Privacy Policy
Last updated: March 19, 2026
1. Scope
This Privacy Policy explains how SpiceRouter collects, uses, discloses, and protects personal information through the SpiceRouter website, Management Portal, subscriptions, billing, support, managed networking and diagnostics features, and related communications and integrations.
This Policy is intended to comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation. Where other privacy laws apply, SpiceRouter will handle personal information in accordance with the requirements of those laws to the extent applicable.
2. What We Collect
Account and contact information
Name, email address, organization or household name, billing information, support contact details, and account credentials.
Transaction and billing information
Subscription details, invoices, payment status, plan selection, and limited payment metadata. Payment card processing is handled by third-party processors; SpiceRouter does not store full payment card numbers.
Device information
Device serial numbers, MAC addresses, hardware model identifiers, firmware version, and registration status. This information identifies a SpiceRouter Device, not the individuals using the network behind it.
Network management and configuration data
Site and workspace names, network configuration settings, labels, SSID names, and DNS Filtering preferences configured by Customer through the Management Portal.
Telemetry and diagnostic data
Device health metrics (CPU utilization, memory usage, uptime, temperature), bandwidth utilization statistics, connected client counts (aggregate number of devices — not individual device identities or names), DNS query volume statistics (total queries and blocked query counts — not individual query content), security event summaries, VPN and tunnel connection status, and Wi-Fi signal quality metrics.
Usage and technical information
IP address, browser and device data, authentication logs, product usage metrics within the Management Portal, and dashboard interaction data.
Communications and preferences
Messages sent to support, onboarding, and sales channels, as well as consent and communication preferences.
3. What We Do NOT Collect
SpiceRouter is a managed networking service — not a surveillance tool. We want to be clear about what we do not collect:
- Network traffic content: SpiceRouter does not inspect, log, or store the content of network traffic (web pages, emails, file transfers, messages, or application data) passing through the Device.
- Browsing history: We do not collect, store, or transmit the browsing history of any user on Customer's network. DNS Filtering operates at the domain level; individual DNS queries are not stored centrally.
- Individual device identities: While we count the number of connected clients for aggregate statistics, we do not collect the names, MAC addresses, or identities of downstream devices connected to the SpiceRouter network (other than the SpiceRouter Device itself).
- Encrypted traffic content: SpiceRouter does not perform deep packet inspection, SSL/TLS interception, or content inspection of encrypted traffic.
- Keystroke or application data: We do not monitor keystrokes, application usage, or user behavior on devices connected to the network.
4. How We Use Personal Information
We use personal information to:
- provide and manage the Service, including Device provisioning, monitoring, and Remote Management;
- authenticate users and administer accounts;
- process subscriptions and payments;
- operate, diagnose, secure, and improve the Service using Telemetry Data;
- provide DNS Filtering functionality;
- send service notices, support communications, firmware update notifications, and security alerts;
- send marketing communications where permitted by law;
- investigate incidents, fraud, abuse, or security events; and
- comply with legal obligations.
5. Telemetry and Diagnostics
Because SpiceRouter is a managed networking service, Devices collect and transmit Telemetry Data as described in Section 2. This data is used to:
- monitor Device health and detect hardware or software issues;
- measure network performance and identify connectivity problems;
- track DNS Filtering effectiveness (aggregate blocked query counts, not individual queries);
- detect security anomalies and potential threats;
- deliver firmware updates and apply configuration changes; and
- improve the Service through aggregated analytics.
We limit Telemetry Data collection to what is reasonably necessary for these purposes.
6. DNS Filtering Data
SpiceRouter provides DNS Filtering through AdGuard Home, which runs locally on the Device. DNS queries are:
- resolved locally on the Device or forwarded to upstream DNS resolvers;
- processed for the purpose of blocking known advertising, tracking, and malicious domains; and
- counted in aggregate (total queries, blocked queries) for service quality and dashboard display.
