Privacy Policy

Last updated: May 20, 2026 · Version 2026-05-20

1. Introduction

Road511, owned and operated by Roman Kotenko ("we", "us", "our"), respects your privacy. This Privacy Policy explains how we collect, use, store, and protect your information when you use the Road511 API, website, developer portal, and related services (the "Service").

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

• Email address
• Name
• Company name (optional)
• Password (stored as a bcrypt hash; we never store plaintext passwords)

2.2 API Usage Data

When you use the API, we automatically collect:

• API key identifier (hashed; we do not store your full API key)
• Request endpoints and timestamps
• Daily request counts per endpoint
• IP address (for rate limiting; not stored long-term)

2.3 Payment Information

Payment processing is handled entirely by Paddle.com, our merchant of record. We do not collect, store, or have access to your credit card number, bank account details, or other payment instruments. Paddle may share with us:

• Paddle customer ID and subscription ID
• Subscription status and plan information
• Transaction history (amounts and dates)

2.4 Website Analytics

We may use basic server-side analytics (access logs) to understand traffic patterns. We do not use third-party tracking cookies or advertising pixels.

2.5 Routing Inputs and Auto-Saved Routes

If your plan includes the truck-routing endpoint and you submit a routing request, we store the inputs and computed result in the saved_routes table associated with your account so the route can be re-fetched within its 30-minute auto-save window. The stored record includes:

• Origin and destination coordinates
• Optional waypoint coordinates
• The frozen truck profile (dimensions, weight, axle count, hazmat class) that was active when the request was made
• The serialized route geometry and enrichment overlay produced by Road511
• Timestamps for creation, last fetch, and TTL expiry

Retention. Auto-saved routes are deleted automatically 30 minutes after creation. If you choose to explicitly persist a route to your account (via the "save" action in the developer portal or the corresponding API flag), the record is retained for as long as the route remains in your account, or until you delete it, or until you close your account (see Section 6).

We do not associate routing inputs with personally identifying inputs beyond your account identifier. We do not infer driver identity, vehicle license plate, cargo, or shipping itinerary from routing requests.

2.6 Marketing and Newsletter Emails

When you create an account, an unticked checkbox lets you optionally subscribe to our newsletter — product news, updates, offers, and tips. You can also subscribe or unsubscribe at any time from the developer portal Settings page.

• What we store: your email address, name, your newsletter-subscription state, and the timestamp of your opt-in or opt-out.
• Consent-based: we send the newsletter only if you actively subscribe. The checkbox is unticked by default and we never add you without an affirmative action on your part.
• Unsubscribe anytime: from the Settings page in the developer portal or via the unsubscribe link in any newsletter. Unsubscribing takes effect immediately. It does not affect transactional emails (account verification, billing notices, security alerts), which are essential to the Service and are not marketing.

3. How We Use Your Information

We use your information to:

• Provide and maintain the Service
• Authenticate your API requests
• Enforce rate limits and quotas per your subscription plan
• Process billing and manage subscriptions (via Paddle)
• Send transactional emails (account verification, password reset, billing notices)
• Monitor and improve Service reliability and performance
• Respond to support requests
• Detect and prevent abuse or unauthorized access

4. What We Do NOT Do

• We do not sell your personal information to third parties
• We do not share your data with advertisers
• We do not use tracking cookies or third-party analytics scripts
• We do not profile you for marketing purposes
• We do not store your full API keys (only SHA-256 hashes)

5. Data Sharing and Sub-processors

We share your information only with the following sub-processors, each of which has its own security and privacy controls:

• Paddle.com Market Limited (Ireland / United Kingdom) — Merchant of Record for the Road511 service; handles checkout, billing, invoicing, sales-tax / VAT / GST collection and remittance, and payment-dispute resolution on the customer's behalf. Receives: name, email, company, billing country, card data (stored exclusively by Paddle, never by us), and may hold a tokenized card fingerprint, billing country, and (where the customer supplies one) a tax ID. Paddle, not Road511, is responsible for calculating, collecting, and remitting transaction taxes. Paddle's privacy policy: paddle.com/legal/privacy.
• Zoho Corporation (SMTP / Zoho Mail) — transactional email delivery (verification, password reset, trial reminders, billing notices). Receives: email address and message content. Zoho's privacy policy: zoho.com/privacy.html.
• Cloud infrastructure provider — hosts the application servers and PostgreSQL database. Data is processed under a standard data-processing agreement.
• Cloudflare, Inc. (United States) — provides Cloudflare Turnstile CAPTCHA on the signup, login, and password-reset forms, and edge protection on selected hostnames. Turnstile collects a browser/device fingerprint and behavioural signals from the visitor and shares them with Cloudflare for anti-abuse and bot-detection purposes; we receive only a pass/fail verdict. Cloudflare's privacy policy: cloudflare.com/privacypolicy.
• HERE Technologies (HERE Global B.V., Netherlands) — upstream routing provider used by the truck-routing endpoint. When you submit a routing request, we forward to HERE only: origin coordinates, destination coordinates, optional waypoint coordinates, and the truck profile (dimensions, weight, axle count, hazmat class). We do not forward your email, name, company, API key, account identifier, or any other personally identifying account attribute. HERE acts as a data processor on our behalf for this computation under Article 28 GDPR and the equivalent CCPA/CPRA service-provider concept. HERE's privacy notice: legal.here.com/privacy. Note: the Road511 API deliberately does not name HERE in routing response bodies or response headers, in order to preserve our ability to swap routing providers without breaking integrations; however, GDPR transparency obligations require that we identify HERE here, and this Privacy Policy is the controlling disclosure.
• Law enforcement — if required by a binding legal process (court order, subpoena). We publish no transparency report at this time.

We do not share your data with any other third parties. We do not use analytics, advertising, or retargeting vendors.

If you are located in the EEA or United Kingdom, you can reach us at [email protected] to request details of sub-processor transfers and the legal mechanism governing each one (typically Standard Contractual Clauses).

6. Data Retention

• Account data: Retained while your account is active. You can request deletion at any time.
• API usage logs: Aggregated daily usage statistics are retained for up to 12 months. Individual request logs are not stored.
• Application logs: Error and warning logs are automatically pruned after 7 days.
• Auto-saved routing records: Origin, destination, waypoints, frozen truck profile, and computed route in the saved_routes table are deleted automatically 30 minutes after creation. Records you have explicitly persisted are retained until you delete them or close your account.
• Deleted accounts: Account data is permanently deleted within 30 days of a deletion request.

7. Data Security

We implement appropriate technical measures to protect your data:

• All API and website traffic is encrypted via HTTPS/TLS
• Passwords are hashed with bcrypt
• API keys are stored as SHA-256 hashes (the full key is shown only once at creation)
• Database access is restricted and authenticated
• Webhook payloads are signed with HMAC-SHA256

8. Your Rights

You have the right to:

• Access: Request a copy of the personal data we hold about you
• Correction: Update or correct inaccurate information via the developer portal
• Deletion: Request deletion of your account and associated data
• Export: Request an export of your usage data
• Objection: Object to processing of your data for specific purposes

To exercise these rights, contact us at [email protected].

9. Children's Privacy

The Service is not intended for use by individuals under the age of 16. We do not knowingly collect personal information from children.

10. International Data

The Service is operated from servers located in North America. By using the Service, you consent to the transfer and processing of your data in this jurisdiction.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or a notice on the website. The "Last updated" date at the top reflects the most recent revision.

12. Contact

For privacy-related questions or requests, contact us at [email protected].