Privacy Policy

Last updated: March 27, 2026

1. Data Controller

NSRoute is operated by:
Maciej Brys (sole proprietorship / JDG, brands: NSRoute, NoStressStudio, NSS Container)
ul. Ignacego Paderewskiego 1F/9
35-328 Rzeszow, Poland
NIP: 8133422595
Email: [email protected]
Phone: +48 884 304 081

2. What Data We Process

NSRoute processes data in two ways: locally in your browser and on our servers when you create an account.

2a. Data stored locally (browser only)

Data Type	Storage	Purpose	Legal Basis (GDPR)
UI preferences (language, dark mode)	Browser localStorage	Remember your settings	Art. 6(1)(f) — legitimate interest
Route history (last 20 routes)	Browser localStorage	Quick access to recent routes	Art. 6(1)(f) — legitimate interest
Truck profile settings	Browser localStorage	Remember vehicle configuration	Art. 6(1)(f) — legitimate interest

You can delete all locally stored data at any time by clearing your browser's site data for nsroute.com.

2b. Data stored on our servers (registered users)

When you create an account or subscribe, we process the following data on Cloudflare Workers infrastructure (EU region):

Data Type	Purpose	Legal Basis	Retention
Email address	Account identification, login	Art. 6(1)(b) — contract performance	Until account deletion
Password (PBKDF2 hash)	Authentication	Art. 6(1)(b) — contract performance	Until account deletion
Name (optional)	Personalization	Art. 6(1)(b) — contract performance	Until account deletion
Subscription plan (free/pro/fleet)	Feature access control	Art. 6(1)(b) — contract performance	Until account deletion
JWT authentication token	Session management	Art. 6(1)(b) — contract performance	30 days (auto-expiry)

2c. Payment data (Stripe)

When you subscribe to a paid plan, payment processing is handled by Stripe, Inc. (stripe.com). We do not store your credit card number, CVV, or full payment details on our servers. Stripe processes:

Credit/debit card details
Billing name and email
IP address and device information (fraud prevention)

Stripe acts as an independent data controller for payment data. See: stripe.com/privacy

Legal basis: Art. 6(1)(b) GDPR — performance of contract.

3. Third-Party Services

NSRoute connects to external services. When you use these features, data is sent from your browser:

Service	Data Sent	Purpose	Privacy Policy
OpenRouteService (ORS)	GPS coordinates of waypoints	HGV route calculation	openrouteservice.org/privacy
Nominatim (OpenStreetMap)	Address search queries	Geocoding	nominatim.org/release-docs
OpenFreeMap	Map tile requests (no user data)	Map display	openfreemap.org
Google Gemini API (optional)	Route context, text/voice input	AI assistant & quote parser	ai.google.dev/terms
Public Holiday API	Country codes	Holiday driving ban checks	date.nager.at
Stripe	Payment & billing data	Subscription payments	stripe.com/privacy
Cloudflare	IP address, request metadata	Hosting, CDN, DDoS protection	cloudflare.com/privacypolicy

4. International Data Transfers

When you use the AI assistant (Google Gemini), AI quote parser, or voice dictation (Web Speech API), your data may be transferred to Google servers in the United States. These transfers are covered by the EU-US Data Privacy Framework and Google's Standard Contractual Clauses (SCCs) pursuant to GDPR Art. 46.

Stripe may transfer payment data to the US under the EU-US Data Privacy Framework.

Other services (OpenRouteService, Nominatim) are hosted within the EU/EEA. Cloudflare serves content from the nearest edge location.

5. AI Transparency (EU AI Act)

NSRoute includes AI-powered features using Google Gemini. In compliance with the EU AI Act (Art. 50):

The voice assistant is an AI system, not a human operator. Responses are generated suggestions and may contain inaccuracies.
The AI quote parser ("Paste email quote") uses AI to extract route and cargo information from text. Results should be verified before use.
The market rate estimate is an AI-generated approximation, not a guaranteed price.
AI features are optional. You can use NSRoute without the AI assistant.
Voice input is processed by Google's Web Speech API (cloud-based speech recognition).

6. Cookies

NSRoute does not set first-party cookies. We use browser localStorage for preferences. Cloudflare may set technical cookies (__cf_bm) for bot protection — these are strictly necessary and exempt from consent requirements under ePrivacy Directive Art. 5(3).

7. Analytics & Tracking

NSRoute does not use any analytics, tracking pixels, or advertising scripts. No Google Analytics, no Meta Pixel, no third-party tracking.

8. Your Rights (GDPR Art. 15-22)

You have the following rights regarding your personal data:

Right of access (Art. 15): Request a copy of all data we hold about you.
Right to rectification (Art. 16): Request correction of inaccurate data.
Right to erasure (Art. 17): Request deletion of your account and all associated data. Use the "Delete account" feature in the app, or email us.
Right to data portability (Art. 20): Request your data in a machine-readable format.
Right to object (Art. 21): Object to processing based on legitimate interest.
Right to lodge a complaint: You may file a complaint with the Polish data protection authority (UODO, uodo.gov.pl) or your local supervisory authority.

To exercise any of these rights, email: [email protected]. We will respond within 30 days.

9. Account Deletion

You can delete your account and all server-side data at any time:

In the app: Settings → Delete account
By email: [email protected] with subject "Delete my account"

Upon deletion, we remove your email, password hash, and subscription data from our servers within 7 days. Stripe retains payment records as required by tax law.

10. Data Security

All connections use HTTPS (TLS 1.3) via Cloudflare
Security headers: HSTS, CSP, X-Frame-Options DENY, X-Content-Type-Options nosniff
Passwords stored as PBKDF2 hashes (never plaintext)
JWT tokens expire after 30 days
Login lockout after 5 failed attempts
API endpoints protected by CORS origin whitelist

11. Children

NSRoute is a professional tool for the trucking industry. It is not intended for use by individuals under 16 years of age.

12. Changes to This Policy

We may update this policy when adding new features. Changes will be posted on this page with an updated date. Material changes will be communicated via the app or email for registered users.

13. Contact

For privacy-related questions:
Maciej Brys (NoStressStudio)
Email: [email protected]
Phone: +48 884 304 081
Address: ul. Ignacego Paderewskiego 1F/9, 35-328 Rzeszow, Poland