Privacy Policy
Last updated: April 12, 2026
1. Introduction and Data Controller Identity
Respondo (“we”, “us”, or “our”) operates the platform available at respondo.app and provides communication automation infrastructure to service businesses, including salons, spas, and clinics, primarily across Spain and the European Union.
We are committed to protecting the personal data of all individuals who interact with our platform. This Privacy Policy explains what data we collect, why we collect it, the legal basis for processing, how long we retain it, and the rights you have under the General Data Protection Regulation (GDPR) (EU) 2016/679.
Data Controller: Héctor Moyano Vélez (autónomo), NIF 52006446L, Spain (VAT ES52006446L). Trading as “Respondo”. For all data protection enquiries, please contact us at privacy@hectormoyanovelez.com.
Dual Role as Controller and Processor
Respondo operates in two distinct capacities depending on the nature of the data:
- Data Controller — for data we collect directly from our business customers (the service businesses that subscribe to Respondo), including account information, billing data, and platform usage data.
- Data Processor — for data that our business customers input about their own end-clients (such as appointment history, contact details, and clinical notes). In this capacity, our customers are the Data Controllers and Respondo processes data strictly on their documented instructions via our Data Processing Agreement (DPA).
2. Data We Collect
We collect personal data in the following categories, depending on your relationship with Respondo:
2.1 Account Data (Business Customers)
When a service business registers for Respondo, we collect the information necessary to create and manage their account:
- Full name and professional role
- Business name and address
- Business email address and phone number
- Subscription plan and billing preferences
- Account credentials (managed securely via Clerk; we do not store passwords)
2.2 Client Data (End-Clients of Our Customers)
Our business customers input data about their own clients into the Respondo platform. As a processor, we store and process this data on their behalf. This may include:
- Full name, email address, and phone number
- Appointment history and booking preferences
- Communication history (SMS and voice interactions)
- Internal notes and tags added by the business customer
The business customer is solely responsible for ensuring they have a lawful basis to collect and process their end-clients' personal data and for providing appropriate privacy notices to those individuals.
2.3 Clinical Notes and Health Data
Respondo offers an optional clinical notes feature for use by health and wellness businesses (e.g., clinics, physiotherapy practices, spas offering therapeutic services). When this feature is enabled by a business customer, the platform may store data that constitutes special category data under GDPR Article 9, including health-related information.
This feature is disabled by default and must be explicitly activated by the business customer. Business customers who enable this feature must obtain explicit consent from their end-clients before recording any health-related data in Respondo. See Section 4 for further details.
2.4 Communication Data
When our platform sends or receives communications on behalf of business customers, we process:
- SMS message content and metadata (timestamps, delivery status) via Twilio
- Voice call logs and recordings (where applicable and permitted)
- AI-generated summaries of communications (when AI features are enabled)
2.5 Payment Data
All payment processing is handled by Stripe, a PCI-DSS Level 1 certified payment processor. Respondo does not store full card numbers, CVV codes, or other sensitive cardholder data. We retain only:
- Stripe Customer ID and Subscription ID (for account management)
- Subscription plan, billing cycle, and payment status
- Invoice references (required for tax compliance under Spanish law)
2.6 Usage and Technical Data
We automatically collect certain technical data when you use the Respondo platform to ensure its security and improve its functionality:
- IP addresses and approximate geolocation (country/region level)
- Browser type, operating system, and device identifiers
- Pages visited, features used, and actions taken within the platform
- Session duration and access timestamps
- Error logs and performance metrics
2.7 Cookies and Similar Technologies
We use cookies and similar technologies for authentication and analytics purposes. See Section 10 for full details on our cookie use.
3. Legal Basis for Processing (GDPR Article 6)
We rely on the following legal bases to process personal data:
- Contract performance (Art. 6(1)(b)) — Processing account data, billing data, and platform configuration is necessary to provide the Respondo service to our business customers under our Terms of Service.
- Legitimate interests (Art. 6(1)(f)) — We process usage data, technical logs, and analytics data to maintain platform security, detect fraud, improve our service, and send relevant product communications. We have assessed that our legitimate interests do not override the rights and freedoms of the data subjects concerned.
- Legal obligation (Art. 6(1)(c)) — We retain payment records and invoices for seven years to comply with Spanish tax and accounting obligations.
- Consent (Art. 6(1)(a)) — Where we deploy non-essential cookies or analytics tools, we rely on freely given, specific, informed, and unambiguous consent obtained through our cookie consent mechanism. Consent can be withdrawn at any time without detriment.
For data processed as a processor on behalf of our business customers (end-client data), the relevant legal basis is determined by the business customer as the Data Controller.
4. Special Category Data (GDPR Article 9)
Clinical notes and other health-related information recorded in our platform constitute special category data under GDPR Article 9. Processing this category of data requires an explicit legal basis beyond those listed in Article 6.
Respondo's position as processor: We process health data strictly on documented instructions from the business customer (the Data Controller). We do not use this data for any purpose other than providing the requested service.
Business customer obligations: Any business customer that enables the clinical notes feature must:
- Obtain explicit, documented consent from each end-client before recording health data (Art. 9(2)(a)), or identify another applicable Art. 9(2) basis (e.g., provision of healthcare under Art. 9(2)(h));
- Provide a clear privacy notice to end-clients explaining how their health data will be used, stored, and for how long;
- Ensure an appropriate Data Processing Agreement (DPA) is in place with Respondo before enabling this feature.
Business customers who fail to comply with these requirements do so in breach of our Terms of Service and applicable GDPR obligations.
5. How We Use Data
We use the personal data we collect for the following purposes:
- Service provision: Creating and managing accounts, processing subscriptions, enabling communication automation features, and delivering the core functionality of the Respondo platform.
- Communication automation: Sending SMS messages, handling call forwarding, and managing appointment reminders and follow-ups on behalf of our business customers.
- AI-powered features: Generating appointment summaries, suggesting follow-up actions, and transcribing voice interactions using integrated AI services (Anthropic and OpenAI). AI outputs are generated on behalf of the business customer and are not used to train AI models without explicit agreement.
- Billing and subscription management: Processing payments, issuing invoices, managing subscription upgrades and downgrades, and enforcing usage limits.
- Customer support: Responding to queries, troubleshooting issues, and improving the onboarding experience.
- Security and fraud prevention: Monitoring for unauthorized access, detecting abuse, and maintaining audit logs.
- Product improvement: Analysing aggregated and anonymised usage patterns to improve platform performance, reliability, and features.
- Legal and compliance: Meeting our obligations under applicable law, including tax reporting, responding to lawful requests from competent authorities, and enforcing our Terms of Service.
6. Data Sharing and Sub-processors
We do not sell personal data. We share data only with trusted sub-processors that are necessary to deliver our service, and only to the extent required. All sub-processors are bound by contractual obligations consistent with GDPR requirements.
Our current sub-processors are:
- Clerk — User authentication and session management. Located in the United Kingdom. Certified SOC 2 Type II. Processes account credentials and user session data.
- Supabase — Database hosting and storage. Infrastructure located in the EU (Dublin, Ireland). Certified SOC 2 Type II and GDPR compliant. Processes all platform data stored in our database.
- Stripe — Payment processing and subscription management. Located in the United States (with EU operations). PCI-DSS Level 1 certified and SOC 2 Type II. Processes payment card data and billing information.
- Twilio — SMS and voice communications infrastructure. Located in the United States (with EU data residency options). Certified SOC 2 Type II and ISO 27001. Processes SMS content and call metadata.
- Anthropic — AI language model processing (Claude) for appointment summaries, follow-up suggestions and clinical assistant chat. Located in the United States. Certified SOC 2 Type II. A Data Processing Addendum was accepted on 22 April 2026 (DPA effective 24 February 2025). Anthropic does not use customer data to train its AI models. Only processes content when AI features are enabled for your profile — you can turn them off any time in Settings → Privacy & Data.
- OpenAI — Audio transcription for clinical voice notes (Whisper API). Located in the United States. Certified SOC 2 Type II. A Data Processing Addendum was signed on 22 April 2026 (DPA v.010126). OpenAI does not train on API customer data; audio submitted to the API is retained for up to 30 days under OpenAI's default retention policy before deletion. Only processes audio when the voice transcription feature is used with AI features enabled.
- Sentry — Error tracking and performance monitoring. Data region: EU (de.sentry.io). Certified SOC 2 Type II and ISO 27001. Personal data in session replays is masked by default (all text and inputs are masked; media is blocked).
- PostHog — Product analytics. Data region: EU (eu.i.posthog.com). Certified SOC 2 Type II. Only receives anonymised usage events after the user opts in via the cookie banner; no clinical data is sent.
- Vercel — Application hosting and edge network. Headquartered in the United States with EU edge nodes. Certified SOC 2 Type II. Processes HTTP request data necessary to serve the application.
A full and up-to-date list of sub-processors is maintained at /legal/sub-processors. We will notify business customers of any material changes to our sub-processor list with at least 30 days' notice, providing the opportunity to object.
We may also disclose personal data to competent public authorities (such as law enforcement or tax authorities) when required to do so by law, court order, or other legally binding obligation. We will notify affected customers of such disclosures where legally permitted to do so.
7. International Data Transfers
Some of our sub-processors — specifically Stripe, Twilio, Anthropic, OpenAI, and Vercel — are based in the United States. Transfers of personal data from the European Economic Area (EEA) to the United States are subject to the requirements of GDPR Chapter V.
We ensure that all such transfers are governed by appropriate safeguards, specifically Standard Contractual Clauses (SCCs) as adopted by the European Commission under GDPR Article 46(2)(c). These clauses impose binding data protection obligations on the recipients of the data and grant enforceable rights to data subjects.
Where applicable, transfers are additionally covered by the EU-U.S. Data Privacy Framework (DPF), where sub-processors have obtained DPF certification.
You may request a copy of the applicable transfer mechanisms by contacting us at privacy@hectormoyanovelez.com.
8. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Our retention periods are as follows:
- Account data: Retained for the duration of the active subscription and deleted within 30 days of account closure, unless a longer retention period is required by law.
- Communication logs (SMS, call metadata): Retained for 12 months from the date of the communication, then permanently deleted.
- Clinical notes and health data: Retained for the period configured by the business customer (Data Controller), subject to a default maximum of 5 years unless otherwise specified. Upon account closure, this data is deleted within 30 days unless the business customer requests earlier deletion or a legally required longer retention applies.
- Payment records and invoices: Retained for 7 years from the date of the transaction to comply with Spanish tax law (Ley 58/2003, General Tributaria) and accounting obligations.
- Usage and technical logs: Retained for 90 days for security and debugging purposes, then permanently deleted.
- Anonymised and aggregated analytics data: May be retained indefinitely as it cannot reasonably be used to identify individuals.
When retention periods expire, data is securely deleted or anonymised in accordance with our internal data retention policy.
9. Your Rights Under GDPR (Articles 15–22)
If you are an individual whose personal data we process as a Data Controller (including business customers and their authorised users), you have the following rights under GDPR:
- Right of access (Art. 15): You have the right to obtain confirmation of whether we process your personal data and to receive a copy of that data, along with information about how it is processed.
- Right to rectification (Art. 16): You have the right to request correction of inaccurate or incomplete personal data without undue delay.
- Right to erasure (Art. 17): You have the right to request deletion of your personal data where it is no longer necessary for the purpose for which it was collected, where consent is withdrawn, or where processing is unlawful.
- Right to restriction of processing (Art. 18): You have the right to request that we restrict processing of your data in certain circumstances, for example while the accuracy of data is contested.
- Right to data portability (Art. 20): Where processing is based on consent or contract and is carried out by automated means, you have the right to receive your data in a structured, commonly used, machine-readable format and to transmit it to another controller.
- Right to object (Art. 21): You have the right to object to processing based on our legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
- Right to withdraw consent (Art. 7(3)): Where processing is based on consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
- Right to lodge a complaint: You have the right to lodge a complaint with the competent supervisory authority. In Spain, this is the Agencia Española de Protección de Datos (AEPD), C/ Jorge Juan, 6, 28001 Madrid. Website: www.aepd.es.
To exercise any of these rights, please contact us at privacy@hectormoyanovelez.com. We will respond to all verified requests within 30 days, which may be extended by a further two months in cases of complexity or high volume. We will not charge a fee for exercising your rights unless requests are manifestly unfounded or excessive.
Note for end-clients of Respondo customers: If your personal data was entered into Respondo by a business (e.g., your salon, clinic, or spa), that business is the Data Controller for your data. Please direct your rights requests to them directly. Respondo will assist our business customers in responding to such requests in accordance with our DPA.
9b. Your rights under the California Consumer Privacy Act (CCPA/CPRA)
If you are a California resident, you have the following additional rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, "CCPA"):
- Right to know what categories of personal information we collect, the sources of that information, the purposes for which it is collected and with whom it is shared.
- Right to delete personal information we hold about you, subject to limited statutory exceptions.
- Right to correct inaccurate personal information.
- Right to opt out of sale or sharing of personal information for cross-context behavioural advertising.
