Routal
Legal

Privacy Policy

Responsible

The data controller for the personal data collected through this Website is:

  • Routal Tech SL (hereinafter, “Routal")
  • Calle La Vinya 16, Barcelona – Spain
  • legal@routal.com

Purposes

The personal data of the user of this Website will be processed for the following purposes:

  • Respond to requests for information and/or queries: Where applicable, respond to requests for information and/or queries made by the User. The data processed for this purpose will be retained until the request has been addressed and, thereafter, for the legally required retention and limitation periods. The legal basis for processing is: a) the User's consent when using the contact form available on this Website; or b) Routal's legitimate interest in responding when the User contacts Routal by other means (unsolicited email, phone calls, or written requests by post).
  • Sending commercial communications: Where appropriate, keep the User informed, even by electronic means, about Routal products, services and news. The data processed for this purpose will be retained until the consent given to receive such communications is withdrawn and, thereafter, for the legally required retention and limitation periods. The legal basis for processing is the User's consent provided through the channels available on this Website.

Recipients

Routal may disclose data to Public Administrations to comply with legal obligations and to State Security Forces and Bodies and/or Courts and Tribunals when required in the context of an investigation or legal proceeding. Routal may also disclose data to the following categories of data processors: providers of electronic communications, office software, hosting and housing services, IT maintenance, administrative services, accounting, auditing, legal advisory services, and legal representation. Some processors may be located outside the European Economic Area; in such cases, Routal will have implemented appropriate data protection safeguards in advance.

Rights

Interested parties may exercise their rights of access, rectification, deletion, limitation of processing, data portability and opposition, as well as withdraw consent at any time without affecting the legality of the processing prior to its withdrawal, by sending their request to Routal, Calle La Vinya 16, 08041, Barcelona – Spain; or to the email address  legal@routal.com. In any case, interested parties have the right to file a claim with the corresponding supervisory authority if they deem it appropriate.

Routal as Data Processor

In the event that the User acquires a license to use the cloud fleet management software service (hereinafter, “the Service”), Routal will need to process certain personal data on behalf of the licensee. For these purposes, the licensee will be considered the Data Controller and Routal will be considered the Data Processor. The following clauses constitute the regulation of the relationship between the Data Controller and the Data Processor for the purposes of complying with the provisions of Article 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016, relating to the protection of natural persons with regard to the processing of personal data and the free circulation of these data and which repeals Directive 95/46/EC (hereinafter, “GDPR”) and Article 33 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter, “LOPDGDD”).

Data processing to be carried out by the Data Processor

The Data Processor will process, on behalf of the Data Controller, the personal data necessary to carry out the Service. This processing will last for the same period as the provision of the Service, and it will end once the Service ends.

Identification of affected information

For the execution of the Service, the Data Controller will make available to the Data Processor the information described below:

Types of personal data

Identification data, geolocation data and any other data that may be included by the Data Controller in the open fields enabled in the Service.

Categories of interested parties

Clients and employees

Obligations of the Data Processor

The Data Processor is obliged to:

  1. Use the personal data being processed, or those collected for inclusion, only for the strict provision of the Service. Under no circumstances may you use the data for your own purposes.
  2. Process the data in accordance with the instructions of the Data Controller. If the Processor considers that any of the instructions violate the GDPR or any other data protection provisions of the Union or Member States, the Processor will immediately inform the Controller.
  3. Where applicable, keep a written record of all categories of processing activities carried out on behalf of the Data Controller, in accordance with the provisions of article 30.2 of the GDPR.
  4. Do not communicate the data to third parties, unless you have the express authorization of the Data Controller, in legally admissible cases.

The Data Processor may communicate the data to other data processors of the same Data Controller, in accordance with the latter's instructions. In this case, the Data Controller will identify, in advance and in writing, the entity to which the data must be communicated, the data to be communicated and the security measures to be applied to proceed with the communication. If the Data Processor must transfer personal data to a third country or to an international organization, pursuant to Union or Member State Law applicable to it, it will inform the Data Controller of that legal requirement in advance, unless such Law prohibits it for important reasons of public interest.

  1. Do not subcontract any of the services that are part of the Service and involve the processing of personal data.
    If it is necessary to subcontract any treatment, this fact must be previously communicated in writing to the Data Controller, at least 20 calendar days in advance, indicating the processing activities intended to be subcontracted and clearly and unequivocally identifying the subcontracting company and its contact information. Subcontracting may be carried out if the Data Controller does not express its opposition, in writing, within the established period.

The subcontractor, who will also have the status of data processor, is also obliged to comply with the obligations established here for the Data Processor and the instructions issued by the Data Controller. It is up to the person responsible for the initial processing to regulate the new relationship so that the new person in charge is subject to the same conditions (instructions, obligations, security measures, etc.) and with the same formal requirements as him, regarding the proper processing of personal data and the guarantee of the rights of the affected persons. In the event of non-compliance by the subcontractor, the initial Data Processor will remain fully responsible to the Data Controller regarding compliance with the obligations. The Data Controller authorizes the Data Processor to carry out the following subcontracting necessary to provide the Services:

ProductBoard, Inc.(Productboard): United States: Customer-centric product management platform

Intercom, Inc. : United States : Customer communication platform

Webempresa Europa S.L : Europe : Data hosting provider

  1. Maintain the duty of secrecy regarding personal data to which you have had access by virtue of the provision of the Service, even after its provision has ended.
  2. Guarantee that the persons authorized to process personal data undertake, expressly and in writing, to respect confidentiality and to comply with the corresponding security measures, of which they must be appropriately informed.
  3. Keep at the disposal of the Data Controller the documentation proving compliance with the obligation established in the previous section.
  4. Guarantee the necessary training on personal data protection for persons authorized to process personal data.
  5. Assist the Data Controller in responding to the exercise of the rights of:
  1. Access, rectification, deletion and opposition;
    2. Limitation of treatment;
    3. Data portability;
    4. Not to be subject to automated individualized decisions (including profiling).

When the affected persons exercise the rights of access, rectification, deletion and opposition, limitation of processing, data portability and not to be subject to individualized automated decisions before the Data Processor, the latter must notify the Data Controller by email. Communication must be made immediately and in no case later than the business day following receipt of the request, together, where appropriate, with other information that may be relevant to resolve the request.

  1. Notify the Data Controller without undue delay and, in any case, before the maximum period of 48 hours via email, of the violations of the security of the personal data in its charge of which it is aware, together with all the relevant information for the documentation and communication of the incident. Notification will not be necessary when it is unlikely that such a security breach constitutes a risk to the rights and freedoms of natural persons.

If available, at least the following information will be provided:

  1. Description of the nature of the personal data security breach, including, where possible, the categories and approximate number of data subjects affected, as well as the categories and approximate number of personal data records affected.
  2. The name and contact details of the data protection officer or other contact point where further information can be obtained.
  3. Description of the possible consequences of the violation of the security of personal data.
  4. Description of the measures taken or proposed to remedy the breach of personal data security including, if applicable, the measures taken to mitigate potential negative effects.

If it is not possible to provide the information simultaneously, to the extent it is not possible, the information will be provided gradually without undue delay.

  1. Provide support to the Data Controller in carrying out impact assessments related to data protection, where appropriate.
  2. Provide support to the Data Controller in carrying out prior consultations with the supervisory authority, when appropriate.
  3. Make available to the Data Controller all the information necessary to demonstrate compliance with its obligations, as well as to carry out audits or inspections carried out by the Data Controller or another auditor authorized by it.
  4. Implement appropriate technical and organizational measures to guarantee a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as risks of varying probability and severity for the rights and freedoms of natural persons. In any case, you must implement mechanisms to:
  1. Ensure the ongoing confidentiality, integrity, availability and resilience of treatment systems and services.
  2. Restore availability and access to personal data quickly, in the event of a physical or technical incident.
  3. Verify, evaluate and assess, on a regular basis, the effectiveness of the technical and organizational measures implemented to guarantee the security of processing.
  4. Pseudonymize and encrypt personal data, if applicable.
  • Appoint a data protection officer and communicate their identity and contact details to the Data Controller, where applicable.
  • Once the provision of the Service has been completed, the Data Controller will have a maximum period of 30 calendar days to access the Service and download all of the information stored therein. After this period, the Data Processor will proceed to delete said information hosted in the Service. In any case, the Data Processor may keep a copy, with the data duly blocked, as long as responsibilities may arise from the execution of the service.
  • Comply with the rest of the obligations that the GDPR, the LOPDGDD and their development regulations establish for the Data Processor.

Obligations of the Data Controller

The following obligations correspond to the Data Controller:

  1. Deliver or allow the Data Processor access to the data specified above.
  2. Carry out an assessment of the impact on the protection of personal data of the processing operations to be carried out by the Data Processor, when applicable.
  3. Make the appropriate prior consultations.
  4. Ensure, prior to and throughout the treatment, compliance with the GDPR, the LOPDGDD and their implementing regulations by the Data Processor.
  5. Monitor processing, including conducting inspections and audits.
  6. Facilitate the right to information at the time of data collection.
  7. Comply with the rest of the obligations that the GDPR, the LOPDGDD and its development regulations establish for the Data Controller

Use of Google user data

We use Google user data only to provide essential functionality and we fully comply with the Google API Services User Data Policy, including Limited Use requirements.

2.1. Data we access

Our application accesses the following Google user data:

Google account email address

  • Purpose: Allow users to register, log in, and identify their account securely.
  • Storage: We only store the email address associated with the Google account. We do not store any other Google profile information.

Google Sheets files explicitly selected by the user

  • Purpose: Import operational data, such as stops or route-related information, into Routal.
  • Scope: Access is strictly limited to the spreadsheets that the user selects during authorization.
  • Storage: We do not store the content of Google Sheets. The data is processed only temporarily to perform the import task.

2.2. No other access or use is made

  • We do not access Google Drive files other than the spreadsheets that the user chooses.
  • We do not use Google user data for advertising, analytics, profiling or other unrelated purposes.
  • We do not share Google user data with third parties except as necessary to operate the Service.

2.3. Compliance with Google's Limited Use policy

We meet all Limited Use requirements:

  • Google user data is used solely to provide or improve user-visible functionality.
  • The data is never sold or used for targeted advertising.
  • The data is not transferred to third parties except when necessary to operate the Service and always under strict confidentiality commitments.
  • Data access and storage are minimized as much as possible.

2.4. Data protection mechanisms

We are committed to ensuring the security of your information.

We implement the following mechanisms to protect Google user data:

  • Encryption in transit: All data transfers between the user's device, Google APIs, and our servers are encrypted using industry-standard HTTPS/TLS protocols.
  • Secure processing: Data is processed in a secure cloud infrastructure, with strict access controls.
  • Ephemeral processing: As stated in section 2.1, we do not permanently store the content of your Google Sheets; it is processed in memory for the import task and then discarded, minimizing security risks.