens, calendar data, analytics data | USA | DPF | Yes |
| Meta | Meta Platforms, Inc. | WhatsApp, Instagram, Messenger integration, Meta Pixel | Messages, analytics data | USA | DPF | Yes |
| Telegram | Telegram FZ-LLC | Telegram messaging integration | Message content, chat metadata | UAE | SCCs | Yes |
| Vercel | Vercel, Inc. | Application hosting, performance analytics | Performance data, server logs | USA | SCCs | Yes |
| Apple | Apple Inc. | Sign in with Apple authentication | Authentication tokens | USA | DPF | Yes |
The current list of sub-processors is available at: https://www.respondoai.com/policy. RESPONDOAI will notify Partners of any changes to the sub-processor list in accordance with the Data Processing Agreement (see Terms of Service, Annex 1).
9.2 Other Recipients
Your personal data may also be shared with the following categories of recipients, where necessary:
- Partners: Customer data is shared with the relevant Partner to enable service provision (e.g., booking details, contact information).
- Courts and public authorities: where required by law, court order, or regulatory obligation.
- Supervisory authority (UODO): in the context of regulatory inquiries or data protection complaints.
- Law enforcement: where legally required (e.g., in response to a valid legal process).
- Professional advisors: accountants, legal advisors, and auditors, subject to professional confidentiality obligations.
- IT service providers: infrastructure, maintenance, and support providers, under data processing agreements.
X. International Data Transfers
Your personal data may be transferred outside the European Economic Area (EEA) in connection with the provision of RESPONDOAI services. We ensure that all international transfers are subject to appropriate safeguards as required by Chapter V of the GDPR:
10.1 EU-US Data Privacy Framework (DPF)
The following providers are certified under the EU-US Data Privacy Framework, which has been recognized by the European Commission as providing an adequate level of data protection (Adequacy Decision C(2023) 4745 of July 10, 2023):
- Stripe, Inc.
- Google LLC
- Meta Platforms, Inc.
- Apple Inc.
10.2 Standard Contractual Clauses (SCCs)
For transfers to providers not covered by an adequacy decision, RESPONDOAI has entered into Standard Contractual Clauses approved by the European Commission (Implementing Decision (EU) 2021/914), supplemented by additional technical and organizational measures where necessary:
- Module 2 (Controller to Processor): OpenAI Ireland Limited, ElevenLabs, Inc., Jambonz, Vercel, Inc.
- Module 3 (Processor to Processor): where sub-processors engage their own sub-processors outside the EEA.
- Telegram FZ-LLC (UAE): SCCs with supplementary measures.
10.3 Supplementary Measures
In addition to the contractual safeguards above, RESPONDOAI implements the following supplementary measures for all international data transfers:
- Encryption in transit (TLS 1.2 or higher) and at rest
- Pseudonymization of personal data where technically feasible
- Contractual prohibitions on onward transfer without equivalent safeguards
- Transfer Impact Assessments conducted for all SCC-based transfers
- Regular review of the legal framework in the recipient country
10.4 Your Rights
You may request a copy of the safeguards applied to international data transfers by contacting us at contact@respondoai.com.
XI. Data Retention
We retain your personal data only for as long as necessary for the purposes for which it was collected, in accordance with the principle of storage limitation (Article 5(1)(e) GDPR). The specific retention periods are as follows:
| Data Category | Retention Period | Legal Justification |
|---|---|---|
| AI voice recordings | 7–180 days (Partner-configurable, default: 30 days) | Legitimate interest (Art. 6(1)(f)), contract performance |
| AI transcriptions | 30–365 days (Partner-configurable, default: 90 days) | Contract performance (Art. 6(1)(b)) |
| Chat messages (WhatsApp, Instagram, Telegram, Messenger) | 90–730 days (Partner-configurable, default: 365 days) | Contract performance (Art. 6(1)(b)) |
| Reservation/booking data | 365–1,825 days (Partner-configurable, default: 730 days) | Contract performance + legal obligation |
| Account and profile data | Duration of contract + 3 years | Limitation period (Art. 118 KC) |
| Payment and invoicing records | 5 years from end of fiscal year | Tax law (Ordynacja podatkowa) |
| Log data and IP addresses | Maximum 12 months | Proportionality principle |
| Cookie consent records | Duration of consent + 3 years | Accountability (Art. 5(2) GDPR) |
| Marketing consent records | Duration of consent + 3 years | Accountability (Art. 5(2) GDPR) |
Deletion Procedures
- Cryptographic erasure: when data is deleted, cryptographic keys used to encrypt the data are destroyed, rendering the data unrecoverable.
