GDPR Compliance

Last updated: 15 April 2025

Our privacy commitments

At Runn, we genuinely care about your privacy. We are ready to support you in your role as a data controller and committed to ensuring all personal data we hold and process is safe and secure. As part of this commitment we have undertaken steps to meet GDPR compliance, including:

  1. Not sharing personal data with third parties purely for analytics or advertising purposes.
  2. Automatically deleting any personal data that is no longer deemed required. 
  3. Allowing users and organizations to delete the personal data they control.
  4. Providing data subjects with access to their personal data, if requested.
  5. Building in “privacy by design” as we develop and enhance the Runn product and services.  
  6. Regularly reviewing our privacy statements, DPA, and internal documentation and processes. 
  7. Appointing a Privacy Officer (privacy@runn.io) to oversee privacy matters.
  8. Offering a Data Processing Agreement (DPA) memorializing our obligations as a data processor. 

Data Processing Agreement (DPA)

If you are doing business in the EU, our terms of service include the Runn Data Processing Agreement. Working with external legal counsel we regularly update this document to be in compliance with GDPR and other generally acceptable privacy laws. Should you require a signed version, please contact us at privacy@runn.io


Runn sub-processors

As outlined in our DPA, we may use third party service providers to assist us with data processing activities. Where we act as a data processor, these third parties are known as sub-processors. You will find a list of our sub-processors, along with the reason for processing and where the data is held below. From time to time, we may need to add or remove a sub-processor if we feel it is necessary. If you would like to receive email updates about new sub-processors, you can opt in to sub-processor updates here.

  • Heroku
    The primary hosting service for Runn, and Runn’s database.
    Contains PII and Customer Data
    Data deleted on account deletion. Backups deleted within 90 days.
    Data hosted in the EU (Ireland) by default. Optionally in USA.
  • Intercom
    Used to provide customer and onboarding support, including live chat and email.
    Data deleted on account deletion.
    Data hosted in USA.
  • Userflow
    Used to provide checklists, new feature guides and other onboarding features.
    Data deleted on account deletion.
    Data hosted in USA.
  • Rollbar
    Error reporting and monitoring.
    Data hosted in USA.
  • Coralogix
    Logs and error reporting.
    Contains PII (email)
    Data retained for 90 days.
    Data hosted in EU (Ireland)
  • AWS S3
    Long-term log archive for audit logging purposes.
    Data hosted in USA.
  • Slack
    Used by Runn for internal communications. Integrates with customer support tooling.
    Most data automatically deleted within 30 days.
    Data hosted in USA.
  • Calendly
    Used to book meetings.
    Contains PII (name, email)
    Data deleted upon request.
    Data hosted in US.
  • Zoom
    Used to conduct audio and video meetings, as well as online events and webinars.
    Data deleted upon request.
    Data hosted in USA.
  • Google Service (G-suite)
    Used for email, internal communications, documentation and video calls.
    Data deleted upon request.
    Data hosted in USA.
  • Mixpanel
    Used for engagement analytics in the app, allowing us to understand how features are used and make better product decisions.
    Does not contain identifiable personal information.
    Data hosted in EU (Ireland).
  • Hubspot
    Used for usage analytics, email and phone conversations with our prospects and customers.
    Data deleted on request.
    Data hosted in USA.
  • Mailgun
    Used to send app emails.
    Data automatically deleted after 7 days.
    Data hosted in USA.
  • Cloudinary
    Hosts images uploaded to Runn, such as client logos and people and user avatars.
    Contains Data deleted on request.
    Data hosted in USA.
  • Cloudflare
    Used for Content Delivery Network (CDN) and Web Application Firewall (WAF) processing and securing all requests to the Runn application.
    Due to the nature of this globally distributed system, this data is processed closest to the user’s location. No customer data or personally identifiable information is stored in the service.
  • Merge.dev
    Integration platform for connecting to third party services. Runn uses Merge.dev to offer our customers integrations with HRIS and other systems. Optional product offering that needs to be enabled by a Runn user with administrator permissions. Consent is provided via the customer’s acceptance of Merge's End Customer Terms during the integration setup process. Customers can withdraw their consent by unlinking their integration.
    Data deleted on account delete.
    Data hosted in EU by default. Optionally USA.
  • Segment
    Used to streamline data collection such as usage statistics, log-in counts, pages visited, app usage and similar. Passes this data onto other services in a secure and GDPR & PII friendly manner.
    Contains user PII (email & name).
    Data deleted on request.
    Data hosted in EU (Ireland)
  • Novu
    Used for sending in-app and email notifications.
    Contains user PII and some customer basic data (project names, people names and email).
    Data deleted on request.
    Data hosted in EU (Frankfurt)
  • Gong
    Used for recording sales calls and demos
    Contains user PII and any data included in the video call.
    Data deleted on request. Consent granted before recording.
    Data hosted in US
  • Clay
    Used for enriching sales leads with additional information about the potential customers.
    Contains user PII (name & email)
    User can opt-out at:     https://privacy.clay.com/policies
    Data hosted in the US

Things you should know

  1. Runn is headquartered in Aotearoa New Zealand. New Zealand has been certified by the EU to have adequate data protection laws allowing the transfer of data without any further safeguards.
  2. Runn does not sell your personal data or information. Your personal information is not given to third parties for any external marketing purposes. However we may use it to send you information about Runn including product updates, features and offers.
  3. The Runn application and databases are hosted with Heroku in secure data centers in the EU. 
  4. Our data is always transmitted securely over HTTPS, passwords are kept encrypted and database and software is regularly checked for any potential security issues. 
  5. Runn keeps backup and logs for up to 18 months before they are automatically deleted. When you delete your Runn account, some Customer Data continues to be stored in backups for up to 18 months. Most will be deleted instantly.
  6. You can read more about our security measures at https://www.runn.io/security

What if I need more information, or have a special request?

We are continuously looking for ways to strengthen our privacy practices and improving our processes. If you are a Runn customer or partner and have any feedback, concerns or a special request about GDPR or privacy matters in general, please contact our Privacy Officer at privacy@runn.io

Smart resource and capacity planning
Runn
Resource managementAboutCareers
Contact
LinkedIn
Resources
BlogEbooksWebinarsCase studiesHelp centerRoadmapWhat's new
Get Started
Log inLet's talkTry for freePricing
Runn © 2025
Privacy PolicyGDPRSecurityTermsCookies
By clicking “Accept” you agree to the storing of cookies on your device and tracking to analyze site usage and assist in our marketing efforts. View our Privacy Policy, Cookie Policy and GDPR page for more information.
PreferencesDenyAccept