Legal Routbox · Privacy

Privacy Policy

Effective: April 21, 2026 Version 1.0 routbox.com

  1. 01 Introduction
  2. 02 Who We Are
  3. 03 Information We Collect
  4. 04 How We Use Your Information
  5. 05 How We Share Your Information
  6. 06 Data Retention
  7. 07 International Data Transfers
  8. 08 Your Privacy Rights
  9. 09 Cookies and Tracking Technologies
  10. 10 Security
  11. 11 Children's Privacy
  12. 12 Artificial Intelligence and Automated Decision-Making
  13. 13 Contact Us
  14. 14 Changes to This Privacy Policy

01Introduction

Routbox ("we," "our," or "us") is a software product owned and operated by Routbox Inc., a Delaware C Corporation. We are committed to protecting your privacy and handling your personal information with transparency, care, and respect.

This Privacy Policy explains how Routbox (accessible at routbox.com) collects, uses, stores, shares, and protects information when you use our services. It applies to all users of Routbox, including business clients, end users, and visitors to our website.

This Privacy Policy is governed by and compliant with: the California Consumer Privacy Act (CCPA/CPRA) as amended through 2026, the EU General Data Protection Regulation (GDPR), and applicable US state privacy laws in force as of the effective date above.

02Who We Are

Legal EntityRoutbox Inc.
State of IncorporationDelaware, United States
Product NameRoutbox
Websiteroutbox.com
Privacy Contactprivacy@routbox.com
Data ControllerRoutbox Inc. (for EU/UK GDPR purposes)

Routbox Inc. is the parent company that owns and operates multiple software products including Cynact and Intgrate. Each product operates under this shared Privacy Policy framework, with product-specific disclosures where applicable.

03Information We Collect

3.1 Information You Provide Directly

  • Account registration data: name, email address, job title, company name
  • Billing and payment information (processed by Stripe — we do not store card numbers)
  • Profile information and user preferences
  • Communications you send us: support requests, feedback, inquiries
  • Contract and agreement details when engaging our services

3.2 Information Collected Automatically

  • Usage data: pages visited, features used, session duration, click patterns
  • Device information: browser type, operating system, screen resolution
  • IP address and approximate geographic location (country/region level)
  • Log data: timestamps, error logs, API request records
  • Cookies and similar tracking technologies (see Section 9)

3.3 Information From Third Parties

  • Payment processors (Stripe): transaction confirmation and status
  • Authentication providers if you use single sign-on (SSO)
  • Analytics providers: aggregated behavioral data
  • Business partners who refer users to our platform

3.4 Building Automation and IoT Data (Cynact Specific)

If you use Cynact, our AI building automation platform, we may collect additional data including:

  • Device telemetry: sensor readings, energy consumption, temperature, occupancy status
  • Automation rules and schedules you configure
  • Building system states: lighting, HVAC, access control events
  • Location data of installed hardware nodes (building address level only)

Cynact processes building automation data locally on your premises via the ameriDroid edge node. Raw sensor data is processed locally and only aggregated state information is transmitted to our cloud infrastructure. We do not store continuous raw video feeds.

04How We Use Your Information

PurposeLegal Basis (GDPR)Examples
Provide and operate our servicesContract performanceAccount management, feature delivery, node provisioning
Process payments and billingContract performanceSubscription billing via Stripe, invoice generation
Improve and develop our productsLegitimate interestsFeature analytics, bug fixing, performance optimization
Communicate with youContract / Legitimate interestsService updates, security alerts, support responses
AI and automation featuresContract performancePredictive maintenance, energy optimization, anomaly detection
Legal complianceLegal obligationTax records, regulatory reporting, fraud prevention
Safety and securityLegitimate interestsPreventing unauthorized access, abuse detection
Marketing (with consent)ConsentProduct newsletters, feature announcements (opt-in only)

05How We Share Your Information

We do not sell your personal information. We do not share your data with third parties for their own marketing purposes. We share information only in the following circumstances:

5.1 Service Providers (Data Processors)

ProviderPurposeLocation
SupabaseDatabase and authentication infrastructureUSA (AWS)
StripePayment processing and billingUSA
VercelWebsite and dashboard hostingUSA (Edge network)
CloudflareDNS, CDN, security, and tunnel servicesUSA (Global)
ResendTransactional email deliveryUSA
AnthropicAI-powered features (Claude API)USA
SentryError monitoring and performance trackingUSA
Google Analytics (optional)Website analytics (with consent)USA

All service providers are contractually bound to protect your data, use it only for specified purposes, and comply with applicable privacy laws including GDPR where applicable.

5.2 Business Transfers

If Routbox Inc. is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you before your data is transferred and becomes subject to a different privacy policy.

5.3 Legal Requirements

We may disclose your information when required by law, court order, or government authority, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

5.4 With Your Consent

We will share your information with additional third parties only when you have given us explicit consent to do so.

06Data Retention

Data TypeRetention PeriodReason
Account informationDuration of account + 3 yearsContract and legal obligation
Billing records7 years from transactionUS tax law (IRS requirements)
Building automation telemetry90 days rolling (configurable)Operational analytics
Support communications3 years from resolutionService quality and dispute resolution
Security and audit logs12 monthsSecurity monitoring and incident response
Marketing consent recordsDuration of relationship + 3 yearsCompliance evidence
Deleted account data30 days post-deletion then purgedRecovery window then permanent deletion

You may request deletion of your data at any time. See Section 8 for your rights and how to exercise them.