- Backup purge: data deleted from primary systems is purged from backup systems within 30 days.
- Sub-processor deletion: RESPONDOAI ensures that sub-processors delete personal data in accordance with their data processing agreements and within the contractual timeframes. Deletion is verified.
XII. Cookies and Tracking Technologies
12.1 Cookie Categories
RESPONDOAI uses the following categories of cookies and similar tracking technologies:
Essential Cookies: necessary for the Application to function properly. They enable basic operations such as navigation, authentication, and access to secure areas. These cookies are placed automatically and do not require consent, as they are strictly necessary for the provision of the service (Art. 5(3) ePrivacy Directive).
Functional Cookies: allow the Application to remember your preferences (such as language, region, or display settings) and provide enhanced features. These cookies require your consent.
Analytical / Performance Cookies: help us understand how visitors interact with the Application by collecting anonymized usage data (page views, session duration, navigation patterns). These cookies require your consent.
Marketing Cookies: used to track users across websites for the purpose of displaying targeted advertisements. These cookies require your consent.
12.2 Third-Party Services
RESPONDOAI uses the following third-party analytics and advertising services, which may place cookies or use similar tracking technologies on your device:
- Google Analytics / Google Ads: website traffic analysis, advertising campaign measurement, and conversion tracking. Google may process data such as IP addresses, browser information, and user interactions. Privacy policy: https://policies.google.com/privacy.
- Meta Pixel (Facebook Pixel): advertising campaign effectiveness measurement on Meta platforms (Facebook, Instagram). Meta may process data such as page views, user actions, and device information. Privacy policy: https://www.facebook.com/privacy/policy/.
- Vercel Analytics: application performance monitoring. Vercel processes anonymized performance data. Privacy policy: https://vercel.com/legal/privacy-policy.
12.3 Cookie Consent
RESPONDOAI uses a cookie consent mechanism that:
- Presents a clear banner on first visit with "Accept All" and "Reject All" options equally prominent.
- Allows granular category-by-category selection on the first layer of the banner.
- Does not use cookie walls (access to the Application is not conditioned on accepting non-essential cookies).
- Allows you to change your cookie preferences at any time through the cookie settings available in the Application.
Essential cookies are placed automatically as they are necessary for the Application to function. All non-essential cookies (functional, analytical, marketing) are only placed after you have given your explicit, informed, and freely given consent.
12.4 Managing Cookies in Your Browser
You can also manage cookies through your browser settings. Instructions for common browsers:
- Chrome: Settings → Privacy and Security → Cookies and other site data
- Firefox: Settings → Privacy & Security → Cookies and Site Data
- Safari: Preferences → Privacy → Manage Website Data
- Edge: Settings → Privacy, Search, and Services → Cookies and site permissions
Please note that disabling cookies may affect the availability of certain Application features (e.g., authentication, session persistence).
XIII. Your Rights Under the GDPR
Under the General Data Protection Regulation (GDPR), you have the following rights regarding your personal data. To exercise any of these rights, contact us at contact@respondoai.com. We will respond to your request within one (1) month of receipt. This period may be extended by two (2) further months where necessary, taking into account the complexity and number of requests. We will inform you of any such extension within one month of receipt. We may request identity verification before processing your request.
13.1 Right of Access (Article 15)
You have the right to obtain confirmation as to whether your personal data is being processed by RESPONDOAI and, if so, to access that data and receive a copy. You are also entitled to information about the purposes of processing, the categories of data, recipients, retention periods, and your rights.
13.2 Right to Rectification (Article 16)
You have the right to have inaccurate personal data corrected without undue delay. You may rectify most data directly through the Application settings ("Settings" > "Profile"). For data that cannot be corrected through the Application, contact us.
13.3 Right to Erasure ("Right to Be Forgotten") (Article 17)
You have the right to request the erasure of your personal data where:
- The data is no longer necessary for the purposes for which it was collected.
- You withdraw consent and there is no other legal basis for processing.
- You object to processing and there are no overriding legitimate grounds.
- The data has been unlawfully processed.
- Erasure is required by a legal obligation.
When this right does NOT apply: We may refuse erasure where processing is necessary for compliance with a legal obligation (e.g., tax records), for the establishment, exercise, or defense of legal claims, or for other grounds specified in Article 17(3) GDPR.
Self-service deletion: You may delete your account through the Application: "Settings" > "Delete Account." This will trigger deletion of your account data and initiate deletion of associated data from sub-processors according to our data processing agreements. Data already deleted per Partner-configured retention schedules is not recoverable. Backup systems will be purged within 30 days.
Data export formats: JSON, CSV (see Right to Data Portability below).
13.4 Right to Restriction of Processing (Article 18)
You have the right to request restriction of processing where:
- You contest the accuracy of the data (restriction applies during verification).
- Processing is unlawful and you request restriction instead of erasure.
- We no longer need the data but you need it for legal claims.
- You have objected to processing (restriction applies pending verification of legitimate grounds).
13.5 Right to Data Portability (Article 20)
You have the right to receive your personal data in a structured, commonly used, and machine-readable format (JSON or CSV), and to transmit that data to another controller without hindrance, where processing is based on consent or contract and carried out by automated means.
13.6 Right to Object (Article 21)
You have the right to object to processing based on legitimate interest (Article 6(1)(f)) at any time, on grounds relating to your particular situation. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
Direct marketing: If you object to processing for direct marketing purposes, we will cease such processing immediately and without exception. No balancing test is required.
13.7 Rights Related to Automated Decision-Making (Article 22)
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. You have the right to obtain human intervention, express your point of view, and contest such a decision. See Section VII for details.
13.8 Right to Withdraw Consent (Article 7(3))
Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
You can withdraw consent by:
- Emailing contact@respondoai.com
- Using the Application: "Settings" > "Consents" > "Protect Your Data"
- Adjusting cookie preferences through the cookie settings banner
13.9 Dual Controller Clarification
Because RESPONDOAI and Partners are separate controllers of Customer data (see Section V and Appendices A/B):
- Requests relating to RESPONDOAI's processing (platform account, AI processing, analytics): contact RESPONDOAI at contact@respondoai.com.
- Requests relating to the Partner's processing (services provided by the Partner, Partner-controlled communications): contact the relevant Partner directly.
- If you are unsure, you may contact RESPONDOAI and we will direct your request to the appropriate controller.
XIV. Children's Data
RESPONDOAI's services are not directed at individuals under 18 years of age. We do not knowingly collect personal data from children under 16 (the applicable threshold under Polish law implementing Article 8 of the GDPR).
If we become aware that we have collected personal data from a child under 16 without appropriate parental or guardian consent, we will take steps to delete that data as soon as possible.
Partners operating in sectors serving minors (e.g., pediatric clinics, children's salons) are responsible for ensuring that they have obtained appropriate parental or guardian consent for the processing of minors' data before entering such data into the RESPONDOAI Application. RESPONDOAI processes such data on behalf of the Partner in accordance with the Data Processing Agreement.
Parents or guardians who believe that their child's data has been processed without appropriate consent may contact us at contact@respondoai.com.
XV. Data Security
RESPONDOAI implements comprehensive technical and organizational measures to protect personal data against unauthorized access, accidental loss, destruction, or damage, in accordance with Article 32 of the GDPR:
Technical measures:
- Encryption in transit: all data transmitted between users and RESPONDOAI servers is encrypted using TLS 1.2 or higher.
- Encryption at rest: sensitive data is encrypted at rest using industry-standard encryption algorithms.
- Password protection: passwords are hashed using bcrypt, making recovery of the original password from the hash computationally infeasible.
- Access controls: role-based access control (RBAC), multi-factor authentication (MFA) for administrative access.
- Network security: firewalls, intrusion detection systems (IDS), DDoS protection.
Organizational measures:
- Need-to-know access: access to personal data is restricted to authorized personnel who require it for their role.
- Staff training: personnel with access to personal data receive regular data protection training.
- Security policies: documented information security policies and procedures.
- Vendor management: sub-processors are selected based on their security posture and are contractually obligated to maintain appropriate security measures.
