Privacy Policy
Roadmap is the collective identity of Roadmap Law PLLC, a New York law firm, and Roadmap Ventures LLC, a New York limited liability company (together, "Roadmap," "we," "us," or "our"). This Privacy Policy explains how we collect, use, store, and share personal data when you use the Roadmap platform (app.useroadmap.co) and marketing website (useroadmap.co).
Who We Are
Roadmap Law PLLC and Roadmap Ventures LLC, operating collectively as Roadmap, are joint data controllers for personal data processed through this platform. The entity that controls your data depends on the service you engage:
- Roadmap Law PLLC is the data controller for legal services — contract review, legal counsel, and related attorney-client engagements.
- Roadmap Ventures LLC is the data controller for product studio, advisory, and venture services.
Both entities share the same platform infrastructure, with role-based access controls ensuring data separation between legal and ventures operations.
Data Controllers:
Roadmap Law PLLC
Roadmap Ventures LLC
New York, NY
General inquiries: support@useroadmap.co
Data protection inquiries: privacy@useroadmap.co
For EU/EEA residents: privacy@useroadmap.co is our designated point of contact for data protection matters under GDPR Articles 13 and 14.
What Data We Collect
Account Data
When you register on the Roadmap client portal, we collect your name, email address, company or organization name, and the information you provide when creating your account. This data is necessary to establish your client relationship with Roadmap.
Document Content
When you upload contracts, agreements, or other legal documents for review, the content of those documents is processed through our platform. Document content includes any personal data embedded in the documents you submit — names of parties, addresses, financial terms, or other information appearing in those files.
Communication Data
Your messages sent through your Slack Connect channel — including text messages, file uploads, and attachments — are retained within the Slack workspace for the duration of your engagement. This includes the back-and-forth communications between you and your assigned attorney.
Usage Data
We collect standard technical data about how you access and use the platform: IP address, browser type, device information, pages visited, and timestamps. This data is used to maintain platform security and improve service reliability.
Payment Data
When you submit payment for services, billing information is processed through Stripe. We do not store your credit card number or full payment credentials on our systems. We retain a record of transactions (amount, date, service description) for accounting and legal compliance purposes.
Legal Bases for Processing
We process personal data only when we have a lawful basis to do so. Under GDPR Article 6, we rely on the following:
Contract performance (Article 6(1)(b)): Processing necessary to deliver the services you have engaged us for — whether legal services through Roadmap Law PLLC or advisory and product studio services through Roadmap Ventures LLC — including analyzing your documents, communicating with you, and billing for completed work.
Legal obligation (Article 6(1)(c)): Processing required to comply with applicable law, including professional responsibility rules governing New York attorneys (for Roadmap Law PLLC engagements), tax and accounting record-keeping obligations for both entities, and anti-money laundering requirements where applicable.
Legitimate interests (Article 6(1)(f)): Processing for purposes such as platform security, fraud prevention, and improving our service delivery — where those interests are not overridden by your rights. We have conducted a balancing assessment for each such processing activity.
Consent (Article 6(1)(a)): Where we rely on consent (for example, for non-essential cookies on our marketing site), you may withdraw that consent at any time without affecting the lawfulness of prior processing.
How Your Data Flows Through Our Platform
Roadmap operates as an integrated platform where your data moves through several systems in the course of delivering legal services. Here is how that works in practice:
- Account creation: You register and authenticate through Softr (our client billing portal). Softr stores your account credentials and manages your session.
- Contract upload: You upload documents to your dedicated Slack Connect channel. Slack stores those files within the workspace.
- AI-assisted analysis: The uploaded document content is transmitted to the Perplexity Sonar API for an initial first-pass analysis. Perplexity's zero data retention policy means the content is processed in memory and immediately discarded — nothing from your document is stored on Perplexity's servers after the request completes. Only billing metadata (token count, model used, timestamp, and API key identifier) is retained by Perplexity for invoicing purposes.
- Attorney review: The AI-generated analysis is placed in a Notion queue where your assigned attorney reviews, edits, and completes the legal analysis. The attorney then edits the redlined document in Google Docs.
- Delivery: The completed redlined document is posted back to your Slack Connect channel.
- Billing: Your billing record is tracked in Notion, and payment is collected via Stripe through the Softr portal.
