Privacy Policy
Last updated: May 20, 2026 · Version 2026-05-20
This Privacy Policy explains how we collect, use, store, and protect personal data when you visit napspan.com or use the NAPSPAN API, developer portal, live map, or related services (the "Service"). It implements our duties under Regulation (EU) 2016/679 ("GDPR"), Directive 2002/58/EC ("ePrivacy"), and the national laws transposing them in EEA member states.
1. Controller and EU Representative
Data controller within the meaning of Article 4(7) GDPR:
Representative in the European Union (Article 27 GDPR): the operator is established outside the EEA but offers the Service to data subjects in the EEA. Our designated EU representative — to whom EEA data subjects and supervisory authorities may address all questions concerning the processing — is identified in the Imprint / Legal Notice. Until that designation is published there, you may direct all GDPR enquiries to [email protected] and we will route them accordingly.
Data Protection Officer (DPO). We are not required to designate a DPO under Article 37 GDPR (no large-scale processing of special categories, no large-scale systematic monitoring). For all data-protection enquiries, contact the controller directly.
2. Personal Data We Process, Purposes, and Legal Bases
The subsections below set out, for each processing activity, what we process, why, on which legal basis (Article 6(1) GDPR), and how long we keep it.
2.1 Account creation and management
- Categories: name, email, optional company name, password (bcrypt hash; we never store plaintext)
- Purpose: create and manage your account; authenticate you
- Legal basis: performance of a contract with you or pre-contractual measures at your request — Article 6(1)(b) GDPR
- Retention: for the duration of your account; deleted within 30 days of account-closure request, except where a longer period is required by tax or accounting law (typically up to 10 years for invoice-related metadata)
2.2 API key management and request authentication
- Categories: API key (stored only as SHA-256 hash; the full key is shown to you exactly once at creation), key label, creation/last-used timestamps
- Purpose: authenticate your API requests; enforce rate limits and quotas
- Legal basis: performance of contract — Article 6(1)(b) GDPR
- Retention: while the key is active; revoked keys retained for up to 90 days for audit, then deleted
2.3 API usage and rate limiting
- Categories: hashed API key identifier, request endpoint, timestamp, IP address (short-term, for rate limiting), aggregated daily request counts
- Purpose: rate limiting, plan enforcement, abuse prevention, capacity planning
- Legal basis: performance of contract — Article 6(1)(b); legitimate interest in protecting Service integrity — Article 6(1)(f) GDPR
- Retention: raw request logs are not stored; IP addresses used for rate limiting are kept in volatile memory only and not persisted; aggregated daily usage is retained for up to 12 months
2.4 Billing and subscription management
- Categories: Paddle customer ID, subscription ID, plan, subscription status, transaction amounts and dates, billing country, VAT status. We do not see, store, or have access to your card number, IBAN, or other payment instruments.
- Purpose: manage your paid subscription, issue invoices, comply with tax law
- Legal basis: performance of contract — Article 6(1)(b); compliance with legal obligations (tax/accounting) — Article 6(1)(c) GDPR
- Retention: billing records retained for the period required by tax law in the relevant jurisdictions (typically 7–10 years)
2.5 Transactional email
- Categories: email address, message content (account verification, password reset, trial reminders, billing notices, security alerts)
- Purpose: deliver service-essential communications
- Legal basis: performance of contract — Article 6(1)(b) GDPR
- Retention: we do not archive transactional emails; they are kept only as long as needed for delivery and bounce handling
2.6 Support correspondence
- Categories: name, email, message content, attachments you choose to send
- Purpose: respond to your enquiries and resolve issues
- Legal basis: performance of contract or pre-contractual measures — Article 6(1)(b); legitimate interest in providing support — Article 6(1)(f) GDPR
- Retention: 24 months from the last message in the thread, then archived or deleted
2.7 Server logs (security and debugging)
- Categories: truncated IP address, request path, status code, user-agent, timestamp; application warning/error logs
- Purpose: security monitoring, abuse prevention, debugging
- Legal basis: legitimate interest in operating a secure service — Article 6(1)(f) GDPR
- Retention: error/warning logs are pruned after 7 days; access logs after 30 days
2.8 Cookies and similar technologies
See the Cookie Policy for the exhaustive list. We use only strictly-necessary cookies and local-storage entries (authentication session, CSRF token, language preference). We do not use analytics, advertising, or tracking cookies.
