Privacy Policy


The person responsible for the processing of the data collected through this Website is:

  • Sant Antoni Maria Claret Street, 330 — PTA 18, Barcelona — Spain


The personal data of the user of this Website will be processed for the following purposes:

  • Respond to requests for information and/or inquiries: Where appropriate, respond to requests for information and/or inquiries made by the User. The data processed for this purpose will be kept until the request for information and/or consultation has been answered and, after that, for the legally established periods of conservation and prescription of responsibilities. The legal basis for the processing is: a) the User's consent if they use the existing contact form on this Website; or b) Routal's legitimate interest in providing an answer to the User if they do not use this form (sending spontaneous e-mails, telephone calls, sending written requests by post).
  • Sending commercial communications: Where appropriate, keep the User informed, even by electronic means, about Routal products, services and news. The data processed for this purpose will be kept until the consent given for the reception of such communications is revoked and, after that, for the legally established retention and limitation periods of responsibility. The legal basis for the treatment is the consent of the User expressed through the channels made available on this Website.


Routal may communicate the data to Public Administrations for compliance with legal obligations and to State Security Forces and Bodies and/or the Courts and Tribunals that require them in the framework of an investigation, investigation or proceeding. You may also communicate the data to the following categories of managers: Providers of electronic communications, office automation, hosting, housing, computer maintenance, management, accounting, auditing, consulting and legal representation. Some of these managers may be located outside the European Economic Area, in which case Routal will have previously adopted appropriate data protection guarantees.


Interested parties can exercise their rights of access, rectification, deletion, limitation of processing, data portability and opposition, as well as withdraw consent at any time without affecting the lawfulness of the processing prior to its withdrawal, by sending their request to Routal, calle sant Antoni Maria Claret, 330 — PTA 18, Barcelona — Spain; or to the email address In any case, interested parties have the right to file a complaint with the corresponding supervisory authority if they deem it appropriate.

Routal as Data Processor

If the User acquires a license to use the cloud fleet management software service (hereinafter, “the Service”), Routal will need to process certain personal data on behalf of the licensee. For these purposes, the licensee will be considered as Data Controller and Routal as Data Processor. The following clauses constitute the regulation of the relationship between the Data Controller and the Data Processor for the purpose of complying with the provisions of Article 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016, on the protection of individuals with regard to the processing of personal data and the free movement of such data data and repealing Directive 95/46/EC (hereinafter, “RGPD”) and Article 33 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and the Guarantee of Digital Rights (hereinafter, “LOPDGDD”).

Data processing to be carried out by the Data Processor

The Data Processor will process, on behalf of the Data Controller, the personal data necessary to carry out the Service. The said treatment will last for a duration equal to that of the provision of the Service, so that once the provision of the same has ended, the treatment will be considered to have ended.

Identifying the affected information

For the execution of the Service, the Data Controller will make available to the Data Processor the information described below:

Types of Personal Data

Identifying data, geolocation data and any other data that may be included by the Data Controller in the open fields enabled in the Service

Categories of stakeholders

Customers and employees

Duties of the Data Processor

The Data Processor is obliged to:

  1. Use the personal data being processed, or those you collect for inclusion, only for the strict provision of the Service. Under no circumstances may you use the data for your own purposes.
  2. Process the data in accordance with the instructions of the Data Controller. If the Data Processor considers that any of the instructions violates the RGPD or any other data protection provision of the Union or Member States, the Processor will immediately inform the Data Controller of this.
  3. Where appropriate, keep in writing the record of all categories of processing activities carried out on behalf of the Data Controller, in accordance with the provisions of Article 30.2 of the RGPD.
  4. Do not communicate the data to third parties, unless you have the express authorization of the Data Controller, in legally admissible cases.

The Data Processor may communicate the data to other processors of the same Data Controller, in accordance with the Data Controller's instructions. In this case, the Data Controller will identify, in advance and in writing, the entity to which the data must be communicated, the data to be communicated and the security measures to be applied to proceed with the communication. If the Data Processor must transfer personal data to a third country or to an international organization, by virtue of Union or Member State law that is applicable to him, he will inform the Data Controller of this legal requirement beforehand, unless such Law prohibits it for important reasons of public interest.

  1. Do not outsource any of the services that are part of the Service and involve the processing of personal data.
    If it is necessary to subcontract any treatment, this fact must be notified in advance and in writing to the Data Controller, at least 20 calendar days in advance, indicating the treatments that are intended to be outsourced and clearly and unambiguously identifying the subcontractor company and its contact details. Subcontracting may be carried out if the Data Controller does not express his opposition, in writing, within the established deadline.

The subcontractor, who will also have the status of processor, is also obliged to comply with the obligations established here for the Data Processor and the instructions issued by the Data Controller. It is up to the initial Data Processor to regulate the new relationship so that the new processor is subject to the same conditions (instructions, obligations, security measures, etc.) and with the same formal requirements as him, with regard to the proper processing of personal data and the guarantee of the rights of the affected persons. In the event of non-compliance by the subcontractor, the initial Data Processor will remain fully responsible to the Data Controller with regard to compliance with the obligations. The Data Controller authorizes the Data Processor to carry out the following subcontracts necessary to be able to provide the Services:

ProductBoard, Inc. (Productboard): United States: Customer-Centric Product Management Platform

Intercom, Inc.: United States: Customer Communication Platform

WebEmpresa Europa S.L: Europe: Data Hosting Provider

  1. Maintain the duty of secrecy with respect to personal data to which you have had access by virtue of the provision of the Service, even after the provision of the Service ends.
  2. Ensure that persons authorized to process personal data undertake, expressly and in writing, to respect confidentiality and to comply with the corresponding security measures, of which they must be properly informed.
  3. Keep at the disposal of the Data Controller the documentation supporting the compliance with the obligation established in the previous section.
  4. Ensure the necessary training on the protection of personal data for persons authorized to process personal data.
  5. Assist the Data Controller in responding to the exercise of the rights of:
  1. Access, rectification, deletion and opposition;
    2. Limitation of treatment;
    3. Data portability;
    4. Not to be subject to automated individualized decisions (including profiling).

When affected persons exercise their rights of access, rectification, deletion and opposition, limitation of processing, data portability and not to be subject to automated individualized decisions before the Data Processor, the Data Processor must communicate this by email to the Data Controller. The communication must be made immediately and in no case beyond the working day following the receipt of the request, together, where appropriate, with other information that may be relevant to resolving the request.

  1. Notify the Data Controller without undue delay and, in any case, before a maximum period of 48 hours via email, of any personal data security violations at your expense of which you are aware, together with all the information relevant to the documentation and communication of the incident. Notification will not be necessary when it is unlikely that such a breach of security would constitute a risk to the rights and freedoms of natural persons.

If available, at a minimum, the following information shall be provided:

  1. Description of the nature of the personal data security violation, including, where possible, the categories and the approximate number of affected interested parties, as well as the categories and the approximate number of personal data records affected.
  2. The name and contact details of the data protection officer or other point of contact where more information can be obtained.
  3. Description of the possible consequences of the violation of personal data security.
  4. Description of the measures taken or proposed to remedy the breach of personal data security including, if appropriate, the measures taken to mitigate potential negative effects.

If it is not possible to provide the information simultaneously, to the extent that it is not, the information will be provided gradually without undue delay.

  1. Provide support to the Data Controller in carrying out impact assessments related to data protection, where appropriate.
  2. Provide support to the Data Controller in carrying out prior consultations with the supervisory authority, where appropriate.
  3. Make available to the Data Controller all the information necessary to demonstrate compliance with their obligations, as well as to carry out audits or inspections carried out by the Data Controller or other auditor authorized by him.
  4. Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the application costs and the nature, scope, context and purposes of the treatment, as well as risks of varying probability and severity for the rights and freedoms of individuals. In any case, you must implement mechanisms to:
  1. Ensure the ongoing confidentiality, integrity, availability and resilience of treatment systems and services.
  2. Restore availability and access to personal data quickly, in the event of a physical or technical incident.
  3. Verify, evaluate and assess, on a regular basis, the effectiveness of the technical and organizational measures implemented to ensure the safety of the treatment.
  4. Pseudonymize and encrypt personal data, if appropriate.
  • Appoint a data protection officer and communicate your identity and contact details to the Data Controller, where appropriate.
  • Once the provision of the Service has been completed, the Data Controller will have a maximum period of 30 calendar days to access the Service and download all their information stored there. After this period has elapsed, the Data Processor will delete such information stored on the Service. In any case, the Data Processor may keep a copy, with the data duly blocked, for as long as responsibilities may arise from the execution of the provision.
  • Comply with the rest of the obligations established by the GDPR, the LOPDGDD and their implementing regulations for the Data Processor.

Obligations of the Data Controller

It is the responsibility of the Data Controller:

  1. Deliver or allow access by the Data Processor to the data specified above.
  2. Carry out an assessment of the impact on the protection of personal data of the processing operations to be carried out by the Data Processor, where appropriate.
  3. Make the appropriate prior inquiries.
  4. Ensure, prior to and throughout the processing, that the Data Processor complies with the GDPR, the LOPDGDD and its implementing regulations.
  5. Monitor treatment, including carrying out inspections and audits.
  6. Facilitate the right to information at the time of data collection.
  7. Comply with the rest of the obligations established by the GDPR, the LOPDGDD and their implementing regulations for the Data Controller