Privacy Policy

Summary of Key Points

This summary provides key points from our Privacy Policy, but you can find more details about any of these topics by reading the full policy below.

  • What personal information do we process? We collect information you provide directly (name, email, company details), information collected automatically (usage data, IP addresses), and information contained in documents you upload to our platform.

  • How do we use your information? We process your information to provide our ResponseHub services, automate security questionnaire responses using AI, provide customer support, and send service updates.

  • AI Processing: We use AI services (AWS Bedrock and Mistral) to analyze your documents and generate questionnaire responses. Your data is never used to train these AI models.

  • Will your information be shared? We only share information with our authorized service providers as listed in our Data Processing Agreement, or when required by law.

  • How long do we keep your information? We retain your data for as long as you have an account with us, plus the retention periods specified in our Data Processing Agreement.

  • How can you exercise your rights? You can access, correct, or delete your personal information through your account settings or by contacting us at hello@responsehub.ai.

Table of Contents

  1. Introduction
  2. Information We Collect
  3. How We Use Your Information
  4. Legal Basis for Processing
  5. AI and Automated Processing
  6. Information Sharing and Disclosure
  7. Data Security
  8. Data Retention
  9. International Data Transfers
  10. Your Privacy Rights
  11. California Privacy Rights
  12. Account Management
  13. Communications and Marketing
  14. Cookies and Tracking Technologies
  15. Children’s Privacy
  16. Changes to This Policy
  17. Contact Information
  18. Glossary

1. Introduction

This Privacy Policy explains how Coin-Op Technologies Ltd (“ResponseHub,” “we,” “us,” or “our”) collects, uses, and protects your personal information when you use our website at https://responsehub.ai and our platform at https://app.responsehub.ai (collectively, the “Services”).

Data Controller and Processor Roles:

  • We act as a Data Controller for your account-level information (such as your name, email, billing details, and account settings)
  • We act as a Data Processor for the content and data you upload to our platform (such as security policies, questionnaires, and company documentation) on behalf of your organization

Data Controller Details: Coin-Op Technologies Ltd, Company Number 15845409, registered at 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom.

Data Protection Officer: We have not appointed a Data Protection Officer as we are not legally required to do so under GDPR. For any data protection queries, please contact us at hello@responsehub.ai.

Relationship with Other Documents: This Privacy Policy should be read alongside our:

Where specific details about data processing are covered in our DPA, we reference that document to avoid duplication.

2. Information We Collect

2.1 Information You Provide

Account Information:

  • Name and email address
  • Company name and details
  • Job title and department
  • Account credentials

Service Data:

  • Security policies and documents you upload
  • Questionnaire responses and templates
  • Company security information within questionnaires
  • Notes and annotations you add

Payment Information:

  • Billing contact details
  • Payment method information (processed by Stripe)
  • Invoice history

2.2 Information Collected Automatically

Technical Data:

  • IP address and device information
  • Browser type and version
  • Operating system
  • Time zone settings

Usage Data:

  • Features used within the platform
  • Interaction patterns
  • Performance metrics
  • Error logs and diagnostics

2.3 Information from Third Parties

We may receive limited information from:

  • Publicly available sources (e.g., Companies House)
  • Payment processors (transaction confirmations)
  • Integration partners (when you connect third-party services)

Important Note: We do not process special categories of personal data as defined under GDPR (such as data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sex life or sexual orientation). As stated in our Terms of Service, customers are prohibited from uploading Special Category Personal Data to our platform.

3. How We Use Your Information

We use your information for the following purposes:

3.1 Service Provision

  • Creating and managing your account
  • Providing the ResponseHub platform functionality
  • Processing and responding to security questionnaires
  • Storing and organizing your security documentation

3.2 Service Improvement

  • Analyzing usage patterns to improve our services
  • Developing new features
  • Troubleshooting and debugging

3.3 Communication

  • Sending service-related notifications
  • Responding to support requests
  • Providing product updates
  • Sending marketing communications (with your consent)
  • Complying with legal obligations
  • Protecting against fraud and abuse
  • Enforcing our terms of service

For detailed information about the legal bases for each processing activity, please refer to Section 3 of our Data Processing Agreement.

4. Legal Basis for Processing

We process your personal data under the following legal bases:

Contract Performance: To provide our Services and fulfill our contractual obligations to you.

Legitimate Interests: For business operations, service improvement, and security, where our interests don’t override your privacy rights.

Consent: For marketing communications and optional features.

Legal Obligation: To comply with applicable laws and regulations.

For a detailed breakdown of legal bases for specific processing activities, please refer to our Data Processing Agreement.

5. AI and Automated Processing

5.1 How We Use AI

We use artificial intelligence services to enhance the ResponseHub platform:

AWS Bedrock: We use AWS Bedrock to analyze your security documents and automatically generate responses to security questionnaires based on your uploaded policies and documentation.

Mistral AI: We use Mistral’s vision and document processing capabilities to extract and understand information from uploaded documents, including PDFs and images.

5.2 Your Data and AI Training

Zero Training Commitment: Your data is never used to train, improve, or fine-tune AI models. We have contractual agreements with our AI service providers (AWS and Mistral) ensuring your data is processed on a zero-training basis.

5.3 AI Processing Details

When you use our AI-powered features:

  • Your documents are temporarily processed by the AI service to generate responses
  • The AI analyzes your existing security documentation to provide accurate answers
  • Processing occurs in real-time and data is not retained by the AI providers beyond the immediate processing need
  • All AI processing is subject to the same security measures as the rest of our platform

5.4 Automated Decision-Making

No Significant Automated Decisions: ResponseHub does not make automated decisions that have legal or similarly significant effects on you. Our platform is designed as an assistance tool that:

  • Generates draft responses for human review
  • Provides suggestions based on your documentation
  • Requires human oversight and approval before any responses are finalized

Product Limitations: Our Services are not intended to be used for making decisions with significant effects solely based on automated processing. All AI-generated content should be reviewed by a human before being used for any consequential decisions or submissions.

5.5 Human Oversight

While AI helps automate responses, we recommend and expect human review of all AI-generated content before submission to ensure accuracy and completeness.

6. Information Sharing and Disclosure

6.1 Service Providers

We share your information with authorized subprocessors who assist in providing our Services. Our current subprocessors are listed in Section 5.1 of our Data Processing Agreement and include:

  • Cloud infrastructure providers
  • Payment processors
  • AI service providers
  • Application monitoring services

We may disclose your information when required by law, including:

  • In response to valid legal requests from public authorities
  • To comply with court orders or legal proceedings
  • To protect our rights, property, or safety

6.3 Business Transfers

In the event of a merger, acquisition, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you of any such change in ownership or control.

We may share your information for other purposes with your explicit consent.

We do not sell, rent, or trade your personal information to third parties for their marketing purposes.

7. Data Security

We implement appropriate technical and organizational measures to protect your personal data. These measures are detailed in Section 6 of our Data Processing Agreement and include:

  • Encryption of data in transit and at rest
  • Regular security assessments and updates
  • Access controls and authentication mechanisms
  • Incident response procedures
  • Regular backups and disaster recovery procedures

7.1 Data Breach Notification

In the event of a personal data breach, we will notify affected users without undue delay and in any event within 72 hours of becoming aware of the breach, as required by GDPR and detailed in Section 7 of our Data Processing Agreement.

For full details of our security measures and incident response procedures, please refer to our Data Processing Agreement.

8. Data Retention

We retain your personal data for as long as necessary to fulfill the purposes outlined in this Privacy Policy. Specific retention periods are detailed in Section 10 of our Data Processing Agreement:

  • Active Account Data: Retained for the duration of your subscription
  • Post-Termination: Primary data deleted within 60 days after account termination
  • Backups: May be retained for up to 90 days as part of our backup rotation
  • Data Export: You have 30 days after termination to request data export

9. International Data Transfers

Your data may be transferred and processed in countries other than your country of residence. Details about international transfers, including locations and safeguards, are provided in Section 9 of our Data Processing Agreement.

Primary Data Location: Our primary data storage is in the Netherlands (DigitalOcean AMS3 region).

Safeguards: We ensure appropriate safeguards are in place for any international transfers, including UK International Data Transfer Agreements and EU Standard Contractual Clauses where applicable.