For legal engagements through Roadmap Law PLLC, all AI output is reviewed and approved by a licensed New York attorney before it is delivered to you. No AI-generated legal analysis is ever sent to a client without attorney review. For Roadmap Ventures LLC engagements, AI-assisted deliverables are reviewed by the assigned project lead before delivery.
Sub-Processors
We use the following third-party sub-processors to deliver the Roadmap service. Each has been selected for its security posture and is bound by data processing terms consistent with GDPR requirements.
| Sub-Processor | Parent Company | Purpose | Data Processed | Location | Certifications |
|---|---|---|---|---|---|
| Slack | Salesforce, Inc. | Client communication channel; file uploads; document delivery | Messages, file attachments, account identifiers | United States | SOC 2 Type II, ISO 27001, GDPR compliant |
| Notion | Notion Labs, Inc. | Backend database for client records, contract queue, billing tracking, legal playbook | Client account data, billing records, workflow metadata | United States | SOC 2 Type II, GDPR compliant |
| Google Workspace (Docs & Drive) | Google LLC | Document editing (redlining) and file storage | Document content, revision history | United States | SOC 2 Type II, ISO 27001, FedRAMP, GDPR compliant |
| Perplexity Sonar API | Perplexity AI, Inc. | AI-powered first-pass contract analysis | Document content (zero retention — processed in memory only; billing metadata retained) | United States | SOC 2 Type II, GDPR compliant |
| Softr | Softr, Inc. | Client billing portal, account management, authentication | Account credentials, session data, billing identifiers | United States | GDPR compliant |
| Stripe | Stripe, Inc. | Payment processing | Payment card data, billing address, transaction records | United States | PCI DSS Level 1, SOC 2 Type II, ISO 27001 |
| Vercel | Vercel, Inc. | Webhook hosting, API routing | Request metadata, API payloads in transit | United States | SOC 2 Type II |
| Ghost | Ghost Foundation | Marketing website CMS (useroadmap.co) | Analytics data, cookies (see Cookie Policy below) | United States | GDPR compliant |
| GitLab | GitLab, Inc. | Version control for platform code | Source code only — no client data | United States | SOC 2 Type II, ISO 27001 |
We will notify clients of any material changes to our sub-processor list. If you object to the addition of a new sub-processor, contact us at privacy@useroadmap.co.
Artificial Intelligence Disclosure
Roadmap uses AI to assist attorneys in reviewing legal documents. Here is what that means for your data:
What AI does: The Perplexity Sonar API performs a first-pass analysis of documents you submit — flagging key clauses, risks, and issues — before your assigned attorney conducts a full review.
Zero data retention: Perplexity's Sonar API maintains a strict zero data retention policy. Your document content is processed in real time and not stored, logged, or retained on Perplexity's servers after the request completes. The only data Perplexity retains is billing metadata: token count, model used, request timestamp, and API key identifier. This metadata contains no content from your documents. See Perplexity's API Privacy & Security documentation for details.
No training on your data: Perplexity does not use data submitted via the Sonar API to train, fine-tune, or otherwise improve its models.
Human review: For Roadmap Law PLLC engagements, every AI-generated analysis is reviewed and approved by a licensed New York attorney before delivery. AI output is a tool for attorney efficiency — it does not constitute legal advice on its own, and it is never sent to clients without attorney sign-off. For Roadmap Ventures LLC engagements, AI-assisted deliverables are reviewed by the assigned project lead before delivery.
Your right to opt out: You may opt out of AI-assisted processing at any time by contacting support@useroadmap.co. If you opt out, your document will be reviewed entirely by an attorney without AI assistance. This may affect turnaround times.
Data Retention
We retain personal data for no longer than necessary for the purposes described in this policy, subject to applicable legal and professional obligations.
| Data Category | Retention Period |
|---|---|
| Account data (name, email, contact info) | Duration of engagement + 7 years (tax and accounting obligations) |
| Document content (Google Docs/Drive) | Duration of engagement, then deleted or returned upon request; 7-year retention applies to final work product under professional responsibility rules |
| Document content (Perplexity Sonar API) | Zero retention — not stored after processing |
| Slack messages and files | Per workspace retention settings; default is indefinite until manually deleted or engagement concludes |
| Billing and payment records | Per Stripe's retention policy (typically 7 years) plus our internal accounting records (7 years) |
| Usage and technical data | 90 days rolling |
| Communications (email, general) | Duration of engagement + 7 years |
Upon conclusion of your engagement, you may request deletion of personal data that is not subject to mandatory retention periods. Contact privacy@useroadmap.co to initiate this process.
