How We Handle Your Data
Privacy Policy
Roadmap (“Roadmap,” “we,” “us,” “our”) is the brand of Roadmap Law PLLC, a New York professional limited liability company delivering fractional in‑house legal counsel and business advisory services. This Privacy Policy describes how we collect, use, store, and share personal data when you engage with our services, client portal, and marketing website at useroadmap.co.
We are a U.S. law firm. Our client relationships are governed by the New York Rules of Professional Conduct (“NY RPC”). This Policy is designed to give you the level of transparency a B2B client’s IT or legal team would need to evaluate our data handling practices. If you are reviewing this for vendor due diligence, see also our Security overview and reach out to support@useroadmap.co with any additional questionnaire requirements.
1. Who We Are
Data Controller: Roadmap Law PLLC, operating under the Roadmap brand, is the data controller for personal data processed through this platform.
Contact for data inquiries: support@useroadmap.co
Roadmap Ventures LLC is an affiliate of Roadmap Law PLLC and is addressed solely with respect to equity arrangements under our Terms of Service §10. Roadmap Ventures does not separately process client data for service delivery purposes.
Subscription products. Roadmap Counsel and Roadmap Personal are legal subscriptions. Roadmap Operator is a non‑legal advisory subscription. Each is independent and may be held in any combination. Information generated under a legal subscription is segregated from advisory‑only information through per‑client Slack channels and per‑client Drive folders, including for clients who hold more than one subscription concurrently. See our Attorney‑Client Privilege page for the privilege implications of each.
1.1 Defined Terms
In this Policy:
- “Client” means the individual or entity identified in the Roadmap account and any of its authorized users.
- “Client Content” means the substantive content of a Client’s matter or engagement — including documents, files, message bodies, draft work product, and matter facts shared in the per‑client Slack channel or Drive folder.
- “Operational Data” means non‑content telemetry, structured event metadata, and de‑identified, aggregated analytics generated as a by‑product of operating the Service, as further described in §5 and §8.
- “Processing” has the meaning given by applicable U.S. state privacy law and includes collection, use, storage, disclosure, deletion, and analysis.
- “Sub‑Processor” means a third‑party service provider engaged by Roadmap to Process personal data on Roadmap’s behalf, as listed in §7.
2. What This Policy Covers
This Policy covers personal data processed in connection with:
- The Roadmap client portal at useroadmap.co/portal;
- Slack channels provisioned for your engagement (your per‑client channel in our Slack workspace);
- Google Drive folders provisioned for your engagement (at Clients/<Tier>/<client‑slug>/);
- Stripe billing and subscription management;
- Cal.com bookings for paid‑subscriber and internal scheduling;
- Ava, our AI client‑operations agent; and
- The Roadmap marketing website at useroadmap.co.
This Policy operates alongside our Terms of Service, which governs the engagement itself. In the event of conflict, the Terms of Service govern contractual matters; this Policy governs data handling. For security controls, see our Security overview.
3. Categories of Personal Data We Collect
3.1 Account Data
Name, email address, billing address, and company or organization name collected at sign‑up. This data is used to establish your client relationship, provision your Slack channel and Drive folder, and manage your subscription through Stripe.
3.2 Engagement Data
Matters, documents, and communications that arise in the course of your engagement — including files uploaded to your Slack channel, messages in your channel, documents stored in your Drive folder at Clients/<Tier>/<client‑slug>/, and work product we prepare for you. For legal subscriptions, this data is attorney‑client privileged under applicable NY RPC rules. See our Attorney‑Client Privilege page.
3.3 Payment Data
Payment processing is handled entirely by Stripe. Roadmap never sees or stores your card number or full card credentials. We receive from Stripe: the last four digits of the card on file, card brand, your Stripe Customer ID, subscription plan tier, and transaction records (amount, date, status). This is the minimum needed for billing management and support.
3.4 Usage Data
Standard technical data about how you access the portal — login timestamps, pages visited, browser type, device type, and IP address. Used for platform security, authentication verification, and service reliability. Vercel function logs retain this data on a rolling basis.
3.5 Inferred / Metadata
Entitlement flags, subscription tier, and litigation‑hold status stored as Stripe metadata on your customer record. These are operational flags that govern how your account is treated (e.g., whether files are subject to a legal hold) and are not used for marketing or profiling.
4. How We Collect It
Sign‑up flow. You provide account data through Stripe Checkout. Stripe sends a webhook to our servers upon successful payment; our provisioning functions then create your per‑client Slack channel (and invite you) and your Drive folder at Clients/<Tier>/<client‑slug>/, which is shared with you as Commenter.
