1. Introduction
This Privacy Policy explains how RouteForge (“we”, “our”, or “the platform”) processes personal data of users (“you”, “data subject”) when providing AI-powered study roadmaps.
RouteForge follows Brazil’s General Data Protection Law (LGPD — Law No. 13,709/2018) and privacy-by-design principles.
By creating an account, signing in, or using the service, you acknowledge this policy. Non-essential cookies depend on your consent in the cookie banner.
2. Data controller
Data controller: RouteForge.
Privacy and support contact: suporte@routeforge.app.
To exercise LGPD rights or ask about data processing, email us with the subject “Privacy” and, if possible, your account email.
3. Data we collect
We collect only what is needed to run the SaaS:
- Account & auth: email, internal id, Google ID when using Google sign-in, subscription plan, credits balance, gamification points, account timestamps.
- Legal consent: Terms and Privacy acceptance flags (acceptedTerms, acceptedTermsAt, privacyPolicyVersion).
- Your content: roadmaps, steps, notes, per-step progress, in-app notifications and related metadata.
- Prompts & AI: text you submit to create or improve roadmaps and step chat questions (paid plans); sent to AI providers for processing.
- Subscription (simulated billing in test environments): plan, end-of-period cancellation flag, credits in the current period (no card storage in the current test setup).
- Technical data: session cookies (access_token, refresh_token), CSRF token, locale preference (rf_locale), minimal audit logs (event, time, user id when authenticated, route and HTTP status on security events — no full request bodies, tokens, or passwords).
4. Purposes and legal bases (LGPD)
We process data for:
- Service delivery / contract (Art. 7(V)): account, authentication, roadmap generation, progress, notifications, plans and credits.
- Consent (Art. 7(I)): optional analytics cookies (when enabled), Terms and Privacy acceptance on first access.
- Legitimate interests (Art. 7(IX)): security, fraud prevention, essential audit logs, stability — with minimal impact.
- Legal obligation (Art. 7(II)): when required by law or competent authority.
5. Artificial intelligence
RouteForge uses language models via AI providers (e.g. OpenRouter integration) to: generate study roadmaps, improve prompts, answer step chat (paid plans), and fetch educational resources from search queries.
Text you submit may be processed outside Brazil depending on the AI provider. Avoid unnecessary sensitive data in prompts (health, biometrics, government IDs, third-party data without legal basis).
We do not store full prompts in audit logs. Generation failures log only short technical messages.
AI output is suggestive only — validate before academic, professional, or high-stakes use.
6. Google sign-in
If you use “Continue with Google”, we receive data needed for authentication (typically email and Google account identifier) per the permissions you grant on Google’s screen.
Google’s processing is governed by Google’s privacy policy. We use this data only to identify your RouteForge account.
9. International transfers
Some processors (especially AI and cloud) may process data in other countries. We use measures consistent with LGPD, such as contractual safeguards or consent when required.
10. Retention
We keep data as long as needed for:
- Account and content: while the account is active; after deletion, associated data is removed (including cascade deletes).
- Old notifications: automatic deletion after approximately 90 days.
- Old roadmap generation jobs: automatic deletion after approximately 30 days.
- Audit logs: short retention at the infrastructure log provider, without sensitive data.
- Legal records: as required by applicable law.
11. Your rights
You may request:
- Confirmation and access to your data.
- Correction of incomplete or outdated data.
- Portability: Account Settings → “Export my data”, or authenticated GET /api/users/me/export.
- Erasure: Settings → “Delete account”, or DELETE /api/users/me/delete.
- Withdraw consent: reject optional cookies in the banner; withdrawing Terms acceptance may require closing the account.
- Information on sharing and on refusing consent where applicable.
- Review of automated decisions when applicable — AI output is assistive, not binding.
- Complaint to Brazil’s ANPD if your rights are not addressed.
12. Security
We use HTTPS in production, httpOnly session cookies, CSRF protection on sensitive operations, per-user access checks in APIs, rate limiting, and audit logs without sensitive payloads.
No system is perfectly secure. We will notify you of relevant incidents as required by LGPD.
13. Children
RouteForge is not directed at users under 18. If we learn of an account created by a minor without proper parental consent, we may delete the account and associated data.
14. Policy changes
We may update this policy. The current version is shown at the top (version 1.0, last updated 2026-05-21).
Material changes may require new consent or in-app notice.
15. Contact
Questions or data subject requests: suporte@routeforge.app.
We will respond within a reasonable timeframe per LGPD.