RightResponse AI, Inc. — Privacy Policy

Effective Date: August 1, 2025

This Privacy Policy (“Policy”) explains how RightResponse AI, Inc. (“RightResponse,” “RRAI,” “we,” “us,” or “our”) collects, uses, and discloses personal information in connection with our marketing websites and pages that link to this Policy (the “Website”) and our software‑as‑a‑service application, including related in‑app interfaces, APIs, and support (the “Platform” and, together with the Website, the “Services”).

BY ACCESSING AND/OR USING THE SERVICES, YOU (A) ACKNOWLEDGE THAT YOU HAVE READ AND UNDERSTAND THIS POLICY; AND (B) AGREE THAT YOUR USE OF THE SERVICES IS SUBJECT TO THIS POLICY. IF YOU DO NOT AGREE, DO NOT USE THE SERVICES.

A. RRAI provides the Services described above, which help customers manage online reputation and local visibility.
B. This Policy describes our roles, data practices, choices, and rights. If your organization has a Subscription Agreement and a Data Processing Addendum (“DPA”) with us, those documents govern how we process personal information on your organization’s behalf in the Platform (processor/service‑provider role). If there is a conflict about data protection for Platform processing on a Customer’s behalf, the DPA controls.

NOW, THEREFORE, the following terms apply:

1. Overview

1.1 Structure.

This Policy applies to the Services. For clarity: (i) Website activities are generally controller/business context; (ii) most Platform processing is performed as a processor/service provider to our business customers (“Customers”) under a DPA; and (iii) RightResponse also acts as a controller for limited Platform‑related information it handles for its own purposes (e.g., account owner/admin contacts, billing, security/usage logs, product analytics described below).

1.2 Contractual Context; Order of Precedence.

Your organization’s Subscription Agreement and DPA (if any) govern Platform processing we perform for the Customer and take precedence over this Policy for such processing. This Policy works alongside those terms.

2. Roles and How This Policy Applies

  • Website (controller/business). We act as a controller/business for personal information we collect via the Website (e.g., contact forms, demos, marketing analytics, cookies, ads).
  • Platform (mixed):
    • Processor/service provider to Customers for most Customer Data processed in the Platform. In this context, submit your privacy requests to the Customer; we will assist them under the DPA and applicable law.
    • Controller for limited information we handle for our own purposes (e.g., admin/account owner contact data, billing contacts, security/usage logs needed to run the Platform, and product analytics as described in §5.2).

3. Information We Collect

3.1 From or About Users and Accounts.

  • Identifiers & profile: name, business name, email address, role/permissions, workspace/account IDs.
  • Credentials & auth metadata: hashed passwords, tokens/keys you supply for integrations, session identifiers.
  • Usage, device & diagnostics: IP address, device/browser data, event/telemetry logs, timestamps, feature‑usage and credit‑usage metrics, and security/audit logs.
  • Support & communications: tickets, in‑app messages, operational notices.
  • Messaging metadata (if you enable messaging features): sender/recipient identifiers, timestamps, delivery/open/bounce events for email/SMS executed via the Platform.

3.2 Customer‑Submitted/Business Data (Platform).

Content and data a Customer or its users input or sync into the Platform (e.g., review requests/responses, ratings text, public review‑platform data surfaced via integrations, and Customer‑defined fields the Customer chooses to upload/map).

3.3 Website Interactions.

Contact form submissions, demo/meeting requests, newsletter sign‑ups, and related communications; cookies and similar technologies that capture device/usage information (pages viewed, referrers, time on page, interactions, approximate location from IP, etc.) (see §5).

3.4 Prohibited/Sensitive Data We Do Not Seek.

Unless we agree in a signed addendum (and, if applicable, a BAA), the Platform is not intended to process: protected health information (PHI), GDPR special categories, children’s data subject to COPPA, government IDs, bank/financial account numbers with access credentials, full payment card data, precise geolocation, or other sensitive categories designated out of scope. We may delete or restrict such data if detected.

4. Sources of Information

  • Directly from you or your organization (account creation, feature use, support, Website forms).
  • Automatically via the Services (security/usage logs, telemetry, cookies, pixels—see §5).
  • From integrations you connect (e.g., review platforms, messaging providers) as instructed by the Customer.

5. Cookies, Analytics, Advertising, and Session Replay

5.1 Website.

We use:

  • Essential technologies for security, network management, and basic functionality.
  • Analytics to understand Website usage and improve content and performance.
  • Advertising/measurement partners to show more relevant Website ads and measure campaigns. This may be considered “sharing” (and in some cases a “sale” under California law) of identifiers and internet/activity information for cross‑context behavioral advertising. See Your Privacy Choices (§10.1).

