Privacy Policy
Last updated: April 2026
This Privacy Policy explains how Ports & Routes ("we", "us", or "our") collects, uses, and protects personal data when you use portsandroutes.com ("Service"). We are committed to handling your data responsibly and in compliance with applicable data protection laws, including the EU General Data Protection Regulation (GDPR) where applicable.
1. Data We Collect
| Data | When collected | Purpose |
|---|
| Name and email address | Account registration | Account management, transactional emails |
| Password (bcrypt hash — never plaintext) | Registration | Authentication |
| IP address and browser user agent | Each visit / login | Security, fraud prevention, anonymous analytics |
| Route queries and chatbot interactions | While using the Service | Delivering results, improving the Service |
| Payment information | Paid subscription | Processed entirely by Paddle — we do not store card details |
| Enterprise enquiry form responses | Submitting an enquiry | Responding to your request |
We do not collect data about your browsing behaviour outside our website, and we do not use third-party advertising trackers.
2. Legal Basis for Processing (GDPR)
- Contract performance — processing necessary to provide the Service you signed up for
- Legitimate interests — security logging, abuse prevention, and service improvement
- Consent — marketing emails, if you opt in (you can withdraw at any time)
- Legal obligation — where required by law
3. How We Use Your Data
- To create and manage your account
- To deliver route data, reports, and chatbot responses
- To process payments via Paddle
- To send transactional emails (account verification, password reset, reports)
- To respond to support and enterprise enquiries
- To detect and prevent fraud or abuse
- To improve and maintain the Service
4. Third Parties
We share data with the following third parties only to the extent necessary:
- Paddle.com Market Limited — our payment processor and Merchant of Record. Paddle processes billing data under their own privacy policy. We receive confirmation of payment status but not your full card details.
- Email delivery (localhost SMTP) — transactional emails are sent from our own mail server. No third-party email marketing platform is used.
We do not sell, rent, or trade your personal data to any third party for marketing purposes.
5. Data Retention
- Account data — retained while your account is active and for 12 months after deletion, for legal and dispute resolution purposes
- Session records — deleted when sessions expire (30 days) or on logout
- Security logs (IP, user agent) — retained for 90 days
- Payment records — retained by Paddle per their policy; we retain transaction references for 7 years for accounting purposes
6. Cookies
We use a single session cookie (pnr_session) to keep you logged in. This cookie is:
- HttpOnly — not accessible to JavaScript
- Secure — only sent over HTTPS
- SameSite=Strict — not sent on cross-site requests
- Expires after 30 days of inactivity
We do not use advertising cookies, analytics cookies, or any third-party tracking cookies.
7. Your Rights
Depending on your location you may have the following rights:
- Access — request a copy of the personal data we hold about you
- Rectification — ask us to correct inaccurate data
- Erasure — ask us to delete your account and associated data
- Portability — receive your data in a machine-readable format
- Objection — object to processing based on legitimate interests
- Restriction — ask us to pause processing while a dispute is resolved
To exercise any of these rights, email admin@portsandroutes.com. We will respond within 30 days.
8. Security
We take reasonable technical and organisational measures to protect your data, including:
- All traffic encrypted via HTTPS (TLS)
- Passwords stored as bcrypt hashes (cost factor 12) — never in plaintext
- Session tokens generated with cryptographically secure randomness
- Database access restricted to the application server
- Rate limiting on authentication endpoints
No system is completely secure. If you discover a vulnerability please disclose it responsibly to admin@portsandroutes.com.
9. Children
The Service is not directed at children under 18. We do not knowingly collect personal data from anyone under 18.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users by email of material changes. The "Last updated" date at the top of this page will always reflect the most recent revision.
11. Contact
For privacy-related questions or requests:
admin@portsandroutes.com
Ports & Routes, portsandroutes.com
Terms and Conditions ·
Refund Policy ·
Pricing
