Privacy Policy

Last updated: June 25, 2026 · Operated by Deco Garden (company no. 5583435), Jabotinsky 1, Herzliya, Israel

Routella is a delivery dispatch and route-optimization platform that helps businesses organize, route, track, and notify their own deliveries. This Privacy Policy explains what personal data we handle, the roles we play, why we process it and on what legal basis, who we share it with, how long we keep it, how data moves across borders, and the rights you have wherever you live. It is written to satisfy the EU GDPR, UK GDPR, California CCPA/CPRA, Canada PIPEDA, Brazil LGPD, the Australian Privacy Principles, and similar laws worldwide. It works alongside our Data Processing Agreement (/dpa), Security and Compliance page (/security), Terms of Service (/terms), and our cookie consent banner.

1. Who We Are and the Roles We Play

Routella is operated by Deco Garden (Israeli company number 5583435), a company registered in Israel with its registered office at Jabotinsky 1, Herzliya, Israel, which runs the Routella service at routella.app.

We play two different privacy roles depending on whose data it is, and the distinction matters because it determines whom you contact about your rights.

For data we decide the purpose and means of, we are the controller. This covers merchant account holders (the businesses and their staff users who sign up for Routella), visitors to our public website, our marketing, and our own operational and security records.

For the personal data a merchant uploads or feeds into Routella about their own end customers and drivers — delivery recipients’ names, addresses, phone numbers, emails, order contents, delivery locations, driver records and driver GPS — the merchant is the controller and Routella is the processor. We process that data only on the merchant’s documented instructions, which are expressed through how the merchant configures and uses Routella (for example, enabling WhatsApp notifications or connecting a store). The merchant decides why and how their customers and drivers are messaged and is responsible for the lawful basis. Our processor terms are set out in the Data Processing Agreement (/dpa).

What this means for you in practice: if you are an end customer or a driver, the business you ordered from or drive for is the controller of your data — contact them first. We will help them respond, and you can also email us. If you are a merchant account holder or a website visitor, contact us directly.

2. The Personal Data We Process, the Sources, and Why

We process only the data needed to run the service. The categories below reflect what the product actually collects. For each, we name the purpose and the legal basis. Where we are a processor, the legal basis belongs to the merchant (the controller), and we rely on their basis and instructions rather than our own.

We do not ask for or want special-category data — data revealing health, racial or ethnic origin, religious or political beliefs, trade-union membership, genetic or biometric identifiers, or data about a person's sex life or sexual orientation. Merchants must not put special-category data into free-text fields (such as delivery notes or reviews); where a merchant uploads a driver's licence image it is used only to identify the driver, not to derive any special-category attribute. The merchant is the controller for any such data it chooses to enter and is responsible for having a lawful basis under GDPR Article 9.

  • Merchant account data — name, email, hashed password, login one-time codes, company name, phone, plan, and account-verification status (an internal “KYC” / risk-review flag on the account). Source: provided by the merchant at signup, or from Google/Apple sign-in. Purpose: account creation, sign-in, billing, support, fraud and abuse prevention. Legal basis (we are controller): performance of our contract with the merchant; legitimate interest for fraud/abuse prevention; legal obligation for billing records.
  • Acquisition and marketing context — sign-up source and campaign tags (e.g. utm_source/utm_campaign) and the country we detect from the visitor’s IP at signup. Source: the visitor’s browser and IP. Purpose: understanding where sign-ups come from and improving our marketing. Legal basis (controller): legitimate interest, and consent where it comes from non-essential cookies.
  • End-customer order data — customer name, full delivery address (including building, floor, apartment where provided), latitude/longitude, phone, email, order line items, totals, cash-on-delivery amount, notes, and tags. We also retain the full raw order payload received from the connected platform for re-sync and troubleshooting, which may contain additional fields the platform sent. Source: imported from the merchant’s connected store/platform, or entered by the merchant as a manual order. Purpose: building delivery rounds, route optimization, dispatch, and sending the customer their delivery updates and tracking link. Legal basis: the merchant is the controller and supplies the basis; Routella acts as processor on the merchant’s instructions.
  • Driver data — driver name, phone, email, vehicle details, an optional driving-license photo, an optional contract file, and real-time GPS location only while a delivery round is active. Source: entered by the merchant; GPS comes from the driver’s device during a round. Purpose: dispatching, live tracking, and proof of delivery. Legal basis: merchant is controller; Routella is processor. Drivers are data subjects in their own right — see section 6.
  • Proof of delivery and reviews — delivery-confirmation photos, and customer ratings/reviews that can include a customer name, phone number, and free-text comment. Source: captured by the driver at delivery; reviews submitted by end customers. Purpose: confirming delivery and collecting delivery feedback for the merchant. Legal basis: merchant is controller; Routella is processor.
  • Integration credentials — access tokens, API keys, and OAuth secrets for the merchant’s connected platforms. Source: provided/authorized by the merchant. Purpose: importing orders and writing back fulfillment status. These are stored with an extra layer of AES-256-GCM field-level encryption (see section 9). Legal basis (controller): performance of contract.
  • Operational, security, and telemetry data — sign-in events, a personal-data access audit log (who viewed which order/customer/driver records, when, and from which hashed IP), error logs, public tracking-page view logs (with the IP hashed, not stored raw), and webhook/cron processing records. Source: generated as you use the service. Purpose: security monitoring, abuse/fraud prevention, debugging, and meeting regulatory obligations. Legal basis (controller): legitimate interest and legal obligation.
  • Billing references — subscription and customer identifiers held by our payment providers, and which plan/packs you have. Routella does not collect or store payment-card numbers; the card is handled entirely by the payment provider (see section 3). Legal basis (controller): performance of contract and legal obligation (tax/accounting).
  • Website and app analytics — page-visit and conversion data from visitors to our public site, only with consent. Source: cookies/SDKs in the visitor’s browser. Purpose: measuring website and advertising performance. Legal basis (controller): consent (see section 7).

3. Payments — Handled by Third Parties, Not by Us

Subscription and pack charges are processed by our payment providers, not by Routella. For merchants who installed Routella through Shopify, billing runs through the Shopify Billing API. For merchants who signed up directly, billing runs through LemonSqueezy, which acts as the merchant of record for those charges. SMS/WhatsApp top-ups and prepaid packs are charged through these same providers.

Routella never sees or stores your full payment-card details. We keep only references such as a subscription ID, a customer ID, and which plan or pack balance you hold. When you subscribe, the applicable provider’s own terms and privacy practices apply to the card payment.

4. Sub-processors and Other Recipients

We share personal data only with the providers needed to run Routella, and only for the purposes shown. The sub-processors that handle merchant end-customer and driver data also appear in our Data Processing Agreement (/dpa); the website analytics and advertising tools listed at the end of this section touch only public-website visitor data and are covered by the Cookies section (section 7), not the DPA. We keep this list current when providers change, and each provider receives only what its job requires.

  • MongoDB Atlas — our primary database. Encrypted at rest (AES-256) and in transit (TLS). Receives all stored personal data.
  • Vercel — application hosting and TLS termination. Processes data in transit as you use the service.
  • Infobip — SMS delivery worldwide, and WhatsApp delivery on Routella’s shared/managed number. Receives the recipient phone number and message content for the messages a merchant sends.
  • WAHA Plus — WhatsApp delivery for merchants using their own connected WhatsApp number (the primary self-connected WhatsApp transport for paid tiers). Receives the recipient phone number and message content.
  • Resend — transactional email delivery. Receives the recipient email and message content.
  • Shopify Billing — subscription billing for merchants installed via Shopify. Receives merchant billing identifiers; processes the card.
  • LemonSqueezy — subscription and pack billing for merchants who signed up directly, acting as merchant of record. Receives merchant billing contact details; processes the card. Routella never stores card numbers.
  • Google (Maps Platform – Routes API) — traffic-aware route optimization (Smart Routing). Receives delivery locations as latitude/longitude coordinates (origin, destination, and intermediate stops). It does not receive customer names, phone numbers, emails, or order contents.
  • Google (Maps Platform – Places) — address autocomplete. Receives the address text a user types into the address box, plus an optional location bias. It does not receive other customer identifiers.
  • OpenStreetMap (Nominatim) and Photon — address geocoding. Receive the address query text only, no other customer identifiers.
  • OpenFreeMap and Esri — map tile and satellite imagery for the dashboard and tracking pages. Receive the map viewport/coordinates being viewed, not customer identifiers.
  • Anthropic — used only to translate interface strings and message templates. It receives English text strings to translate; it does not receive order, customer, address, or driver data (dynamic placeholders such as a customer name are kept out of the translation request).
  • Analytics and advertising on our public website only — Google (Analytics 4, Tag Manager, Signals, Search Console), Meta Pixel, TikTok Pixel, and Microsoft Clarity (session replay and heatmaps). These receive page-visit and conversion data from website visitors who consent, and never receive merchant account data or end-customer order data. See section 7 for details and opt-outs. This “never receives order data” statement applies only to these analytics and advertising products; it does not apply to Google Maps Platform (Routes and Places, listed above), which does receive delivery coordinates and typed address text for routing and address lookup.
  • Merchant-connected platforms (Shopify, WooCommerce, Wix, Salesforce, Monday, and others) — these are the merchant’s own systems that the merchant chooses to connect. Routella reads orders from and writes fulfillment status back to them on the merchant’s instruction. The merchant’s use of these platforms is governed by those platforms’ own terms.

5. How Long We Keep Data (Retention)

We keep data only as long as needed. Retention is enforced automatically by database time-to-live (TTL) rules plus a daily cleanup job. The windows below reflect what the system actually does.

  • Driver GPS location: 24 hours.
  • Error logs: 14 days.
  • Webhook delivery history: 30 days.
  • Cron run records: 60 days.
  • Public tracking-page view logs (with the IP stored only as a hash): 90 days.
  • Sign-in events: 180 days.
  • Personal-data access audit log: 365 days.
  • Customer notification history and order-import history: 2 years.
  • Orders, manual orders, and completed rounds: 5 years, or until the merchant deletes them, whichever is sooner.
  • Shopify privacy-request records: kept up to 7 years for compliance evidence.
  • Merchant account data: kept while the account is active; deleted within 30 days of account closure, except legal/billing records that law requires us to keep for up to 7 years.

6. Your Privacy Rights and How to Use Them

Depending on where you live, you have rights over your personal data. We honor the full set below for everyone, and route requests to the right place. Email support@routella.app to make a request; we respond within 30 days. If you are an end customer or driver, contact the merchant you dealt with first — they are the controller — and we will assist them.

Core rights (GDPR, UK GDPR, PIPEDA, LGPD and similar): access a copy of your data; correct inaccurate data (merchants can correct most data directly in the dashboard); delete your account and associated data; export your data in machine-readable JSON; restrict or object to non-essential processing; and withdraw consent at any time for anything based on consent (withdrawing does not affect processing already done). Note that under the Australian Privacy Principles, erasure and portability are not standalone rights, but access and correction are.

Drivers specifically: you can ask to access or delete your data through the merchant you drive for, or by emailing us. Your location is tracked only while a delivery round is active and is deleted within 24 hours. Your merchant should inform you of this tracking as part of your working relationship.

We do not make decisions about individuals by purely automated means that produce legal or similarly significant effects. Route optimization and auto-dispatch are operational aids; a merchant can always override an assignment manually.

  • California (CCPA/CPRA): you have the right to know what we collect, to delete, to correct, to opt out of “sale” or “sharing”, to limit use of sensitive personal information, and not to be discriminated against for exercising rights. We do not sell personal information. We do not use end-customer or driver data for advertising. The advertising cookies on our public website (section 7) may count as “sharing” for cross-context behavioral advertising under CPRA — you can opt out using the “Do Not Sell or Share My Personal Information” or “Cookie settings” link at the bottom of this page (which lets you decline the Marketing category), and we honor the Global Privacy Control (GPC) browser signal as a valid opt-out. Categories we collect map to: identifiers, commercial information, geolocation (driver location; delivery coordinates), and internet/website-activity data for site visitors. You may use an authorized agent to submit a request.
  • Shopify-installed merchants: we implement the three mandatory Shopify privacy webhooks — customers/data_request, customers/redact, and shop/redact. Each is HMAC-verified and audit-logged. Data requests are collected and emailed to the merchant within 30 days; redaction requests are processed promptly.
  • Right to complain: if you are unhappy with our response, you can complain to your local supervisory authority — for example an EU/EEA data protection authority, the UK ICO, the Office of the Australian Information Commissioner (OAIC), the Office of the Privacy Commissioner of Canada (OPC), or Brazil’s ANPD.

7. Cookies, Website Analytics, and Advertising

Essential cookies are always used for authentication and session management. Public delivery tracking pages may store a delivery token in your browser’s local storage so a recipient does not have to re-enter it on refresh.

Non-essential analytics and advertising tools load only with your consent, managed through our cookie consent banner, which is split into two separate categories. Decline a category and those tools do not load. You can change your choice at any time using the “Cookie settings” link at the bottom of this page (or any Routella legal page); clearing site data for routella.app and reloading also re-opens the banner.

Analytics category: Google Analytics 4 and Google Tag Manager measure how visitors use our site. Google Analytics 4 has Google Signals enabled, which lets visitors who are signed in to a Google account with Ads Personalization on be deduplicated across devices and contribute to aggregated, anonymized demographic/interest reports; Routella receives only aggregated reports, never the underlying identity. When a consenting visitor signs up or upgrades, we may send a SHA-256 hash of their email to Google so it can match the conversion to an ad click — only the irreversible hash is sent; the raw email never leaves Routella. We have also linked Google Search Console, which uses search-query data Google already holds. We also use Microsoft Clarity for session replay and heatmaps — it runs only after analytics consent is granted, only on public marketing and funnel pages (never on the app dashboard or customer/driver token pages), and does not receive merchant account data or end-customer order data.

Marketing category: Google Ads Consent Mode (ad_storage), the Meta Pixel, and the TikTok Pixel measure advertising performance. None of these receive merchant account data or end-customer order data. The Meta and TikTok pixels do not run inside the Shopify-embedded admin, and none of these tools load on preview or local builds — only on the production routella.app site.

To opt out of everything: decline the categories in the banner. To opt out of Google Signals specifically: turn off Ads Personalization at adssettings.google.com. To opt out of Google Analytics on every site: install Google’s official Analytics Opt-out Browser Add-on. California residents can also rely on the Global Privacy Control signal, which we honor.

8. International Data Transfers

Routella is operated from Israel. Some sub-processors operate in the EU/EEA, the United Kingdom, the United States, and elsewhere, so personal data may be transferred across borders. We use a lawful transfer mechanism for each route.

Israel holds an EU adequacy decision (and is recognized as adequate by the UK), so transfers from the EEA/UK to Routella in Israel can rely on that adequacy finding. Where data is then transferred onward to a sub-processor in a country without its own adequacy decision (for example certain US-hosted infrastructure), we rely on the EU Standard Contractual Clauses (2021, the controller-to-processor or processor-to-processor module as applicable), supported by a transfer assessment.

For UK personal data transferred to a country without adequacy, we use the UK International Data Transfer Addendum to the EU Standard Contractual Clauses. We apply equivalent Swiss provisions where Swiss data is involved.

Delivering an SMS or WhatsApp message inherently routes it through carrier infrastructure in the recipient’s own country — this is unavoidable to reach that recipient.

9. Security

We use technical and organizational measures appropriate to the risk. No system can be guaranteed perfectly secure, but the measures below are real and in place. A fuller description is on our Security and Compliance page (/security).

  • Encryption in transit: HTTPS / TLS 1.2 or later on all endpoints, including merchant connections, sub-processor calls, and customer tracking pages.
  • Encryption at rest: AES-256 on the primary database and backups, plus an additional AES-256-GCM field-level encryption layer specifically on connected-store credentials, using a separately managed key. The application refuses to start in production if that key is missing.
  • Passwords: hashed with bcrypt (cost factor 12); a minimum 10-character policy requiring letters and digits, with common passwords rejected; password-reset tokens are stored as SHA-256 hashes.
  • Sign-in: optional passwordless one-time email code; sign-in endpoints are rate-limited and inputs are coerced to block injection.
  • Logging: sign-in events and reads of personal-data records are audit-logged with timestamp, hashed IP, and user agent.
  • Minimization by design: tracking-page and access logs store a hashed IP, not a raw IP; driver location auto-expires after 24 hours.
  • We commit to notifying affected merchants of a confirmed personal-data breach without undue delay and within 72 hours of becoming aware.
  • Some operational measures (environment separation, backup restore testing, staff access reviews) are described on the Security page.

10. Children

Routella is a business tool and is not directed to children. We do not knowingly collect personal data from anyone under 16. Merchants are responsible for ensuring any end-customer or driver data they enter has a lawful basis, including any data relating to minors. If we learn we hold a child’s data without a lawful basis, we delete it.

11. Changes to This Policy

We may update this Policy. Each version carries a “last updated” date and a version label. We communicate material changes by email and an in-app notice before they take effect, and where the law requires fresh consent we will ask for it again.

12. Contact and Data Protection

Controller and data-protection contact: Deco Garden (operating Routella at routella.app). Privacy matters are handled by Aviv Uzan on behalf of Deco Garden.

For privacy inquiries, data-subject/consumer rights requests, or to report a suspected incident: email support@routella.app.

We have not appointed a statutory Data Protection Officer because we assess we are not required to under GDPR Article 37.

These documents are governed by the laws of the State of Israel. The English version of this document is authoritative; any translation is provided for convenience only. Related documents: Terms · Privacy · DPA · Acceptable Use · Security. Questions: support@routella.app

Privacy controls: Cookie settings · Do Not Sell or Share My Personal Information