Privacy Policy

1. About Us

Route X is a platform for coaching, client management, and professional growth, operated by Cornerstone Strategy LLC ("Route X" or "we"), based in New Jersey, USA.

We are committed to protecting the privacy, confidentiality, and security of all personal information and coaching-related content handled through the Service. Route X does not sell or rent user data. We do not use user content for AI model training unless the user has provided explicit, voluntary, and revocable opt-in consent.

2. Scope of This Policy

This Policy applies to personal information collected in the following contexts:

• Use of the Route X web application
• Access to our website
• Communications with our support team
• Participation in events, webinars, and training sessions
• Connection of third-party integrations (e.g., Google Calendar, Microsoft Outlook, Zoom, Google Meet)

This Policy does not apply when Route X acts as a data processor under a separate agreement with an enterprise customer.

3. Information We Collect

A. Account Information

We collect:

• Name, email address, username
• Password (hashed)
• Optional profile attributes (timezone, phone number, organization, job title, profile picture, etc.)
• Authentication metadata (IP address, browser/device type, login timestamps)

B. Usage Data

This includes:

• Access logs, session duration
• Pages viewed, clicks, form submissions
• Device information, browser settings

These are used solely for security, diagnostics, performance improvement, and analytics.

C. Coaching Content (Highly Sensitive Data)

This may include:

• Session notes, goals, action items, worksheets, journals
• Session logs and metadata
• Uploaded files, documents, audio/video recordings
• Coaching program materials
• Data synced from integrations (calendar events, meeting metadata)

We do not access or use coaching content except to provide core Service functionality, to transmit and display it to authorized users, for troubleshooting with your explicit permission, or as required by law.

4. How We Use Information

We use personal information for the following purposes:

• Providing and maintaining the Route X platform
• Account authentication and access protection
• Delivering features, integrations, reminders, and notifications
• Analyzing usage patterns to optimize performance
• Responding to support requests
• Complying with legal requirements

We do not use coaching content for:

• Advertising
• Behavioral profiling
• AI training (except where explicitly opted in)
• Sale or targeted sharing

5. AI Model Training and Opt-In Consent

Route X does not use coaching content for AI model training without the user's explicit consent.

A. Anonymous Data Used Without Opt-In

To improve security, reliability, and platform intelligence, we may use:

• Aggregated, de-identified usage analytics
• Non-personal metadata (feature usage, performance metrics)

B. Opt-In for AI Model Training (User-Controlled)

Users may voluntarily opt in to allow Route X to use strictly anonymized and de-identified coaching content signals to improve machine learning models. Before use: personal identifiers are irreversibly removed, organization names, personal names, and contextual identifiers are stripped, and text is transformed into abstracted coaching signals. Opt-in can be withdrawn at any time.

C. Raw Session Notes and Identifiable Text Are Not Used

Even with opt-in, Route X does not use raw text, logs, or identifiable session data for model training.

D. Third-Party Integration Data Excluded from AI Training

Data obtained from third-party integrations (including Google Calendar, Google Meet, Microsoft Outlook, and Zoom) is never used for AI model training, regardless of opt-in status.

6. Cookies and Tracking Technologies

We use cookies in the following categories:

• Essential Cookies:Authentication, security, session management
• Functional Cookies:Preferences, timezone, language
• Analytics Cookies:Aggregated performance and usage metrics

For details, please refer to our Cookie Policy.

7. Data Security

We implement industry-standard technical and organizational safeguards, including:

• TLS encryption of communications
• Encryption of data at rest
• Password hashing
• Network segmentation
• Privileged access controls
• Continuous monitoring and vulnerability assessments

8. Staff Access Controls and Audit Logs

• Access is based on the principle of least privilege
• Access to coaching content requires elevated authorization and is strictly limited
• All access events are recorded in tamper-resistant audit logs
• Logs are monitored to prevent unauthorized access
• Subprocessors must meet equivalent security and confidentiality standards

9. Data Retention and Backup Retention (30 Days)

• Account data is retained throughout the period of active use
• Coaching content is retained until the user deletes it or terminates the account
• Backups are retained for a maximum of 30 days solely for disaster recovery
• Deleted data may remain in encrypted backup archives for up to 30 days, after which it is automatically purged

10. Cross-Border Data Transfers (Including Japan → US)

Data is stored and processed in the United States. For users in Japan, transfers are conducted in accordance with the APPI, with appropriate safeguards, contractual protections, and transparency regarding cross-border transfers.

11. Third-Party Integrations

Route X integrates with third-party services to provide scheduling, calendar sync, and video conferencing features. These integrations are optional and are activated only with the user's explicit consent through OAuth authorization.

A. Google Calendar & Google Meet Integration

When you connect a Google account, Route X requests access to Google Calendar through the following OAuth scopes:

• .../auth/calendar.events — View and edit events on your calendar
• .../auth/userinfo.email — View the primary email address of your Google Account
• .../auth/userinfo.profile — View your personal info, including any personal info you've made publicly available
• openid — Associate you with your personal info on Google

Route X uses Google Calendar data only to create/update/manage coaching booking events, display upcoming bookings and availability, and generate Google Meet links for online coaching sessions. Route X does not access Google Meet recordings, transcripts, or other meeting content.

B. Zoom Integration

When you connect a Zoom account, Route X requests access through the following OAuth scopes:

• meeting:write — Create and update meetings on your behalf
• meeting:read — Read meeting details for bookings managed in Route X
• meeting:delete — Delete meetings when bookings are cancelled
• user:read:user — Identify your Zoom user account and associate meetings with the host account

Route X does not access Zoom cloud recordings, transcripts, or chat messages, monitor meetings or recordings, or access participant video or audio streams.

C. Microsoft Outlook Calendar Integration

When you connect a Microsoft account, Route X accesses Outlook Calendar to create/update/manage coaching booking events and display upcoming bookings and availability.

D. General Integration Policy

• All integrations are activated only after the user's explicit consent through the OAuth authorization flow
• OAuth tokens are securely stored with encryption at rest
• Users can disconnect integrations at any time from the Integrations settings page; disconnection immediately revokes Route X's access
• Integration data is never used for advertising, AI model training, behavioral profiling, or sale

12. Google API Services — Limited Use Disclosure

Route X's use and transfer of information received from Google APIs complies with the Google API Services User Data Policy (including Limited Use requirements).

• Limited Use:Route X uses Google user data only to provide and improve the scheduling and booking management features of this application.
• No transfer for advertising:Route X does not use or transfer Google user data for any advertising purposes, including retargeting, personalization, and interest-based advertising.
• No unauthorized transfer:Route X does not transfer Google user data to third parties except as part of a merger, acquisition, or asset sale with user notification, to comply with applicable law, or as necessary to provide features to users.
• No human review without consent:We do not allow human review of Google user data except for security purposes, compliance with applicable law, or aggregated/anonymized internal operations.
• No AI/ML training:Route X does not use Google user data to develop, improve, or train general or non-personalized AI/ML models.

13. Third-Party Service Providers (Subprocessors)

We may engage trusted third-party companies or individuals to facilitate the provision of the Service. These third parties have access to personal information only to perform tasks on our behalf. Subprocessor categories include: cloud infrastructure/hosting, payment processing, email/notification delivery, analytics (aggregated/non-personal data only), and customer support tools.

14. User Rights

Depending on your jurisdiction, you may have the following rights:

• Access:Request a copy of your personal information we hold
• Correction:Request correction of inaccurate or incomplete data
• Deletion:Request deletion of personal information, subject to legal retention requirements
• Data portability:Request data in a structured, commonly used format
• Withdrawal of consent:Withdraw previously given consent at any time
• Restriction:Request restriction of processing in certain circumstances
• Objection:Object to processing of personal information in certain circumstances

To exercise these rights, please contact us at support@route-x.app.

15. Children's Privacy

Route X is not intended for children under 16. If we become aware that personal information has been provided by a child under 16, we will take prompt steps to delete such information.

16. Data Breach Notification

In the event of a data breach affecting personal information, Route X will notify affected users without undue delay, and where possible within 72 hours of becoming aware of the breach.

17. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will post the updated policy with a revised effective date and notify you by email or in-app notification.

18. Dispute Resolution

If you have concerns about our privacy practices, please contact us at support@route-x.app. We will endeavor to resolve the matter promptly.

1. Specification of Purposes of Use

Personal data is used only within the scope set out in Part I, Section 4.

2. Third-Party Provision

We do not provide personal data to third parties except with your consent, as required by law, or as part of our engagement of service providers.

3. Outsourced Processing

We appropriately supervise our processors and require security measures, confidentiality agreements, and prior approval for sub-processing.

4. Cross-Border Transfer to the United States

This includes notification of the transfer destination, assessment of safeguards, and contractual commitments to ensure appropriate protection.

5. Requests for Disclosure, Correction, or Suspension of Use

You may request disclosure, correction/addition/deletion, or suspension of use or provision of retained personal data. All requests: support@route-x.app

6. Cookies Under APPI Guidelines

Our use of cookies complies with relevant guidance from Japan's Personal Information Protection Commission (PPC).

7. Sensitive Information

Coaching-related information is not automatically classified as 'sensitive personal information,' but Route X handles it under heightened security safeguards.

1. Notice at Collection

We collect data in the categories listed in Part I.

2. Consumer Rights

• Access
• Deletion
• Correction
• Information about disclosures

3. Sensitive Personal Information

We do not use sensitive personal information for purposes that require an opt-out.

4. No Sale or Sharing

Route X does not sell or share personal information.

• Legal basis for processing
• Rights of access, correction, deletion, and portability
• Rules on special category data
• International transfer mechanisms (SCCs)
• EU/UK representative (to be designated)

"Coaching Content":Content posted by users, including notes, logs, goals, documents, worksheets, audio/video recordings.

"Personal Information":Information relating to an identified or identifiable individual.

"Google User Data":Data obtained through Google API services.

"Aggregated Data":Data that cannot reasonably identify an individual.

"Retained Personal Data" (APPI):Personal data over which we have authority to disclose, correct, or delete.

"Sell/Share" (CCPA):Disclosure for monetary consideration or targeted advertising (Route X does not do this).

"Subprocessor":A vendor engaged to process data on Route X's behalf.

Contact

For inquiries about this Privacy Policy, please contact us.