ROUTORA Privacy Policy
Effective Date: July 10, 2026
1. Introduction
This Privacy Policy ("Policy") explains how ROUTORA ("we," "us," or "our") collects, uses, stores, and protects your information when you use our mobile app, website (ygroutora.com), API (api.ygroutora.com), and VPN services (collectively, the "Service").
ROUTORA is a WireGuard-based VPN with prepaid data plans. Because your traffic is routed through our servers, we are transparent about what we process — and what we never touch.
2. Information We Collect
2.1 Account Information
- Email address (required for registration and login)
- Password (stored only as a one-way bcrypt hash; we never store your plaintext password)
- Account status and role (e.g., active, banned, user, admin)
- Authentication tokens (JWT) stored locally on your device via secure storage
2.2 Device & VPN Configuration Data
- Device UUID (generated locally on first launch, used to identify your device for plan limits)
- WireGuard public key (uploaded to our servers to provision your VPN connection; your private key remains on your device only)
- Platform identifier (e.g., Android, iOS)
- Selected VPN node preference (cached locally on your device)
- Assigned internal VPN IP address (e.g., 10.8.0.x)
2.3 VPN Traffic Metadata (for metering only)
- Aggregate data transfer volume (bytes sent and received) to enforce your traffic plan quota
- WireGuard last-handshake timestamp (connection health monitoring)
- VPN session connection/disconnection events necessary for service operation
We collect traffic volume at the byte level to bill and enforce your plan. We do not log the content of your internet traffic, websites you visit, DNS queries, or destination IP addresses.
2.4 Payment & Order Information
- Order ID, plan purchased, amount, currency (USD), payment status, and payment timestamp
- PayPal transaction reference ID (provider order ID)
Payment card details and PayPal account credentials are processed directly by PayPal. We do not receive or store your full payment card numbers or PayPal login credentials.
2.5 Server & Operational Logs
- API request logs for security, fraud prevention, and troubleshooting (may include IP address, timestamp, and endpoint accessed)
- Node health and infrastructure status logs
3. Information We Do NOT Collect
To protect your privacy, ROUTORA does not collect:
- Browsing history, URLs visited, or search queries
- DNS resolution records or domain names accessed
- Contents of communications passing through the VPN tunnel
- Source or destination IP addresses of your internet sessions
- GPS or precise location data
- Phone number, real name, photo, or government ID
- Contacts, photos, microphone, or camera data
- Advertising identifiers or behavioral analytics profiles
ROUTORA does not integrate third-party advertising or behavioral analytics SDKs (such as Google Analytics, Firebase Analytics, or similar).
4. How We Use Your Information
We use the information we collect to:
- Create and manage your ROUTORA account
- Authenticate your identity and secure your account
- Provision and maintain your WireGuard VPN connection
- Measure and enforce your data-traffic plan quota
- Process payments and fulfill orders via PayPal
- Enforce device limits per your subscription plan (1–5 devices)
- Detect and prevent fraud, abuse, and unauthorized access
- Provide customer support and respond to your requests
- Comply with applicable legal obligations
- Improve service reliability and security
5. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data based on:
- Contract performance: to provide the ROUTORA Service you signed up for
- Legitimate interests: to secure our network, prevent abuse, and improve service quality
- Legal obligation: to comply with applicable laws and lawful requests
- Consent: where required (e.g., optional marketing communications, if offered in the future)
6. Data Sharing & Third Parties
We do not sell your personal information. We share data only in the following circumstances:
- PayPal: payment processing. PayPal's privacy policy governs data they collect: paypal.com/privacy
- VPS infrastructure providers: our VPN nodes run on third-party servers; only encrypted VPN tunnel traffic and operational metadata pass through these servers
- Cloud/hosting providers: to host our API, database, and administrative systems under contractual data protection obligations
- Legal requirements: when required by law, court order, or governmental authority, or to protect our rights, users, or public safety
- Business transfers: in connection with a merger, acquisition, or sale of assets, with notice to affected users
7. International Data Transfers
ROUTORA operates globally. Your data may be processed in countries outside your country of residence, including China, Singapore, the United States, and other jurisdictions where our servers and service providers are located. Where required by law, we implement appropriate safeguards (such as Standard Contractual Clauses) for cross-border transfers.
8. Data Retention
- Account data: retained while your account is active; deleted or anonymized within 30 days of account deletion request, except where retention is required by law
- Traffic usage records: retained for the duration of your active plan and up to 12 months thereafter for billing disputes
- Order/payment records: retained for up to 7 years to comply with financial and tax regulations
- Server logs: retained for up to 90 days unless needed for security investigations
9. Data Security
We implement industry-standard security measures including:
- TLS/HTTPS encryption for all API communications in production
- WireGuard protocol encryption for VPN tunnel traffic
- Bcrypt password hashing
- Secure local storage for tokens and cryptographic keys on your device
- Access controls and authentication for administrative systems
No method of transmission or storage is 100% secure. We cannot guarantee absolute security but continuously work to protect your data.
10. Your Rights
Depending on your location, you may have the following rights:
- Access: request a copy of personal data we hold about you
- Correction: request correction of inaccurate data
- Deletion: request deletion of your account and associated data
- Portability: request your data in a structured, machine-readable format
- Restriction: request restriction of processing in certain circumstances
- Objection: object to processing based on legitimate interests
- Withdraw consent: where processing is based on consent
To exercise these rights, contact us at [email protected]. We will respond within 30 days (or as required by applicable law). You also have the right to lodge a complaint with your local data protection authority.
11. California Privacy Rights (CCPA/CPRA)
If you are a California resident:
- We do not sell or share your personal information for cross-context behavioral advertising
- You have the right to know what personal information we collect, use, and disclose
- You have the right to request deletion of your personal information
- You have the right to non-discrimination for exercising your privacy rights
Submit requests to [email protected] with the subject line "California Privacy Request."
12. Children's Privacy
ROUTORA is not directed to children under 13 (or 16 in certain jurisdictions). We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will promptly delete it.
13. VPN-Specific Disclosures
When you connect to ROUTORA:
- Your device's internet traffic is routed through our VPN servers using full-tunnel mode (all traffic encrypted via WireGuard)
- Your traffic is encrypted between your device and our VPN server; we cannot read the contents of encrypted tunnel traffic
- We meter aggregate byte volume solely to enforce your purchased data plan
- VPN laws vary by country; you are responsible for ensuring your use of ROUTORA complies with local laws
14. Changes to This Policy
We may update this Policy from time to time. Material changes will be notified via the app, website, or email. The "Effective Date" at the top will reflect the latest revision. Continued use of ROUTORA after changes constitutes acceptance of the updated Policy.
15. Contact Us
Questions about this Policy or requests to exercise your data rights:
We aim to respond within 30 days.