Your Data and Privacy

What Data We Collect

ResponseIQ collects several categories of data in order to deliver its review management service. We follow the principle of data minimization, meaning we only collect information that is directly required for the platform to function.

• Account information — your name, email address, company name, and hashed password (if not using Google OAuth).
• Google Business Profile data — your connected locations, business names, addresses, and categories as provided by the Google Business Profile API.
• Review data — the full text, star rating, reviewer display name, and timestamp of each review synced from your Google Business Profile.
• AI-generated responses — every response generated by the AI, including drafts, edits, approved versions, and published versions.
• Billing information — your subscription plan and payment status. Credit card details are stored and processed entirely by Stripe and never touch our servers.
• Usage data — login timestamps, feature usage metrics, and quota consumption records used for analytics and billing accuracy.

How Your Data Is Stored

All data is stored in secure, encrypted databases hosted on infrastructure that meets SOC 2 and ISO 27001 standards. We employ multiple layers of protection to ensure your data remains safe.

• Encryption at rest — all database records are encrypted using AES-256 encryption. Even if storage media were physically compromised, the data would be unreadable without the encryption keys.
• Encryption in transit — all communication between your browser and our servers uses TLS 1.2 or higher, ensuring data cannot be intercepted during transmission.
• Password hashing — account passwords are hashed using bcrypt with a high cost factor. We never store passwords in plain text.
• Token security — Google OAuth tokens are encrypted at rest and stored separately from other application data.
• Automated backups — encrypted backups are created daily and retained for 30 days to enable disaster recovery.

Who Has Access to Your Data

Access to customer data is strictly controlled and limited to the people and systems that genuinely need it.

• You and your team — account owners and any team members you invite can access the data associated with your account based on their assigned roles.
• ResponseIQ engineering staff — a small number of senior engineers have access to production databases for the purpose of troubleshooting critical issues. All access is logged and audited.
• ResponseIQ support staff — support agents can view your account metadata (plan, quota, connected locations) to assist with support requests. They cannot view your review content or AI responses unless you explicitly share them in a support ticket.
• Third-party processors — Stripe processes payment data. Google processes review data through their API. No other third parties have access to your data.

Data Isolation Between Accounts

Each ResponseIQ account is fully isolated at the database level. One customer's data is never accessible to another customer, even if they manage overlapping Google Business Profile locations. All API queries are scoped to the authenticated user's account, and our authorization layer enforces strict tenant boundaries on every request.