Privacy Policy
Draft. To be reviewed by counsel before Phase 2 (per design spec §10).
What we collect
- Account: email address, optional name and avatar.
- Trip data: trip names, dates, places, lodging, transit, stops.
- Collaboration: members, comments, mentions, notifications.
- Operational: server logs (anonymized IPs, request paths) for 30 days.
Lawful basis
Performance of contract (delivering the service you signed up for) and consent (for optional digest emails).
Subprocessors
- Supabase (Postgres + Auth, EU region) — DPA in place
- Vercel (hosting, EU region) — DPA in place
- Plausible Analytics (EU) — cookie-less, no consent required
Your rights
You have the right of access, rectification, erasure, portability, restriction, and objection. Use the Account page to export or delete your data, or email privacy@routebook.app.
Pending invites
If you've been invited but haven't accepted, your email will be auto-purged 30 days after the invite was sent.
Data retention
Data is retained for the lifetime of your account. Deleted accounts are processed per GDPR Right to Erasure; shared trips you own enter a 7-day freeze before final deletion if no editor claims ownership.
Contact
Privacy: privacy@routebook.app
Legal / DSA: legal@routebook.app