Privacy Policy

Last Updated: December 28, 2025

Introduction

OneRouter ("we," "our," or "us") is committed to protecting the privacy and security of your personal information. This Privacy Policy explains how we collect, use, and safeguard your data when you use our payment integration platform.

By using OneRouter, you agree to the collection and use of information in accordance with this policy. If you do not agree with our practices, please do not use our service.

Information We Collect

1. Account Information

When you create an account with OneRouter, we collect:

  • Email address and name (via Clerk authentication)
  • Profile information you voluntarily provide
  • Account preferences and settings
  • Authentication tokens and session data

2. Payment Gateway Credentials

We store your payment gateway API credentials securely:

  • API keys and secrets (encrypted at rest using AES-256)
  • Provider-specific configuration data (Razorpay, PayPal, Stripe)
  • Environment settings (test/live)

Security: Credentials are encrypted using industry-standard AES-256-GCM encryption before storage. We never store them in plain text.

3. Transaction Data

We collect and process:

  • Payment transactions initiated through our platform
  • API request/response logs for debugging
  • Usage analytics and statistics
  • Error logs for troubleshooting
  • Webhook events from payment providers

4. Device and Usage Information

  • IP address for security and rate limiting
  • Browser type and version for compatibility
  • Operating system information
  • Timestamps and session identifiers

How We Use Your Information

Service Delivery

We use your information to:

  • Process and route payment transactions to payment gateways
  • Authenticate your API requests
  • Provide usage analytics and dashboards
  • Send transaction status updates via webhooks
  • Manage your payment gateway credentials
  • Provide customer support

Security & Fraud Prevention

Your data is used to:

  • Enforce rate limits to prevent abuse
  • Detect and block suspicious API activity
  • Verify webhook signatures for authenticity
  • Implement CSRF protection for web requests
  • Monitor for unauthorized access attempts

Analytics & Improvement

We use aggregated data to:

  • Improve API performance and reliability
  • Identify and fix bugs
  • Develop new features
  • Optimize user experience
  • Analyze usage patterns for capacity planning

Data Sharing & Third Parties

Payment Gateway Providers

We share necessary transaction data with your chosen payment gateway providers (Razorpay, PayPal, Stripe) to process payments. This includes:

  • Payment amounts and currency
  • Customer information (required by providers)
  • Transaction metadata for order tracking

What We Don't Share

  • We never sell your personal data to third parties
  • We don't share your data with advertisers
  • We don't use your payment gateway credentials for any purpose other than processing your requests
  • We don't provide your credentials to anyone, including law enforcement, without proper legal process

Data Transfers

If we transfer your business or assets to another entity:

  • You will be notified in advance
  • Your personal data will only be transferred with your consent
  • The transferee will be bound by this privacy policy

Data Security

Encryption

All sensitive data is protected:

  • Payment Gateway Credentials: AES-256-GCM encryption at rest
  • API Keys: SHA-256 hashing for storage
  • Data in Transit: HTTPS/TLS 1.3 encryption
  • Database: Encrypted PostgreSQL with access controls

Access Controls

We implement strict access controls:

  • Authentication via Clerk (OAuth 2.0 / JWT)
  • Role-based access control for admin functions
  • API key-based authentication with rate limiting
  • Session management with secure tokens
  • IP-based rate limiting and monitoring

Infrastructure Security

  • Secure hosting with DDoS protection
  • Regular security audits and penetration testing
  • Web application firewall (WAF)
  • Real-time threat monitoring
  • Automatic security updates

Your Rights

Access & Control

  • Access Your Data: You can request a copy of all personal data we have about you
  • Data Portability: Export your data in a machine-readable format
  • Delete Your Data: Request deletion of your account and all associated data
  • Opt-Out: Disable data collection for analytics (may affect some features)

Notification Rights

You will be notified if:

  • There is a data breach or security incident
  • Your credentials are accessed without authorization
  • We change how we handle your data
  • We receive a legal request to disclose your information

Consent Withdrawal

You can withdraw your consent at any time by:

  • Deleting your account
  • Revoking API key access
  • Removing payment gateway credentials
  • Contacting our support team

Note: Withdrawal of consent may result in inability to use some features of our service.

Data Retention

Retention Periods

  • Transaction Logs: Retained for 90 days for analytics
  • Error Logs: Retained for 30 days for debugging
  • Account Data: Retained until account deletion
  • API Keys: Retained until revocation or account closure

Deletion

When you delete your account:

  • All personal information is permanently deleted
  • API keys are revoked immediately
  • Payment gateway credentials are deleted from our systems
  • Some data may be retained for legal compliance purposes

Legal Requirements

We may retain data longer than specified if required by:

  • Law or legal obligations
  • Dispute resolution
  • Fraud investigation
  • Financial record-keeping requirements

Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our practices, technology, or legal requirements.

  • Notification: We will notify users of material changes via email or in-app notification
  • Effective Date: Changes become effective when posted on this page
  • Continued Use: Continued use of OneRouter after changes constitutes acceptance of the updated policy

We encourage you to review this policy periodically. Your continued use of our service indicates your acceptance of any changes.

International Data Transfers

OneRouter operates globally and may transfer data to countries outside your country of residence, including for:

  • Payment processing with international gateway providers
  • Cloud infrastructure hosting (data stored in secure data centers)
  • Customer support operations

When we transfer your data internationally, we ensure:

  • Adequate protection of your personal information
  • Compliance with applicable data protection laws
  • Appropriate safeguards for data security
  • Mechanisms for you to exercise your data protection rights

Contact Us

If you have questions or concerns about this privacy policy or our data practices, please contact us:

Email: privacy@onerouter.com

We typically respond to privacy inquiries within 30 days.