5.2 Platform (App).

We use necessary technologies for session management and security and may use service‑provider analytics—including session‑replay/usability tools—to understand feature use and improve stability and user experience. These tools are configured not to record sensitive inputs (e.g., passwords or payment fields) and are not used for advertising. Access is limited to personnel with a need to know, and recordings/analytics data are kept for a limited period consistent with our retention schedules. No ad tech in the Platform. We do not engage in cross‑context behavioral advertising in the Platform.

5.3 Signals and Preferences.

  • Do Not Track (DNT): No industry standard; we do not respond to DNT.
  • Opt‑Out Preference Signals (e.g., Global Privacy Control, “GPC”): On the Website, recognized and honored as a request to opt out of sale/sharing for that browser/device. See §10.1.
  • App consent controls: Because the Platform does not “sell” or “share” personal information or use ad tech, an opt‑out link (e.g., “Your Privacy Choices”) is not required in‑app.

6. How We Use Information

  • Provide, operate, and support the Services; authenticate users; route/deliver in‑app communications; provide customer support; comply with legal obligations.
  • Maintain safety and integrity, including monitoring for abuse, security incidents, and service quality.
  • Improve and develop the Services, including diagnostics, analytics, quality, and performance; train/tune models operated by or for RightResponse’s use (not third‑party foundation models) using Aggregated/De‑Identified Data.
  • Communicate operational notices; send product updates or marketing to admin/owner contacts (opt‑out available at any time).
  • Automated decision‑making: We do not use automated decision‑making that produces legal or similarly significant effects about you.

7. How We Disclose Information

We may disclose personal information:

  • To service providers/subprocessors that host, secure, deliver, analyze, support, or otherwise operate the Services under written obligations no less protective than this Policy and the DPA.
  • At your or the Customer’s direction (e.g., third‑party integrations you connect).
  • For legal and safety purposes, to comply with law or valid process, enforce terms, or protect rights and security.
  • In a corporate transaction, such as a merger, acquisition, or asset sale (information may transfer as part of the transaction).
  • We do not authorize service providers to use Platform personal information for advertising.

8. Model Training; Aggregated/De‑Identified Data

We do not use Customer Personal Data to train third‑party foundation models. We may use Aggregated/De‑Identified Data to improve safety, quality, and performance, including to train or fine‑tune models operated by or for RightResponse’s use only (not to improve models made available to others). We take reasonable measures to prevent re‑identification, will not attempt to re‑identify, and contractually require subprocessors to do the same.

9. Sensitive Information

Within the Services we may process account login credentials and security/audit data as necessary to operate and protect the Services. We do not use or disclose sensitive personal information for purposes beyond those permitted by applicable law (e.g., CPRA).

10. Your Choices and Privacy Rights

10.1 “Your Privacy Choices” (Website Only).

On the Website, you can opt out of sale/sharing and targeted (cross‑context behavioral) advertising:

  • By using our “Your Privacy Choices” link (which opens our consent preferences manager and includes “Do Not Sell or Share My Personal Information” controls);
  • By adjusting preferences in our cookie consent banner; and
  • By enabling a compliant Opt‑Out Preference Signal (e.g., GPC) in your browser—recognized and honored as described in §5.3.
  • If you have an account and are signed in when you opt out via “Your Privacy Choices,” we use commercially reasonable efforts to extend your preference across your account (in addition to honoring recognized signals on individual browsers/devices). We may request limited information to verify and persist your opt‑out. We do not require you to create an account to exercise opt‑out rights.
  • Platform: The Platform does not “sell” or “share” personal information and does not use ad tech; therefore, these opt‑out controls are not required in‑app.

10.2 How to Exercise Legal Rights.

Your rights depend on your role and location:

  • Platform, processor context. If you use the Platform under a Customer account, submit requests (access, deletion, correction, portability, objections) to the Customer. We will support them under the DPA and applicable law.
  • Controller contexts (Website and limited Platform data). You may have rights under laws such as the CCPA/CPRA, GDPR/UK GDPR, and PIPEDA, including to know/access, correct, delete, object/restrict certain processing, and data portability. To exercise these rights, contact compliance@rightresponseai.com. We will verify your identity and respond as required by law.
  • California: We do not sell or share the personal information of consumers under 16.
  • EEA/UK: Where we rely on legitimate interests (e.g., Website analytics; Platform product analytics/session replay in controller context), you may object at any time; we will assess and comply where required.
  • Marketing: You can opt out of marketing emails via the message footer or by contacting us.

