Last updated 14 May 2026 · Version 1.0
1. Who we are
Rijwind is a maps + geocoding + routing API, operated from the Netherlands. For any privacy question, write to info@rijwind.com.
2. What we store about you (the customer)
When you sign up we store:
- Your name and email address.
- The names you give your projects and API keys.
- The SHA-256 hash of each API key — never the plaintext.
- Billing details (address, VAT id) on paid plans. Card and direct-debit details are held by Mollie, not by us.
- Two-factor authentication secrets, encrypted at rest.
We use PostHog (EU region) for first-party product analytics and error tracking — it helps us see which dashboard pages people get stuck on and catch backend errors before customers report them. No advertising cookies, no cross-site tracking, no profile shared with any other site. Data is hosted in Germany; details in the DPA §5.
3. What we log when you call the API
Every API call is logged for billing, abuse prevention, and incident response. A log line records:
- Timestamp.
- The endpoint hit (e.g. /v1/geocode/search) and HTTP status.
- The key prefix (e.g. rw_live_AbCd) — never the full plaintext.
- The IP address that issued the request.
- The query parameters you sent (e.g. the search string, the coordinates).
Retention is 30 days. After that the per-request rows are deleted; only aggregated per-day counters survive (for the dashboard charts and billing reconciliation). You can request earlier deletion at any time.
4. End-user data
Rijwind does not retain the addresses, coordinates, or queries your end-users submit through your application beyond the 30-day log described above. We are a processor for that data; you are the controller. Our Data Processing Agreement at /legal/dpa covers the relationship.
5. Where the data lives
All customer and end-user data is processed on infrastructure inside the European Union. The full list of subprocessors and their locations is in the DPA, §5.
6. Your rights (GDPR)
You can exercise the rights granted by the GDPR at any time:
- Access — get a copy of the personal data we hold about you.
- Rectification — correct any inaccurate data.
- Erasure — close your account and have us delete the associated data.
- Restriction — ask us to stop processing while a dispute is resolved.
- Portability — receive your data in a structured, machine-readable format.
- Objection — object to a specific processing activity.
Email info@rijwind.com. We respond within 30 days. If you're not satisfied with the response, you can file a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).
7. Cookies
We use a small number of strictly-necessary first-party cookies:
- rijwind_session — keeps you logged in.
- XSRF-TOKEN — protects against cross-site request forgery.
- sidebar_state — remembers whether you collapsed the dashboard sidebar.
No analytics, advertising, or third-party tracking cookies are set.
For product analytics, PostHog stores an anonymous identifier in your browser's localStorage rather than a cookie. It is scoped to rijwind.com, never shared with other sites, and cleared when you sign out.
8. Changes to this policy
Material changes are announced at least 30 days in advance via email and an update to the version stamp at the top of this page. Non-material edits (typos, clarifications) are applied immediately.