Slack channel. Client messages and file uploads in your channel are stored natively within Slack. When files are uploaded to your channel, they are also mirrored to your Drive folder via our Google service account (see §7).
Drive folder. Files shared with support@useroadmap.co appear in your folder and in the portal’s “Shared folders” list. The service account roadmap-app-drive@roadmap-app-497521.iam.gserviceaccount.com manages folder creation and sharing using domain‑wide delegation, impersonating support@useroadmap.co.
Stripe Checkout and Customer Portal. Billing data flows through Stripe. You manage payment methods and subscription settings through the Stripe Customer Portal linked from your Roadmap account.
Portal. Login events and session data are collected when you access useroadmap.co/portal. The “Last search” card on your dashboard shows a preview of Ava’s most recent answer in your channel, sourced from Slack.
4A. Accounts You Create With Our Sub‑Processors
To use the Roadmap platform, you (or, where you are an organization, your authorized users) will need to create or use an account with certain of our sub‑processors listed in §7. The relationship between you and each sub‑processor is governed by that sub‑processor’s own terms and privacy policy. Roadmap does not control, and cannot access, your credentials or any data held outside the per‑engagement workspace we provision.
- Slack (required). You must accept a Slack invitation to your dedicated per‑client channel in the Roadmap workspace. You will sign in to Slack with your own Slack account (you may create a free Slack account if you do not have one). Your use of Slack is governed by Slack’s terms and privacy policy. Roadmap does not receive your Slack password or your activity in any other Slack workspace.
- Google Drive (required). You will need to access the Google Drive folder we provision for your engagement at Clients/<Tier>/<client‑slug>/; that folder is the primary store for documents and work product associated with your matter. Access requires either signing in with a Google account (Gmail or Google Workspace) under the email address you provide, or using Google’s standard guest‑sharing flow if your address is not a Google account. Creating a Google account is not required, but you must be able to receive sharing notifications at the email you give us and complete Google’s standard access flow. Your use of Google services is governed by Google’s terms and privacy policy. Roadmap does not receive your Google password.
- Stripe (required). Subscription payment is processed through Stripe Checkout and managed through the Stripe Customer Portal. You provide payment information directly to Stripe; Roadmap does not see or store your full card number. Your use of Stripe is governed by Stripe’s terms and privacy policy.
- Cal.com (paid subscribers only, where applicable). Active Clients who use our Cal.com booking links provide their name, email, and any scheduling details directly to Cal.com. A Cal.com account is not required to book; if you choose to create one, your relationship with Cal.com is governed by Cal.com’s terms and privacy policy. Roadmap is not used as Cal.com’s identity provider, and Cal.com is not used to host Client matter content or work product (see §7).
Where any sub‑processor account is used to access Roadmap services, you remain responsible for the security of that account (including password strength, multi‑factor authentication where supported, and prompt notification to Roadmap and the sub‑processor if you suspect compromise). Roadmap’s confidentiality obligations under NY RPC 1.6 and our security commitments under Security apply to the data we hold and process; they do not extend to the security of accounts you maintain with sub‑processors.
5. How We Use It
- Deliver legal and advisory services. Processing documents, drafting work product, answering questions via Ava, managing your matter through your Slack channel and Drive folder.
- Billing and subscription management. Creating and managing your Stripe subscription, charging recurring fees, providing invoices, and handling the Customer Portal.
- Provisioning and platform operations. Creating per‑client Slack channels and Drive folders, maintaining the portal, and routing webhooks.
- Support and communications. Responding to your requests via your Slack channel or support@useroadmap.co.
- Compliance with bar rules and applicable law. Retaining files as required by NY RPC, tax and accounting obligations, and any applicable legal hold.
- Security and fraud prevention. Authenticating sessions, detecting unauthorized access, and maintaining audit logs.
