Privacy Policy

RunSite ("we", "us", or "our") operates a cloud Platform-as-a-Service (PaaS) available at runsite.app. We are committed to protecting the personal data of our users and customers in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and other applicable EU and EEA privacy laws.

For the purposes of GDPR, RunSite acts as the Data Controller for personal data collected through this website and the platform. Our infrastructure and the data we process on your behalf is hosted exclusively within the European Economic Area (EEA). Where we engage third-party service providers who process personal data, we do so under binding Data Processing Agreements (DPAs) that ensure an equivalent level of protection.

For any privacy-related inquiries, please contact us at support@runsite.app.

We collect personal data in the following categories:

• Account data: name, email address, hashed password, and account preferences you provide when registering.
• Billing data: billing name, country, and VAT number where applicable. Full payment card details are handled exclusively by our payment processor and are never stored on RunSite systems.
• Usage data: IP addresses, browser type and version, operating system, pages and features accessed, timestamps, and actions taken within the platform.
• Application data: source code, environment variables, logs, and database contents you deploy to the platform. We process this data solely on your instructions as a Data Processor.
• Support communications: messages you send to our support team, including any personal data contained therein.
• Cookie and tracking data: session identifiers and analytics identifiers described in Section 8.

We process your personal data only where we have a valid legal basis under Article 6 GDPR:

• Provision and operation of the platform, including deployment pipelines, managed databases, and scheduled jobs.
• Processing payments and issuing invoices, including VAT where required under EU regulations.
• Sending transactional notifications (deployment status, billing receipts, security alerts). These are part of the service and cannot be opted out of while you hold an active account.
• Providing technical support and responding to inquiries.
• Detecting, investigating, and preventing security incidents, abuse, and violations of our Terms of Service.
• Conducting aggregated, anonymised analysis to improve platform performance and features.
• Fulfilling legal and regulatory obligations.

We never sell your personal data to third parties, and we never use your application data for advertising or model training purposes.

We engage a limited set of trusted sub-processors to help deliver our services. Each sub-processor is bound by a DPA that imposes data protection obligations consistent with GDPR. Categories of sub-processors include:

• Cloud infrastructure providers — for compute, storage, and networking underlying the platform.
• Payment and billing processors — for secure payment collection, subscription management, invoice generation, and VAT compliance. Our payment processor acts as Merchant of Record for transactions where applicable, meaning they are legally responsible for the sale and tax remittance.
• Transactional email providers — for delivery of account and billing notifications.
• Analytics providers — for aggregated, privacy-preserving usage analytics.
• Customer support tooling — for managing support tickets and communications.

We do not disclose personal data to any other third party except when required to do so by applicable law, court order, or to protect the rights, property, or safety of RunSite, our users, or the public. We will notify you of any such disclosure to the extent permitted by law.

Our primary infrastructure is located within the European Economic Area (EEA). Where a sub-processor operates outside the EEA, we ensure that any transfer of personal data is subject to appropriate safeguards as required by Chapter V of GDPR, including:

• An adequacy decision by the European Commission (e.g., EU–US Data Privacy Framework).
• Standard Contractual Clauses (SCCs) adopted by the European Commission.
• Binding Corporate Rules (BCRs) approved by a competent supervisory authority.

You may request a copy of the applicable transfer mechanisms by contacting support@runsite.app.

We retain personal data only for as long as necessary to fulfil the purpose for which it was collected, or as required by law:

• Account data is retained for the duration of your account and deleted within 30 days of account closure, unless a longer retention period is required by law.
• Billing and invoice records are retained for 7 years to comply with EU accounting and tax regulations.
• Platform logs (access logs, deployment logs) are retained for up to 90 days for security and debugging purposes.
• Support communications are retained for 2 years from the date of resolution.
• Anonymised and aggregated analytics data may be retained indefinitely as it no longer constitutes personal data.

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, accidental loss, destruction, or disclosure, including:

• Encryption of data in transit using TLS 1.2 or higher.
• Encryption of data at rest using AES-256.
• Tenant-level isolation: each customer's resources and data are logically separated.
• Role-based access controls limiting internal access to personal data on a need-to-know basis.
• Regular vulnerability scanning and security reviews.
• Incident response procedures with notification timelines compliant with Art. 33 GDPR (72-hour supervisory authority notification) and Art. 34 GDPR (data subject notification where required).

No method of transmission over the internet or electronic storage is 100% secure. We encourage you to use a strong, unique password and enable two-factor authentication on your account.

We use the following categories of cookies:

• Strictly necessary cookies: required for authentication, session management, and CSRF protection. These cannot be disabled without impairing core functionality.
• Analytics cookies: used to measure aggregate usage patterns (page views, feature adoption). These are set only with your consent and process data in an anonymised or pseudonymised form where possible.

You can manage or withdraw cookie consent at any time via your browser settings or our cookie preference centre. Withdrawing consent for analytics cookies does not affect the operation of the platform.

As a data subject in the EU/EEA, you have the following rights under GDPR:

• Right of access (Art. 15): request a copy of the personal data we hold about you.
• Right to rectification (Art. 16): request correction of inaccurate or incomplete data.
• Right to erasure (Art. 17): request deletion of your personal data where no overriding legal basis exists for retention.
• Right to restriction of processing (Art. 18): request that we limit how we use your data in certain circumstances.
• Right to data portability (Art. 20): receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.
• Right to object (Art. 21): object to processing based on legitimate interests, including profiling.
• Right to withdraw consent (Art. 7(3)): withdraw consent at any time where processing is consent-based, without affecting the lawfulness of prior processing.
• Right to lodge a complaint: you have the right to lodge a complaint with your national supervisory authority or the lead supervisory authority in the EU.

To exercise any of these rights, contact us at support@runsite.app. We will respond within 30 days as required by Art. 12 GDPR. Identity verification may be required before we fulfil your request.

Our platform is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a minor, please contact us immediately at support@runsite.app and we will delete it promptly.

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. When we make material changes, we will notify you by email (at the address associated with your account) and by updating the "Last updated" date at the top of this page. We encourage you to review this policy periodically. Continued use of the platform after the effective date of any changes constitutes your acceptance of the revised policy.

For questions, requests, or complaints regarding this Privacy Policy or our data practices, please contact:

• Email: support@runsite.app

If you are not satisfied with our response, you have the right to lodge a complaint with the supervisory authority in your EU/EEA member state of residence or the competent lead supervisory authority.