Privacy Policy
Effective date: [EFFECTIVE_DATE]
Last updated: 2026-02-19
1. Who We Are
Raiden is the data controller for personal data processed through raiden.dev.
Contact: [COMPANY_EMAIL]
DPO (if applicable): [DPO_EMAIL]
Address: [COMPANY_ADDRESS], Belgium
2. What Data We Collect and Why
We collect the minimum data necessary to operate the Service. We are a B2B API — we do not target consumers and do not collect personal data of your end-customers unless you deliberately include it in API payloads (see Section 3).
2.1 Account Data
| Data | Purpose | Legal Basis |
|---|---|---|
| Name, work email | Account creation, communication | Contract (Art. 6(1)(b)) |
| Company name, VAT number | Billing and invoicing | Legal obligation (Art. 6(1)(c)) |
| Password hash | Authentication | Contract |
2.2 API Usage Data
| Data | Purpose | Legal Basis |
|---|---|---|
| API key identifiers | Authentication, rate limiting | Contract |
| Request timestamps, CU counts, HTTP status | Billing, abuse detection, debugging | Legitimate interest (Art. 6(1)(f)) |
| IP addresses of API callers | Security, fraud prevention | Legitimate interest |
We do not log the content of your API request/response bodies in our application layer. Cloudflare may log request metadata per their privacy policy.
Legitimate interest balancing: For API usage logs and IP addresses processed on the basis of legitimate interest, we have assessed that: (a) this processing is necessary for billing integrity, abuse prevention, and security; (b) data is minimised to metadata only — no payload content is stored; (c) B2B API customers have a reasonable expectation that API providers log request metadata; and (d) the processing does not materially override data subjects’ interests in the B2B context. You may object to this processing under GDPR Art. 21 by contacting [COMPANY_EMAIL].
2.3 Payment Data
Payment card details are processed directly by Stripe, Inc. We receive only non-sensitive billing metadata (last 4 digits, expiry, billing address). Stripe’s privacy policy applies to payment processing.
2.4 Communications
Emails you send us, support tickets, and feedback are retained to handle your request and improve the Service (legitimate interest).
2.5 Website Analytics
We use privacy-respecting analytics (no cross-site tracking, no fingerprinting) on raiden.dev. No cookies requiring consent are set for analytics purposes.
3. Personal Data in API Payloads
The Raiden API processes operational logistics data you submit (stop locations, time windows, vehicle specs). This data may incidentally contain personal data (e.g. customer names, delivery addresses).
You are the data controller for any personal data in your API payloads. We act as your data processor. This relationship is governed by our Data Processing Agreement.
We strongly recommend:
- Pseudonymising customer identifiers in API payloads (use IDs, not names)
- Not including sensitive personal data (health, financial) in routing inputs
4. How We Share Data
We do not sell personal data. We share data only with:
| Recipient | Purpose | Location |
|---|---|---|
| Cloudflare, Inc. | API infrastructure, edge network | USA (SCCs in place) |
| Stripe, Inc. | Payment processing | USA (SCCs in place) |
| [Email provider] | Transactional email | [Location — confirm SCCs or adequacy] |
| Kinde Commerce Pty Ltd | Authentication | Australia (SCCs in place — no adequacy decision; Module 2 SCCs required) |
Our full subprocessor list is maintained at [SUBPROCESSOR_LIST_URL]. We notify you of subprocessor changes with 30 days’ notice.
We may disclose data to law enforcement or regulatory authorities where required by law, and will inform you unless legally prohibited.
5. International Transfers
We are established in Belgium (EEA). Where we transfer personal data outside the EEA, we rely on:
- Standard Contractual Clauses (SCCs) per EU Commission Decision 2021/914
- Adequacy decisions where applicable
Cloudflare offers EEA-only data processing via their Data Localization Suite, which we use for API traffic where technically feasible.
6. Data Retention
| Data type | Retention period |
|---|---|
| Account data (name, email, company) | Duration of account + 3 years after closure |
| API usage logs (metadata only) | 13 months (billing reconciliation) |
| Invoice records | 7 years (Belgian accounting law, Art. III.85 WER) |
| Support communications | 3 years |
| API payload content | Not retained at application layer |
| Customer Personal Data in API payloads | Not retained; deleted within 30 days of termination or Customer request per DPA Section 10 |
7. Security
We implement appropriate technical and organisational measures including:
- TLS 1.3 for all data in transit
- AES-256 encryption for data at rest
- API keys hashed with bcrypt
- Role-based access controls on internal systems
- Annual security reviews
In the event of a personal data breach:
- Notification to the supervisory authority (GDPR Art. 33): We will notify the Belgian Data Protection Authority (APD/GBA) without undue delay and within 72 hours of becoming aware of a breach that is likely to result in a risk to individuals’ rights and freedoms.
- Notification to you as our customer (DPA): Where you are our data processor customer, we will notify you within 48 hours of becoming aware of a Security Incident (per the DPA Section 9), giving you sufficient time to meet your own Art. 33 obligations.
- Notification to affected individuals (GDPR Art. 34): Where a breach is likely to result in a high risk to individuals, we will notify affected data subjects without undue delay, unless the data was encrypted or other mitigating factors apply.
8. Your Rights (GDPR)
As a data subject you have the right to:
| Right | How to exercise |
|---|---|
| Access (Art. 15) | Email [COMPANY_EMAIL] |
| Rectification (Art. 16) | Via dashboard or email |
| Erasure (Art. 17) | Email [COMPANY_EMAIL] — we will action within 30 days |
| Restriction (Art. 18) | Email [COMPANY_EMAIL] |
| Portability (Art. 20) | Dashboard export, or email |
| Object (Art. 21) | Email [COMPANY_EMAIL] |
| Withdraw consent | Where processing is consent-based |
We will respond within 30 days (extendable to 60 days with notice for complex requests).
You also have the right to lodge a complaint with the Belgian Data Protection Authority (APD/GBA): gegevensbeschermingsautoriteit.be.
9. Cookies
We use only:
- Strictly necessary cookies: session management, CSRF protection (no consent required)
- No advertising or cross-site tracking cookies
10. Children
The Service is not directed at anyone under 18. We do not knowingly collect personal data from minors.
11. Changes
We will notify you of material changes to this policy by email or dashboard notice at least 30 days before they take effect.