Privacy Policy

1. Introduction

ClayDesk LLC ("GoRoute.ai", "we", "us", or "our") operates the GoRoute.ai platform, a certified Peppol Access Point service for electronic invoicing. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our services.

We are committed to protecting your privacy and ensuring the security of your personal data in compliance with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable data protection laws.

2. Information We Collect

2.1 Account Information

When you register for GoRoute.ai, we collect:

• Name and email address
• Company name and business address
• VAT/Tax identification numbers
• Peppol participant identifiers
• Payment and billing information

2.2 Transaction Data

As a Peppol Access Point, we process:

• Electronic invoices and credit notes (UBL format)
• Sender and receiver identification data
• Document metadata (timestamps, message IDs)
• Delivery status and acknowledgments

2.3 Technical Data

We automatically collect:

• IP addresses and browser information
• Device identifiers and operating system
• Usage patterns and API access logs
• Cookies and similar tracking technologies

3. How We Use Your Information

We use your information to:

• Provide Services: Process and route electronic documents through the Peppol network
• Maintain Compliance: Meet Peppol network requirements and regulatory obligations
• Improve Services: Analyze usage patterns and enhance platform performance
• Communicate: Send service updates, security alerts, and support messages
• Billing: Process payments and manage subscriptions
• Security: Detect and prevent fraud, abuse, and security incidents

4. Legal Basis for Processing (GDPR)

We process your personal data based on:

• Contract Performance: Processing necessary to provide our services
• Legal Obligation: Compliance with Peppol regulations and tax laws
• Legitimate Interest: Service improvement and security measures
• Consent: Marketing communications (where applicable)

5. Data Retention

In accordance with Peppol requirements and applicable tax regulations, we retain transaction data for a minimum of 7 years. Account information is retained for the duration of your active subscription plus 3 years for legal compliance purposes.

You may request deletion of personal data not subject to legal retention requirements by contacting us at privacy@goroute.ai.

6. Data Sharing and Disclosure

We may share your information with:

• Peppol Network: Participant data shared with SMP/SML as required by Peppol specifications
• Other Access Points: Document data transmitted to recipient Access Points
• Service Providers: Cloud hosting (AWS), payment processing (Stripe), and analytics providers
• Legal Authorities: When required by law, court order, or regulatory request

We do not sell your personal data to third parties.

7. International Data Transfers

Our services are hosted on Amazon Web Services (AWS) in the United States and European Union. For transfers outside the EEA, we rely on:

• EU-US Data Privacy Framework certification
• Standard Contractual Clauses (SCCs)
• Supplementary technical and organizational measures

8. Your Rights

Under GDPR and applicable laws, you have the right to:

• Access: Request a copy of your personal data
• Rectification: Correct inaccurate or incomplete data
• Erasure: Request deletion of your data (subject to legal retention)
• Portability: Receive your data in a machine-readable format
• Restriction: Limit how we process your data
• Objection: Object to processing based on legitimate interests
• Withdraw Consent: Where processing is based on consent

To exercise these rights, contact us at privacy@goroute.ai.

9. Security Measures

We implement industry-standard security measures including:

• TLS 1.3 encryption for all data in transit
• AES-256 encryption for data at rest
• Multi-factor authentication (MFA)
• Regular security audits and penetration testing
• SOC 2 Type II compliance (in progress)
• ISO 27001 certified infrastructure

10. Cookies

We use essential cookies for authentication and session management. Analytics cookies are used only with your consent to improve our services. You can manage cookie preferences through your browser settings.

11. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes via email or through a prominent notice on our website. Your continued use of our services after changes become effective constitutes acceptance of the updated policy.

12. Contact Us

For privacy-related inquiries or to exercise your rights: