Privacy Policy
Effective May 7, 2026 · Last updated May 7, 2026
This Privacy Policy explains how RowRouter (“RowRouter,” “we,” “us”) collects, uses, and shares personal information in connection with the RowRouter web application, marketing site, and related services (collectively, the “Service”). It applies to two distinct audiences: Operators (people who create a RowRouter account and configure links) and Recipients (people who receive a row-scoped edit link from an Operator). Where the treatment differs, we say so explicitly.
This Policy is incorporated by reference into our Terms of Service. Capitalized terms not defined here have the meanings given in the Terms.
1. Roles: Who Controls What
For Operator account information (email used to sign in, billing information, account settings), RowRouter is the “controller” under GDPR-style terminology and the “business” under CCPA-style terminology.
For data that an Operator chooses to process through the Service — including Airtable records pulled in to build forms, recipient email addresses the Operator supplies, and the contents of recipient submissions (collectively, “Customer Data”) — the Operator is the controller and RowRouter acts as a processor or service provider on the Operator’s behalf. If you are a Recipient and have questions about why you received a link or how the underlying record will be used, please contact the Operator who sent you the link; their identity is shown on the link page.
2. Information We Collect
2.1 From Operators directly
- Account identifiers: the email address you use to sign in and an optional display name.
- Authentication artifacts: single-use magic-link tokens (stored only as SHA-256 hashes), the IP address from which a sign-in link was requested, and a signed HTTP-only session cookie (rr_session) used to keep you signed in.
- Connection credentials: Airtable Personal Access Tokens or OAuth access and refresh tokens you provide so the Service can read schema and read/write rows on your behalf. These are encrypted at rest with AES-256-GCM using versioned keys.
- Form configuration and Customer Data: form settings, base/table identifiers, the list of fields you allow Recipients to edit, snapshots of your Airtable field schema, optional default email subjects and bodies, and recipient email addresses you supply when generating a link.
- Pricing-interest survey responses: if you voluntarily indicate willingness-to-pay during the Founding Beta, we store the answer, an optional monthly budget, and any free-text notes you submit.
- Support correspondence: any messages you send to support@rowrouter.app and the email metadata associated with them.
2.2 From Recipients
- Link identifier: a single-use token in the URL you receive. We store only a SHA-256 hash of this token; the plaintext exists only in the link itself and cannot be recovered by us after issuance.
- Email address: only if the Operator supplied your email when generating the link. Recipients are not asked to enter an email address into the Service.
- Submission content: the values you enter into the fields the Operator allowed for editing, and (in review-before-publish mode) the proposed changes pending Operator approval.
- Technical event data: when you open the link or submit a change, we record a timestamp, your IP address, your browser’s user-agent string, the HTTP status returned by Airtable when we wrote your change, and any error message returned. This forms the audit log the Operator relies on.
2.3 From third parties
- Airtable: when an Operator authenticates via OAuth, Airtable returns the user’s Airtable user ID and email so the Operator can identify which workspace they connected. When the Service reads or writes rows, it receives the corresponding record data.
- Stripe: when an Operator subscribes, Stripe returns a customer identifier, subscription identifier, plan, status, and current billing period. We do not receive or store full card numbers or bank details — those are handled by Stripe.
2.4 What we do not collect
- We do not embed third-party analytics (Google Analytics, Plausible, PostHog, Mixpanel, Segment, Amplitude, or similar), advertising pixels, marketing trackers, session-replay tools, or social-media widgets.
- We do not knowingly collect information from anyone under 18. See Section 11 (Children).
3. How We Use Information
We use the information described above to:
- Authenticate Operators (issue and verify magic-link tokens; sign and verify the session cookie).
- Provide the core Service: read your Airtable schema, generate row-scoped links, deliver them by email if you ask us to, accept submissions from Recipients, and write the resulting changes back to Airtable.
- Maintain the audit log so Operators can see when each link was opened, what a Recipient submitted, and whether the write to Airtable succeeded.
- Enforce plan limits, prevent abuse, and rate-limit sign-in requests.
- Process subscription payments through Stripe and apply Founding Member entitlement as described in our Terms.
- Send transactional email — sign-in links and outbound recipient invitations — through our email provider (Resend). We do not send marketing email unless you separately opt in.
- Investigate suspected violations of our Terms, respond to legal process, and protect the rights, property, and safety of RowRouter, our users, and the public.
- Diagnose errors and improve reliability, using server logs that age out per our retention schedule.
We do not sell personal information, share it for cross-context behavioral advertising, or use it to train machine-learning models.
4. Legal Bases (EEA, UK, Switzerland)
Where the GDPR or UK GDPR applies, we rely on the following legal bases:
- Contract: to provide the Service to Operators who have agreed to our Terms, including authenticating sign-in, executing forms and links, and processing payments.
- Legitimate interests: to secure the Service, prevent abuse, maintain audit logs the Operator relies on, debug errors, and communicate operational notices. We balance these interests against your rights and freedoms.
- Consent: where required, for example optional survey responses you choose to submit.
- Legal obligation: to respond to lawful requests from public authorities and meet tax or accounting requirements.
Where Recipient data is processed, the Operator who issued the link is responsible for establishing a legal basis for that processing (typically the Operator’s own legitimate interest or a contract with you); RowRouter acts on the Operator’s instructions.
5. Sharing and Sub-Processors
We share personal information only with the categories of recipient listed below, and only to the extent necessary for each purpose.
- Hosting and infrastructure — Fly.io. Application servers, our Postgres database, and operational logs run on Fly.io infrastructure (primary region: U.S. East, Ashburn).
- Transactional email — Resend. Magic-link sign-in emails and recipient invitations are delivered via Resend. Resend processes the recipient address, subject, and body necessary to deliver the message.
- Payments — Stripe. Stripe processes card information directly; we receive only customer and subscription metadata. Stripe is the controller of payment-card data it collects.
- Connected data sources — Airtable. By design, row data the Operator chose to expose flows between RowRouter and Airtable. Airtable is governed by its own privacy policy and is not a sub-processor of RowRouter; the Operator’s relationship with Airtable is independent of ours.
- Professional advisors and successors. We may disclose information to legal, accounting, or other professional advisors under duties of confidentiality, and to a successor entity in connection with a merger, acquisition, or sale of assets, on notice as required.
- Law enforcement and legal process. We may disclose information when we believe in good faith that disclosure is required by law, court order, or other legal process, or is necessary to protect rights, property, or safety.
We do not sell personal information and we do not share it with advertisers or data brokers.
6. International Transfers
The Service is hosted in the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States and any other country in which our sub-processors operate. Where required by applicable law (e.g., transfers from the EEA, UK, or Switzerland to the United States), we rely on appropriate transfer mechanisms such as the Standard Contractual Clauses or equivalent safeguards offered by our sub-processors.
7. Security
We employ technical and organizational measures including:
- AES-256-GCM encryption with versioned keys for stored Airtable access tokens (PATs, OAuth access tokens, and OAuth refresh tokens), each with a separate IV and authentication tag;
- SHA-256 hashing of recipient link tokens and operator magic-link tokens — once issued, the plaintext is not recoverable from our database;
- HTTPS for all transit, with HTTP-only secure cookies for the operator session and an HMAC-SHA256 signature over the session payload;
- Row-level access controls in our database, scoped per Operator;
- Limited administrative access on a need-to-know basis, with the production environment isolated from development.
No system is perfectly secure. If we become aware of a breach affecting your personal information, we will notify affected users as required by applicable law.
8. Data Retention
We keep personal information only as long as we need it:
- Account records (Operator email, name) — for the life of the account.
- Magic-link tokens — invalidated when consumed or after expiry (15 minutes), then purged on a rolling basis.
- Airtable connection credentials — until you disconnect the connection or delete your account; encrypted at rest throughout.
- Recipient links and audit events — retained while the parent form is active so the Operator can review history. Open and submit events are kept for the audit log described in our Terms.
- Pending submissions (review-before-publish mode) — retained for the life of the form unless an Operator deletes them.
- Billing records — retained for as long as required by tax, accounting, and Stripe’s own retention schedule.
- Server logs and operational metrics — age out on a short rolling window unless retained longer to investigate a specific incident.
On termination of your account, Customer Data is retained for 30 days (during which you may export or request deletion), and then deleted from active systems, subject to retention required by law and limited operational backups that age out per our retention schedule. See the Termination section of our Terms.
9. Your Rights
Depending on where you live, you may have the right to:
- Access: request a copy of the personal information we hold about you;
- Rectify: correct information that is inaccurate or incomplete;
- Erase: request deletion of your personal information, subject to exceptions for legal or operational retention;
- Restrict or object: ask us to limit or stop certain processing, including processing based on legitimate interests;
- Portability: receive your information in a structured, commonly used, machine-readable format;
- Withdraw consent: where processing is based on consent, withdraw it at any time without affecting prior lawful processing;
- Lodge a complaint: with your local data-protection authority. EEA users may also contact the lead authority of their member state.
California residents have additional rights under the CCPA/CPRA, including the right to know what categories of personal information are collected and disclosed, the right to delete, the right to correct, and the right to non-discrimination for exercising these rights. We do not sell personal information or share it for cross-context behavioral advertising, so there is no opt-out to exercise on those grounds.
To exercise any right, email us at support@rowrouter.app from the address associated with your account, or describe enough detail for us to verify your request. If you are a Recipient asking about a specific link, we will route your request to the Operator who sent it, since they are the controller of that data.
10. Cookies and Similar Technologies
The Service uses one first-party cookie:
rr_session — an HTTP-only, secure, same-site cookie that holds a signed payload identifying your Operator account. It expires 30 days after sign-in (sliding) and is required to access dashboard pages. Recipients do not receive this cookie.
We do not use advertising cookies, tracking pixels, or third-party analytics cookies. Because the Service does not depend on consent-based cookies, no cookie banner is presented; the session cookie is strictly necessary for sign-in.
11. Children
The Service is intended for use by people aged 18 or older in the context of business workflows. We do not knowingly collect personal information from children under 18. If you believe a child has provided personal information through the Service, contact us and we will delete it.
12. Operator Responsibilities
If you are an Operator, you control which Airtable bases, tables, and fields you connect, and which records you expose through row-scoped links. You are responsible for ensuring that your use of the Service complies with applicable data-protection laws, including providing your own privacy notice to Recipients where required, establishing a lawful basis for sending them row-scoped edit links, and obtaining any consents required by law. Where required, we will sign a data processing addendum on reasonable terms; contact us at support@rowrouter.app.
13. Communications
We send transactional email related to your account: sign-in links, billing receipts via Stripe, security and incident notices, and material changes to the Service or these policies. You cannot opt out of these because they are necessary to operate the Service. If we ever introduce a marketing email program, it will be opt-in and include an unsubscribe mechanism.
14. Changes to This Policy
We may update this Privacy Policy from time to time. The “Effective” date at the top reflects the most recent revision. For material changes, we will notify Operators by email to the address on file and post a notice on the Service at least 30 days before the change takes effect, unless an earlier date is required by law. Your continued use of the Service after the effective date constitutes acceptance of the updated Policy.
15. Contact
Questions, requests, or complaints about this Privacy Policy or our handling of personal information can be sent to support@rowrouter.app.