Runchat Privacy Policy

Last updated: May 6, 2026

1. Introduction

This Privacy Policy explains how Runchat Pty Ltd ("Runchat", "we", "our", or "us"), an Australian company, collects, uses, discloses, stores, and protects personal information in connection with the Runchat website at https://runchat.com and our related applications, services, and software (collectively, the "Services").

This policy is a privacy notice. It does not by itself create blanket consent to all processing. Where we rely on consent, we ask for it separately and explain how you can withdraw it. This policy should be read together with our Terms of Service and, where applicable, our Data Processing Agreement ("DPA").

2. Who We Are and Our GDPR Roles

The data controller for account, billing, website, support, security, marketing, and product analytics data is:

Runchat Pty Ltd

Email: support@runchat.com

We have not appointed a data protection officer at this time. Privacy requests, questions, and complaints should be sent to the email address above or to our EU representative in Section 13.

For business and team customers, Runchat may act as a processor for Content that a customer submits to the Services for processing on behalf of that customer. In that case, the customer is usually the controller, and Runchat processes the Content under the customer's instructions, our Terms, and any applicable DPA. Runchat remains a controller for personal information we process for our own business purposes, such as account administration, billing, security, fraud prevention, and service analytics.

3. Information We Collect

3.1 Information You Provide

  • Account information: email address, display name, authentication identifiers, account settings, plan, team membership, and subscription status
  • Content: prompts, files, images, workflows, chats, generated outputs, artifacts, code, notes, and other materials you create, upload, publish, or share through the Services
  • Integration data: encrypted API keys, OAuth tokens, connected account identifiers, requested scopes, and allowed origins for third-party integrations you connect
  • Payment information: payment method, billing, invoice, tax, and transaction details processed by Stripe; we do not store full payment card details
  • Communications: support requests, contact form submissions, team invitations, marketing preferences, and other messages you send to us

3.2 Information Collected Automatically

  • Account and identification data: user ID, account ID, visitor ID, session identifiers, and email where you are signed in
  • Usage data: features used, workflows viewed or run, model selections, request volumes, credit usage, error events, subscription events, and product analytics events
  • Technical data: IP address, browser type, device information, operating system, referrer, current page, approximate location data provided by Cloudflare, and server logs
  • Security and abuse data: rate-limit signals, CAPTCHA/Turnstile verification results, login and authentication events, and information needed to investigate misuse of the Services

We do not sell personal data. We do not use third-party advertising SDKs or cross-context behavioural advertising trackers.

4. Cookies, Local Storage, and Similar Technologies

We use cookies, local storage, session storage, and similar browser technologies to operate and improve the Services. These include:

  • Authentication and security: authentication cookies, session cookies, OAuth state or user identifiers, and security checks
  • Service preferences: theme, tips, preferences, onboarding, cached data and similar product settings stored in local storage or session storage
  • Platform detection: a runchat-platform cookie used to identify the host application context for embedded use
  • Anti-abuse: Cloudflare Turnstile tokens and Cloudflare edge data used to verify contact forms, protect the Services, and detect abuse

We use these technologies where they are necessary to provide the Services or where we have a legitimate interest in operating, securing, debugging, and improving the Services. If we introduce non-essential analytics, advertising, or tracking cookies that require consent in your jurisdiction, we will request consent before using them.

5. How We Use Information and GDPR Legal Bases

Where the GDPR applies, we process personal information for the purposes and legal bases below.

| Purpose | Examples of data used | GDPR legal basis |
|---|---|---|
| Create and manage accounts | Email, display name, authentication identifiers, plan, team membership, approximate signup location | Contract, Art. 6(1)(b); legitimate interests in preventing duplicate, fraudulent, or abusive accounts, Art. 6(1)(f) |
| Provide workflows, collaboration, storage, AI features, and support | Content, prompts, files, generated outputs, workflow metadata, chats, support messages, encrypted integration credentials | Contract, Art. 6(1)(b); where Runchat is a processor, processing occurs under the customer's instructions and DPA |
| Route AI requests and connected integrations | Prompts, files, model selections, OAuth tokens, API keys, provider request and response metadata | Contract, Art. 6(1)(b); consent for optional connected accounts where required, Art. 6(1)(a) |
| Process payments and subscriptions | Billing details, plan, invoices, tax records, Stripe customer and subscription identifiers | Contract, Art. 6(1)(b); legal obligation, Art. 6(1)(c) |
| Send service communications | Email, account status, billing events, security events, team invitations, support updates | Contract, Art. 6(1)(b); legitimate interests in operating the Services, Art. 6(1)(f) |
| Send marketing communications | Email, display name, mailing list status, unsubscribe token, product interest | Consent where required, Art. 6(1)(a); legitimate interests where permitted by law, Art. 6(1)(f) |
| Secure the Services and prevent abuse | IP address, device and browser data, logs, Turnstile verification, rate-limit events, usage patterns | Legitimate interests in security, fraud prevention, and service reliability, Art. 6(1)(f); legal obligation where applicable, Art. 6(1)(c) |
| Product analytics and improvement | Aggregated or pseudonymised usage events, feature usage, request volumes, credit usage, error logs | Legitimate interests in improving, maintaining, and planning the Services, Art. 6(1)(f) |
| Comply with legal obligations and enforce terms | Account, billing, security, support, and usage records relevant to legal requests or disputes | Legal obligation, Art. 6(1)(c); legitimate interests in establishing or defending legal claims, Art. 6(1)(f) |

When we rely on legitimate interests, we balance those interests against your rights and expectations. You can object to processing based on legitimate interests as described in Section 15.

6. AI Features and Model Training

Runchat does not train AI models on your Content. We do not use your prompts, files, workflows, chats, generated outputs, or other Content to train, fine-tune, or improve any AI model operated by Runchat. This commitment is also reflected in Section 5.3 of our Terms of Service.

When you use AI features, Runchat sends the information needed to fulfil your request to the selected AI provider or integration. How this works depends on the provider path:

  • Vertex AI through Runchat-managed configuration: where Runchat provides access to Google Cloud Vertex AI, we treat Google Cloud / Vertex AI as a Runchat sub-processor where GDPR processor rules apply. Content transmitted to Vertex AI is not used by Google to train or improve their models, based on Google's commitments for Vertex AI and the Limited Use requirements in Google's User Data Policy. See Section 19 for more on our compliance with Google's policies.
  • User-selected providers and bring-your-own-key integrations: for other AI providers, model routers, custom endpoints, API keys, OAuth accounts, or third-party services you connect or select, you direct Runchat to transmit the relevant Content to that provider. That provider's own terms and privacy policy may apply to its independent processing, including any model improvement or training settings available under your provider account.

You should not submit personal data, confidential information, or regulated data to an AI provider unless you have the right to do so and are satisfied with that provider's terms.

7. Data Storage and Hosting

  • Account data, authentication, workflow data, Content metadata, and application data: stored primarily in Australia
  • Uploaded files, generated images, artifacts, and other binary Content: stored on Cloudflare's global network closest to the user's request
  • Application compute, CDN, security, CAPTCHA, and edge networking: provided through Cloudflare's global network
  • Database backups: point-in-time recovery backups retained for 7 days, primarily in Australia where configured

Some uploaded or generated assets are made available through public URLs so they can be displayed, downloaded, embedded, or shared in the Services. Treat any public asset URL as accessible to anyone who has the URL.

8. Content Visibility and Sharing

  • Pro and Enterprise plans: workflows are private to your team by default unless you publish, share, or otherwise make them public.
  • Starter and Hobby plans: workflows and related assets may be visible to anyone with the URL or through public/gallery features, unless a private-workflow feature has been separately enabled for your account or plan.
  • Published or shared Content: published workflows, public artifacts, gallery entries, public profile pages, shared assets, and public-by-link URLs may be viewed, copied, downloaded, indexed, or re-shared by people who can access them.

You can delete or unpublish Content where the Services provide that control. Deletion or unpublishing may not remove copies already accessed, saved, cached, indexed, or re-shared by others outside Runchat's control.

Section 5 of our Terms of Service describes the licence you grant Runchat to host, display, publish, and process Content as needed to provide the Services.

9. Sub-processors and Third-Party Providers

We use third-party providers to help deliver the Services. The main providers include:

| Provider | Purpose | Role | Typical processing location |
|---|---|---|---|
| Cloudflare, Inc. | Application hosting, edge compute, CDN, R2/blob storage, image storage, security, Turnstile, edge analytics, networking, and transactional, support, invitation, and marketing email delivery | Runchat service provider / sub-processor | United States / global edge |
| Supabase Inc. | Database, authentication, storage, realtime collaboration, and presence | Runchat service provider / sub-processor | Australia and other Supabase infrastructure as configured |
| Stripe, Inc. | Payment processing, subscriptions, invoicing, tax and billing records | Payment processor / service provider | United States and other Stripe infrastructure |
| Google Cloud Vertex AI | AI inference when Runchat provides Vertex AI access | Runchat sub-processor for that AI processing | United States / global Google infrastructure |
| Google APIs and OAuth services | Google integrations you connect, such as OAuth-authorised Google API access | User-connected third-party provider | United States / global Google infrastructure |
| FAL AI | AI inference, image generation, video generation, model hosting, and related generation workflows selected or connected by the user | User-selected third-party provider | United States / global infrastructure |
| OpenRouter | AI inference routing to underlying model providers selected or connected by the user | User-selected third-party provider | United States / global infrastructure |
| Other user-selected AI or API providers | BYO API key integrations and custom model endpoints, such as Together, Groq, Cerebras, Inference.net, or other providers you choose | User-selected third-party provider | Depends on the provider |

Where a provider is a Runchat sub-processor, we require appropriate data protection terms, including Standard Contractual Clauses where needed. Where you connect or select your own third-party service, model provider, model router, endpoint, or API key, that provider may act as an independent controller or processor under its own terms.

We may update this list as the Services evolve. Material changes that affect how your personal data is processed will be notified as described in Section 19.

10. International Data Transfers

Runchat is established in Australia. Your personal information may be transferred to, stored in, or accessed from Australia, the United States, the European Union, and countries reached through global cloud, edge, email, payment, AI, and support infrastructure.

11. Data Retention

We keep personal information only for as long as needed for the purposes described in this policy, unless a longer retention period is required by law or needed to resolve disputes, enforce agreements, or maintain security.

  • Account and profile data: retained while your account is active and for a reasonable period after closure where needed for legal, security, or business records
  • Content and workflow data: retained for the duration of your active subscription or account, unless deleted earlier by you or under the Terms
  • Free plan accounts: accounts inactive for 180 continuous days may be marked dormant and have associated Content deleted after prior email notice, as described in the Terms
  • Published or shared Content: retained while published or shared, and for a limited period after deletion or unpublishing in backups, caches, and logs
  • OAuth tokens and API keys: retained until you remove the integration, delete your account, or request deletion, subject to legal and backup retention
  • Backups: database point-in-time recovery backups are retained for 7 days; deleted data is purged from those backups as the backup window rolls over
  • Billing, invoice, and tax records: retained as required by Australian tax and accounting law, typically 7 years
  • Security logs and abuse records: retained for as long as reasonably necessary to secure the Services and investigate abuse
  • Support communications: retained for as long as reasonably necessary to provide support and maintain business records
  • Marketing records: retained until you unsubscribe or ask us to delete them, unless we need limited records to honour suppression requests

12. Account Deletion

You may request deletion of your account and associated Content at any time by emailing support@runchat.com. We will delete personal data from active systems within 30 days of verifying the request, except where we must retain information for legal, security, billing, dispute, or fraud-prevention reasons. Data in backups will be deleted as the 7-day backup rotation expires.

Deletion of your account may not remove Content already published, shared, cached, indexed, copied, downloaded, or re-shared outside Runchat's control.

13. EU Representative

We have appointed Prighter Group with its local partners as our privacy representative and point of contact in the European Union.

EU data subjects may contact us through Prighter to exercise privacy rights or ask privacy-related questions. To contact Prighter, visit: https://app.prighter.com/portal/13777888813

14. Data Processing Agreement

We provide a DPA to business customers where Runchat processes personal data on their behalf. The DPA includes Standard Contractual Clauses where required for international transfers. To request a DPA, email support@runchat.com.

15. Your Rights

Depending on your location, you may have the following rights in relation to your personal information:

  • Right of access: obtain a copy of the personal data we hold about you
  • Right to rectification: correct inaccurate or incomplete data
  • Right to erasure: request deletion of your data
  • Right to restrict processing: ask us to limit how we use your data in certain circumstances
  • Right to object: object to processing based on legitimate interests or direct marketing
  • Right to data portability: receive your data in a structured, commonly used, machine-readable format, or have it transmitted to another controller where technically feasible
  • Right to withdraw consent: withdraw consent where processing is based on consent
  • Right not to be subject to certain solely automated decisions: object to decisions based solely on automated processing that produce legal or similarly significant effects
  • Right to lodge a complaint: complain to a data protection supervisory authority in your jurisdiction

To exercise these rights, email support@runchat.com or contact our EU representative in Section 13. We will respond within 30 days of receipt, in line with GDPR Art. 12(3). For complex or numerous requests, we may extend this by up to two further months and will notify you of any extension within the first 30 days.

We may need to verify your identity before acting on a request. If Runchat processes Content as a processor for a business customer, we may direct you to that customer or work with that customer to respond.

16. Automated Decision-Making

We do not use personal information to make decisions based solely on automated processing that produce legal or similarly significant effects for users. AI outputs are generated in response to user instructions, but Runchat does not use those outputs to make legal or similarly significant decisions about you.

17. Data Security

We take reasonable technical and organisational measures to protect personal information against loss, theft, misuse, unauthorised access, disclosure, alteration, and destruction. These include:

  • Encryption in transit using TLS
  • Encryption of secrets, credentials, API keys, and OAuth tokens at rest
  • Access controls for production systems and customer data
  • Logging, monitoring, rate limits, and abuse-detection controls
  • Reasonable efforts to redact identifying information from operational logs
  • Backups and disaster-recovery processes

No system is perfectly secure, and we cannot guarantee absolute security. If we become aware of a personal data breach that requires notification, we will notify affected users and regulators where required by law.

18. Children's Privacy

The Services are not directed to individuals under 18, and we do not knowingly collect personal information from children. If we become aware that we have collected personal data from a child, we will delete it promptly.

19. Limited Use of Google User Data

If you connect your Google account to Runchat, our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

  • We use Google user data only to provide or improve user-facing features that are prominent in the Services
  • We only transfer Google user data:
    • To provide or improve features you request or enable
    • For security purposes, such as investigating abuse
    • To comply with applicable law
    • In a merger, acquisition, or sale of assets, where permitted by law and applicable Google policy
  • Our staff only access Google user data with your consent, for security purposes, to provide support you request, or to comply with law
  • We do not sell Google user data, transfer it for advertising, or use it for credit or lending decisions
  • We do not use Google user data to train AI models unless you explicitly direct us to submit that data to a model provider as part of a feature you use and that use is allowed by Google policy

You can review Google's Privacy Policy at https://policies.google.com/privacy.

20. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will post the updated policy on this page and revise the "Last updated" date. Material changes will be communicated by email or in-product notice where appropriate.

21. Contact

Runchat Pty Ltd

Email: support@runchat.com

EU representative: Prighter (see Section 13)