2.9 Routing inputs and auto-saved routes
- Categories: origin coordinates, destination coordinates, optional waypoint coordinates, the frozen truck profile (dimensions, weight, axle count, hazmat class) active at request time, the serialized route geometry and enrichment overlay produced by NAPSPAN, and timestamps for creation, last fetch, and TTL expiry. We do not infer or store driver identity, vehicle license plate, cargo description, or shipping itinerary.
- Purpose: compute and return the routing result, enable re-fetch of a recent route without consuming a new routing call, enforce quotas and prevent abuse, and (for routes you explicitly persist) deliver the requested storage feature.
- Legal basis: performance of contract — Article 6(1)(b) GDPR — for routes you submit while subscribed to a plan that includes routing.
- Recipients / processors: the coordinates and truck profile are forwarded to HERE Technologies (HERE Global B.V., Netherlands) acting as a data processor on our behalf (see Section 4). We do not forward your email, name, company, API key, account identifier, or any other account attribute to HERE.
- Retention: auto-saved routes are deleted automatically 30 minutes after creation. Routes you have explicitly persisted are retained until you delete them or close your account.
2.10 Marketing and newsletter emails
- Categories: email address, name, your newsletter-subscription state, and the timestamp of your opt-in or opt-out.
- Purpose: to send you our newsletter — product news, updates, offers, and tips — only where you have actively subscribed.
- Legal basis: your consent — Article 6(1)(a) GDPR. The subscription checkbox is unticked by default and subscribing is a separate, optional, affirmative action. We operate a double opt-in process: after you tick the box we send a confirmation email, and you are added to the newsletter only when you click the confirmation link in that email.
- Withdrawing consent: you may unsubscribe at any time — from the developer-portal Settings page or via the unsubscribe link in any newsletter. Withdrawal takes effect immediately and does not affect the lawfulness of processing carried out before withdrawal, nor does it affect transactional emails (verification, billing, security), which are necessary for performance of the contract.
- Retention: while you remain subscribed; the opt-in / opt-out timestamp is retained as proof of consent for as long as needed to demonstrate compliance under Article 7(1) GDPR.
3. What We Do NOT Do
- We do not sell or rent your personal data to third parties
- We do not share your data with advertisers or data brokers
- We do not run third-party tracking pixels, analytics scripts, retargeting tags, or session-replay tools
- We do not profile you for marketing purposes
- We do not engage in solely automated decision-making producing legal or similarly significant effects within the meaning of Article 22 GDPR
- We do not store your full API keys (only SHA-256 hashes)
4. Recipients and Sub-processors
We share personal data only with the following recipients, each bound by a written data-processing agreement under Article 28 GDPR where they act as processor on our behalf:
- Paddle.com Market Limited — Ireland (registered office) and United Kingdom — Merchant of Record for the NAPSPAN service. Acts as separate controller for tax/payment compliance and as our processor for subscription management. Processes name, email, company, billing country, VAT status / tax ID (where supplied), card data and (tokenized) card fingerprint (stored exclusively by Paddle). Paddle, not NAPSPAN, is responsible for calculating, collecting, and remitting VAT / GST / sales tax on transactions, and for issuing compliant invoices. Privacy policy: paddle.com/legal/privacy.
- Zoho Corporation — for Zoho Mail SMTP relay of transactional email. Receives the email address and message content needed for delivery. Privacy policy: zoho.com/privacy.html.
- Hetzner Online GmbH — Germany — provides the dedicated servers and managed database infrastructure on which the Service runs. Hetzner is bound by a Data Processing Agreement under Article 28 GDPR. Privacy policy: hetzner.com/legal/privacy-policy.
- Cloudflare, Inc. — United States, with EU-based processing options — used for (i) DNS and edge TLS termination on selected hostnames, processing only request metadata (IP, host, path) needed to route the request; and (ii) Cloudflare Turnstile CAPTCHA on the signup, login, and password-reset forms. Turnstile collects a browser/device fingerprint and behavioural signals from the visitor and shares them with Cloudflare for anti-abuse and bot-detection purposes; we receive only a pass/fail verdict. Cloudflare offers Standard Contractual Clauses for non-EU processing. Privacy policy: cloudflare.com/privacypolicy.
- HERE Technologies (HERE Global B.V., Netherlands) — upstream routing provider used by the truck-routing endpoint, acting as a data processor on our behalf within the meaning of Article 28 GDPR. When you submit a routing request, we forward to HERE only: origin coordinates, destination coordinates, optional waypoint coordinates, and the truck profile (dimensions, weight, axle count, hazmat class). We do not forward your email, name, company, API key, account identifier, or any other personally identifying account attribute. HERE Global B.V. is established in the EU; for the portion of the computation performed on infrastructure outside the EEA, HERE relies on its own appropriate safeguards (Standard Contractual Clauses or adequacy). HERE's privacy notice: legal.here.com/privacy. Note: the NAPSPAN API deliberately does not name HERE in routing response bodies or response headers, in order to preserve our ability to swap routing providers without breaking integrations; however, GDPR transparency obligations require that we identify HERE here, and this Privacy Policy is the controlling disclosure.
