Privacy Policy
Last updated: 5 July 2026
This is a convenience translation. In case of any discrepancy, the English version of this document prevails.
This Privacy Policy explains how Tunel LLC (“OSRMRoute”, “we”) collects, uses, discloses and protects personal data when you use our websites, APIs and dashboards (the “Service”). We act as the data controller for the personal data described here.
1. Data we collect
We collect the following categories of data:
- Account data — the email address you register with and a securely hashed version of your password. We never store passwords in plain text.
- API keys and configuration — the keys you generate and their plan and limit settings.
- Usage data — for each API request we log the key used, the requested endpoint/path, the originating IP address, the HTTP status and the response time. We use this for authentication, quota enforcement, analytics, billing and abuse prevention.
- Query content — the coordinates and search terms you send are processed to produce results. We do not use this content to build a profile of you.
- Cookies — an authentication cookie and, with your consent, Google Analytics cookies (see below).
2. How we use data and legal bases
We process personal data to:
Where we rely on legitimate interests, we balance them against your rights and freedoms. Legal bases listed here refer to Article 6 of the EU/UK GDPR where it applies to you.
- provide, operate and secure the Service (performance of a contract);
- enforce quotas and prevent fraud, abuse and security incidents (legitimate interests);
- bill for paid plans and keep financial records (contract and legal obligation);
- communicate service and account notices (contract and legitimate interests);
- comply with applicable law (legal obligation).
3. Cookies
We use a strictly necessary, HTTP-only authentication cookie (auth_token) to keep you signed in to the dashboard; it is not used for advertising or cross-site tracking. With your consent, we also use Google Analytics to understand how the site is used — it sets analytics cookies and is loaded only after you accept via our cookie banner. You can withdraw consent at any time by clearing the site's storage, and you can block cookies in your browser (the dashboard may not function without the authentication cookie).
4. Sharing and disclosure
We do not sell personal data. We share it only:
- with service providers who host and support the Service, under confidentiality obligations;
- with payment processors to handle paid plans;
- where required by law, legal process or to protect rights, safety and security;
- in connection with a merger, acquisition or asset sale, subject to this Policy.
5. International data transfers
We may process data in countries other than yours. Where we transfer personal data out of the EEA, UK or other regulated regions, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses or an adequacy decision.
6. Data retention
We keep account data for as long as your account is active and as needed to provide the Service. Usage logs are retained for a limited period for analytics, billing and security, after which they are deleted or aggregated. We retain records longer where required for legal, tax or accounting purposes.
7. Your rights
Depending on where you live, you may have the right to access, correct, delete, restrict or object to processing of your personal data, to data portability, and to withdraw consent. Residents of the EEA/UK have rights under the GDPR; California residents have rights under the CCPA/CPRA, including the right to know, delete, and opt out of “sale” or “sharing” (we do not sell or share personal data as defined by those laws). To exercise your rights, contact us; you also have the right to lodge a complaint with your local supervisory authority.
8. Security
We use technical and organizational measures to protect personal data, including password hashing, encrypted transport (HTTPS), access controls and network isolation of our databases. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.
9. Children
The Service is not directed to children under 16, and we do not knowingly collect their personal data. If you believe a child has provided us data, contact us and we will delete it.
10. Changes to this Policy
We may update this Policy from time to time. We will post the updated version with a new “last updated” date and, for material changes, provide additional notice.
11. Contact
Data controller: Tunel LLC, Haydar Aliyev Ave., Caspian Sport & Business Center, Baku, Azerbaijan. For privacy requests, email [email protected]. For any data protection matter, including requests from the EEA or UK, you may also write to us at the address above.
Questions about this document? Contact us at [email protected].