Privacy Policy — Application

This policy covers the Routebase application at app.routebase.dev and workspaces under *.routebase.dev. For the marketing website at routebase.dev, see the website privacy policy.

1. Controller

Routebase GmbH, Wegedornstraße 253Q, 12524 Berlin, Germany
E-Mail: hello@routebase.dev

For content your team stores in its workspace (API specifications, tests, mock configurations, documentation), your organization is the controller and we process that content on your organization's behalf as a processor.

2. Account and authentication

When you sign up, we process your e-mail address, name, and authentication data. Authentication is operated by Auth0 (Okta, Inc.) as our processor; login requests pass through auth.routebase.dev. Transfers to Okta are covered by appropriate safeguards (EU standard contractual clauses). Legal basis: Art. 6 (1) (b) GDPR (performance of contract).

3. Workspace data and data residency

You choose EU or US data residency when creating your organization, and your workspace data stays in that region. Both regions run on Microsoft Azure; Microsoft acts as our processor. Legal basis: Art. 6 (1) (b) GDPR.

4. AI features

AI features are enabled per organization and can be switched off at any time. When enabled, prompts are sent to the configured AI provider — Anthropic or Microsoft Azure, pinned to your workspace region — or to your own provider key (BYOK). Personal data is redacted from prompts before they leave your workspace; prompts are never stored in plaintext (we keep only a hash for caching). Every AI call is recorded in an audit log available to your organization. Legal basis: Art. 6 (1) (b) and (f) GDPR.

5. Billing

Paid subscriptions are processed by Stripe as our payment processor. Stripe receives the data required to process payments (name, e-mail, payment details, billing address); full card details are never stored on our systems. Legal basis: Art. 6 (1) (b) GDPR and legal retention obligations under Art. 6 (1) (c) GDPR.

6. Transactional e-mail

We send transactional e-mails (sign-up, team invitations, alerts) via Microsoft Azure. Legal basis: Art. 6 (1) (b) GDPR.

7. Logs and telemetry

The application records technical logs and telemetry (request metadata, error traces, performance metrics) to operate and secure the service. Application telemetry is retained for 90 days, access logs for 30 days, after which they are deleted automatically. Legal basis: Art. 6 (1) (f) GDPR — our legitimate interest in operating and securing the service.

8. Cookies and local storage

The application stores only what is strictly necessary to sign you in and operate the app (authentication session data and offline caches in your browser's local storage). It contains no marketing or third-party tracking.

9. The desktop app

The Routebase desktop app (macOS, Windows) stores your workspace cache locally on your device; that data stays under your control and is removed by uninstalling the app. The app periodically checks our release server for updates; the check transmits your app version and platform (and, technically, your IP address) and is required to keep the app secure and current. Legal basis: Art. 6 (1) (f) GDPR.

10. Security

We protect personal data with appropriate technical and organizational measures pursuant to Art. 32 GDPR. These include encryption in transit (TLS) and at rest, role-based access controls following the principle of least privilege, isolation of each organization's workspace data, audit logging of administrative and AI operations, and regular review of our security measures. No method of transmission or storage is completely secure, but we maintain measures appropriate to the risk.

11. International transfers

The EU and US regions both run on Microsoft Azure, and your workspace data stays in the region you choose at sign-up. If you select the US region, or use AI features routed to a provider in the United States (see section 4), personal data is transferred to the United States. Such transfers are safeguarded by an adequacy decision (the EU–US Data Privacy Framework, where the recipient is certified) or by EU standard contractual clauses (SCC). You can request a copy of the relevant safeguards using the contact details above.

12. Automated decision-making

We do not use automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you within the meaning of Art. 22 GDPR. AI features process content at your instruction and do not make automated decisions about individuals.

13. Retention and deletion

Account and workspace data is deleted when your organization is deleted. Residual copies contained in our backups are removed within our backup cycle, at the latest within twelve months. Billing and accounting records are retained for the statutory retention periods under German tax and commercial law (§ 147 AO, § 257 HGB, § 14b UStG), currently up to ten years.

14. Your rights

Under the GDPR you have the right to access, rectification, erasure, restriction of processing, data portability, and objection. You also have the right to lodge a complaint with a supervisory authority — for us, the Berlin Commissioner for Data Protection and Freedom of Information (Berliner Beauftragte für Datenschutz und Informationsfreiheit).

15. Processors

We use the following processors: Microsoft Azure (hosting, AI, and e-mail infrastructure), Okta/Auth0 (authentication), Stripe (payments), Anthropic (AI features, when selected). Where processors are located outside the EU/EEA, transfers are covered by appropriate safeguards (EU standard contractual clauses or an adequacy decision).

We keep this list up to date as our processors change and inform Customers of material changes to our sub-processors in advance, so that they can object where the data processing agreement provides for it.

16. Changes

We will update this policy when the application or its processors change, and note material changes in the application.