Install on HubSpot

Privacy Policy

Last updated: April 5, 2026

1. Introduction

CRM MANAGER IO ("we", "us", "our"), operator of RouteAnything, is committed to protecting the privacy of its users. This Privacy Policy explains how we collect, use, store, and share personal data when you use our website (routeanything.com) and application (app.routeanything.com).

CRM MANAGER IO is a company registered in France (SIREN: 928 427 897) and acts as data controller for the personal data described in sections 2 and 3, and as data processor for HubSpot CRM data described in section 4.

2. Data we collect about you (as data controller)

2.1 Account data

When you sign up or connect via HubSpot OAuth, we collect:

  • Full name and email address (from your HubSpot profile)
  • HubSpot portal ID and account type
  • IP address (for rate limiting and security)

2.2 Billing data

When you subscribe to a paid plan, payment is processed by Stripe. We store:

  • Stripe customer ID and subscription ID
  • Plan type, billing period, and subscription status

We do not store credit card numbers, CVVs, or full payment details. These are handled exclusively by Stripe (PCI DSS Level 1 certified).

2.3 Usage data

  • Rotation configurations (names, strategies, member assignments)
  • Assignment counters and logs
  • Feature usage and error logs (server-side only, no client-side tracking)

2.4 Cookies

The application uses only strictly necessary cookies for authentication and session management. We do not use advertising or third-party tracking cookies in the application.

3. How we use your data

Purpose Legal basis (GDPR Art. 6)
Provide and maintain the service Performance of contract (Art. 6.1.b)
Process payments and manage subscriptions Performance of contract (Art. 6.1.b)
Send transactional emails (welcome, billing, security alerts) Performance of contract (Art. 6.1.b)
Prevent abuse and enforce rate limits Legitimate interest (Art. 6.1.f)
Comply with legal obligations (accounting, tax) Legal obligation (Art. 6.1.c)

4. HubSpot CRM data (as data processor)

When you connect your HubSpot portal, RouteAnything accesses CRM records (contacts, deals, tickets, custom objects) solely to execute routing assignments as configured by you.

  • We use HubSpot OAuth 2.0 with the minimum required scopes
  • OAuth tokens are encrypted at rest (AES-256-GCM)
  • CRM record data is not stored in our database — it is read from and written back to HubSpot in real time via API calls
  • We store only HubSpot owner IDs within rotation member configurations

For details on how we process this data on your behalf, see our Data Processing Agreement.

5. Sub-processors

We use the following third-party services to operate RouteAnything. All data is processed within the European Union unless otherwise noted.

Sub-processor Purpose Data location Safeguards
Supabase (Supabase Inc.) PostgreSQL database, authentication EU West — Paris (AWS eu-west-3) Encryption at rest, SOC 2 Type II
Vercel (Vercel Inc.) Application hosting, serverless functions Paris (cdg1) SOC 2 Type II, GDPR DPA
Upstash (Upstash Inc.) Redis — rate limiting EU (via Vercel Marketplace) Encryption at rest and in transit
Resend (Resend Inc.) Transactional emails [PLACEHOLDER — vérifier la région Resend, probablement US] SCCs / DPA available
Stripe (Stripe Inc.) Payment processing EU (Ireland) PCI DSS Level 1, GDPR DPA
HubSpot (HubSpot Inc.) CRM platform (your data) EU (Germany) SOC 2, GDPR DPA

6. Data retention

  • Account data: retained for the duration of your account, deleted within 30 days of account closure
  • HubSpot OAuth tokens: deleted immediately upon disconnection (uninstall) or account closure
  • Assignment logs: retained for 90 days, then automatically purged
  • Billing records: retained for 10 years as required by French accounting law
  • Server logs: retained for 30 days maximum

7. Data security

  • All data in transit is encrypted via TLS 1.2+
  • Database encrypted at rest
  • HubSpot tokens encrypted with AES-256-GCM
  • Rate limiting on all endpoints (authentication, API, webhooks)
  • Security headers: HSTS, CSP, X-Frame-Options, nosniff
  • Role-based access control (Owner > Admin > Member)
  • No secrets stored on disk — all managed via environment variables

8. International data transfers

All primary data processing occurs in the European Union (France, Germany, Ireland). Some sub-processors are US-based companies operating EU infrastructure. Where data may transit through the US (e.g., Resend), transfers are protected by Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework.

9. Your rights (GDPR)

You have the right to:

  • Access your personal data
  • Rectify inaccurate data
  • Delete your data ("right to be forgotten")
  • Port your data to another service
  • Restrict processing
  • Object to processing based on legitimate interest
  • Withdraw consent at any time (where applicable)

To exercise these rights, contact us at: [PLACEHOLDER — email]

We will respond within 30 days. If you are not satisfied with our response, you may lodge a complaint with the CNIL (Commission Nationale de l'Informatique et des Libertés): www.cnil.fr.

10. Children's privacy

RouteAnything is a B2B service and is not directed at individuals under the age of 16. We do not knowingly collect data from children.

11. Changes to this policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or in-app notification. The "Last updated" date at the top of this page indicates the most recent revision.

12. Contact

For any questions regarding this Privacy Policy:

  • Email: [PLACEHOLDER — ex : privacy@routeanything.com]
  • Postal address: CRM MANAGER IO — [PLACEHOLDER — adresse]