Route X is a coaching and client-management, and professional development platform operated by Cornerstone Strategy LLC ("Route X", "we", "us" or "our"), a company based in the State of New Jersey, United States.
We are committed to protecting the privacy, confidentiality, and security of all personal information and coaching-related content processed through our services. Route X does not sell or rent user data, and Route X does not use your content to train artificial intelligence ("AI") models unless you provide explicit, voluntary, and revocable Opt-in consent.
2. Scope of This Policy
This Policy applies to personal information collected when you:
Use Route X web application
Visit our website
Communicate with our support team
Participate in events, webinars, or training sessions
Connect third-party integrations (e.g., Google Calendar, Microsoft Outlook, Zoom, Google Meet)
This Policy does not apply where Route X acts as a data processor under separate agreements with enterprise customers.
Uploaded files, documents, voice or video recordings
Coaching program materials
Data synced from integrations (calendar events, meeting metadata)
We do not access or use Coaching Content except to provide the core functionality of the platform, transmit or display it to authorized users, troubleshoot issues with your explicit permission, or where required by law.
4. How We Use Information
We use personal information to:
Provide and maintain the Route X platform
Authenticate accounts and secure access
Deliver features, integrations, reminders, and notifications
Analyze usage patterns for performance optimization
Respond to support requests
Comply with legal requirements
We do not use Coaching content for:
Advertising
Behavioral profiling
AI training (unless explicitly Opted-in)
Sale or targeted sharing
5. AI Model Training and Opt-In Consent
Route X does not use Coaching Content for AI model training without your explicit consent.
A. Anonymous Data Used Without Opt-in
To improve security, reliability, and platform intelligence, we may use:
This data cannot identify individuals and does not include Coaching Content.
B. Opt-in for AI Model Training (User-Controlled)
You may voluntarily choose to opt-in to allow Route X to use strictly anonymized and de-identified Coaching Content signals for improving machine learning models.
Before use:
Personal identifiers are irreversibly removed
Organization names, people names, and contextual identifiers are removed
Text is transformed into abstracted coaching signals (topics, categories, session dynamics)
Opt-in is not required to use Route X and can be withdrawn at any time.
C. No Raw Session Notes or Identifiable Text Used
Even with opt-in, Route X does not use raw text, logs, or identifiable session data for training models.
D. Exclusion of Third-Party Integration Data from AI Training
Data obtained through third-party integrations (including Google Calendar, Google Meet, Microsoft Outlook, and Zoom) is never used for AI model training, regardless of opt-in status. This data is used exclusively to provide and improve the core scheduling and appointment functionality of the Route X platform.
Functional Cookies: Preferences, time zone, language
Analytics Cookies: Aggregated performance and usage metrics
Users may manage cookie settings through browser controls or available platform options.
7. Data Security
We implement industry-standard technical and organizational safeguards, including:
TLS encryption in transit
Encryption at rest
Password hashing
Network segmentation
Privileged access controls
Continuous monitoring and vulnerability assessment
8. Staff Access Controls & Audit Logging
Access is based on least-privilege principles
Coaching Content access requires elevated authorization and is tightly restricted
All access events are recorded in immutable audit logs
Logs are monitored to prevent unauthorized access
Subprocessors must meet equivalent security and confidentiality standards
9. Data Retention & Backup Retention (30 Days)
Account data is retained during the period of active use
Coaching Content is retained until you delete it or terminate your account
Backups are for disaster recovery only and maintained for up to 30 days
Deleted data may remain in encrypted backup archives for a maximum of 30 days, after which it is automatically purged
10. Data Transfers (Including Japan → U.S.)
Data is stored and processed in the United States.
For users in Japan, transfers occur in compliance with the Act on the Protection of Personal Information ("APPI"), including ensuring:
Adequate protective measures
Contractual safeguards
Transparency regarding overseas transfer
11. Third-Party Integrations
Route X integrates with third-party services to provide scheduling, calendar synchronization, and video conferencing functionality. These integrations are optional and activated only with your explicit consent via OAuth authorization.
A. Google Calendar & Google Meet Integration
When you connect your Google account, Route X requests access to your Google Calendar through the following OAuth scopes:
.../auth/calendar.events — View and edit events on your calendars
.../auth/userinfo.email — See your primary Google Account email address
.../auth/userinfo.profile — See your personal info, including any personal info you've made publicly available
openid — Associate you with your personal info on Google
Data collected from Google Calendar:
Calendar event metadata (event title, date, time, duration, attendees, and meeting links)
Google Meet conference links associated with calendar events
How we use Google Calendar data:
To create, update, and manage coaching appointment events directly from the Route X platform
To display upcoming appointments and scheduling availability
To generate Google Meet links for virtual coaching sessions
Route X does not access Google Meet recordings, transcripts, or any meeting content. We only access calendar event metadata and conference links for scheduling purposes.
