Legal Document

Privacy Policy

How we collect, use, store, and share personal data when you use the Responso website and application — including Google user data accessed via Google APIs.

Last updated: 29 April 2026

We are committed to protecting your privacy and want you to feel comfortable while using our services. This document presents the most important information on the principles regarding the processing of your personal data and the cookies used by our Website and the Responso application. This information has been prepared in compliance with the GDPR — the General Data Protection Regulation.

Section 01Personal Data Controller

The personal data controller is HelpRatchet spółka z ograniczoną odpowiedzialnością, with its registered seat in Gdańsk, at Aleja Grunwaldzka 472, 80-309, entered into the National Court Register — register of entrepreneurs kept by the Regional Court for Gdańsk.

KRS: 0000919366
NIP: 5833435693
REGON: 389833253
Email: kontakt@responso.com

To contact our Data Protection Officer, please send an email to kontakt@responso.com.

Section 02Your Rights

You have the right to:

access your personal data, including obtaining a copy of your data (Article 15 GDPR or, if applicable, Article 13(1)(f) GDPR),
correct your data (Article 16 GDPR),
delete your data (Article 17 GDPR),
limit data processing (Article 18 GDPR),
transfer data to another administrator (Article 20 GDPR).

You also have the right to object to the processing of your data at any time:

for reasons related to your particular situation — regarding the processing of your personal data in accordance with Article 6(1)(f) GDPR (i.e. based on our legally justified interests), including profiling (Article 21(1) GDPR);
if personal data are processed for direct marketing purposes, including profiling, within the scope related to such direct marketing (Article 21(2) GDPR).

Please contact us if you want to exercise your rights. Your objection to our use of cookies can be expressed, in particular, through the appropriate browser settings. If you believe that your data are processed unlawfully, you can submit a complaint to the President of the Personal Data Protection Office.

Section 03Personal Data and Privacy

We process your data for the purposes related to the functioning of the Website and the application and the provision of the services we offer. Detailed information on the processing of your data is set out below.

1. Using free-of-charge services

Purpose: performance of the contract for the provision of services within the Website.
Legal basis: contract for the provision of services (Article 6(1)(b) GDPR).
Retention: for the duration of the contract, plus the period during which redress is possible.
If not provided: you will not be able to use our services.

2. Using paid services

Purpose: performance of the contract for the provision of services within the Website.
Legal basis: contract for the provision of services (Article 6(1)(b) GDPR); legal obligation regarding accounting (Article 6(1)(c) GDPR).
Retention: for the duration of the contract; until accounting-related legal obligations cease to apply; plus the redress period.
If not provided: you will not be able to use our services.

3. Contacting us

Purpose: processing of your inquiries or submissions.
Legal basis: contract or actions taken at your request to conclude it (Article 6(1)(b) GDPR), or our legitimate interest in communicating with you (Article 6(1)(f) GDPR).
Retention: for the duration of the contract, or until expiry of the redress period, or until we accept your objection to processing.
If not provided: we will not be able to respond to your inquiry.

4. Browser settings allowing analytical activities

Purpose: analysis of how you use and navigate the Website, to adapt it to user needs and behaviour.
Legal basis: our legitimate interest (Article 6(1)(f) GDPR).
Retention: until the cookie validity expires or until you delete the analytical cookies.

5. Browser settings allowing marketing activities

Purpose: direct marketing through personalized advertisements.
Legal basis: our legitimate interest (Article 6(1)(f) GDPR).
Retention: until the cookie validity expires or until you delete the marketing cookies.
If not provided: you will not receive product or service suggestions tailored to your interests.

6. Establishment, exercise, or defence of legal claims

Purpose: establishment, exercise, or defence of legal claims related to a concluded contract or services provided.
Legal basis: our legitimate interest (Article 6(1)(f) GDPR).
Retention: until the statute of limitation on claims expires, or until we accept your objection to processing.
If not provided: no possibility to establish, exercise, or defend legal claims.

Section 04Google User Data

This section describes how the Responso application accesses, uses, stores, and shares user data obtained from Google APIs. This section applies only to users who connect a Google account (for example, a Gmail mailbox) to Responso.

Scopes requested and data accessed

When you connect a Google account to Responso, we request only the OAuth scopes strictly necessary to provide the customer-service features you have signed up for. The scopes we may request include:

https://www.googleapis.com/auth/gmail.readonly — to read incoming customer emails so they can be displayed and organised as conversations inside Responso.
https://www.googleapis.com/auth/gmail.send — to send replies to customer emails on your behalf from your connected mailbox.
https://www.googleapis.com/auth/gmail.modify — to apply labels, mark messages as read, archive, or move them between folders, reflecting the actions you take inside Responso.
https://www.googleapis.com/auth/userinfo.email and profile — to identify the connected Google account and display the connected user's name and email address inside Responso.

From these scopes we access and store: email message content (subject, body, attachments), message headers (sender, recipients, date), thread identifiers, labels, and the email address and display name of the connected Google account.

How we use Google user data

We use Google user data exclusively to provide the customer-service features of the Responso application — specifically:

to import and display customer emails as conversations inside Responso,
to allow your support agents to respond to those customer emails from within Responso,
to keep the state of conversations (read/unread, labels, assignments) synchronized between Responso and your Google mailbox,
to provide search, filtering, and reporting on your customer-service activity.

We do not use Google user data for any other purpose.

How we share Google user data

We do not sell Google user data. We do not share Google user data with third parties for advertising, marketing, or any purpose unrelated to operating the Responso service. Google user data is shared only with the following sub-processors, strictly to the extent necessary to operate the service:

Hosting and infrastructure providers — Amazon Web Services (AWS) and OVHcloud, used to host the Responso application and its databases.
Email-delivery infrastructure providers — used to deliver outgoing emails sent through Responso when applicable.

We may also disclose Google user data when required by law (for example, in response to a valid legal request from a competent authority) or as part of a merger, acquisition, or sale of assets, in which case affected users will be notified and any successor will be bound by the same obligations.

Data retention and deletion

Google user data is retained for the duration of your active Responso subscription.
If you disconnect your Google account from Responso, the associated Google user data is deleted from our active systems within 30 days.
If your Responso account is closed, all data associated with it — including Google user data — is deleted within 30 days, except where a longer retention period is required by law (for example, for accounting purposes).
You can revoke Responso's access to your Google account at any time at myaccount.google.com/permissions.
You can request immediate deletion of your data by contacting kontakt@responso.com.

Security of Google user data

All data is encrypted in transit using TLS 1.2 or higher.
Data at rest is encrypted using AES-256.
Access to Google user data is restricted to authorized personnel on a need-to-know basis and is logged and audited.
OAuth refresh tokens are stored encrypted and are never exposed to other users of the platform.
We follow industry-standard practices for vulnerability management, including regular security reviews and timely application of security patches.

Limited Use compliance

Responso's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

In particular, Responso commits to the following:

We do not use Google user data to serve advertisements of any kind, including retargeted, personalized, or interest-based advertisements.
We do not sell Google user data, and we do not transfer Google user data to data brokers or information resellers.
We do not use Google user data to train or improve generalized or general-purpose artificial intelligence or machine learning models.
We do not use Google user data to determine credit-worthiness or for lending purposes.
We do not allow humans to read Google user data unless: (a) we have your explicit consent for specific messages, (b) it is necessary for security purposes such as investigating abuse, (c) it is necessary to comply with applicable law, or (d) the data is aggregated and anonymized and used for internal operations such as capacity planning, in accordance with applicable privacy laws.

Section 05Profiling

Within the Website, we conduct profiling activities — this takes place if you allow such activities (for example, by adjusting your browser settings appropriately). This profiling is the automatic assessment of which products or services you may be interested in, using information about the content you display. As a result, advertisements for products or services displayed as part of the online services you use will be more tailored to you. The conducted profiling does not result in decisions that have legal effects on you or similar significant impact.

Section 06Analytical Activities

Within the Website, we conduct analytical activities aimed at increasing its intuitiveness and accessibility — this takes place if you allow such activities. As part of these analyses, we take into account how you navigate the Website, for example how much time you spend on a given subpage, or which places of the Website you click on. This allows us to customize the layout, appearance, and content of the Website to the needs of users.

Section 07Data Safety

While processing your personal data, we use organisational and technical measures which comply with the relevant provisions of law, including encrypting communications using SSL/TLS certificates.

Section 08Cookies

This Website, like most internet websites, uses cookies. These cookies are stored in the memory of your device (computer, mobile phone, etc.) and do not introduce any changes in the settings of your device. On this Website, cookies are used for the purposes of remembering your session, collecting statistical data, marketing, and making the functions of the Website available.

To learn how to manage cookies and disable them in your browser, you can use your browser's help files. Below you will find information about the cookies we process and their period of validity:

Cookie	Validity	Purpose
__utma	24 months	Google Analytics — distinguishes between users and sessions for tracking visitor behaviour and measuring website performance.
__utmb	30 minutes	Google Analytics — specifies new sessions and visits.
__utmc	Session	Google Analytics — interoperability with older versions of the GA code; deleted on browser close.
__utmt	10 minutes	Google Analytics — used to limit data collection on high-traffic websites.
__utmz	6 months	Google Analytics — identifies the source of website traffic.
_ga	24 months	Google Universal Analytics — distinguishes unique users by assigning a randomly generated identifier.
_gid	24 hours	Google Universal Analytics — distinguishes users.
_gcl_au	3 months	Google Ads — collects conversion data to measure how often users who clicked an ad take action on our website.
fr	3 months	Facebook — used to display, measure effectiveness, and improve the relevance of ads.
_fbp	3 months	Facebook — identifies browsers for advertising and site-analytics purposes.
datr	2 years	Facebook — site security and integrity, account recovery, identification of compromised accounts.
sb	2 years	Facebook — browser identification for login and authentication purposes.

By using the appropriate options of your browser, you can at any time delete cookies or block the use of cookies in the future. In these cases, we will no longer process them.

Section 09External Services and Data Recipients

We use the services of external entities which support us in running our business. We entrust them with the processing of your data — these entities process data only on our documented instructions.

Activity	Recipients	Transfer outside EU
Every action related to the Website	Hosting providers; entities cooperating on the basis of civil agreements supporting our business activity	No
Use of the Website with analytical settings enabled	Entities providing statistics on the Website	Yes (United States)
Use of the Website with marketing settings enabled	Entities providing marketing on the Website	Yes (United States)

In addition, data may be made available to competent public authorities to the extent required by law.

Section 10International Data Transfers

For the reasons indicated above, your personal data may also be processed by entities outside the European Union. An adequate level of protection of data processing — including the use of appropriate security measures — is ensured by the application of the standard data protection clauses adopted by the European Commission referred to in Article 46(2)(c) GDPR.

Responso's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Section 11Security Policy

Data transmission encryption

Communication between the user and the Responso website is performed using a secure, encrypted SSL/TLS protocol.

Technical service

Service activities are performed immediately if any malfunction of the server or network infrastructure is detected.

Backups

All data entered into the system is backed up twice a day.

System updates

In the event of changes in external systems with which Responso is integrated (for example the Allegro.pl marketplace), the application is adjusted to the current requirements of these services in an immediate manner so as to ensure continuous and correct operation of the system with as few interruptions as possible.

Server security

The servers used by the Responso system are located in a data center monitored 24 hours a day, 7 days a week. Only authorized administrators are allowed to operate the servers. The server room is protected against fires and unauthorized access, and has a power supply independent of city power.

User accounts

Each user's account is protected by a login and password. The password is stored in an encrypted form (hash) — if you lose your password, you can only set a new password. It is not possible to recover a password based on its encoded form.

Network data security

Because all data is stored on our servers, customers do not have to worry about theft or failure of their computer. In such cases, their data will be available immediately from another computer.

Section 12Contact

If you have any questions about this Privacy Policy, your personal data, or the way Responso handles Google user data, please contact us at kontakt@responso.com.

HelpRatchet sp. z o.o.
Aleja Grunwaldzka 472
80-309 Gdańsk, Poland

↑ Back to top