1. Who We Are
RouteRate (“we”, “us”, “our”) operates the route costing service available at app.routerate.app. RouteRate is the data controller for all personal data collected through this Service.
For the purposes of the EU General Data Protection Regulation (GDPR) and the Irish Data Protection Acts 1988–2018, RouteRate is established in Ireland and subject to the supervisory authority of the Data Protection Commission (DPC).
You can contact us about data protection matters at: privacy@routerate.app
2. Data We Collect
We collect and process the following categories of personal data:
- Account data: First name, last name, company name, and email address — collected when you create an account.
- Authentication data: Hashed passwords or OAuth tokens (Google Sign-In). We never store plain-text passwords.
- Route data: Origin, destination, and any waypoints you enter when calculating routes. These are processed to return routing information and are stored against your account in your saved quotes.
- Fleet profile data: Vehicle type, fuel type, running costs, and driver rates that you enter and save to your fleet profiles.
- Quote data: Saved cost breakdowns, job references, notes, and quote status.
- Usage data: The number of route calculations performed, your subscription plan, and your monthly usage counter.
- Billing data: Subscription plan, billing cycle, and payment status. Card details are processed directly by Stripe and are never stored by RouteRate — see Section 7.
- Technical data: IP address, browser type and version, operating system, referring URL, and access timestamps — collected automatically via server logs.
- Communications: Any emails or messages you send to us for support or enquiries.
We do not collect any special category data (such as health information, racial or ethnic origin, or political opinions) and we do not collect data from children under 18. RouteRate is a business-to-business service intended for adult users in a commercial capacity.
3. Legal Basis for Processing
We rely on the following lawful bases under Article 6 GDPR for each processing activity:
- Contract (Art. 6(1)(b)): Processing your account data, route data, fleet profiles, and usage data is necessary to provide the RouteRate service you have signed up for.
- Legal obligation (Art. 6(1)(c)): Retaining billing records and tax documentation is required under Irish and EU financial regulations.
- Legitimate interests (Art. 6(1)(f)): Processing technical and server log data to maintain security, detect abuse, and diagnose technical issues. Our legitimate interest does not override your rights — you may object to this processing (see Section 11).
- Consent (Art. 6(1)(a)): Where we send optional product updates or non-essential communications, we will obtain your explicit consent and provide an easy mechanism to withdraw it at any time.
4. How We Use Your Data
We use your personal data solely for the following purposes:
- Creating and maintaining your RouteRate account
- Processing route calculation requests and returning results
- Storing and displaying your saved fleet profiles and quote history
- Enforcing monthly usage limits appropriate to your subscription plan
- Processing your subscription payment and managing billing via Stripe
- Sending transactional emails such as account confirmation, password reset, and subscription receipts
- Responding to your support queries and communications
- Detecting and preventing fraud, abuse, and security incidents
- Complying with legal obligations including tax and financial record-keeping
- Improving the Service using aggregated and anonymised usage statistics
We do not sell your personal data to any third party. We do not use your data for advertising, profiling, or automated individual decision-making that has a significant effect on you.
5. Third-Party Services
RouteRate uses the following third-party processors. Each has been assessed as providing adequate data protection and appropriate contractual safeguards (Standard Contractual Clauses or equivalent) where required.
| Provider | Purpose | Data Shared | Location |
| --- | --- | --- | --- |
| Supabase | Database, authentication | Account data, route data, fleet profiles, quotes, usage records | EU West (Ireland) |
| Google Maps Platform | Map display, address autocomplete | Origin/destination text, map viewport coordinates | Google global infrastructure |
| HERE Technologies | Truck routing, toll calculation | Origin/destination coordinates, vehicle dimensions | HERE global infrastructure |
| Stripe | Payment processing | Name, email, billing country, payment card (handled by Stripe directly) | US/EU (Stripe contractual safeguards) |
| Vercel | Application hosting, serverless functions | HTTP request data including IP addresses (edge logs) | Global CDN (primary EU) |
All third-party providers are bound by data processing agreements and are prohibited from using your data for their own commercial purposes beyond the service they provide to us.
6. Google Maps Platform
RouteRate uses the Google Maps JavaScript SDK for map display and address autocomplete only. When you use the address search or view a map in RouteRate, your browser communicates directly with Google’s servers.
Data sent to Google Maps includes:
- The text you type into origin and destination fields (for autocomplete suggestions)
- Map viewport coordinates and zoom level (for map tile rendering)
- Your IP address and browser user-agent (sent automatically by your browser as part of any HTTPS request)
Actual truck route calculation is performed server-side using the HERE Routing API — not Google. The route polyline is decoded and displayed on the Google map but the routing data itself does not pass through Google.
Google Maps Platform usage is governed by Google’s Privacy Policy. As a Google Maps Platform customer, RouteRate operates under Google’s data processing terms for API usage.
7. Stripe Payments
Subscription payments are processed by Stripe, Inc., a PCI-DSS Level 1 certified payment processor. When you subscribe to RouteRate:
- Your payment card details are entered directly into Stripe’s secure hosted fields and are never transmitted to or stored by RouteRate
- Stripe provides RouteRate with a payment token and subscription status only
- RouteRate stores your subscription plan, status, and renewal date in Supabase — no card data
- Stripe may store your name, email address, billing country, and anonymised card details (last 4 digits, expiry) for fraud prevention and regulatory compliance
Stripe’s handling of your data is governed by Stripe’s Privacy Policy. Stripe operates under EU Standard Contractual Clauses for data transfers.
8. Data Storage and Security
Your account and application data is stored on Supabase infrastructure located in the EU West region (Ireland), within the EU/EEA. We implement the following security measures:
- Encryption in transit: All data between your browser and RouteRate is encrypted using TLS 1.2 or higher
- Encryption at rest: Supabase encrypts all stored data at rest using AES-256
- Password security: Passwords are hashed using bcrypt via Supabase Auth and are never stored or transmitted in plain text
- Access control: Row-level security policies in Supabase ensure each user can access only their own data
- API key protection: All third-party API keys (HERE, Google Maps, Stripe) are stored as server-side environment variables and are never exposed to your browser
- Authentication: All API requests require a valid Supabase JWT token, validated server-side before any data is accessed or returned
In the event of a data breach that is likely to result in risk to your rights and freedoms, we will notify the Data Protection Commission within 72 hours and will notify affected users without undue delay, as required by GDPR Articles 33–34.
9. Data Retention
We retain your data for as long as is necessary for the purposes for which it was collected:
- Account data: Retained for the duration of your account. Deleted within 30 days of account deletion.
- Route and quote data: Retained for the duration of your account to support your quote history. Deleted within 30 days of account deletion.
- Fleet profiles: Retained for the duration of your account. Deleted within 30 days of account deletion.
- Usage records: Monthly route counts are reset each billing cycle. Aggregate usage data may be retained in anonymised form for up to 2 years for service improvement.
- Billing records: Transaction records and invoices are retained for 7 years to comply with Irish Revenue and VAT obligations. After this period they are securely deleted.
- Server logs: IP address and access logs are retained for up to 90 days for security monitoring and then deleted.
- Support communications: Emails and support records are retained for 2 years after the last interaction and then deleted.
10. Cookies and Local Storage
RouteRate uses a minimal set of browser storage mechanisms:
- Session cookies (Supabase Auth): A secure, HTTP-only session token is set by Supabase to keep you logged in. This is strictly necessary for the Service to function and does not require consent under the ePrivacy Directive.
- Local storage (user preferences): Your preferred currency, distance unit (km/mi), and UI state are stored in your browser’s local storage. This data remains on your device and is not transmitted to our servers.
- Google Maps cookies: The Google Maps SDK sets cookies on your browser when the map is displayed. These are subject to Google’s Cookie Policy.
We do not use advertising cookies, tracking pixels, or third-party analytics cookies. We do not use any cross-site tracking technology.
11. Your Rights Under GDPR
As a data subject under the GDPR, you have the following rights. You can exercise any of these rights by contacting us at privacy@routerate.app. We will respond within 30 days (this may be extended to 60 days for complex requests, with notice).
Right of Access
Request a copy of all personal data we hold about you (a “Subject Access Request”).
Right to Rectification
Request correction of any inaccurate or incomplete personal data we hold.
Right to Erasure
Request deletion of your personal data (“right to be forgotten”) — see Section 12 for full details.
Right to Data Portability
Request your data in a structured, machine-readable format (JSON or CSV) to transfer to another service.
Right to Object
Object to processing based on our legitimate interests. We will cease unless we can demonstrate compelling legitimate grounds.
Right to Restrict Processing
Request that we limit how we process your data while a dispute or complaint is being resolved.
We will not charge a fee for exercising your rights unless the request is manifestly unfounded or excessive. We may request proof of identity before processing a request.
12. Right to Deletion
You have the right to request deletion of your RouteRate account and all associated personal data at any time. This is sometimes called the “right to be forgotten” under GDPR Article 17.
How to request account deletion:
Email privacy@routerate.app from the email address associated with your account and include “Account Deletion Request” in the subject line. We will process your request within 30 days and confirm when deletion is complete.
Upon receiving a valid deletion request, we will:
- Delete your account, fleet profiles, route data, saved quotes, and preferences from Supabase within 30 days
- Revoke and invalidate all active sessions and authentication tokens
- Request deletion of your data from Stripe (subscription and billing data) — subject to Stripe’s own retention obligations for fraud prevention
- Retain server logs and billing records required for legal compliance for their applicable retention periods (90 days and 7 years respectively) and then securely delete them
Anonymised and aggregated data that cannot identify you is not subject to erasure and may be retained for service improvement purposes.
13. International Data Transfers
Your primary account and route data is stored within the EU/EEA (Supabase EU West, Ireland). Some data may be transferred outside the EEA in the following circumstances:
- Google Maps Platform: Address autocomplete and map tile requests are routed through Google’s global infrastructure. Google operates under Standard Contractual Clauses (SCCs) for EU data transfers.
- HERE Technologies: Routing requests are processed on HERE’s global infrastructure. HERE operates under SCCs for EU data transfers.
- Stripe: Payment processing involves Stripe’s US and EU infrastructure. Stripe operates under SCCs and participates in the EU–US Data Privacy Framework.
- Vercel: Serverless function logs may pass through Vercel’s global edge network. Vercel operates under SCCs for EU data transfers.
Where data is transferred outside the EEA, we ensure appropriate safeguards are in place in accordance with GDPR Chapter V.
14. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the effective date at the top of this page
- Notify registered users by email at least 14 days before the changes take effect
- Where required by law, seek your consent before applying changes to existing processing
Your continued use of RouteRate after the effective date of an updated policy constitutes acceptance of the changes, subject to any legal rights you retain under GDPR.
15. Contact and Complaints
For any privacy-related queries, Subject Access Requests, or to exercise your rights, contact us at:
privacy@routerate.app
If you are not satisfied with our response or believe we are processing your data in breach of GDPR, you have the right to lodge a complaint with the Irish supervisory authority:
Data Protection Commission
21 Fitzwilliam Square South, Dublin 2, D02 RD28
www.dataprotection.ie
Tel: +353 (0)761 104 800
You also have the right to lodge a complaint with the supervisory authority in your country of residence if different from Ireland.