B. Zoom Integration
When you connect your Zoom account, Route X accesses Zoom via OAuth to:
Create and manage Zoom meeting links for coaching sessions
When you connect your Microsoft account, Route X accesses your Outlook Calendar to:
Create, update, and manage coaching appointment events
Display upcoming appointments and scheduling availability
D. General Integration Policies
All integrations are activated only after you provide explicit consent through the OAuth authorization flow
OAuth tokens are stored securely with encryption at rest and are used solely to maintain your authorized connection
You may disconnect any integration at any time from the Integrations settings page, which immediately revokes Route X's access
Upon disconnection, all stored OAuth tokens for that integration are permanently deleted from our systems
Integration data synced to Route X (e.g., event metadata) follows the same retention policy as other platform data (see Section 9)
Data obtained from third-party integrations is used exclusively to provide and improve the core scheduling and appointment functionality of Route X
Data from integrations is never used for advertising, AI model training, behavioral profiling, sale, or any purpose unrelated to providing the Route X service
12. Google API Services — Limited Use Disclosure
Route X's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Route X accesses Google user data (via Google Calendar API and Google authentication) solely to provide and improve the user-facing features described in this Privacy Policy. Specifically:
Limited Use: Route X only uses Google user data to provide and improve the scheduling and appointment management features of the application. We do not use Google user data for any other purpose.
No Transfer for Advertising: Route X does not use or transfer Google user data for serving advertisements, including retargeting, personalized, or interest-based advertising.
No Unauthorized Transfer: Route X does not transfer Google user data to third parties unless doing so is (a) necessary to provide or improve the user-facing features of the application and apparent to the user, (b) required to comply with applicable law, or (c) part of a merger, acquisition, or asset sale with notice to users.
No Human Reading Without Consent: Route X does not allow humans to read Google user data unless (a) we have the user's affirmative agreement, (b) it is necessary for security purposes (e.g., investigating abuse), (c) it is necessary to comply with applicable law, or (d) the data is aggregated and anonymized and used for internal operations.
No AI/ML Training: Route X does not use Google user data for developing, improving, or training generalized or non-personalized AI and/or ML models. The AI opt-in described in Section 5 of this Privacy Policy explicitly excludes all data obtained from Google APIs.
13. Third-Party Service Providers (Subprocessors)
We may engage trusted third-party companies and individuals to facilitate our services, perform service-related tasks, or assist in analyzing how our service is used. These third parties have access to personal information only to perform tasks on our behalf and are contractually obligated not to disclose or use it for any other purpose.
Categories of subprocessors include:
Cloud infrastructure and hosting providers
Payment processing services
Email and notification delivery services
Analytics providers (aggregated, non-personal data only)
Customer support tools
All subprocessors are bound by data processing agreements that require compliance with equivalent privacy and security standards.
14. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal information:
Access: Request a copy of the personal information we hold about you
Correction: Request correction of inaccurate or incomplete data
Deletion: Request deletion of your personal information, subject to legal retention requirements
Data Portability: Request your data in a structured, commonly used format
Withdraw Consent: Withdraw previously granted consent (e.g., AI training opt-in, integration connections) at any time
Restriction of Processing: Request that we limit processing of your data in certain circumstances
Objection: Object to processing of your personal information in certain circumstances
To exercise any of these rights, contact us at support@route-x.app. We will respond to valid requests within the timeframe required by applicable law.
15. Children's Privacy
Route X is not directed at children under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that a child under 16 has provided us with personal information, we will take steps to delete such information promptly. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at support@route-x.app.
16. Data Breach Notification
In the event of a data breach that affects your personal information, Route X will:
Notify affected users without undue delay and within 72 hours of becoming aware of the breach, where feasible
Provide details of the nature of the breach, the data affected, and recommended protective measures
Notify relevant supervisory authorities as required by applicable law
Take immediate steps to contain and remediate the breach
17. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
Post the updated policy on this page with a revised "Effective Date"
Notify you via email or in-app notification for significant changes
Obtain renewed consent where required by applicable law
We encourage you to review this Privacy Policy periodically. Your continued use of Route X after the revised policy becomes effective constitutes your acceptance of the updated terms.
18. Dispute Resolution
If you have a concern about our privacy practices, please contact us at support@route-x.app. We will work to resolve your concern promptly.
If we are unable to resolve your concern to your satisfaction, you may have the right to file a complaint with your local data protection authority or pursue remedies under applicable law.
Part II. Japan Supplement (APPI Compliance)
Applies to users residing in Japan.
1. Purpose Specification
Personal data is used strictly within the scope defined in Part I, Section 4.
2. Third-Party Provision
We do not provide personal data to third parties except:
With your consent
As required by law
As part of entrusting processing to service providers (not considered "third-party provision" under APPI)
3. Entrusted Processing
We supervise processors appropriately and require: