Legal
Privacy Policy
Effective date: 9 June 2026 · Respondly, the Netherlands
Your rights at a glance. Under GDPR you have the right to access, correct, delete, or export your personal data at any time. To exercise any right, contact us at support@respondly.io. We will respond within 30 days.
1. Who we are
Respondly (“Respondly”, “we”, “us”) is the data controller for personal data processed through the Respondly platform at respondly.io. Respondly is a sole proprietorship (eenmanszaak) registered in the Netherlands and subject to the General Data Protection Regulation (GDPR).
Contact for all privacy matters: support@respondly.io
2. Data we collect
Account data
When you sign up we collect your name, email address, and a hashed password. This data is required to provide the Service. Legal basis: performance of a contract (Art. 6(1)(b) GDPR).
Commitment data
We store the commitments detected from your sent emails, including the original excerpt, the recipient's name and email address, and any deadline mentioned. This data is used to show you your pending follow-ups and generate draft replies. Legal basis: performance of a contract (Art. 6(1)(b) GDPR).
Integration tokens
If you connect Gmail or Google Calendar, we store the OAuth access tokens required to scan your sent emails and send follow-up emails on your behalf. Tokens are stored encrypted and are only used to provide the Service. Legal basis: consent (Art. 6(1)(a) GDPR) — you can revoke at any time from Settings → Connected accounts.
Billing data
Payment details are handled directly by Stripe. We do not store card numbers or bank details. We store your Stripe customer ID to manage your subscription. Legal basis: performance of a contract and legal obligation (Art. 6(1)(b)(c) GDPR).
Usage data
We collect basic usage metrics (scan counts, commitments detected) to operate and improve the Service. We do not use third-party analytics trackers or advertising platforms. Legal basis: legitimate interests (Art. 6(1)(f) GDPR).
Email communications
We send transactional emails (account confirmation, scan results, daily digest) required for the Service to function. We do not send marketing emails without your explicit consent. Legal basis: performance of a contract and consent where applicable (Art. 6(1)(a)(b) GDPR).
3. How we use your data
- To create and manage your account.
- To scan your sent emails and detect commitments you made to others.
- To generate follow-up draft emails and send them on your behalf when you click Send.
- To process payments and manage subscriptions.
- To send you transactional emails (scan results, daily digest) about your pending follow-ups.
- To monitor usage for rate limiting, fraud prevention, and service stability.
- To comply with legal obligations.
We do not sell your personal data. We do not use your conversation data to train AI models. Conversation data is sent to Anthropic's API to generate responses, but Anthropic does not use API requests to train their models by default.
4. Third-party processors
We share data with the following sub-processors, all operating under data processing agreements (DPAs) that comply with GDPR:
| Processor | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, and storage | USA (EU region available) |
| Stripe | Payment processing and subscription management | USA / Ireland |
| Anthropic | AI model inference (Claude API) — processes email content for commitment detection and draft generation | USA |
| Vercel | Platform hosting and edge network | USA / Global |
| Resend | Transactional email delivery | USA |
Several processors are located in the USA. Data transfers to these processors are protected by Standard Contractual Clauses (SCCs) approved by the European Commission, or equivalent safeguards such as the EU-U.S. Data Privacy Framework.
5. Data retention
- Account data: retained for as long as your account is active, and deleted within 30 days of account closure.
- Conversation data: retained for as long as your account is active. You can delete individual conversations from within the Service.
- Agent memory: retained until you delete it from Settings → Memory, or until your account is deleted.
- Billing records: retained for 7 years to comply with Dutch tax and accounting law (Boekhouding, art. 52 AWR).
- Integration tokens: deleted immediately when you disconnect an integration.
6. Your rights under GDPR
As a data subject under GDPR, you have the following rights:
| Right | What it means |
|---|---|
| Access | Request a copy of the personal data we hold about you. |
| Rectification | Ask us to correct inaccurate or incomplete data. |
| Erasure | Request deletion of your personal data (“right to be forgotten”), subject to legal retention requirements. |
| Portability | Receive your data in a structured, machine-readable format. |
| Restriction | Ask us to limit processing of your data in certain circumstances. |
| Objection | Object to processing based on legitimate interests. |
| Withdraw consent | Revoke consent at any time (e.g. disconnect an integration) without affecting the lawfulness of prior processing. |
To exercise any right, email support@respondly.io with the subject line “GDPR request”. We will respond within 30 days. We may ask for identity verification before processing sensitive requests.
You also have the right to lodge a complaint with the Dutch data protection authority: Autoriteit Persoonsgegevens.
7. Cookies
Respondly uses a single, strictly necessary session cookie to keep you logged in. We do not use advertising cookies, tracking pixels, or third-party analytics cookies. No consent banner is required for strictly necessary cookies under GDPR.
8. Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption in transit (TLS/HTTPS) and at rest.
- Row-level security policies ensuring users can only access their own data.
- Minimal data access: API tokens and integration credentials are never exposed to the frontend.
- Agent tokens are never stored client-side.
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Autoriteit Persoonsgegevens within 72 hours and inform affected users without undue delay as required by Art. 33–34 GDPR.
9. Children's data
Respondly is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us at support@respondly.io and we will delete it promptly.
10. Google API Services — Limited Use disclosure
Respondly's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Specifically, data received from Google APIs (Gmail, Google Calendar, Google Sheets, Google Analytics, Google Search Console, YouTube, and Google Ads) is used exclusively to provide or improve user-facing features of the Respondly platform. This data is not used for advertising purposes, is not sold or transferred to third parties for their independent use, and is not used for any purpose unrelated to the features the user explicitly requested.
11. Changes to this policy
We may update this Privacy Policy as the Service evolves or as legal requirements change. When we make material changes, we will notify you by email and update the effective date above. We encourage you to review this policy periodically.
12. Contact
For all privacy and data protection matters, contact us at:
Respondly, owned by [Your Full Name], [Street address], [City], [Postcode], the Netherlands
KVK: [registration number]
support@respondly.io
We will respond to all privacy requests within 30 days.