Privacy Policy

Last Updated: June 2026

1. Who We Are

RunoSO is operated by Gautam Parmar, Vadodara, Gujarat, India. Data Controller contact: privacy@runoso.in. We are subject to India's Digital Personal Data Protection Act (DPDP) 2023, GDPR (for EU users), and CCPA (for California users).

2. Data We Collect

When you sign up:

  • Full name
  • Email address
  • Profile photo (Google OAuth only)
  • Google account ID (OAuth only)
  • Password hash (email signup only — we never store plain passwords)

When you use the platform:

  • All data you create: clients, projects, invoices, tasks, content, vault items, assets, investments
  • Usage data: features used, pages visited, actions taken
  • Last active timestamp

When you pay:

  • Billing plan and status
  • Stripe customer ID and subscription ID
  • Payment history (amounts, dates)

Note: We never see or store your credit card number — Stripe handles all payment data.

Automatically collected:

  • IP address (for security logging)
  • Browser and device type
  • Country/timezone (for currency detection)
  • Cookies (see Cookie Policy)

3. Why We Collect It (Legal Basis)

Contract performance:

  • To provide the RunoSO service
  • To process your subscription
  • To send billing receipts

Legitimate interests:

  • Security and fraud prevention
  • Product improvement
  • Customer support

Legal obligation:

  • Billing records (tax compliance)
  • Responding to legal requests

Consent (where required):

  • Marketing emails (you can opt out anytime)
  • Non-essential cookies (EU users)

4. How We Store Your Data

Your account data lives in an isolated Neon Postgres database schema — completely separate from all other users' data. Vault credentials are encrypted before storage. Data is hosted in the United States (Neon — us-east-1, Vercel — global CDN). We use industry-standard security practices including HTTPS everywhere, encrypted connections, and access controls.

5. Third Party Processors

We share data with these processors to run the service:

  • Stripe (stripe.com) — Purpose: Payment processing. Data: Email, name, billing info. Location: United States. Policy: stripe.com/privacy.
  • Google (google.com) — Purpose: OAuth login (if used). Data: Name, email, profile photo. Location: United States. Policy: policies.google.com/privacy.
  • Resend (resend.com) — Purpose: Transactional emails. Data: Name, email. Location: United States. Policy: resend.com/legal/privacy-policy.
  • Vercel (vercel.com) — Purpose: Application hosting. Data: IP address, request logs. Location: Global CDN. Policy: vercel.com/legal/privacy-policy.
  • Neon (neon.tech) — Purpose: Database hosting. Data: All user-created data. Location: United States (us-east-1). Policy: neon.tech/privacy.

We do not sell your data to anyone. We do not share your data with advertisers.

6. Your Rights

All users:

  • Access: request a copy of your data
  • Correction: fix inaccurate data
  • Deletion: delete your account and data
  • Export: download all your data as JSON

EU users (GDPR):

  • Restrict processing
  • Object to processing
  • Data portability
  • Withdraw consent
  • Lodge a complaint with your supervisory authority

California users (CCPA):

  • Know what data is collected
  • Delete your data
  • Opt out of sale (we don't sell data)
  • Non-discrimination for exercising rights

India users (DPDP):

  • Access and correction rights
  • Deletion on request
  • Grievance redressal

To exercise any right, email privacy@runoso.in. We respond within 30 days. For account deletion, navigate to Settings → Account → Delete Account.

7. Data Retention

Active account: data is kept while the account exists.

After deletion:

  • All personal data is removed within 30 days.
  • Billing records are retained for 7 years (Indian tax law requirement).
  • Anonymised usage statistics may be retained indefinitely.

8. Children's Privacy

RunoSO is not directed at anyone under 18 years old. We do not knowingly collect data from minors. If you believe a minor has signed up, contact hello@runoso.in and we will delete the account immediately.

9. International Transfers

Your data is stored in the United States. For EU users, we rely on Standard Contractual Clauses (SCCs) for international data transfers. For India users, transfers are made in accordance with the provisions of the DPDP Act.

10. Security

We implement industry-standard encryption for vault data, HTTPS everywhere, isolated databases per user, hashed passwords, and signed httpOnly authentication cookies. No system is 100% secure. In the event of a security breach affecting your data, we will notify you within 72 hours.

11. Changes to This Policy

We will notify you by email 30 days before material changes take effect. The latest version is always located at runoso.in/privacy.

12. Contact & Grievance Officer

Privacy questions or requests:
Email: privacy@runoso.in
Grievance Officer (DPDP): Gautam Parmar — privacy@runoso.in
Response time: within 30 days.