10. Your Privacy Rights

10.1 Your Rights

Depending on your location, you may have the following rights:

  • Access: Request a copy of your personal data
  • Rectification: Correct inaccurate personal data
  • Erasure: Request deletion of your personal data
  • Restriction: Limit processing of your personal data
  • Portability: Receive your data in a portable format
  • Objection: Object to certain processing activities
  • Withdraw Consent: Withdraw consent where processing is based on consent

10.2 Exercising Your Rights

To exercise any of these rights, please contact us at hello@responsehub.ai. We will respond to your request within the timeframes required by applicable law.

10.3 Complaints

You have the right to lodge a complaint with your local data protection authority. In the UK, this is the Information Commissioner’s Office (ICO) at ico.org.uk.

11. California Privacy Rights

If you are a California resident, you have specific rights under California privacy laws, including the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).

11.1 Your California Rights

California residents have the right to:

  • Know what personal information we collect, use, disclose, and sell
  • Request deletion of personal information
  • Opt-out of the sale of personal information (we do not sell personal information)
  • Non-discrimination for exercising privacy rights
  • Correct inaccurate personal information
  • Limit use and disclosure of sensitive personal information

11.2 Exercising Your California Rights

To exercise these rights, California residents can:

For more details about our compliance with California privacy laws, please refer to Section 14 of our Data Processing Agreement.

12. Account Management

12.1 Accessing Your Information

You can access and update most of your personal information directly through your account settings in the ResponseHub platform.

12.2 Account Deletion

You can request deletion of your account by contacting support@responsehub.ai. Please note:

  • We will delete your account and associated data in accordance with our retention policy
  • Some information may be retained as required by law or for legitimate business purposes
  • You have 30 days to export your data before deletion

12.3 Data Portability

You can export your data at any time through the platform or by contacting us. We provide data in commonly used, machine-readable formats including:

  • CSV (Comma-Separated Values) for tabular data
  • JSON (JavaScript Object Notation) for structured data
  • PDF for documents and reports
  • Original file formats for uploaded documents

13. Communications and Marketing

13.1 Service Communications

We will send you service-related emails that are necessary for the operation of your account. These include:

  • Account notifications
  • Security alerts
  • Important updates to our terms or services
  • Payment confirmations

You cannot opt out of these essential service communications while maintaining an active account.

13.2 Product Updates

We send product update emails to keep you informed about new features, improvements, and platform changes. These are considered part of our service delivery.

13.3 Marketing Communications

We may send you marketing communications about our products, services, and promotions if you have opted in to receive them. You can:

  • Opt in or out of marketing emails through your account settings
  • Unsubscribe using the link in any marketing email
  • Contact us at hello@responsehub.ai to update your preferences

We will never share your information with third parties for their marketing purposes.

14. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to collect and use personal information about you. For detailed information about:

  • The types of cookies we use
  • The purposes for which we use them
  • How to manage your cookie preferences

Please see our Cookie Policy at https://responsehub.ai/legal/cookies

15. Children’s Privacy

Our Services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18. If you become aware that a child has provided us with personal information, please contact us at hello@responsehub.ai.

16. Changes to This Policy

We may update this Privacy Policy from time to time. When we make changes:

  • We will update the “Last Updated” date at the top of this policy
  • For material changes, we will notify you by email or through a notice on our platform
  • Your continued use of our Services after changes become effective constitutes acceptance of the updated policy

17. Contact Information

For questions about this Privacy Policy or our privacy practices, please contact us:

General Inquiries: hello@responsehub.ai
Support: support@responsehub.ai

Postal Address:
Coin-Op Technologies Ltd
71-75 Shelton Street
Covent Garden
London, WC2H 9JQ
United Kingdom

18. Glossary

Data Controller: The entity that determines the purposes and means of processing personal data.

Data Processor: The entity that processes personal data on behalf of the Data Controller.

Data Processing Agreement (DPA): A separate agreement that governs the processing of personal data when we act as a data processor on behalf of our customers.

GDPR: General Data Protection Regulation - EU and UK data protection law.

CCPA/CPRA: California Consumer Privacy Act and California Privacy Rights Act - California state privacy laws.

Personal Data: Any information relating to an identified or identifiable natural person.

Processing: Any operation performed on personal data, including collection, storage, use, and deletion.

Special Categories of Personal Data: Sensitive personal data including racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sex life or sexual orientation.

Subprocessor: A third party engaged by us to process personal data on behalf of our customers.


Version: 1.0
Last Updated: 26 August 2025
Effective Date: 26 August 2025