International Data Transfers
All sub-processors listed in this policy are headquartered in the United States. If you are located in the European Union or European Economic Area, your personal data is transferred to and processed in the United States.
We rely on the following transfer mechanisms for EU/EEA data transfers:
- EU-U.S. Data Privacy Framework: Where applicable sub-processors are certified under the EU-U.S. Data Privacy Framework.
- Standard Contractual Clauses (SCCs): For transfers not covered by an adequacy decision or DPF certification, we rely on the European Commission's Standard Contractual Clauses (2021 version) incorporated into our data processing agreements with sub-processors.
You may request a copy of the relevant transfer mechanisms by contacting privacy@useroadmap.co.
Your Rights Under GDPR
If you are located in the EU/EEA (or otherwise entitled to GDPR rights), you have the following rights regarding your personal data:
Right of access (Article 15): You may request confirmation of whether we process your personal data and, if so, a copy of that data along with information about how it is processed.
Right to rectification (Article 16): You may request correction of inaccurate or incomplete personal data we hold about you.
Right to erasure (Article 17): You may request deletion of your personal data where there is no legitimate reason for us to continue processing it. Note that certain data must be retained to comply with legal obligations (for example, billing records and legal work product).
Right to restriction of processing (Article 18): You may request that we limit how we use your personal data in certain circumstances — for example, while a dispute about accuracy is resolved.
Right to data portability (Article 20): Where processing is based on your consent or a contract and carried out by automated means, you may request your personal data in a structured, commonly used, machine-readable format.
Right to object (Article 21): You may object to processing based on legitimate interests. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests, or the processing is for legal claims.
Rights related to automated decision-making (Article 22): Roadmap does not make decisions about you based solely on automated processing that produce legal or similarly significant effects. AI analysis is always reviewed by a human attorney before any output is acted upon.
How to exercise your rights: Submit requests to privacy@useroadmap.co. We will respond within 30 days. If the request is complex, we may extend this by an additional 60 days, in which case we will notify you within the initial 30-day period.
Right to lodge a complaint: If you believe we have mishandled your personal data, you have the right to lodge a complaint with your local supervisory authority. In the EU, this is the data protection authority of your member state. You also have the right to seek a judicial remedy.
Cookie Policy
Marketing Site (useroadmap.co)
Our marketing site is powered by Ghost CMS. Ghost may place analytics cookies to measure visitor traffic and page performance. These cookies do not track individuals across third-party sites.
We do not operate our own advertising or cross-site tracking infrastructure on the marketing site. Where consent is required for non-essential cookies under applicable law, we will present a cookie consent mechanism before setting those cookies.
Platform (app.useroadmap.co)
The Roadmap platform uses session cookies set by Softr to authenticate your session. These are strictly necessary cookies — they are required for the platform to function and cannot be disabled without affecting your ability to log in. No consent is required for strictly necessary cookies under GDPR.
We do not use advertising or behavioral tracking cookies on the platform.
Children's Data
Roadmap is a professional legal services platform intended for use by businesses and adults. We do not knowingly collect personal data from individuals under the age of 16. If you believe a minor has provided personal data through our platform, contact privacy@useroadmap.co and we will promptly delete it.
Security
We implement technical and organizational measures designed to protect your personal data against unauthorized access, disclosure, alteration, or destruction. These include encryption in transit and at rest, access controls, and regular security reviews of our platform and sub-processors.
For a detailed description of our security practices, see our Security Page.
Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify affected individuals and relevant supervisory authorities as required by applicable law. Under GDPR, we will notify the relevant supervisory authority within 72 hours of becoming aware of a qualifying breach.
How to Contact Us
For data protection inquiries, subject access requests, or to exercise any of your rights under this policy:
Email: privacy@useroadmap.co
General inquiries: support@useroadmap.co
Mailing address: Roadmap Law PLLC / Roadmap Ventures LLC, New York, NY
We aim to respond to all data requests within 30 days.
Updates to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will update the "Last Updated" date at the top of this page and notify active clients by email at least 14 days before the changes take effect.
Your continued use of the Roadmap platform after a policy update constitutes acceptance of the revised terms.