Privacy Policy
Effective May 7, 2026 · Last updated May 7, 2026
This Privacy Policy explains how RowRouter (“RowRouter,” “we,” “us”) collects, uses, and shares personal information in connection with the RowRouter web application, marketing site, and related services (collectively, the “Service”). It applies to two distinct audiences: Operators (people who create a RowRouter account and configure links) and Recipients (people who receive a row-scoped edit link from an Operator). Where the treatment differs, we say so explicitly.
This Policy is incorporated by reference into our Terms of Service. Capitalized terms not defined here have the meanings given in the Terms.
1. Roles: Who Controls What
For Operator account information (email used to sign in, billing information, account settings), RowRouter is the “controller” under GDPR-style terminology and the “business” under CCPA-style terminology.
For data that an Operator chooses to process through the Service — including records pulled from connected data sources to build forms, recipient email addresses the Operator supplies, and the contents of recipient submissions (collectively, “Customer Data”) — the Operator is the controller and RowRouter acts as a processor or service provider on the Operator’s behalf. If you are a Recipient and have questions about why you received a link or how the underlying record will be used, please contact the Operator who sent you the link; their identity is shown on the link page.
2. Information We Collect
2.1 From Operators directly
- Account identifiers: the email address you use to sign in and an optional display name.
- Authentication artifacts: single-use magic-link tokens (stored only as SHA-256 hashes), the IP address from which a sign-in link was requested, and a signed HTTP-only session cookie (rr_session) used to keep you signed in.
- Connection credentials: Personal Access Tokens and OAuth access/refresh tokens for whichever data sources you connect (e.g., Airtable, Notion, monday.com, HubSpot, Smartsheet, Shopify, QuickBooks Online) so the Service can read schema and read/write rows on your behalf. These are encrypted at rest with AES-256-GCM using versioned keys. Provider-specific extras such as a Shopify store domain or a QuickBooks realm id are stored alongside the credential.
- Form configuration and Customer Data: form settings, scope/table identifiers (provider-specific: base id, database id, board id, sheet id, store domain, realm id, etc.), the list of fields you allow Recipients to edit, snapshots of your data source’s field schema, optional default email subjects and bodies, and recipient email addresses you supply when generating a link.
- Pricing-interest survey responses: if you voluntarily indicate willingness-to-pay during the Founding Beta, we store the answer, an optional monthly budget, and any free-text notes you submit.
- Support correspondence: any messages you send to support@rowrouter.com and the email metadata associated with them. We retain support correspondence for up to 24 months after the last message in the thread, then delete it unless retention is required to investigate a specific incident or by law.
2.2 From Recipients
- Link identifier: a single-use token in the URL you receive. We store only a SHA-256 hash of this token; the plaintext exists only in the link itself and cannot be recovered by us after issuance.
- Email address: only if the Operator supplied your email when generating the link. Recipients are not asked to enter an email address into the Service.
- Submission content: the values you enter into the fields the Operator allowed for editing, and (in review-before-publish mode) the proposed changes pending Operator approval.
- Technical event data: when you open the link or submit a change, we record a timestamp, your IP address, your browser’s user-agent string, the HTTP status returned by the Operator’s connected data source when we wrote your change, and any error message returned. This forms the audit log the Operator relies on.
2.3 From third parties
- Connected data sources: when an Operator authenticates via OAuth, the data source typically returns a user identifier and email so the Operator can confirm which workspace, store, or company file they connected (e.g., Airtable user id and email; Notion workspace id and bot id; Shopify shop domain; Intuit/QuickBooks Online realm id). When the Service reads or writes records, it receives the corresponding record data on the Operator’s behalf.
- Stripe: when an Operator subscribes, Stripe returns a customer identifier, subscription identifier, plan, status, and current billing period. We do not receive or store full card numbers or bank details — those are handled by Stripe.
2.4 What we do not collect
- We do not embed third-party analytics (Google Analytics, Plausible, PostHog, Mixpanel, Segment, Amplitude, or similar), advertising pixels, marketing trackers, session-replay tools, or social-media widgets.
- We do not knowingly collect information from anyone under 18. See Section 11 (Children).
3. How We Use Information
We use the information described above to:
- Authenticate Operators (issue and verify magic-link tokens; sign and verify the session cookie).
- Provide the core Service: read schema from your connected data sources, generate row-scoped links, deliver them by email if you ask us to, accept submissions from Recipients, and write the resulting changes back to the corresponding data source.
- Maintain the audit log so Operators can see when each link was opened, what a Recipient submitted, and whether the write to the connected data source succeeded.
- Enforce plan limits, prevent abuse, and rate-limit sign-in requests.
- Process subscription payments through Stripe and apply Founding Member entitlement as described in our Terms.
- Send transactional email — sign-in links and outbound recipient invitations — through our email provider (Resend). We do not send marketing email unless you separately opt in.
- Investigate suspected violations of our Terms, respond to legal process, and protect the rights, property, and safety of RowRouter, our users, and the public.
- Diagnose errors and improve reliability, using server logs that age out per our retention schedule.
We do not sell personal information, share it for cross-context behavioral advertising, or use it to train machine-learning models.
4. Legal Bases (EEA, UK, Switzerland)
Where the GDPR or UK GDPR applies, we rely on the following legal bases:
- Contract: to provide the Service to Operators who have agreed to our Terms, including authenticating sign-in, executing forms and links, and processing payments.
- Legitimate interests: to secure the Service, prevent abuse, maintain audit logs the Operator relies on, debug errors, and communicate operational notices. We balance these interests against your rights and freedoms.
- Consent: where required, for example optional survey responses you choose to submit.
- Legal obligation: to respond to lawful requests from public authorities and meet tax or accounting requirements.
Where Recipient data is processed, the Operator who issued the link is responsible for establishing a legal basis for that processing (typically the Operator’s own legitimate interest or a contract with you); RowRouter acts on the Operator’s instructions.
5. Sharing and Sub-Processors
We share personal information only with the categories of recipient listed below, and only to the extent necessary for each purpose. For transfers from the EEA, UK, or Switzerland to a country without an adequacy decision, we rely on the EU Standard Contractual Clauses (or equivalent UK/Swiss addenda) offered by each provider.
- Hosting and infrastructure — Fly.io, Inc. Application servers, our Postgres database, and operational logs run on Fly.io infrastructure. Primary region: U.S. East, Ashburn, Virginia. Transfers from the EEA/UK rely on Fly.io’s SCCs.
- Transactional email — Resend, Inc. Magic-link sign-in emails and recipient invitations are delivered via Resend. Resend processes the recipient address, subject, and body necessary to deliver the message. Primary region: United States. Transfers from the EEA/UK rely on Resend’s SCCs.
- Payments — Stripe, Inc. (and its EU/UK affiliates). Stripe processes card information directly; we receive only customer and subscription metadata. Stripe is the controller of payment-card data it collects. Stripe routes EEA/UK payments through its Irish and UK affiliates and relies on SCCs for onward transfers to the United States.
- Connected data sources. By design, row data the Operator chose to expose flows between RowRouter and whichever data source the Operator connected. Each provider is governed by its own privacy policy and is the controller of the data the Operator stores in it; none are sub-processors of RowRouter — the Operator’s relationship with each provider is independent of ours.
- Hosted providers (data leaves operator-controlled infrastructure): Airtable, Inc. (US), Notion Labs, Inc. (US), monday.com Ltd. (Israel/US), HubSpot, Inc. (US), Smartsheet Inc. (US), Shopify Inc. (Canada/US), Intuit Inc. (US, for QuickBooks Online).
- Professional advisors and successors. We may disclose information to legal, accounting, or other professional advisors under duties of confidentiality, and to a successor entity in connection with a merger, acquisition, or sale of assets, on notice as required.
- Law enforcement and legal process. We may disclose information when we believe in good faith that disclosure is required by law, court order, or other legal process, or is necessary to protect rights, property, or safety.
We do not sell personal information and we do not share it with advertisers or data brokers.
6. International Transfers
The Service is hosted in the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States and any other country in which our sub-processors operate. Where required by applicable law (e.g., transfers from the EEA, UK, or Switzerland to the United States), we rely on appropriate transfer mechanisms such as the Standard Contractual Clauses or equivalent safeguards offered by our sub-processors.
7. Security
We employ technical and organizational measures including:
- AES-256-GCM encryption with versioned keys for stored data-source access tokens (Personal Access Tokens, OAuth access tokens, and OAuth refresh tokens for every connected provider), each with a separate IV and authentication tag;
- SHA-256 hashing of recipient link tokens and operator magic-link tokens — once issued, the plaintext is not recoverable from our database;
- HTTPS (TLS) for all traffic in transit, with HTTP-only secure cookies for the operator session and an HMAC-SHA256 signature over the session payload;
- Row-level access controls in our database, scoped per Operator;
- Limited administrative access on a need-to-know basis, with the production environment isolated from development.
No system is perfectly secure. If we become aware of a breach affecting your personal information, we will notify affected users as required by applicable law.
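The two storage measures described above, a version-prefixed AES-256-GCM envelope for provider credentials and hash-only storage of single-use tokens, are the same mechanisms referred to for magic-link tokens in Section 2.1 and for link tokens in Section 2.2. The Go program below is an added example written for this page to show what those measures look like in code; it is not RowRouter's own implementation. The keyring, key versions, 15-minute expiry and the sample credential are constructed placeholders, and a real deployment would load keys from a secrets manager rather than deriving them from labels.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// keyring maps key version -> 32-byte AES-256 key. Constructed for this example only;
// production keys come from a secrets manager and are never derived from labels.
var keyring = map[uint32][]byte{1: exampleKey("example-key-v1"), 2: exampleKey("example-key-v2")}
var currentKeyVersion uint32 = 2 // new ciphertexts use the newest key; older blobs stay readable

func exampleKey(label string) []byte { k := sha256.Sum256([]byte(label)); return k[:] }

func newGCM(version uint32) (cipher.AEAD, error) {
	key, ok := keyring[version]
	if !ok {
		return nil, fmt.Errorf("unknown key version %d", version)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptSecret seals a provider credential as version(4 bytes BE) || nonce(12) || ciphertext||tag.
// A fresh random nonce is drawn per ciphertext and the version header is bound as associated
// data, so relabelling a stored blob to a different key version fails authentication.
func EncryptSecret(plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(currentKeyVersion)
	if err != nil {
		return nil, err
	}
	header := make([]byte, 4)
	binary.BigEndian.PutUint32(header, currentKeyVersion)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	blob := append(append([]byte{}, header...), nonce...)
	return gcm.Seal(blob, nonce, plaintext, header), nil
}

// DecryptSecret reverses EncryptSecret; any modified byte yields an error, never partial plaintext.
func DecryptSecret(blob []byte) ([]byte, error) {
	if len(blob) < 4+12+16 { // header + nonce + tag is the minimum for an empty plaintext
		return nil, errors.New("blob too short")
	}
	header := blob[:4]
	gcm, err := newGCM(binary.BigEndian.Uint32(header))
	if err != nil {
		return nil, err
	}
	n := 4 + gcm.NonceSize()
	return gcm.Open(nil, blob[4:n], blob[n:], header)
}

// IssueToken returns the plaintext that goes into the link or sign-in e-mail and the
// SHA-256 digest, which is the only thing written to the database.
func IssueToken() (plaintext string, stored [32]byte, err error) {
	raw := make([]byte, 32)
	if _, err = rand.Read(raw); err != nil {
		return
	}
	plaintext = base64.RawURLEncoding.EncodeToString(raw)
	return plaintext, sha256.Sum256([]byte(plaintext)), nil
}

// VerifyToken compares the presented token's digest with the stored one in constant time
// and enforces expiry and single use; the caller marks the row consumed on success.
func VerifyToken(presented string, stored [32]byte, expiresAt, now time.Time, consumed bool) error {
	if consumed {
		return errors.New("token already used")
	}
	if !now.Before(expiresAt) {
		return errors.New("token expired")
	}
	got := sha256.Sum256([]byte(presented))
	if subtle.ConstantTimeCompare(got[:], stored[:]) != 1 {
		return errors.New("token mismatch")
	}
	return nil
}

func main() {
	blob, _ := EncryptSecret([]byte("pat_example_123")) // constructed sample credential
	plain, err := DecryptSecret(blob)
	fmt.Printf("round trip: %q err=%v\n", plain, err)
}
```

Because the key version travels with each ciphertext, rotating to a new key only changes what new writes use; existing rows keep decrypting under their recorded version until they are re-encrypted on the next read. Storing only the digest of a token means a database leak does not hand an attacker usable links, and the constant-time comparison avoids leaking how many leading bytes of a guess were right.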
8. Data Retention
We keep personal information only as long as we need it:
- Account records (Operator email, name) — for the life of the account.
- Magic-link tokens — invalidated when consumed or after expiry (15 minutes), then purged on a rolling basis.
- Data-source connection credentials — for any connected provider (Airtable, Notion, monday.com, HubSpot, Smartsheet, Shopify, QuickBooks Online) until you disconnect the connection or delete your account; encrypted at rest throughout.
- Recipient links and audit events — retained while the parent form is active so the Operator can review history. Open and submit events are kept for the audit log described in our Terms.
- Pending submissions (review-before-publish mode) — retained for the life of the form unless an Operator deletes them.
- Billing records — retained for as long as required by tax, accounting, and Stripe’s own retention schedule.
- Server logs and operational metrics — age out on a short rolling window unless retained longer to investigate a specific incident.
On termination of your account, Customer Data is retained for 30 days (during which you may export or request deletion), and then deleted from active systems, subject to retention required by law and limited operational backups that age out per our retention schedule. See the Termination section of our Terms.
9. Your Rights
Depending on where you live, you may have the right to:
- Access: request a copy of the personal information we hold about you;
- Rectify: correct information that is inaccurate or incomplete;
- Erase: request deletion of your personal information, subject to exceptions for legal or operational retention;
- Restrict or object: ask us to limit or stop certain processing, including processing based on legitimate interests;
- Portability: receive your information in a structured, commonly used, machine-readable format;
- Withdraw consent: where processing is based on consent, withdraw it at any time without affecting prior lawful processing;
- Lodge a complaint: with your local data-protection authority. EEA users may also contact the lead authority of their member state.
California residents have additional rights under the CCPA/CPRA, including the right to know what categories of personal information are collected and disclosed, the right to delete, the right to correct, and the right to non-discrimination for exercising these rights. We do not sell personal information, share it for cross-context behavioral advertising, or process sensitive personal information for any purpose that triggers a right to limit, so there is no “Do Not Sell or Share” or “Limit the Use of My Sensitive Personal Information” opt-out to exercise on those grounds. A summary of the choices available to you is published at Your Privacy Choices.
How to exercise a right. Email us at privacy@rowrouter.com (or support@rowrouter.com) with “Privacy Request” in the subject line. You can also submit a request via our contact page. To verify your request we will, at minimum, require that you write from the email address associated with your Operator account; for requests from a different address we may ask for additional information sufficient to link the request to data we hold (for example, an account-creation date or a link token you received). If you are a Recipient asking about a specific link, we will route your request to the Operator who sent it, since they are the controller of that data.
Response time. We respond to verifiable requests within 30 days for GDPR/UK GDPR, and within 45 days for CCPA/CPRA (extendable by an additional 45 days where reasonably necessary, on notice to you). We do not charge a fee for the first request in any 12-month period.
Authorized agents. California residents may designate an authorized agent to make a request on their behalf; we will require written proof of the agent’s authority and may verify the request directly with you.
10. Cookies and Similar Technologies
The Service uses one first-party cookie:
rr_session — an HTTP-only, secure, same-site cookie that holds a signed payload identifying your Operator account. It expires 30 days after sign-in (sliding) and is required to access dashboard pages. Recipients do not receive this cookie.
We do not use advertising cookies, tracking pixels, or third-party analytics cookies. Because the Service does not depend on consent-based cookies, no cookie banner is presented; the session cookie is strictly necessary for sign-in.
11. Children
The Service is intended for use by people aged 18 or older in the context of business workflows. We do not knowingly collect personal information from children under 18. If you believe a child has provided personal information through the Service, contact us and we will delete it.
12. Operator Responsibilities
If you are an Operator, you control which data sources, scopes (bases, workspaces, boards, sheets, stores, company files, etc.), tables, and fields you connect, and which records you expose through row-scoped links. You are responsible for ensuring that your use of the Service complies with applicable data-protection laws, including providing your own privacy notice to Recipients where required, establishing a lawful basis for sending them row-scoped edit links, and obtaining any consents required by law. We publish a standing Data Processing Addendum at /dpa; by using the Service to process personal data on behalf of data subjects, the Operator and RowRouter are deemed to have entered into that DPA. For customer-specific terms or signed counterparts, contact us at support@rowrouter.com.
13. Communications
We send transactional email related to your account: sign-in links, billing receipts via Stripe, security and incident notices, and material changes to the Service or these policies. You cannot opt out of these because they are necessary to operate the Service. If we ever introduce a marketing email program, it will be opt-in and include an unsubscribe mechanism.
14. Changes to This Policy
We may update this Privacy Policy from time to time. The “Effective” date at the top reflects the most recent revision. For material changes, we will notify Operators by email to the address on file and post a notice on the Service at least 30 days before the change takes effect, unless an earlier date is required by law. Your continued use of the Service after the effective date constitutes acceptance of the updated Policy.
15. Contact
Questions, requests, or complaints about this Privacy Policy or our handling of personal information can be sent to privacy@rowrouter.com (privacy requests) or support@rowrouter.com (general support), or by post to:
RowRouter
Prague, Czech Republic
Recipients in the European Economic Area, the United Kingdom, or Switzerland may also contact their local supervisory authority. We have not appointed an Article 27 representative; if your processing context requires one, contact us and we will provide an alternative point of contact.