Privacy Policy

Last updated: June 10, 2026

This Privacy Policy describes how Road to Offer(“we,” “us,” or “our”) collects, uses, and shares information when you use our website at roadtooffer.comand related services (the “Service”). It covers the lawful bases we rely on, the processors we use, how long we keep data, international transfers, and your rights under the GDPR and UK GDPR.

1.Who We Are (Data Controller)

The data controller responsible for your personal data is [ENTITY-TODO: legal entity name + form], registered at [ENTITY-TODO: registered address], operating the website at roadtooffer.comand related services (the “Service”). You can reach our privacy contact at support@roadtooffer.com.

2.Information We Collect

2.1 Information You Provide

  • Account information: Name, email address, and password when you create an account (or information from third-party sign-in providers like Google).
  • Payment information: Billing details processed securely by our payment processor (Stripe). We do not store full credit card numbers.
  • Case practice data: Your responses, transcripts, and voice recordings during practice sessions.
  • Support chat contents: Messages you send through our in-product live chat or by email.

2.2 Information Collected Automatically

  • Usage data: Pages visited, features used, session duration, and interaction patterns.
  • Session replay: On key pages (e.g. pricing and conversion flows) we may record a replay of on-site interactions — mouse movement, clicks, and scrolling — to diagnose usability issues. Sensitive inputs are masked. This is consent-gated in the EU/UK/CH.
  • Device information: Browser type, operating system, device type, and screen resolution.
  • Log data: IP address, access times, and referring URLs.
  • Cookies and similar technologies: See the cookie table in Section 9.

3.How We Use Your Information (Purposes & Lawful Bases)

Under the GDPR we process your data only where we have a lawful basis. The table below sets out each purpose and the basis we rely on.

PurposeLawful basis
Provide and maintain the Service (account, practice sessions)Performance of a contract
Billing and payment processingContract / legal obligation
AI evaluation of practice responses and voicePerformance of a contract
Security, fraud, and abuse preventionLegitimate interest
Product analytics and session replayConsent (EU/UK/CH) / legitimate interest (elsewhere)
Advertising and conversion measurementConsent
Marketing emailConsent, or soft opt-in with an opt-out in every message
Compliance with legal obligationsLegal obligation

4.AI Processing

Your case practice data (responses, transcripts, voice recordings) is processed by third-party AI providers to generate evaluations, scores, and coaching feedback. Voice is transcribed to text before analysis. This data is:

  • Sent to AI providers only to generate your evaluation or transcription
  • Not used to train the providers' models, subject to each provider's terms
  • Processed under our agreements with these providers (see Section 5)

5.Processors & Recipients

We do not sell your personal data. We share it with the service providers below, who process it on our behalf under data-processing agreements. We may also disclose data where required by law, or in connection with a merger, acquisition, or sale of assets.

ProviderPurpose
StripePayment processing
SupabaseDatabase and authentication
VercelHosting and delivery
PostHogProduct analytics and session replay
DataFastAnalytics
SentryError monitoring
ResendTransactional and marketing email
CrispSupport chat
AhrefsAnalytics
Google AdsAdvertising and conversion measurement
OpenRouter, GroqAI processing, including voice transcription
OpenAINon-STT AI fallback paths, including voice audio generation

AI inputs are not used to train provider models, subject to each provider's terms.

6.Data Retention

DataRetention period
Account dataLife of the account + 30 days after a deletion request
Practice data / transcriptsUntil account deletion
Payment & tax recordsAs required by law (typically up to 10 years)
Analytics dataUp to 24 months
Support conversationsUp to 2 years

7.International Transfers

Your information may be processed outside your country, including in the United States. Where a provider is certified under the EU-US Data Privacy Framework, we rely on that framework. Otherwise we rely on the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum where applicable) to safeguard your data.

8.Your Rights

Subject to applicable law, you have the right to:

  • Access the personal data we hold about you (Art. 15)
  • Rectify inaccurate or incomplete data (Art. 16)
  • Erase your data (Art. 17)
  • Restrict processing (Art. 18)
  • Receive your data in a portable format (Art. 20)
  • Object to processing, including direct marketing (Art. 21)
  • Withdraw consent at any time, without affecting prior processing
  • Lodge a complaint with your supervisory authority

To exercise these rights, contact us at support@roadtooffer.com. We will respond within one month. You may also manage analytics, advertising, and chat cookies at any time via the cookie banner or the “Cookie preferences” link in the site footer. If you are in the EU/EEA, UK, or Switzerland, you may lodge a complaint with your local data protection authority.

9.Data Security & Breach Notification

We implement appropriate technical and organizational measures to protect your data, including encryption in transit (TLS) and at rest, access controls, and regular security reviews. No method of transmission or storage is 100% secure. In the event of a personal data breach, we will notify the competent supervisory authority within 72 hours and affected users without undue delay where legally required.

10.Cookies & Local Storage

We use the cookies and browser storage below. In the EU/EEA, UK, and Switzerland, non-essential categories load only after you consent via our cookie banner. You can change your choices anytime through the “Cookie preferences” link in the footer.

Cookie / storagePurposeCategory
sb-*Supabase authentication sessionEssential
rto_consentStores your cookie consent choiceEssential
rto_geoCountry code used to decide whether to show the bannerEssential
ph_*PostHog analytics & session replayAnalytics (consent-gated in EU)
rto_blog_capture / rto_blog_capture_dismissedRemembers blog lead-capture stateFunctional
Crisp cookiesSupport chat sessionSupport chat (consent-gated in EU)
DataFastAnalyticsAnalytics (consent-gated in EU)

11.Children's Privacy

The Service is not intended for children under 16. We do not knowingly collect personal data from children under 16. If you believe we have, please contact us.

12.Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service. Your continued use after changes take effect constitutes acceptance of the updated policy.

13.Contact Us

If you have questions about this Privacy Policy or your personal data, contact us at: