Privacy Policy
Version 2.1 — Last updated: 14 May 2026
We process personal data under GDPR. This policy documents what we collect, why, how long we keep it, and how to exercise your rights. Internal compliance records (DPIA, RoPA, TIA, LIA) are maintained and made available to supervisory authorities and to enterprise customers on request from [email protected].
1. Who we are
Route13 is a B2B intelligence platform aggregating publicly available data on European companies, operated at route13.io.
Controller: Route13 (EU-based operator). Full identification and postal address provided on request to any data subject, supervisory authority, or enterprise customer at [email protected].
Data protection inquiries: [email protected] (this address handles all GDPR rights requests; no formal Data Protection Officer has been designated under Article 37 — Route13 is below the threshold of public authority and does not engage in large-scale systematic monitoring within the meaning of Articles 37(1)(b)-(c)).
General contact: [email protected]
Lead supervisory authority: AEPD (Spain) — www.aepd.es. You may also complain to your local national DPA via the GDPR one-stop-shop.
2. Personal data we collect from you (as a Route13 subscriber)
- Email address — for account, login (magic-link or password), and service communication.
- Hashed password (Argon2id) or magic-link tokens — for authentication.
- Subscription plan + billing email — for invoicing.
- API keys — stored hashed (SHA-256) at rest. Validated server-side per request.
- Usage logs — API calls, search queries, IP addresses, user-agents. Retained 90 days in identifiable form, anonymised thereafter. Used only for abuse prevention and capacity planning.
- Payment data — processed end-to-end by Stripe. We never store card numbers.
We do not use analytics cookies, advertising trackers, or third-party tracking pixels. No cookie consent banner is required because we set only strictly necessary cookies (authentication session).
3. Personal data we process about EU company directors / officers
The bulk of Route13's database is information about legal entities (companies) — not natural persons. However, our service includes personal data about natural persons acting in their professional capacity as directors, legal representatives, or signatories of EU companies.
3.1 Categories of director / officer data
- Name + role — from public commercial registries.
- Date of appointment / departure — same source.
- Nationality + date of birth (where the registry exposes them) — used only for disambiguation; never displayed to subscribers.
- Generic / function inboxes (e.g. info@…, contact@…) — scraped only from each company's own published pages, respecting robots.txt and identifying ourselves as Route13Bot.
- Director email addresses — only where (a) explicitly published on the company's own materials, or (b) derived from a common B2B email pattern (e.g. firstname.lastname@) and confirmed by SMTP RCPT TO probe against the company's own mail server. Only addresses where the company's own mail server confirms existence (SMTP 250 reply) are retained — candidates that fail verification are discarded immediately and not stored. We never issue an SMTP DATA command; no actual email is delivered during verification.
3.2 Sources we use (exhaustive list)
- FR Sirene (INSEE) — French enterprise master directory
- FR INPI — French bilans déposés (annual accounts)
- FR BODACC (DILA) — French commercial bulletin (announcements)
- FR recherche-entreprises.api.gouv.fr — French government search API
- FR Egapro — French gender-equality index
- FR IDCC / siret2idcc — French collective agreement mapping
- BE KBO / BCE — Belgian Crossroads Bank for Enterprises
- EU + UN + OFAC sanctions lists — public consolidated sanctions feeds
- Company-own websites — for generic inboxes + director email patterns (only sites that allow scraping in robots.txt)
- SMTP RCPT TO probe — against the company's own mail server, for verification of director email candidates
3.3 Sources we explicitly do NOT use
We never source data from: LinkedIn, Hunter.io, Apollo, ZoomInfo, Kaspr, Lusha, RocketReach, browser-extension crowdsourcing, or any third-party email broker. This is a deliberate posture choice — Route13 only processes data that is either (a) published by an official EU registry, or (b) self-published by the company on its own infrastructure, or (c) confirmed by the company's own mail server.
3.4 Article 14 proactive notification
When a director email is first added to our production database, we send a one-time informational email to the director within 30 days, informing them of:
- The fact that their data is included in Route13
- The legal basis (Art. 6(1)(f) — legitimate interest)
- Their rights under Art. 15-22 GDPR
- A one-click opt-out link
- Contact for data protection inquiries
This notification is sent only once — no other emails follow unless the director initiates contact.
3.5 Opt-out mechanism (SHA-256 hash registry)
Opted-out emails are persisted as SHA-256 hashes in a permanent block-list. The registry is checked before every database write and before every SMTP probe — opted-out addresses are never re-added to the directory, even on full re-scrapes from source registries. The raw email is not retained after the opt-out request is processed.
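One way to implement the two gates described above (block-list consulted before every directory write and before every verification step, with only the digest kept after opt-out), as an added Python example that is not Route13's code. The class and function names, the in-memory set standing in for the persistent registry, and the sample addresses are constructed for illustration:

```python
import hashlib


def normalize_email(addr: str) -> str:
    """Canonicalise an address before hashing, so that 'Jane.Doe@Example.fr '
    and 'jane.doe@example.fr' yield the same digest and a case variant cannot
    slip past the block-list."""
    addr = addr.strip().lower()
    if addr.count("@") != 1 or not addr.split("@")[1]:
        raise ValueError(f"not an email address: {addr!r}")
    return addr


def email_hash(addr: str) -> str:
    """SHA-256 hex digest of the normalised address: the only form the registry keeps."""
    return hashlib.sha256(normalize_email(addr).encode("utf-8")).hexdigest()


class OptOutRegistry:
    """Permanent block-list of SHA-256 digests (hypothetical in-memory stand-in
    for a database table). The raw address is never stored here."""

    def __init__(self) -> None:
        self._digests: set[str] = set()

    def record_opt_out(self, addr: str) -> str:
        digest = email_hash(addr)
        self._digests.add(digest)
        return digest

    def is_blocked(self, addr: str) -> bool:
        return email_hash(addr) in self._digests


class DirectorDirectory:
    """Minimal stand-in for the production table of director contact rows."""

    def __init__(self, registry: OptOutRegistry) -> None:
        self.registry = registry
        self.rows: dict[str, dict] = {}  # normalised email -> row

    def upsert_director_email(self, company_id: str, name: str, addr: str) -> bool:
        """Gate 1: every write consults the block-list first. Returns True if stored."""
        if self.registry.is_blocked(addr):
            return False
        key = normalize_email(addr)
        self.rows[key] = {"company_id": company_id, "name": name, "email": key}
        return True

    def may_verify(self, addr: str) -> bool:
        """Gate 2: the verification step is skipped entirely for opted-out addresses."""
        return not self.registry.is_blocked(addr)

    def process_opt_out(self, addr: str) -> dict:
        """Handle a data-subject opt-out: erase any existing row, then persist only the digest."""
        key = normalize_email(addr)
        erased = self.rows.pop(key, None) is not None
        digest = self.registry.record_opt_out(key)
        return {"erased_existing_row": erased, "digest": digest}


def demo() -> dict:
    """Constructed scenario: a director opts out, then a later full re-scrape
    from the source registry tries to re-add the same address."""
    directory = DirectorDirectory(OptOutRegistry())
    stored = directory.upsert_director_email("FR-0001", "Jane Doe", "jane.doe@example-company.fr")
    # The opt-out request arrives with different capitalisation than the stored row.
    result = directory.process_opt_out("Jane.Doe@Example-Company.fr")
    re_added = directory.upsert_director_email("FR-0001", "Jane Doe", "jane.doe@example-company.fr")
    return {
        "initially_stored": stored,
        "erased_on_opt_out": result["erased_existing_row"],
        "re_added_after_rescrape": re_added,
        "probe_allowed": directory.may_verify("jane.doe@example-company.fr"),
        "rows_left": len(directory.rows),
    }


if __name__ == "__main__":
    print(demo())
```

The normalisation step is what makes the gate hold under re-scrapes: registries and company pages do not agree on capitalisation, so the digest must be computed over a canonical form. Note also that an unsalted SHA-256 of an address is a lookup key rather than anonymisation: anyone holding a candidate address can recompute the digest, which is precisely what allows the membership check to work, so the registry should sit under the same access controls as the directory itself.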
4. Legal bases (GDPR Art. 6)
- Art. 6(1)(b) — Contract: processing of subscriber email, password, billing data to provide the contracted service.
- Art. 6(1)(c) — Legal obligation: EU/UN/OFAC sanctions screening (for KYC obligations of our customers under AML directives).
- Art. 6(1)(f) — Legitimate interest: (i) B2B intelligence and due diligence on natural persons in their professional capacity (directors); (ii) SMTP RCPT TO verification against the company's own mail server to confirm deliverability of derived candidate addresses before persistence (no DATA command issued, no email delivered). Detailed balancing test in our Legitimate Interest Assessment (LIA) available on request from [email protected].
- Art. 6(1)(a) — Consent: waitlist communications. Unsubscribe via the link in any such email.
4.1 Children (GDPR Art. 8)
Route13 is a strictly B2B service. We do not knowingly process personal data of individuals under the age of 16. If you believe a record in our directory pertains to a minor, contact [email protected] and we will erase it promptly.
5. Recipients of your data (sub-processors)
| Sub-processor | Function | Location | Adequacy / SCCs |
|---|---|---|---|
| Hetzner Online GmbH | Server hosting + Postgres | Falkenstein, DE (EU) | EU — no transfer |
| Cloudflare Inc. | DNS, CDN, DDoS, email routing | Multi-region (EU edges) | SCCs + EU-US DPF certified |
| Stripe Payments Europe | Payment processing | Dublin, IE (EU) | SCCs + EU-US DPF certified |
| Resend Inc. | Transactional email | Delaware, US (EU subprocessor available) | SCCs + EU-US DPF |
| OVH Cloud | Auxiliary VPS (SMTP verification) | Roubaix, FR (EU) | EU — no transfer |
Database and authentication are fully self-hosted — no third-party identity provider, no managed database, no third-party logging.
6. International transfers
All primary data storage is in the EU (Hetzner Falkenstein, Germany). The following cross-border transfers occur and are documented in our TIA (available on request):
- Cloudflare edge metadata — request headers may be processed at non-EU edges (SCCs + DPF).
- Stripe — some operations may transit US infrastructure (SCCs + DPF).
- Non-EU subscribers — receive query results at retrieval time (SCCs module 1, plus subscriber TOS supplementary measures).
7. Data retention
- Subscriber account data: until account deletion + 30 days grace.
- Usage logs: 90 days identifiable; anonymised thereafter.
- Payment records: 7 years (legal accounting requirement).
- Company directory + director records: while present in source registry; or 3 years after last commercial activity / company dissolution, whichever is sooner. Auto-purge cron enforces this monthly.
- Director emails: 3 years from last commercial use; rolling 90-day SMTP re-verification (stale entries removed).
- Opt-out hash registry: indefinite (this is the technical guarantee that opted-out emails are never re-added).
8. Your rights
You have the following rights under GDPR:
- Art. 15 — Access: request a copy of the personal data we hold about you.
- Art. 16 — Rectification: request correction of inaccurate data.
- Art. 17 — Erasure: request deletion (“right to be forgotten”).
- Art. 18 — Restriction: request that we limit processing.
- Art. 20 — Portability: request a machine-readable export of your data.
- Art. 21 — Object: object to processing based on legitimate interest.
- Art. 22 — Automated decisions: not applicable — no fully automated decisions with legal effect.
- Art. 77 — Complaint to DPA: lodge a complaint with AEPD (Spain) or your local national DPA.
To exercise any right, email [email protected]. For erasure / objection requests about director data specifically, the fastest path is the self-service form at /data-subjects/route13 — it triggers an immediate database update and SHA-256 block-list entry. We respond to all requests within 30 days (Art. 12(3)).
9. Security measures
- Encryption at rest (full-disk encryption on Hetzner Volume)
- Encryption in transit (TLS 1.3 for all external traffic)
- Database access restricted to a single non-superuser role; no public DB port
- Password hashing with Argon2id or passwordless magic-link authentication
- API keys stored only as SHA-256 hashes; validated server-side per request
- Cloudflare WAF + rate limiting at the network edge
- Daily encrypted backups retained 30 days off-site
- Per-account audit log of email reveal actions
- 72-hour breach notification protocol (Art. 33-34) documented and rehearsed
- Quarterly security review against OWASP Top 10
10. Cookies
11. Compliance documentation available on request
- Data Protection Impact Assessment (DPIA)
- Record of Processing Activities (RoPA)
- Transfer Impact Assessment (TIA)
- Legitimate Interest Assessment (LIA) — director email processing
- 72-hour breach notification runbook
- Subscriber Data Processing Agreement (DPA) template — for enterprise customers
Request access from [email protected].