- Right to limit the use and disclosure of sensitive personal information.
- Right to non-discrimination for exercising any of these rights.
We do not sell personal information. We do not share personal information for cross-context behavioural advertising. We do not knowingly collect or sell personal information of minors under 16.
Notice at collection. We collect the personal information described in Section 2 for the business purposes set out in Section 5. We retain personal information for the periods described in Section 8. California residents may exercise their CCPA rights by emailing privacy@hectormoyanovelez.com. You may also designate an authorised agent to submit requests on your behalf.
HIPAA and U.S. healthcare practices. Respondo is not currently offered to healthcare practices subject to the U.S. Health Insurance Portability and Accountability Act ("HIPAA"). We do not hold Business Associate Agreements with the sub-processors listed above. Registrations from U.S. healthcare practices that identify themselves as such at signup are blocked automatically. See our Terms of Service for the related customer representation.
10. Cookies and Similar Technologies
We use cookies and similar technologies to operate the Respondo platform. Cookies are small text files stored on your device by your browser.
Essential Cookies
These cookies are strictly necessary for the platform to function and cannot be disabled. They include:
- Authentication cookies (provided by Clerk): maintain your login session and protect your account against unauthorized access.
- Security cookies: CSRF protection tokens and session integrity markers.
Essential cookies do not require your consent as they are technically necessary for the service to function.
Analytics Cookies
With your consent, we may use analytics cookies to understand how the platform is used in aggregate, identify areas for improvement, and measure the effectiveness of new features. These cookies do not track you across other websites. You can withdraw consent at any time through the cookie preference centre accessible from the footer of the platform.
11. Children's Privacy
The Respondo platform is designed for use by adult service businesses and their professional staff. Our service is not intended for individuals under the age of 16, and we do not knowingly collect personal data from children.
If you are a business customer who becomes aware that an individual under the age of 16 has provided personal data through your use of Respondo, please contact us at privacy@hectormoyanovelez.com and we will take steps to delete such data promptly.
12. Security Measures
We implement appropriate technical and organisational measures to protect personal data against unauthorized access, accidental loss, alteration, or disclosure. Our key security controls include:
- Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.3 or higher.
- Encryption at rest: All data stored in our database is encrypted at rest using AES-256.
- Multi-tenant isolation: Our database enforces Row Level Security (RLS) policies that cryptographically prevent any business customer from accessing another customer's data.
- Access controls: Access to production systems is restricted to authorised personnel on a need-to-know basis, and protected by multi-factor authentication.
- SOC 2 compliant infrastructure: All our sub-processors maintain SOC 2 Type II certification or equivalent, ensuring your data is held to industry-recognized security standards.
- Regular security reviews: We conduct periodic internal security audits and address identified vulnerabilities in accordance with our vulnerability management policy.
- Incident response: In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the AEPD within 72 hours of becoming aware of the breach, and will notify affected individuals without undue delay where required by GDPR Article 34.
Despite these measures, no system is completely immune from security threats. We encourage business customers to use strong, unique passwords, enable multi-factor authentication, and report any suspicious activity to privacy@hectormoyanovelez.com.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, our services, or applicable legal requirements.
For material changes — those that significantly affect your rights or how we process your data — we will provide at least 30 days' advance notice via email to the registered contact address of our business customers, or via a prominent notice within the Respondo platform. The updated date at the top of this page will always reflect when the policy was last revised.
For non-material changes (such as clarifications, corrections of typographical errors, or updates to contact details), we will update this page without prior notice. We encourage you to review this policy periodically.
Your continued use of the Respondo platform after the effective date of a revised policy constitutes your acceptance of the updated terms, to the extent permitted by applicable law.
14. Contact and Data Protection
If you have any questions, concerns, or requests regarding this Privacy Policy or the way we handle your personal data, please contact us:
- Email: privacy@hectormoyanovelez.com
- Platform: respondo.app
- Jurisdiction: Spain, European Union
We aim to respond to all privacy-related enquiries within 5 business days.
Supervisory Authority
Our lead supervisory authority under GDPR is the Agencia Española de Protección de Datos (AEPD):
- Address: C/ Jorge Juan, 6, 28001 Madrid, Spain
- Website: www.aepd.es
- Telephone: +34 912 663 517
You have the right to lodge a complaint with the AEPD at any time if you believe we have not handled your personal data in accordance with GDPR. We would, however, appreciate the opportunity to address your concerns directly before you approach the supervisory authority.