- The operator (Roman Kotenko, Ukraine) — administers the Service from Ukraine; this constitutes a transfer of personal data to a third country (see Section 5).
- Public authorities and law enforcement — only where required by binding legal process under EU or applicable national law and only to the extent necessary.
An up-to-date list of sub-processors is available on request at [email protected].
5. International Transfers
The Service's application servers and primary PostgreSQL database are hosted in the European Union (Frankfurt, Germany). However, certain transfers of personal data outside the EEA do occur:
- Ukraine — administrative access by the operator. Ukraine is not the subject of an adequacy decision under Article 45 GDPR. We rely on the European Commission's Standard Contractual Clauses (Implementing Decision (EU) 2021/914) and supplementary technical measures (encryption in transit, encrypted SSH access, principle of least privilege) for these transfers, in accordance with Article 46 GDPR.
- United Kingdom (Paddle) — covered by the European Commission's adequacy decision of 28 June 2021.
- India (Zoho) — Zoho operates EU data centres for EEA customers; where any data is processed in India we rely on Standard Contractual Clauses.
- HERE Technologies (Netherlands; possibly other locations as a sub-processor of HERE) — routing computation. HERE Global B.V. is established in the EU. Where the routing infrastructure HERE uses to serve our requests is located outside the EEA, HERE relies on its own Article 46 safeguards (Standard Contractual Clauses, adequacy where applicable). The data we send to HERE is limited to coordinates and a truck profile (Section 4) and does not include direct identifiers.
You may request a copy of the safeguards applicable to any specific transfer at [email protected].
6. Your Rights
If you are in the EEA or United Kingdom, you have the following rights under the GDPR / UK GDPR. To exercise them, write to [email protected]; we respond within one month (extendable by two further months for complex requests, with notice to you).
- Right of access (Article 15): obtain confirmation of whether we process your personal data and a copy of it
- Right to rectification (Article 16): have inaccurate or incomplete data corrected; you can update most fields yourself in the developer portal
- Right to erasure / "right to be forgotten" (Article 17): request deletion where one of the listed grounds applies
- Right to restriction of processing (Article 18): request that processing be restricted in defined cases
- Right to data portability (Article 20): receive your data in a structured, commonly used, machine-readable format and transmit it to another controller
- Right to object (Article 21): object to processing based on legitimate interests, including profiling (we do not profile)
- Rights related to automated decision-making (Article 22): we do not use such decision-making
- Right to withdraw consent (Article 7(3)): where processing is based on consent, withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal
- Right to lodge a complaint with a supervisory authority (Article 77): you may complain to the data-protection authority in your EEA member state of residence, place of work, or place of the alleged infringement. A list of EEA supervisory authorities is published by the European Data Protection Board at edpb.europa.eu/about-edpb/about-edpb/members. UK residents may complain to the Information Commissioner's Office (ico.org.uk).
Exercising any of these rights is free of charge in normal circumstances; we may charge a reasonable fee or refuse to act on manifestly unfounded or excessive requests, in line with Article 12(5) GDPR.
7. Data Security
We implement appropriate technical and organisational measures (Article 32 GDPR), including:
- HTTPS/TLS for all API and website traffic
- Bcrypt password hashing
- SHA-256 hashing of API keys at rest (the full key is shown only once at creation)
- Encrypted disks on hosting infrastructure
- Restricted, authenticated database access; least-privilege principles
- HMAC-SHA256 signing of webhook payloads
- Off-site encrypted database backups
8. Data Breach Notification
In the event of a personal-data breach likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours of becoming aware of it (Article 33 GDPR), and we will notify you without undue delay where the breach is likely to result in a high risk (Article 34 GDPR).
9. Children
The Service is not directed at, and not intended for use by, persons under the age of 16 (or the higher digital-consent age in any EEA member state). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.
10. Changes to this Policy
We may update this Privacy Policy as our practices, the law, or our infrastructure evolves. Material changes will be communicated by email and by a notice on the website at least 14 days before they take effect. The "Last updated" date at the top reflects the most recent revision.
11. Contact
For privacy-related questions or to exercise any of your rights, contact [email protected] or our EU representative as identified in the Imprint / Legal Notice.