Infrastructure:
- Professional cloud hosting infrastructure with regular security updates and patch management.
- Regular vulnerability assessments and security monitoring.
- Redundancy and disaster recovery capabilities.
Payment security:
- Payment processing is handled exclusively by Stripe, Inc., a PCI DSS Level 1 certified payment processor. RESPONDOAI does not store, process, or have access to payment card data (card numbers, CVV codes, expiry dates).
Incident response:
- RESPONDOAI maintains data breach response procedures in accordance with the GDPR:
  - Article 33: notification to the supervisory authority (Prezes UODO) within 72 hours of becoming aware of a personal data breach, where the breach is likely to result in a risk to the rights and freedoms of natural persons.
  - Article 34: notification to affected individuals without undue delay, where the breach is likely to result in a high risk to their rights and freedoms.
XVI. Data Protection Impact Assessments (DPIAs)
In accordance with Article 35 of the GDPR, RESPONDOAI conducts Data Protection Impact Assessments for processing operations that are likely to result in a high risk to the rights and freedoms of natural persons. DPIAs have been conducted for:
- AI-powered communication processing: assessment of risks associated with the processing of voice recordings, transcriptions, and chat messages through AI technologies.
- International data transfers to AI sub-processors: assessment of the adequacy of safeguards for transfers to OpenAI, ElevenLabs, and other AI providers.
- Automated decision-making and profiling: assessment of the impact of AI-driven booking decisions and Customer communication routing.
- Voice recording at scale: assessment of the proportionality and necessity of voice recording practices.
DPIAs are reviewed annually and updated when there are material changes to the relevant processing operations.
For more information about our DPIAs, please contact us at contact@respondoai.com.
XVII. Google API Services — Limited Use Disclosure
RESPONDOAI uses Google OAuth to access only the user data necessary to provide its core functionality, specifically:
- Google Calendar: to synchronize Partner booking calendars with RESPONDOAI.
- Google Authentication (OAuth): to provide secure login functionality.
RESPONDOAI adheres to the Google API Services User Data Policy, including all Limited Use requirements:
- We access only the minimum scope of Google user data necessary for our service functionality.
- We do not transfer Google user data to third parties except as required to operate and improve our service, or as required by law.
- We do not use Google user data for advertising or marketing purposes.
- We do not allow humans to read Google user data unless: (a) we have the user's affirmative consent, (b) it is necessary for security purposes (e.g., investigating abuse), (c) it is necessary to comply with applicable law, or (d) the data is aggregated and anonymized for internal operations.
- RESPONDOAI does not use Google Workspace APIs data to develop, improve, or train generalized AI and/or ML models. Any data accessed through Google Workspace APIs is used solely for the specific functionality of our Application.
- Google user data is deleted when a user disconnects their Google account from RESPONDOAI.
For full details, see Google's API Services User Data Policy: https://developers.google.com/terms/api-services-user-data-policy.
XVIII. Changes to This Policy
RESPONDOAI may update this Privacy Policy from time to time to reflect changes in our processing practices, legal requirements, or business operations.
- Notification: we will notify you of material changes by email and through the Application at least 15 days before the changes take effect, unless a shorter notice period is required by law.
- Material changes: significant modifications to data processing purposes, legal bases, data sharing practices, or your rights will be clearly highlighted.
- Version history: we maintain a record of all versions of this Policy. Previous versions are available upon request.
- Effective date: the effective date of the current Policy is stated at the top of this document.
Your continued use of the Application after the effective date of an updated Policy constitutes your acknowledgment of the changes. If you do not agree with the changes, you may terminate your Agreement and delete your account.
XIX. How to Contact Us and How to Complain
Contact RESPONDOAI
For any questions, requests, or concerns regarding this Privacy Policy or the processing of your personal data:
- Email: contact@respondoai.com
- Postal address: RESPONDOAI sp. z o.o., ul. Kowalska 5/203, 20-115 Lublin, Poland
We will endeavor to respond to all inquiries within one (1) month.
Supervisory Authority
If you believe that RESPONDOAI's processing of your personal data violates the GDPR or applicable data protection law, you have the right to lodge a complaint with the competent supervisory authority:
Prezes Urzedu Ochrony Danych Osobowych (UODO)
ul. Stawki 2, 00-193 Warszawa, Poland
Website: https://uodo.gov.pl
Right to Judicial Remedy
Under Article 79 of the GDPR, you also have the right to an effective judicial remedy against a controller or processor if you consider that your rights under the GDPR have been infringed.
XX. Appendix A: Information Obligation for Partners (Article 13 GDPR)
We inform you that we process your personal data — details are provided below:
Personal Data Controller
The controller of your personal data is:
RESPONDOAI spolka z ograniczona odpowiedzialnoscia
ul. Kowalska 5/203, 20-115 Lublin, Poland
KRS: 0001202972, NIP: 9462760069, REGON: 543116280
Contact Information
- Email: contact@respondoai.com
- Postal address: ul. Kowalska 5/203, 20-115 Lublin, Poland
Data Protection Contact
For matters related to personal data protection: contact@respondoai.com
Scope of Personal Data Processed
To register an account and fully use the Application's features, we process the following categories of your personal data:
- Name, surname
- Business name (firma)
- Tax identification number (NIP)
- Statistical number (REGON)
- Email address
- Telephone number
- Business/residential address
- Device IP address
- Date of birth
- Logo
- Content of messages with Customers
- Voice recordings and transcriptions of telephone conversations processed through AI Services
- Chat transcripts and communication logs from WhatsApp, Instagram, Telegram, Messenger, and other channels processed through AI Services
- Data derived from AI interactions (response patterns, service preferences, communication history)
AI Data Processing
In connection with the provision of AI-powered services (AI receptionists, automated communication via telephone, WhatsApp, Instagram, Telegram, and other channels), RESPONDOAI processes the content of communications between you (the Partner) and your Customers. This data may be transmitted to third-party AI technology providers (OpenAI Ireland Limited, ElevenLabs, Inc., Jambonz) for the purpose of generating AI responses. RESPONDOAI ensures appropriate safeguards for such processing, including data minimization, encryption, and contractual obligations with AI providers prohibiting the use of your data for general model training.
Automated Decision-Making
RESPONDOAI uses AI technologies that involve automated processing, including profiling, in the context of managing Reservations, Customer communications, and service recommendations. You have the right to:
- Obtain information about the logic involved in automated processing.
- Request human intervention in decisions made by AI.
- Express your point of view and contest decisions based solely on automated processing.
To exercise these rights, contact us at contact@respondoai.com.
Purposes and Legal Bases
| Purpose | Legal Basis |
|---|---|
| Conclusion and performance of the Agreement | Contract performance (Art. 6(1)(b) GDPR) |
| Provision of AI-powered communication services | Contract performance (Art. 6(1)(b) GDPR) |
| Marketing of RESPONDOAI products/services (excluding direct marketing) | Legitimate interest (Art. 6(1)(f) GDPR) |
| Direct marketing of RESPONDOAI products/services | Legitimate interest (Art. 6(1)(f) GDPR) |
| Profiling/grouping for service personalization | Legitimate interest (Art. 6(1)(f) GDPR) |
| Service demand research (surveys) | Legitimate interest (Art. 6(1)(f) GDPR) |
| Establishing, asserting, or defending claims | Legitimate interest (Art. 6(1)(f) GDPR) |
| Fulfilling legal obligations (tax, regulatory) | Legal obligation (Art. 6(1)(c) GDPR) |
| Analytics, statistics, and internal reporting | Legitimate interest (Art. 6(1)(f) GDPR) |
| System and application development | Legitimate interest (Art. 6(1)(f) GDPR) |
| Responding to your messages and requests | Legitimate interest (Art. 6(1)(f) GDPR) |
Profiling/Grouping
We perform profiling/grouping to provide services and target advertisements, reminders, recommendations, and promotions suited to you. Profiling may be based on: website and Application activity, geolocation, usage hours, last activity time, service preferences, and communication patterns. We do not use invasive profiling or tracking for advertising purposes. You may object to profiling by contacting contact@respondoai.com.
Categories of Data Recipients
Your personal data may be shared with:
- Authorized entities (courts, supervisory authorities, law enforcement)
- Service providers (accounting, IT, legal, marketing, under data processing agreements)
- Sub-processors listed in Section IX of this Policy
- Partners (in the context of the dual controller relationship for Customer data)
International Data Transfers
Your data may be transferred outside the EEA. See Section X of this Policy for details on the safeguards applied. You may request a copy of the safeguards at contact@respondoai.com.