07International Data Transfers

Routbox Inc. is headquartered in the United States. Our infrastructure providers are primarily US-based. If you access our services from the European Union, European Economic Area, United Kingdom, or other regions with data transfer restrictions, your information may be transferred to and processed in the United States.

We protect international data transfers through the following mechanisms:

  • Standard Contractual Clauses (SCCs) approved by the European Commission for transfers to our US-based processors
  • Data Processing Agreements (DPAs) with all sub-processors
  • Technical and organizational measures equivalent to EU standards

EU and UK users: We rely on Standard Contractual Clauses as the legal basis for transferring your personal data outside the EEA. You may request a copy of these clauses by contacting us at the email address in Section 13.

08Your Privacy Rights

8.1 Rights Under GDPR (EU/UK Users)

RightWhat It MeansHow to Exercise
Right to AccessObtain a copy of all personal data we hold about youEmail privacy@routbox.com
Right to RectificationCorrect inaccurate or incomplete personal dataIn-app settings or email us
Right to ErasureRequest deletion of your personal dataEmail privacy@routbox.com
Right to RestrictionLimit how we process your dataEmail privacy@routbox.com
Right to PortabilityReceive your data in a machine-readable formatEmail privacy@routbox.com
Right to ObjectObject to processing based on legitimate interestsEmail privacy@routbox.com
Right to Withdraw ConsentWithdraw consent for consent-based processing at any timeIn-app settings or email us
Right to Lodge a ComplaintFile a complaint with your local Data Protection AuthoritySee your national DPA

8.2 Rights Under CCPA/CPRA (California Residents)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) as amended by the CPRA:

  • Right to Know: Request disclosure of categories and specific pieces of personal information collected about you
  • Right to Delete: Request deletion of your personal information, subject to certain exceptions
  • Right to Correct: Request correction of inaccurate personal information
  • Right to Opt-Out: Opt out of the sale or sharing of personal information (we do not sell data)
  • Right to Limit: Limit the use and disclosure of sensitive personal information
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of these rights

To exercise your CCPA rights, contact us at: privacy@routbox.com. We will respond within 45 days. We may need to verify your identity before processing your request.

8.3 Rights for Other Jurisdictions

Users in Canada (PIPEDA), Brazil (LGPD), Australia (Privacy Act), and other jurisdictions with applicable privacy laws have equivalent rights to access, correct, and delete their personal information. Contact us at the email address in Section 13 to exercise these rights.

09Cookies and Tracking Technologies

9.1 What We Use

Cookie TypePurposeCan You Opt Out?
Essential / Strictly NecessaryAuthentication, security, session managementNo — required for service to function
FunctionalUser preferences, language settings, UI stateYes — via cookie settings
AnalyticsUnderstanding usage patterns to improve the productYes — via cookie settings or opt-out link
Marketing (opt-in only)Promotional communications you have consented toYes — at any time

We do not use third-party advertising cookies or tracking pixels for behavioral advertising without your explicit consent.

9.2 Managing Cookies

You can control cookies through your browser settings. Most browsers allow you to refuse cookies, delete existing cookies, and set preferences for specific websites. Note that disabling essential cookies may impact the functionality of our service.

10Security

We implement industry-standard technical and organizational measures to protect your personal information against unauthorized access, disclosure, alteration, and destruction. These measures include:

  • Encryption of data in transit using TLS 1.3 and at rest using AES-256
  • Row-Level Security (RLS) in our database ensuring strict tenant data isolation
  • Multi-factor authentication (MFA) requirements for administrative access
  • Regular security audits and penetration testing
  • Access controls limiting data access to authorized personnel only
  • Cloudflare Zero Trust network security for infrastructure access
  • Automated monitoring and alerting for security anomalies
  • Secure local-first architecture: building automation data processed on-premises by default

In the event of a data breach affecting your personal information, we will notify you and applicable regulatory authorities within the timeframes required by law (72 hours for GDPR, without undue delay for CCPA).

11Children's Privacy

Routbox is not directed at individuals under the age of 18. We do not knowingly collect personal information from minors. If you believe we have inadvertently collected information from a minor, please contact us immediately at privacy@routbox.com and we will promptly delete such information.

12Artificial Intelligence and Automated Decision-Making

Routbox uses artificial intelligence and machine learning features to provide automation, predictive analytics, and intelligent recommendations. We are committed to transparency about how these systems work.

12.1 How We Use AI

  • Building energy optimization and predictive maintenance (Cynact)
  • Anomaly detection in device behavior and building systems
  • Automation rule suggestions based on usage patterns
  • Natural language processing for support and interface features

12.2 Automated Decision-Making

Where AI makes decisions that significantly affect you, you have the right to: (a) request human review of the decision, (b) obtain an explanation of the decision-making logic, and (c) contest the decision. Contact us at the email below to exercise these rights.

We comply with the EU AI Act transparency requirements effective August 2026 and California CCPA automated decision-making regulations effective January 2026.

13Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:

Privacy Emailprivacy@routbox.com
Legal EntityRoutbox Inc.
ProductRoutbox (routbox.com)
Response TimeWithin 10 business days for general inquiries; 45 days for formal rights requests
EU Data Protection AuthorityFile a complaint with your local DPA if you are unsatisfied with our response

14Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

  • Update the effective date at the top of this document
  • Notify registered users by email at least 30 days before changes take effect
  • Display a prominent notice in the product dashboard
  • Maintain a version history of previous policies upon request

Your continued use of our services after the effective date of an updated Privacy Policy constitutes your acceptance of the changes.