This Privacy Policy describes how Skerric Pty Ltd trading as Routerly (“Routerly”, “routerly.io”, “we”, “us”, or “our”) collects, uses, and discloses personal information when you use the routerly.io website, OMS dashboard, agent software, and related services (the “Service”).
We handle personal information in accordance with the Australian Privacy Principles set out in the Privacy Act 1988 (Cth). For users located in the European Economic Area, the United Kingdom, or Switzerland, we also act in accordance with the EU General Data Protection Regulation (GDPR) and equivalent UK and Swiss law.
Data controller: Skerric Pty Ltd trading as Routerly is the data controller responsible for personal information processed in connection with the Service. Privacy contact: privacy@routerly.io.
1. Information we collect
1.1 Account information
When you create an Account or are invited to a Team we collect your name, email address, hashed password, and any optional profile details you provide. We also record session and authentication events (logins, logouts, two-factor activity).
1.2 Team information
For each Team you create or join we collect the Team name, member roles, invitations you send, permissions you configure, and Team-level preferences such as iPerf3 endpoints and SMS signatures.
1.3 Device telemetry
Devices enrolled in your Team send the Service operational information including the device’s identifier, model, firmware version, connection status, signal strength, network operator, WAN IP address, GPS coordinates (where reported by the device), uptime, memory usage, and similar metrics. We store command and configuration history for audit purposes.
1.4 Access and tunnel logs
When you open a reverse SSH tunnel or remote web UI session we log who initiated the session, when, from which IP address, and to which Device, for security and audit purposes.
1.5 Billing information
Payments are processed by Paddle.com Market Limited and/or its affiliates (“Paddle”). Paddle collects your billing details (name, billing address, card or bank details, tax identifiers where applicable) directly. We receive a limited subset of this information from Paddle — typically your Team identifier, subscription status, invoice records, and the last four digits of the payment method — for reconciliation and customer service.
1.6 Technical information
Our web servers automatically record request metadata such as your IP address, user agent, and timestamp. Cookie usage is described in section 8 below.
2. How we use information
We use the information we collect to:
- Provide and operate the Service, including authenticating you, relaying commands to your Devices, and brokering remote-access tunnels.
- Bill your Subscription and provide receipts.
- Communicate with you about your Account, security alerts, service incidents, and changes to terms or features.
- Diagnose problems, prevent abuse, and improve reliability and security.
- Meet legal, regulatory, and tax obligations.
3. Legal bases for processing (EEA, UK, and Switzerland)
If you are located in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following legal bases under the GDPR and equivalent law to process your personal information:
- Performance of a contract (Art. 6(1)(b) GDPR) — to provide the Service you have signed up for, including managing your Account, your Team, your Devices, and your Subscription.
- Legitimate interests (Art. 6(1)(f) GDPR) — to operate, secure, and improve the Service, prevent fraud and abuse, and respond to support requests, where those interests are not overridden by your rights and freedoms.
- Legal obligation (Art. 6(1)(c) GDPR) — to comply with tax, accounting, and other applicable law.
- Consent (Art. 6(1)(a) GDPR) — where we rely on consent (for example, for any non-essential cookies or marketing communications we may offer in the future), you may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
4. Disclosure to third parties
We do not sell your personal information. We share it only with:
- Service providers (processors) who help us operate the Service — including our cloud hosting provider, our payment processor (Paddle), and our transactional email provider — each acting on our instructions and under contractual confidentiality obligations.
- Other members of your Team, who may see your name, email, role, and activity within the Team.
- Authorities where we are required by law or in response to a valid legal process.
- An acquirer, if routerly.io is involved in a merger, acquisition, or asset sale — in which case we will notify you and provide choices where the law requires.
5. International transfers
routerly.io is operated from Australia. Some of our service providers may store or process personal information outside your country of residence (for example, in the European Union, the United Kingdom, the United States, or Australia).
Where we transfer personal information of EEA, UK, or Swiss data subjects to a country that has not received an adequacy decision, we rely on appropriate safeguards under the GDPR, including the European Commission’s Standard Contractual Clauses (SCCs) and, for UK transfers, the UK International Data Transfer Addendum. For information about a specific transfer or to request a copy of the safeguards in place, contact privacy@routerly.io.
6. Data retention
We retain Account and Team data for as long as the Account or Team is active. Device telemetry is retained for the period needed to provide the Service and for a reasonable operational window afterwards. Billing records are retained for the period required by tax and accounting law (typically seven years in Australia). Audit logs are retained for security review.
After your Account or Team is deleted, we delete or de-identify your information within a reasonable period, except where retention is required by law.
7. Your rights
Subject to applicable law, you may:
- Access and update most of your information through your Account settings.
- Request a copy of the personal information we hold about you.
- Ask us to correct information that is inaccurate, out of date, or incomplete.
- Ask us to delete your Account and associated personal information.
- Withdraw consent for any processing that relies on consent.
7.1 Additional rights for EEA, UK, and Swiss residents
If you are located in the EEA, the United Kingdom, or Switzerland you also have the right to:
- Data portability — receive a copy of the personal information you have provided to us in a structured, commonly used, machine-readable format, and have it transmitted to another controller where technically feasible.
- Restriction of processing — ask us to restrict processing of your personal information in certain circumstances.
- Object to processing — object to processing based on our legitimate interests.
- Lodge a complaint with your local supervisory authority. EEA residents can find their authority at edpb.europa.eu. UK residents can complain to the Information Commissioner’s Office at ico.org.uk.
7.2 Rights for Australian residents
Australian residents can complain to us first, and if you are unsatisfied with our response, to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
To exercise any of these rights, contact us at privacy@routerly.io. We will respond within a reasonable time (and within one month for GDPR requests, subject to permitted extensions) and may need to verify your identity before acting.
8. Cookies and similar technologies
We use cookies and similar browser storage only as strictly necessary to operate the Service. Specifically:
- Session cookie (
oms_session) — keeps you logged in across requests. - CSRF token cookie (
XSRF-TOKEN) — protects forms and API requests against cross-site request forgery. - Preference storage — remembers light/dark theme and similar UI preferences.
We do not use third-party advertising cookies, analytics cookies, or tracking pixels. Because all cookies we set are strictly necessary, we do not display a cookie consent banner; under the EU ePrivacy Directive (Article 5(3)) and equivalent UK rules, strictly necessary cookies are exempt from prior consent. If we add non-essential cookies in the future we will update this policy and request consent where required.
9. Security
We use industry-standard measures to protect personal information against unauthorised access, alteration, disclosure, or destruction. These include encryption in transit, strong authentication controls, role-based access, audit logging, and periodic review. No internet service can be guaranteed completely secure; if a breach affects your information we will notify you and, where required, the relevant supervisory authority, in accordance with the Notifiable Data Breaches scheme under the Australian Privacy Act and Articles 33 and 34 of the GDPR.
10. Children
The Service is not directed to children and we do not knowingly collect personal information from anyone under 18. If you believe a child has provided us with personal information, please contact us so we can delete it.
11. Changes to this Policy
We may update this Privacy Policy from time to time. The “Last updated” date at the bottom of this page reflects the most recent version. Where changes are material we will give reasonable notice before they take effect.
12. Contact
For privacy questions or to exercise any of your rights, contact us at privacy@routerly.io.