- Service operation and improvement using operational data and de‑identified, aggregated analytics. Roadmap operates, monitors, secures, debugs, optimizes, and improves its platform using operational data and de‑identified, aggregated derivatives of usage. This includes, without limitation: (a) operational telemetry — invocation counts, response latencies, error and retry rates, command and feature usage frequencies, routing decisions, model and tool selection events, session durations, queue depths, rate‑limit events, infrastructure performance metrics, citation coverage, and similar signals describing how the Service operates; (b) structured event metadata — command names, tool identifiers, workflow types, channel and workspace identifiers held in hashed or pseudonymous form, timestamps, and other non‑content event attributes; (c) de‑identified, aggregated analytics — statistical summaries and aggregate feature‑adoption, performance, and quality measurements computed across the Roadmap client base; and (d) internal models, indices, and tooling trained or built solely on the foregoing — including routing classifiers, intent classifiers, latency and anomaly‑detection models, quality and reliability scorers, retrieval indices over Roadmap’s own documentation, prompts, templates, and internal materials, and similar task‑specific models and infrastructure that do not ingest Client content, document text, message bodies, or matter facts and that have no capacity to reproduce Client information. Data used under this Section is irreversibly de‑identified and aggregated before use; contains no Client identifiers, no document content, no matter content, and no Slack, email, or other message bodies; and cannot reasonably be re‑associated with any individual Client, matter, or person. 
Roadmap retains all right, title, and interest in any operational data, aggregate analytics, and internal models, indices, benchmarks, and tooling described in this Section, and may use them perpetually for any lawful internal purpose — including measuring quality, comparing performance over time, evaluating new models or providers, publishing aggregate industry benchmarks that contain no Client‑identifying information, and developing new features — without further notice or consent. Roadmap does not share data described in this Section with any third‑party foundation model provider for model training, and does not share it with any advertising network or data broker for any purpose. The activities described in this Section are within the ordinary operation of the Service and do not require additional Client consent beyond acceptance of these Terms and the engagement; Roadmap’s confidentiality obligations under New York Rule of Professional Conduct 1.6 are not relaxed by this Section. Roadmap may update the specific operational data and analytic techniques used under this Section from time to time as the Service evolves, provided no such update will narrow the de‑identification, aggregation, or non‑sharing protections set forth above. See §8 for AI processing specifics.
We do not use your data for advertising, behavioral profiling, or sale to third parties. See §9.
6. Legal Basis for Processing
Contract performance. The primary basis for processing engagement data, account data, and payment data is performance of the contract you have with us (the Terms of Service and the attorney‑client engagement). Without this processing, we cannot deliver the services.
Legal obligation. Certain processing is required to comply with applicable law — including NY RPC 1.15(d)(1) record‑keeping (7 years for matter‑related financial records), NYSBA Op. 623 reasonable‑period closed‑file retention for substantive files, tax and accounting record‑keeping, and any court or regulatory order.
Legitimate interests. Security, fraud prevention, and platform reliability — balanced against your rights. We do not rely on legitimate interests to override your fundamental privacy rights.
Consent (AI use). Your consent to Roadmap’s use of AI tools, including Ava, is given as part of your engagement under Terms of Service §3.4. AI processing is integral and native to the Service; the only remedy for a Client who can no longer accept AI processing is to cancel under Terms of Service §5 and Module M‑SUB.5. Attorney supervision applies to all work regardless.
7. Sub‑Processors
We use the following sub‑processors to deliver the Roadmap service. All client data is processed in U.S. data centers. We will notify clients of any material new sub‑processor at least 30 days before activation via email and an updated version of this Policy.
| Sub‑Processor | Purpose | Data Processed | Region | Key Commitment |
|---|---|---|---|---|
| Slack (Salesforce, Inc.) | Primary work surface; per‑client private channel; Slack Connect for external client access; file uploads and delivery | Messages, file attachments, channel membership identifiers | U.S. data centers | SOC 2 Type II, ISO 27001; enterprise channel isolation |
| Google Workspace (Google LLC) — Drive & Gmail | Per‑client Drive folder at Clients/<Tier>/<client‑slug>/; file storage and mirroring; service account impersonation of support@useroadmap.co for folder management | Documents, files, folder structure, sharing permissions | U.S. data centers | SOC 2 Type II, ISO 27001, FedRAMP; AES‑256 at rest; Google Workspace Admin audit logs |
| Stripe (Stripe, Inc.) | Billing, Stripe Checkout, Customer Portal, subscription management, payment methods, webhook events; litigation‑hold flag and plan metadata stored on Stripe customer record | Payment method (last4, brand), billing address, Stripe Customer ID, subscription status, Stripe metadata | U.S. data centers | PCI‑DSS Level 1; Roadmap never sees or stores card numbers; SOC 2 Type II, ISO 27001 |
| Vercel (Vercel, Inc.) | Application hosting (Next.js / static); webhook routing; portal at useroadmap.co; US‑East region | Request metadata, Vercel function logs (request/response, errors), session tokens in encrypted env vars | U.S. (US‑East) | SOC 2 Type II; encrypted at rest; encrypted environment variables for secrets |
| Notion (Notion Labs, Inc.) | Matter management workspace — matter records, statuses, internal attorney notes, work‑product drafts, summaries, and Client Content (notes, summaries, and documents) handled by the assigned attorney(s) on a matter | Matter identifiers and metadata; internal notes and summaries; Client Content (including documents and excerpts) actively used for matter management | U.S. data centers | SOC 2 Type II, ISO 27001; AES‑256 at rest, TLS 1.2+ in transit; access scoped via Roadmap’s Business plan with SAML SSO and audit logs; data‑processing addendum in place |
| Perplexity AI, Inc. (Enterprise plan) | Powers Ava, our AI client‑operations agent; Perplexity Sonar (Enterprise) is the inference layer for all Ava answers | Relevant Slack thread context and cited sources sent per Ava invocation; no persistent client data store at Perplexity | U.S. data centers | Enterprise plan: zero retention of customer inputs/outputs for training; no use of customer data to train models; operational retention for abuse/safety only; Roadmap has no direct accounts with OpenAI, Anthropic, or other model providers — all model access is mediated by Perplexity |
| GitHub (GitHub, Inc. / Microsoft) | Application source code version control only | Source code only — no client data | U.S. data centers | SOC 2 Type II, ISO 27001; Dependabot vulnerability scanning |
| Cal.com (Cal.com, Inc.) | Scheduling for paid‑subscriber meetings (matter check‑ins, working sessions) and internal team scheduling; booking links shared with active Clients. Not used for prospect intake. | Booker name and email, meeting type, requested date and time, time zone, any free‑text notes the booker chooses to provide, and standard booking metadata (event identifier, status, cancellation/reschedule events) | U.S. data centers (Cal.com cloud, U.S. region) | SOC 2 Type II; TLS 1.2+ in transit, encryption at rest; data‑processing addendum available; bookers may submit only the minimum personal data needed to schedule; Cal.com is not used to host Client matter content or work product |
Note on prior sub‑processors. Resend appears in earlier versions of this Policy as a sub‑processor for transactional email delivery; it is no longer used and has been removed from the sub‑processor list as of this version.
8. AI Processing & Ava
Roadmap does not use Client Content to train, fine‑tune, or otherwise modify any AI model — whether operated by Roadmap, by Perplexity, or by any third‑party model provider — unless Client has expressly authorized that specific training activity in a signed writing referencing this commitment. This commitment is the controlling rule of this Section.
What Ava is. Ava is Roadmap’s AI client‑operations agent. She operates within your per‑client Slack channel and has access to your Drive folder. She is invoked by @‑mention, the /ask command, or by replying to a thread in your private channel. Ava does not see other clients’ data; her scope is restricted to a single client’s channel and Drive folder.
What Ava sends to Perplexity. When Ava answers a question, she sends the relevant context — the recent thread and any cited sources — to Perplexity Sonar (Enterprise). The answer is posted back to your Slack channel. Ava cites sources for every answer.
Perplexity Enterprise no‑training commitment. Under Perplexity’s Enterprise plan, Perplexity commits to: (a) zero retention of customer inputs and outputs for training purposes; (b) no use of customer data to train, fine‑tune, or otherwise improve models; and (c) only standard short‑window operational retention for abuse and safety review. This commitment covers all underlying model providers that Perplexity routes to. Roadmap does not have direct accounts with OpenAI, Anthropic, or any other model provider — all model access is mediated through Perplexity, and Perplexity’s Enterprise commitments apply transitively to that routing.
What Ava does not do. Ava does not give legal advice. All legal work product is subject to attorney supervision. Per Terms of Service §3.4, AI is integral and native to the Roadmap service; use of AI tools (including Ava) is a condition of the engagement and is not an opt‑in feature. There is no AI‑free version of the service. If you cannot accept AI processing as described in this Policy and in §3.4 of the Terms, do not subscribe; existing subscribers who can no longer accept it must cancel under Terms §5 and Module M‑SUB.5.
Operational data, de‑identified analytics, and internal models — service operation and improvement. Consistent with §5, Roadmap operates, monitors, secures, debugs, and improves the Service using (a) operational telemetry (invocation counts, latencies, error and retry rates, routing decisions, model and tool selection events, command and feature usage, citation coverage, infrastructure performance, and similar non‑content signals); (b) structured event metadata in hashed or pseudonymous form; (c) de‑identified, aggregated analytics computed across the client base; and (d) internal task‑specific models, indices, and tooling trained or built solely on the foregoing — including routing classifiers, intent classifiers, anomaly‑detection models, quality scorers, and retrieval indices over Roadmap’s own documentation, prompts, and internal materials. None of these activities ingest Client content, document text, message bodies, or matter facts, and the resulting models and analytics have no capacity to reproduce Client information. Roadmap retains all right, title, and interest in such operational data, aggregate analytics, and internal models, indices, benchmarks, and tooling, and may use them perpetually for any lawful internal purpose — including measuring quality, comparing performance over time, evaluating new models or providers, publishing aggregate industry benchmarks that contain no Client‑identifying information, and developing new features — without further notice or consent. Roadmap does not send Client content (identified or de‑identified) to OpenAI, Anthropic, or any other foundation model provider for training; Roadmap has no direct accounts with such providers, and Perplexity’s Enterprise plan contractually prohibits training on Roadmap data in any form. 
Roadmap’s confidentiality obligations under NY RPC 1.6 and the attorney‑client privilege are not relaxed by this paragraph; the activities described here are within the ordinary operation of the Service and use only operational data, structured event metadata, de‑identified aggregated analytics, and Roadmap’s own materials.
9. Sharing with Third Parties
We share personal data only in the following circumstances:
- Sub‑processors listed in §7 — solely for the purposes described in that table.
- Legal process. Where required by a valid court order, subpoena, regulatory demand, or applicable law, and only to the extent required. We will notify you before disclosing where legally permitted to do so.
- Professional responsibility. Where required by NY RPC or order of a court or bar authority.
- Business transfer. In connection with a merger, acquisition, or transfer of substantially all assets, where the successor assumes the obligations of this Policy. We will notify clients before any such transfer affects their data.
We do not sell, rent, or license personal data to third parties for any purpose. We do not share data for advertising, cross‑context behavioral advertising, or marketing by third parties.
10. International Transfers
All client data — Slack messages, Drive documents, Stripe billing metadata, application data on Vercel, and Cal.com bookings — is stored in U.S. data centers operated by the sub‑processors named in §7. We do not transfer client data to the EU, EEA, or any other non‑U.S. region as part of our standard operations today.
We are a U.S. law firm serving primarily U.S.‑based clients. We are not currently offering GDPR‑specific Data Processing Agreements or EU‑U.S. Standard Contractual Clauses as a standard offering. If your organization requires a DPA for EU‑law compliance purposes, contact support@useroadmap.co to discuss.
11. Retention
We retain personal data for no longer than necessary for the purposes described in this Policy, subject to applicable professional and legal obligations.
| Data Category | Retention Period | Basis |
|---|---|---|
| Client files and work product (Drive folder, documents, Notion matter pages) | At least 7 years from close of matter for matter‑related financial records under NY RPC 1.15(d)(1) (measured from the event the record records); for substantive work product and other matter files, retained for a reasonable period consistent with NYSBA Op. 623 (generally not less than 7 years from close of matter), longer where the statute of limitations, malpractice exposure, or the Client’s reasonable interests warrant | NY RPC 1.15(d)(1); NYSBA Op. 623; Terms of Service §17 |
| Slack channel and messages | Duration of active engagement + 30 days after cancellation for client export, then archived per file‑retention policy | Engagement continuity; NY RPC; Terms of Service §17 |
| Billing records (Stripe) | Per Stripe defaults and applicable tax / accounting law (typically 7 years) | Tax and accounting obligations |
| Stripe metadata (litigation‑hold flag, plan tier) | Life of the customer record | Operational entitlement management |
| Account data (name, email, company) | Duration of engagement + 7 years | Tax, accounting, professional responsibility |
| Vercel function logs (request / response, errors) | Vercel standard retention (rolling; see Vercel’s documentation) | Platform security and debugging |
| Perplexity (Ava invocation inputs / outputs) | Zero retention for training; operational short‑window only per Perplexity Enterprise plan | Perplexity Enterprise commitment |
| Cal.com booking records for paid subscribers (booker name, email, meeting type, time, notes) | Retained as part of the Client file under the row above (matter records); booker may request earlier deletion under §13 to the extent consistent with our retention obligations | Treated as matter records; NY RPC 1.15(d)(1) / NYSBA Op. 623 |
| Litigation hold | Any data subject to a litigation hold, preservation demand, court order, or regulatory directive is preserved regardless of the retention periods stated above and regardless of any deletion request under §13 | Legal obligation; duty to preserve |
Upon cancellation of a subscription, you will retain access to your Slack channel and Drive folder for 30 days to export materials. After that period, the channel and folder are archived in accordance with the file‑retention policy above. Beyond the 30‑day post‑cancellation window, the Client may request a copy of materials to which the Client is entitled under NY RPC 1.15(c) and 1.16(e); we will provide the export or restore access for that limited purpose. Any materials subject to a legal hold are preserved regardless of cancellation.
12. Security
We implement technical and organizational measures designed to protect your personal data against unauthorized access, disclosure, alteration, or destruction. These include TLS 1.2+ encryption in transit for all client‑facing surfaces, encryption at rest per sub‑processor (Google Drive AES‑256; Stripe PCI‑DSS Level 1; Vercel encrypted at rest), multi‑factor authentication on all Roadmap admin accounts, and least‑privilege access controls throughout. For the complete security control set, see our Security overview.
12.1 Security Incident Notification
In the event of a confirmed security incident that compromises the confidentiality, integrity, or availability of Client personal data, Roadmap will notify affected Clients without unreasonable delay and within the timeframes required by applicable law, by email to the Client’s account contact and, where the incident affects a specific engagement, by message in the Client’s Slack channel. The notification will describe the nature of the incident, the categories of data affected (to the extent then known), the steps Roadmap is taking, and the recommended steps for the Client. Roadmap will continue to update affected Clients as material new facts become available.
13. Your Rights
You may exercise the following rights by contacting support@useroadmap.co:
- Access. Request a copy of all personal data we hold about you and your engagement. We will respond within 30 days.
- Correction. Request correction of inaccurate or incomplete personal data.
- Deletion. Request deletion of personal data that is not subject to mandatory retention. Note that file‑retention obligations under NY RPC (§11 above) and any active legal hold will limit deletion of engagement data. Billing records are also subject to statutory retention requirements.
- Portability. Your Drive folder is portable as‑is; you own and can re‑share it directly. Slack channel exports are available through Slack workspace export tools. We will facilitate any such export request.
- Termination if you can no longer accept AI processing. AI processing is integral and native to the Roadmap service; there is no AI‑free version (see Terms of Service §3.4 and §8 above). If you can no longer accept AI processing as described, your remedy is to cancel your subscription under Terms of Service §5 and Module M‑SUB.5. Cancellation does not give rise to a refund or proration of fees already paid (see Module M‑SUB.6), does not excuse any unpaid installments or the cumulative discount clawback under an Annual Commitment Plan (see Modules M‑SUB.4 and M‑SUB.6), and does not retroactively withdraw consent to AI processing that has already occurred.
Turnaround for non‑deletion requests: 30 days. Deletion requests are subject to the retention obligations described in §11.
13.1 State Privacy Rights
If you are a resident of California, Virginia, Colorado, Connecticut, or another U.S. state that grants consumer privacy rights, you have, in addition to the rights stated above, the right to (a) confirm whether Roadmap is Processing personal data about you, (b) access and correct that data, (c) request deletion (subject to the file‑retention obligations in §11 and any active legal hold), (d) request a portable copy of data you provided, and (e) opt out of sale or “sharing” of personal data for cross‑context behavioral advertising — Roadmap does not sell personal data and does not engage in cross‑context behavioral advertising, so the opt‑out is satisfied by default. To exercise these rights, contact support@useroadmap.co; we respond within 45 days and may extend by an additional 45 days where reasonably necessary, as permitted by applicable law. You may appeal a denial of any request by replying to our response; we will review and respond within an additional 45 days.
14. Children’s Privacy
Roadmap is a professional legal services platform. Our services are not directed to, and we do not knowingly collect personal data from, individuals under the age of 18. If you believe a minor has provided personal data through our platform, contact support@useroadmap.co and we will promptly address it.
15. Changes to This Policy
We may update this Policy from time to time. Material changes — including any material new sub‑processor — will be communicated by email and posted at this URL with an updated “Last updated” date at least 30 calendar days before they take effect. Non‑material changes (corrections, clarifications, or changes required by law or rules of professional conduct) may take effect upon posting. Your continued use of the Roadmap platform after the effective date of a material change constitutes acceptance of the revised Policy.
16. Contact
For data protection inquiries, access or deletion requests, vendor due diligence questionnaires, or to discuss a DPA:
Email: support@useroadmap.co
Entity: Roadmap Law PLLC
Jurisdiction: New York, NY
We are not currently SOC 2 certified. Vendor due diligence questionnaires are available on request. For enterprise security review or DPA, contact support@useroadmap.co.