Individual DNS queries are not stored centrally or transmitted to SpiceRouter's servers. Aggregate statistics (query counts, block rates) may be included in Telemetry Data. The DNS Filtering blocklists are updated periodically and may be customized by Customer through the Management Portal.
7. Household and Business Network Users
If Customer uses SpiceRouter in a home or business, other people using the network (family members, employees, guests, visitors) are not direct users of the SpiceRouter service and do not create accounts.
SpiceRouter does not collect personal information about these network users beyond the aggregate device counts described in Section 2. If Customer enables DNS Filtering, it applies to all devices on the network; SpiceRouter does not track which network user triggered which DNS query.
Customer is responsible for informing network users about the presence of DNS Filtering and any other network management features, as appropriate for their context.
8. Consent and Legal Bases
SpiceRouter relies on the following legal bases for processing personal information, as applicable under PIPEDA:
- Consent — where you have provided express or implied consent, such as when creating an account or enabling specific features;
- Contractual necessity — where processing is necessary to provide the Service;
- Legitimate business purposes — where processing is necessary for SpiceRouter's legitimate interests (security, fraud prevention, service improvement) and those interests are not overridden by your privacy rights;
- Legal obligations — where processing is required by law.
9. Disclosure of Personal Information
We may disclose personal information to:
- Service providers assisting with hosting, support, analytics, payment processing, communications, identity, and infrastructure (including Cloudflare, Supabase, and Stripe);
- Authorized administrators on the same account or workspace;
- Regulators, law enforcement, or other authorities where required or permitted by law; and
- A purchaser or successor in a transaction involving our business.
SpiceRouter does not sell personal information.
10. Cookies and Similar Technologies
We may use cookies and similar technologies on the SpiceRouter website and Management Portal for:
- Authentication and session management — keeping users signed in and maintaining session state;
- Analytics — measuring traffic and usage patterns to improve the Service; and
- Preferences — remembering dashboard settings and display preferences.
11. Marketing and CASL
If SpiceRouter sends commercial electronic messages, we comply with Canada's Anti-Spam Legislation (CASL), including by obtaining consent, providing identification information, and offering a functioning unsubscribe mechanism.
12. Retention
We retain personal information for as long as reasonably necessary for the purposes described in this Policy:
- Account Data is retained during the account relationship and for a reasonable period thereafter.
- Telemetry Data is retained in accordance with the applicable plan's metrics retention period (e.g., 7 days for Free, 30–90 days for Pro).
- Billing and transaction records are retained for the period required by applicable tax and accounting laws.
- Support communications are retained for a reasonable period for quality and dispute resolution purposes.
13. Security
We use reasonable administrative, technical, and organizational safeguards to protect personal information and Service data, including encryption in transit, access controls, and monitoring. No method of storage or transmission is perfectly secure.
14. Cross-Border Processing
SpiceRouter is based in Ontario, Canada. Personal information may also be processed by our service providers in other jurisdictions, including through Cloudflare's global edge network and Oracle Cloud Infrastructure. Where personal information is processed outside Canada, it may be subject to the laws of those jurisdictions.
15. Access, Correction, and Privacy Rights
Subject to applicable law, you may:
- request access to your personal information held by SpiceRouter;
- request correction of inaccurate personal information;
- withdraw consent to certain processing activities; and
- file a complaint with the Office of the Privacy Commissioner of Canada or the applicable provincial authority.
SpiceRouter may need to verify identity before responding to a request.
16. Children
The Service is not intended for children under the age of sixteen (16). SpiceRouter does not knowingly collect personal information from children. If a SpiceRouter Device is used in a household with children, the account holder (parent or guardian) is responsible for the account and for supervising network use.
17. Changes to This Policy
We may update this Privacy Policy by posting a revised version with a new "Last Updated" date. Material changes will be communicated through the Management Portal, by email, or by other reasonable means.
Contact
If you have questions about this Privacy Policy, please contact us at privacy@spicerouter.com or visit our Support page.
Privacy authority: Office of the Privacy Commissioner of Canada — priv.gc.ca