GDPR Compliance
Last updated: 20 April 2026
Roadmappy is a Switzerland-based SaaS company serving customers across the EU/EEA and the rest of the world. We handle the personal data of our customers, their team members, and people mentioned inside the data they bring into Roadmappy (meeting participants, reviewers, contacts). We treat GDPR not as a checkbox but as the default way we operate.
This page explains — in plain language — how we address each core GDPR obligation. For the operational detail of what we collect and why, please read our Privacy Policy. For contract terms, see our Terms of Service.
1. Legal Basis for Processing
We only process personal data when we have a lawful basis under Article 6 GDPR. We rely on three bases, and which one applies depends on the category of data:
| Legal Basis | Where We Use It |
|---|---|
| Contract necessity (Art. 6(1)(b)) | Creating and maintaining your account, billing, storing the roadmap content you put into the Platform, syncing data from CRMs and other connected systems, and every feature you need to actually use Roadmappy. |
| Explicit consent (Art. 6(1)(a)) | Connecting third-party integrations (Salesforce, Slack, Intercom, Calendar, etc.), enabling the meeting bot to join and record calls, and sending any non-transactional marketing emails. |
| Legitimate interest (Art. 6(1)(f)) | Product analytics, fraud prevention, and security logging. We weigh our interest against your rights and document the balancing test internally. |
We do not rely on "legitimate interest" as a catch-all. If we cannot point to a specific basis for a specific piece of data, we do not collect it.
2. Data Minimization
We collect only what is needed to deliver the service. Concretely:
- Sign-up requires only your email and full name. We do not ask for a phone number, a date of birth, or a physical address.
- Billing data (VAT number, billing address) is only collected when you subscribe to a paid plan, and payment card details never touch our servers — Stripe holds them directly.
- Integrations request the narrowest OAuth scopes that make the feature work. For example, the Slack integration only reads channels you explicitly select.
- The meeting bot only joins meetings you have opted in to and only processes the audio needed to produce a transcript.
When a feature is deprecated or a customer churns, the underlying data is deleted on a schedule — it is not kept around "just in case."
3. Transparency & Privacy Policy
Our Privacy Policy is written in plain language (no legalese), starts with a two-minute summary, and then spells out in detail:
- What categories of data we collect.
- Why we collect each category (purpose) and on what legal basis.
- How long we retain each category (see Retention Periods in the policy).
- Which sub-processors the data is shared with.
- Your rights and how to exercise them.
We update the policy whenever our processing materially changes and notify existing users by email before the change takes effect.
4. Your Rights as a Data Subject
Every right granted by Chapter III of the GDPR is honored. You can exercise any of these rights by emailing privacy@roadmappy.io:
| Right | What It Means in Practice |
|---|---|
| Access | We send you a machine-readable export of all personal data we hold about you. |
| Rectification | Most profile fields are editable directly in the app. For anything you cannot edit yourself, email us and we will correct it. |
| Erasure (right to be forgotten) | We fully delete your account and associated data within 24 hours of a verified request, including from our primary database, file storage, and search indexes. Backups roll over on a 30-day cycle. |
| Portability | Email us at support@roadmappy.io and we will export your data and send it to you. |
| Objection & Restriction | You can ask us to stop or limit any processing based on legitimate interest or consent. |
| Not to be subject to automated decisions | Our AI produces suggestions, not legally binding decisions. You stay in the loop. |
| Lodge a complaint | You can complain to your national supervisory authority. |
We respond to all rights requests within 30 days, and to erasure requests within 24 hours.
5. Data Security
Article 32 requires "appropriate technical and organizational measures." Ours include:
Technical
- TLS 1.2+ for all data in transit; AES-256 for data at rest.
- Customer secrets (integration tokens, API keys) are encrypted before being stored.
- Infrastructure on AWS (eu-central-1, Frankfurt) and Neon (EU region) — fully inside the European Union.
- Least-privilege IAM, short-lived credentials, and MFA required for all engineers with production access.
- Automated dependency scanning and static analysis on every pull request.
- Isolated development and production environments.
Organizational
- Background checks and confidentiality agreements for everyone with data access.
- Annual data-protection training for the whole team.
- Documented incident response runbook covering detection, containment, eradication, notification, and post-mortem.
- Quarterly review of access rights and sub-processor relationships.
6. Breach Notification
In the event of a personal-data breach, we commit to:
- Notifying the relevant supervisory authority within 72 hours of becoming aware, in line with Article 33.
- Notifying affected data subjects without undue delay when the breach is likely to result in a high risk to their rights and freedoms (Article 34).
- Providing a clear description of the nature of the breach, the categories and approximate number of people affected, the likely consequences, and the measures we have taken or propose to take.
Our incident response runbook is reviewed annually and tested with tabletop exercises.
7. Data Processing Agreements (DPAs)
GDPR requires written agreements between controllers and processors. We sit on both sides of that relationship:
Roadmappy as a Processor
When you are a business customer, you are the controller of the data you bring into Roadmappy and we act as your processor. We offer a standard DPA — including the EU Standard Contractual Clauses where relevant — to every customer on request. Enterprise customers can have the DPA countersigned before signing the main contract. Email privacy@roadmappy.io to receive the current version.
Our Sub-Processors
The current list of sub-processors is:
| Sub-Processor | Purpose | Location |
|---|---|---|
| AWS | Compute, storage, and hosting | Germany (eu-central-1) |
| Neon | Managed PostgreSQL | Germany (EU region) |
| Stripe | Payment processing and invoicing | Ireland (EU) with SCCs for any US processing |
| Google AI (Gemini) | Large language model inference | Europe-based API region |
| AssemblyAI | Speech-to-text transcription | Europe-based API region |
| PostHog | Product analytics | EU (Frankfurt) |
We notify customers in advance whenever we add or replace a sub-processor, and every sub-processor is vetted against our security and privacy checklist before onboarding.
8. Data Transfers Outside the EU
The default answer is: your data does not leave the EU. Primary storage and compute sit in Germany, and all AI inference runs against European API endpoints.
Where a sub-processor (for example, Stripe for certain payment flows) may process data in a country without an EU adequacy decision, we rely on the European Commission's Standard Contractual Clauses (SCCs) plus supplementary measures (encryption in transit, contractual audit rights) to ensure an essentially equivalent level of protection as required by Schrems II.
We do not transfer personal data to jurisdictions where we cannot put valid transfer mechanisms in place.
9. Appointed Roles
Roadmappy is a small, Switzerland-based company. At our current size we are not formally required to appoint a Data Protection Officer under Article 37. Nevertheless:
- A named internal Privacy Lead owns GDPR compliance, reviews DPAs, and coordinates data-subject requests. You can reach them at privacy@roadmappy.io.
- Because we serve users in the EU from outside the EU, we are in the process of formally designating an EU Representative under Article 27. In the meantime, EU users can contact us directly at the address above, and all requests are handled with the same urgency regardless of origin.
10. Records of Processing Activities (RoPA)
As required by Article 30, we maintain an internal Record of Processing Activities. It documents, for every processing operation:
- The purpose and legal basis.
- The categories of data subjects and personal data involved.
- Recipients and sub-processors.
- Storage location and retention period.
- Technical and organizational security measures.
The RoPA is reviewed at least twice a year and updated whenever we ship a feature that introduces new processing. We make extracts available to supervisory authorities on request.
11. Cookies and Tracking
We use a minimum of cookies: session authentication (strictly necessary, so no consent required) and a single product-analytics cookie from PostHog that runs only after you opt in through our consent banner. No advertising or cross-site tracking cookies are set, ever.
12. End-to-End Deletion
A deletion request must actually delete. When you ask us to erase your data, we remove it from:
- The primary PostgreSQL database (within 24 hours).
- Object storage for uploads, meeting recordings, and transcripts (within 24 hours).
- Search and analytics indexes (within 24 hours).
- Sub-processor systems we control (PostHog events, Stripe customer record once invoices are legally cleared).
- Encrypted backups, which roll over on a 30-day cycle; we flag the record so it cannot be restored during that window.
The only data we keep beyond your deletion request is what we are legally required to retain (for example, invoice records for tax purposes), and only for the strict minimum period.
13. Contact
Questions about this page, our GDPR program, or a data-subject request?
- Email: privacy@roadmappy.io
- Urgent deletion requests are handled within 24 hours.
- All other requests receive a substantive response within 30 days.
For everyday details on what data we collect and why, see our Privacy Policy.