11. California Notice at Collection & CPRA Categories (Past 12 Months)

Categories collected (Website and/or Platform, as applicable) and typical disclosures:

  • Identifiers (e.g., name, business name, email, IP address, cookie/ad IDs) — Collected: Yes — Recipients: Service providers; Website advertising/analytics partners (sharing)
  • Customer Records (Cal. Civ. Code §1798.80(e)) (contact and billing/admin info) — Collected: Yes — Recipients: Service providers
  • Commercial Information (records of products/services purchased or considered) — Collected: Yes — Recipients: Service providers
  • Internet/Network Activity (page views, events, referrers, device/browser, approximate location from IP) — Collected: Yes — Recipients: Service providers; Website advertising/analytics partners (sharing)
  • Geolocation (coarse) (city/region inferred from IP) — Collected: Yes — Recipients: Service providers; Website advertising/analytics partners (sharing)
  • Professional/Employment Info (role/title when provided) — Collected: Yes — Recipients: Service providers
  • Sensitive PI (account login credentials/auth metadata; support communications contents you send to us) — Collected: Yes (limited) — Recipients: Service providers (security/support); not used beyond permitted purposes

Purposes for collection/use:

  • Sale/Sharing: We do not sell for money. On the Website, we may share limited identifiers and internet/activity data with advertising/measurement partners for cross‑context behavioral advertising (and treat similar disclosures as “sale” where the law defines it that way). Use Your Privacy Choices to opt out (§10.1). We do not sell/share PI in the Platform.
  • We do not use or disclose Sensitive PI beyond purposes permitted by CPRA (e.g., security, authentication, preventing fraud).

12. Security

We implement commercially reasonable administrative, technical, and physical safeguards aligned with industry practices (e.g., encryption in transit, access controls, logging/audit, secure SDLC, vulnerability management, incident response). No method of transmission or storage is 100% secure; we cannot guarantee absolute security.

13. Retention

We retain personal information as long as necessary to provide the Services and meet legal/operational requirements (e.g., security, billing, fraud prevention, litigation hold), or as otherwise permitted by law. We may retain Aggregated/De‑Identified Data for analytics and service improvement. Copies in routine backups are deleted in the ordinary course per rotation schedules.

14. Children

The Services are not intended for individuals under 18. We do not knowingly collect personal information from children.

15. International Transfers

We may process and store information in the United States and other jurisdictions where we or our service providers operate. For Customer data subject to GDPR/UK GDPR/Swiss FADP, transfers are supported by appropriate safeguards (e.g., Standard Contractual Clauses and applicable addenda) as described in the DPA.

16. Third‑Party Services & Integrations

The Services may link to third‑party sites and services. If a Customer connects third‑party integrations (e.g., review platforms, email/SMS providers), those providers’ terms and privacy policies govern their handling of data. We are not responsible for third‑party practices.

17. Changes to This Policy

We may update this Policy from time to time. If changes are material, we will provide notice (e.g., in‑app notice or email to account admins/owners, or a banner on the Website). Your continued use of the Services after the effective date means you accept the updated Policy.

18. Contact Us

RightResponse AI, Inc. (controller for Website and controller‑context data; processor/service provider for Platform Customer data)
Email: compliance@rightresponseai.com

Address:
RightResponse AI, Inc.
9428 Baymeadows Ave, Ste 502
Jacksonville, FL 32256

gswetlitz@rightresponseai.com

For Platform data we process on behalf of a Customer, please contact the Customer directly to exercise privacy rights; we will assist them under the DPA and applicable law.

19. Definitions

  • Aggregated/De‑Identified Data means data related to the provision or use of the Services that has been aggregated (including by combining with similar data from other customers) and/or de‑identified so it does not identify a Customer or an individual.
  • Application Monitoring Data means technical and operational data about use of the Platform (e.g., logs, usage metrics, device/browser and performance data) collected for operation, maintenance, support, security, capacity planning, and billing.
  • Controller / Processor / Service Provider have the meanings given by applicable law (e.g., GDPR/UK GDPR; CCPA/CPRA).
  • Customer means the business entity that has a Subscription Agreement (and, if applicable, a DPA) with RRAI for use of the Platform.
  • Customer Data means data, content, and materials that a Customer or its Authorized Users submit to or process through the Platform (including “Personal Data”/“Personal Information” as defined by law), but excluding Application Monitoring Data and Aggregated/De‑Identified Data.
  • Customer Personal Data means Customer Data that is personal data/personal information under applicable law.
  • DPA means the RightResponse AI, Inc. — Data Processing Addendum (Public Standard), including any SCCs/UK Addendum, available at https://www.rightresponseai.com/legal/dpa.
  • Opt‑Out Preference Signal means a signal meeting applicable specifications (e.g., Global Privacy Control) indicating a user’s choice to opt out of sale/sharing for cross‑context behavioral advertising.
  • Personal Data / Personal Information have the meanings given by applicable law.
  • Platform means RRAI’s software‑as‑a‑service application, including related in‑app interfaces, APIs, and support.
  • Sell / Share / Cross‑Context Behavioral Advertising have the meanings given by the CCPA/CPRA and its regulations.
  • Services means the Website and the Platform together.
  • Subprocessor means a processor engaged by RRAI to process Customer Personal Data on behalf of a Customer.
  • Website means RRAI marketing websites and pages that link to this Policy.