Privacy Policy

Effective: 14 December 2024

Version: 2024-12-14-v1

This Privacy Policy describes how Respondable AI collects, uses, stores, and protects your information when you use our platform. We are committed to transparency about our data practices.

1. Introduction

Respondable AI ("Respondable", "we", "us", "our") provides a multi-tenant AI chatbot and knowledge indexing platform. This Privacy Policy explains what personal and business data we collect, how we use it, who we share it with, and your rights regarding that data.

This policy applies to:

  • Our marketing website (respondableai.com)
  • The client dashboard and administration interface
  • Our APIs and backend services
  • The chat widget deployed on client websites

By creating an account, using our dashboard, or deploying our chat widget, you acknowledge that you have read and understood this Privacy Policy. This policy should be read alongside our Terms of Service.

2. Data We Collect

2.1 Client Registration Data

When you create an account, we collect:

  • Name: Your display name or business name
  • Email address: Used for authentication, notifications, and account recovery
  • Password: Stored as a secure one-way hash (bcrypt) - we never store plain-text passwords
  • Account timestamps: When you registered, verified your email, and accepted terms
  • Terms acceptance: Record of which version of our Terms you accepted and when

2.2 Billing and Subscription Data

For paid subscriptions, we store:

  • Stripe customer ID: Links your account to Stripe for billing
  • Subscription status: Active, cancelled, past due, etc.
  • Plan selection: Which pricing tier you've chosen
  • Renewal dates: For subscription management

Note: Payment card details are processed and stored directly by Stripe. We do not have access to your full card number.

2.3 Website Content You Provide

When you configure domains for indexing:

  • Domain URLs: The websites you authorize us to crawl
  • Page content: Text extracted from your website pages
  • Vector embeddings: Numerical representations of your content for semantic search
  • Content metadata: Page titles, URLs, crawl timestamps, content hashes
  • Knowledge base entries: Manual content you add through the dashboard

2.4 Chat and Conversation Data

When visitors use your chat widget:

  • Messages: Visitor questions and AI-generated responses
  • Conversation metadata: Session IDs, timestamps, conversation duration
  • Lead capture data: If enabled, visitor names and email addresses they voluntarily provide
  • Privacy consent: Record of visitor consent to data collection

2.5 Usage and Technical Data

We automatically collect:

  • API usage logs: Requests made to our services
  • Authentication events: Login attempts and session information
  • Indexing logs: Crawl activity, page processing, and any errors
  • Performance metrics: Response times, error rates
  • Browser and device info: User agent strings for compatibility

2.6 Dashboard Activity

When you use the dashboard:

  • Configuration changes: Branding settings, persona customizations
  • Feature usage: Which tools and features you access
  • Admin actions: Account changes, team member invitations (if applicable)

3. How We Use Your Data

3.1 Service Delivery

  • Authenticate you and manage your account access
  • Process your website content to create searchable knowledge bases
  • Generate AI responses based on your indexed content
  • Display your branding and customizations in the chat widget
  • Track usage against your plan limits

3.2 AI Processing

To generate chat responses, we:

  • Convert your content into vector embeddings using AI models
  • Send visitor questions to large language model (LLM) providers along with relevant context from your knowledge base
  • Receive and display AI-generated responses

Important: Visitor questions and your indexed content are transmitted to third-party AI providers (currently OpenAI) to generate responses. See Section 5 for details.

3.3 Communication

  • Send email verification and password reset links
  • Notify you of important account or service changes
  • Respond to support enquiries

3.4 Service Improvement

  • Analyze usage patterns to improve features (using aggregated, anonymized data)
  • Debug issues and improve system reliability
  • Develop new features based on common use cases

3.5 Legal and Safety

  • Enforce our Terms of Service
  • Detect and prevent abuse, fraud, or security threats
  • Comply with legal obligations and respond to lawful requests

4. Lawful Bases for Processing (GDPR)

Under the UK GDPR and EU GDPR, we are required to have a lawful basis for processing personal data. The subsections below set out the lawful bases we rely on for different processing activities:

4.1 Performance of Contract

We process data where it is necessary to perform our contract with you. This includes:

  • Creating and managing your account
  • Providing access to the dashboard and Service features
  • Crawling, indexing, and storing your website content
  • Generating AI responses using your knowledge base
  • Processing subscription payments and managing billing
  • Providing customer support

4.2 Legitimate Interests

We process data where it is in our legitimate interests to do so, provided those interests are not overridden by your rights. This includes:

  • Security and abuse prevention: Detecting, preventing, and responding to fraud, security incidents, and violations of our Terms of Service
  • Service improvement: Analysing aggregated, anonymised usage data to understand how the Service is used and improve functionality
  • System reliability: Monitoring for errors, debugging issues, and maintaining system performance
  • Communications: Sending important service-related notifications (e.g., changes to the Service, security alerts)
  • Business administration: Maintaining records for accounting, audit, and regulatory purposes

4.3 Legal Obligation

We process data where necessary to comply with legal obligations, including:

  • Retaining billing records for tax and accounting compliance
  • Responding to lawful requests from authorities
  • Complying with applicable regulations

4.4 Consent

In limited circumstances, we rely on your consent. This includes:

  • Marketing communications (if you opt in)
  • Optional analytics or tracking (where we ask for your preference)

Where we rely on consent, you can withdraw it at any time by contacting us or updating your preferences. Withdrawal of consent does not affect the lawfulness of processing before withdrawal.

5. Third-Party Service Providers

We use trusted third-party services to operate the platform. These providers process data on our behalf under contractual obligations to protect your information:

5.1 AI and Machine Learning

  • OpenAI: Provides large language models for generating chat responses and creating text embeddings. Visitor messages and your indexed content are sent to OpenAI's API. OpenAI's data processing is governed by their Privacy Policy and API data usage policies.

5.2 Infrastructure and Databases

  • Supabase: Provides PostgreSQL database hosting, authentication services, and edge functions. Your account data, configurations, and conversation logs are stored in Supabase-managed databases.
  • Qdrant: Vector database service that stores embeddings for semantic search. Your processed content embeddings are stored here.
  • Render / Cloud Hosting: Application hosting and compute infrastructure.

5.3 Payments

  • Stripe: Processes all payment transactions. Stripe directly handles your payment card information. We receive only a customer identifier and subscription status.

5.4 Email

  • Resend: Sends transactional emails including verification links, password resets, and important notifications.

5.5 Analytics (Optional)

  • We may use privacy-focused analytics tools to understand how the service is used. When enabled, these collect anonymized or pseudonymous usage data and do not track individual users across sites.

6. Website Crawling and Content Processing

A core function of our service is indexing your website content to power AI-generated responses. Here's how this works:

6.1 What We Crawl

  • Only the domains and URLs you explicitly configure
  • Publicly accessible pages (we do not bypass authentication or access private areas)
  • We respect robots.txt directives where technically feasible

6.2 How Content is Processed

  • Text is extracted from HTML pages
  • Content is split into chunks for processing
  • Each chunk is converted into a vector embedding using AI models
  • Embeddings are stored in a vector database linked to your account
  • Original text excerpts are retained for display in chat responses

6.3 Your Control

  • Add or remove domains at any time through the dashboard
  • Configure URL exclusion rules to prevent specific pages from being indexed
  • Trigger re-indexing to update content
  • Delete all indexed data by removing domains or closing your account

7. Data Storage and Retention

7.1 Storage Locations

Our primary infrastructure is hosted in data centres in the United States and European Union, managed by our cloud providers (Supabase, Qdrant, Render). Data may be transferred between regions as necessary to provide the service.

7.2 Retention Periods

We retain data for as long as necessary to provide the Service and fulfil the purposes described in this policy, or as required by law. Retention periods vary depending on the type of data and applicable legal or business requirements.

  • Account data: Retained while your account is active and for a reasonable period thereafter for audit and legal purposes.
  • Billing records: Retained as required for tax and accounting compliance.
  • Indexed content: Retained until you delete the domain or close your account, then deleted within a reasonable period.
  • Conversation logs: Retained according to your plan. You can delete specific conversations through the dashboard.
  • Technical logs: Retained for a limited period for debugging and security purposes.

7.3 Backups

We maintain encrypted backups for disaster recovery. Backup data is retained for a limited period and then automatically purged.

8. Security Measures

We implement reasonable security measures appropriate to an AI SaaS platform. However, no system is completely secure, and we cannot guarantee absolute security.

8.1 Technical Measures

  • All data in transit is encrypted using TLS 1.2 or higher
  • Databases use encryption at rest
  • Passwords are hashed using bcrypt with appropriate salt rounds
  • API authentication uses secure tokens
  • Admin access requires authentication and is logged

8.2 Operational Measures

  • Access to production systems is restricted to authorized personnel
  • We use managed services from reputable providers with their own security certifications
  • Regular security updates and patching

8.3 Incident Response

In the event of a data breach affecting your personal data, we will notify you and relevant authorities as required by applicable law.

9. Your Rights

Depending on your location, you may have certain rights regarding your personal data:

9.1 Access

Request a copy of the personal data we hold about you. Much of this is accessible directly through the dashboard.

9.2 Correction

Update or correct inaccurate information. You can edit most account details directly in the dashboard.

9.3 Deletion

Request deletion of your personal data. You can delete specific content (domains, conversations) through the dashboard, or request full account deletion by contacting us. Some data may be retained for legal or billing purposes.

9.4 Data Portability

Request your data in a structured, machine-readable format. Conversation exports and knowledge base exports are available through the dashboard or upon request.

9.5 Restriction and Objection

In certain circumstances, you may request that we restrict or stop processing your data. This may affect your ability to use the service.

9.6 Exercising Your Rights

To exercise these rights, contact us at hello@respondableai.com. We will respond within a reasonable timeframe. We may need to verify your identity before processing requests.

10. Cookies and Tracking

10.1 Essential Cookies

We use essential cookies to maintain your authentication session and protect against cross-site request forgery (CSRF). These are necessary for the dashboard to function and cannot be disabled.

10.2 Local Storage

We use browser local storage to save preferences and improve performance (e.g., caching your client ID to reduce API calls).

10.3 Analytics

If analytics are enabled, we may collect anonymized usage data through cookies or similar technologies. You can typically block these through your browser settings without affecting core functionality.

10.4 Chat Widget

The chat widget uses local storage on your visitors' browsers to maintain conversation state and remember lead capture completion. This data is stored locally in the visitor's browser, not on our servers, until they actively engage with the chat.

11. Information About Your End Users

When visitors interact with your chat widget, we process their data on your behalf. You are the data controller for your end users' data, and we are the data processor.

11.1 Your Responsibilities

  • Ensure your own privacy policy informs visitors about the chatbot and data collection
  • Obtain appropriate consent for lead capture if required in your jurisdiction
  • Respond to data subject requests from your end users

11.2 What We Collect From End Users

  • Messages they type into the chat
  • Lead capture information they voluntarily provide (if enabled)
  • Conversation metadata (timestamps, session identifiers)

11.3 What We Do Not Collect

  • We do not collect IP addresses of chat widget visitors
  • We do not use tracking cookies in the chat widget
  • We do not sell or share end user data with third parties for advertising

12. Children's Privacy

Our Service is not directed at children under 16 years of age. We do not knowingly collect personal information from children. If you become aware that a child has provided us with personal data, please contact us and we will take steps to delete such information.

13. International Data Transfers

Our services are hosted primarily in the United States and European Union. If you access our services from other regions, your data may be transferred to and processed in these locations.

Where we transfer data outside the European Economic Area, we rely on appropriate safeguards such as standard contractual clauses or adequacy decisions where applicable.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. Material changes will be notified via:

  • A prominent notice in the dashboard
  • Email notification to the address on your account

We will provide reasonable notice before material changes take effect. Your continued use of the Service after changes become effective constitutes acceptance of the revised policy.

Each version of this policy has a version identifier. Historical versions are available upon request.

15. Contact Us

For privacy enquiries, data access requests, or complaints:

Respondable AI - Privacy

Email: hello@respondableai.com

We aim to respond to privacy requests within a reasonable timeframe. If you are located in a jurisdiction with a data protection authority, you also have the right to lodge a complaint with that authority.

This document was last updated on 14 December 2024 (Version 2024-12-14-v1).

For the most current version, please visit respondableai.com/privacy.