Data Retention
See Section XI of this Policy for detailed retention periods.
Your Rights
Under the GDPR, you have the right to: access, rectification, erasure, restriction of processing, data portability, object, and withdraw consent. See Section XIII for details. To exercise any right, contact contact@respondoai.com.
Right to Withdraw Consent
You may withdraw consent at any time by emailing contact@respondoai.com or through the Application ("Settings" > "Consents" > "Protect Your Data"). Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
Right to Lodge a Complaint
You have the right to lodge a complaint with the supervisory authority: Prezes Urzedu Ochrony Danych Osobowych (UODO), ul. Stawki 2, 00-193 Warszawa, https://uodo.gov.pl.
Provision of Data
Providing your personal data is voluntary but necessary for the conclusion and performance of the Agreement and for the use of RESPONDOAI services. You can view and edit your data at any time under the "Settings" tab in the Application.
XXI. Appendix B: Information Obligation for Customers (Articles 13 and 14 GDPR)
This appendix fulfills RESPONDOAI's information obligation toward Customers whose personal data RESPONDOAI processes as a separate controller (not as a processor on behalf of the Partner).
When This Applies
- Article 13 (data collected directly): when a Customer creates an account, makes a booking, or interacts with AI Services directly through the RESPONDOAI platform.
- Article 14 (data obtained indirectly): when a Partner enters Customer data into the RESPONDOAI Application (e.g., manually adding a Customer to the booking system, importing Customer contact lists).
Controller Identity
For the purposes described in this Appendix, the controller of your personal data is:
RESPONDOAI spolka z ograniczona odpowiedzialnoscia
ul. Kowalska 5/203, 20-115 Lublin, Poland
KRS: 0001202972, NIP: 9462760069, REGON: 543116280
Email: contact@respondoai.com
Dual Controller Explanation
When you use RESPONDOAI to book services with a Partner:
- RESPONDOAI is the controller for data processed for RESPONDOAI's own purposes: platform operation, AI service provision, security, analytics, and regulatory compliance.
- The Partner is the controller for data processed for the Partner's own purposes: providing their services to you, managing their business relationship with you, and any other purposes determined by the Partner.
RESPONDOAI and the Partner are separate controllers — each independently determines the purposes and means of processing for their respective purposes. They are not joint controllers.
Data Categories Processed by RESPONDOAI as Controller
For its own purposes, RESPONDOAI processes the following Customer data:
- Name, email address, telephone number (identity and contact data)
- Booking and reservation details (service type, date, time, Partner)
- Content of AI-powered communications (voice recordings, transcriptions, chat messages)
- Device and browser data (IP address, browser type, device information)
- Usage data (interactions with the platform, features used)
Purposes and Legal Bases
| Purpose | Legal Basis |
|---|---|
| Provision of the booking platform and AI Services | Contract performance (Art. 6(1)(b) GDPR) |
| AI-powered communication facilitation | Contract performance (Art. 6(1)(b) GDPR) |
| Platform security and fraud prevention | Legitimate interest (Art. 6(1)(f) GDPR) |
| Analytics and service improvement | Legitimate interest (Art. 6(1)(f) GDPR) |
| Compliance with legal obligations | Legal obligation (Art. 6(1)(c) GDPR) |
Source of Data (Article 14)
Where RESPONDOAI obtains your data indirectly (from the Partner), the source is the Partner with whom you have a business relationship. Categories of data obtained indirectly include: name, contact details, and booking history entered by the Partner into the RESPONDOAI Application.
How to Exercise Your Rights
- For data processed by RESPONDOAI: contact contact@respondoai.com.
- For data processed by the Partner: contact the Partner directly using the contact details provided by the Partner.
- If unsure: contact RESPONDOAI at contact@respondoai.com and we will direct your request to the appropriate controller.
Your Rights
As a Customer, you have the same rights as described in Section XIII of this Policy: access, rectification, erasure, restriction, data portability, objection, rights regarding automated decision-making, and withdrawal of consent.
Right to Lodge a Complaint
You have the right to lodge a complaint with: Prezes Urzedu Ochrony Danych Osobowych (UODO), ul. Stawki 2, 00-193 Warszawa, https://uodo.gov.pl.