ETH$3,850.00BTC$71,40014 gweiblock#21,458,920[dev]
Legal · Privacy

Privacy Policy

Effective 2026-06-17.

1. Summary

We collect the minimum personal data needed to run Routescore. We do not sell or share data with brokers. Analytics are opt-in by default via a cookie banner. Wallet addresses you paste are processed locally; we identify them in analytics only as a SHA-256 hash, never raw.

2. Who we are (data controller)

Data controller: Empyrean Labs FZE LLC, a Free Zone Establishment (Limited Liability) incorporated in the United Arab Emirates under Commercial Licence No. 54978, issued by the Free Zones Authority of Ajman. Registered office: AMC — Boulevard-A Building, Ajman Media City, Ajman Free Zone, United Arab Emirates. Data protection contact: [email protected].

During the soft-launch period the data we collect is limited to account, waitlist, support, security, and opt-in analytics data described below. Paid billing data is processed only after Stripe live charging is enabled.

3. What we collect

  • Account data — email address you provide for the waitlist or your subscription, billing details handled by Stripe.
  • Wallet addresses (hashed) — when you paste a wallet, we hash it (SHA-256) and use the hash to identify your session in analytics. The raw address is processed locally in your browser.
  • Usage analytics (opt-in) — events such as which routes you scored, which scenarios you ran, and journal entries you created. Collected via PostHog only after you accept the analytics cookie.
  • Error telemetry — JavaScript errors and performance traces via Sentry, with personal data scrubbed.
  • Server logs — IP address and user agent for security, retained 30 days.

4. Why we use it

  • Operate Routescore — let you sign in, persist your journal, send receipts.
  • Improve the product — funnel + retention analysis, A/B testing.
  • Fight fraud and abuse — block scraping, sanction screening on signup.
  • Comply with law — anti-money-laundering, sanctions, tax.

5. Legal basis (GDPR users)

  • Account + billing → contract performance (Art. 6(1)(b)).
  • Analytics + product cookies → consent (Art. 6(1)(a)) via the banner.
  • Security logs + fraud detection → legitimate interest (Art. 6(1)(f)).
  • Tax + AML retention → legal obligation (Art. 6(1)(c)).

6. Sub-processors

Routescore relies on the following sub-processors:

  • Vercel (US) — hosting + edge caching
  • Neon (EU) — Postgres database
  • Cloudflare (global edge) — DNS, WAF, CDN
  • Stripe (US/EU) — payments
  • Resend (US) — transactional email
  • PostHog (EU Cloud) — product analytics (opt-in)
  • Sentry (EU) — error telemetry

All sub-processors are bound by data-processing agreements aligned with GDPR / UAE PDPL. The current list is reproduced here; we will give 30 days' notice before adding a new sub-processor.

7. International transfers

Where data leaves the UAE or the EEA, we rely on Standard Contractual Clauses or equivalent safeguards.

8. Your rights

You have the right to:

  • access the personal data we hold about you;
  • correct inaccurate data;
  • delete your data (subject to legal retention obligations);
  • export your data in machine-readable form;
  • object to processing based on legitimate interest;
  • withdraw analytics consent at any time via the cookie banner;
  • lodge a complaint with your supervisory authority (e.g. your national EU DPA, or the UAE Data Office for UAE residents).

To exercise any of these rights, write to [email protected]. We respond within 30 days.

9. Retention

  • Account + journal data: as long as you have an active subscription, plus 90 days after cancellation.
  • Billing records: 7 years (tax obligation).
  • Analytics events: 24 months from collection.
  • Server logs: 30 days.
  • Sanctions screening hits: 5 years (AML obligation).

10. Children

Routescore is not directed at children under 18 and we do not knowingly collect their data.

11. Changes

We will give 14 days' notice for material privacy changes. Date of the current version is shown at the top of this page.