GDPR Compliance

Last updated: 15 April 2025

Our privacy commitments

At Runn, we genuinely care about your privacy. We are ready to support you in your role as a data controller and committed to ensuring all personal data we hold and process is safe and secure. As part of this commitment we have undertaken steps to meet GDPR compliance, including:

  1. Not sharing personal data with third parties purely for analytics or advertising purposes.
  2. Automatically deleting any personal data that is no longer deemed required. 
  3. Allowing users and organizations to delete the personal data they control.
  4. Providing data subjects with access to their personal data, if requested.
  5. Building in “privacy by design” as we develop and enhance the Runn product and services.  
  6. Regularly reviewing our privacy statements, DPA, and internal documentation and processes. 
  7. Appointing a Privacy Officer (privacy@runn.io) to oversee privacy matters.
  8. Offering a Data Processing Agreement (DPA) memorializing our obligations as a data processor. 

Data Processing Agreement (DPA)

If you are doing business in the EU, our terms of service include the Runn Data Processing Agreement. Working with external legal counsel, we regularly update this document to be in compliance with GDPR and other generally acceptable privacy laws. Should you require a signed version, please contact us at privacy@runn.io.


Runn sub-processors

As outlined in our DPA, we may use third-party service providers to assist us with data processing activities. Where we act as a data processor, these third parties are known as sub-processors. You will find a list of our sub-processors below, along with the reason for processing and where the data is held. From time to time, we may need to add or remove a sub-processor if we feel it is necessary. If you would like to receive email updates about new sub-processors, you can opt in to sub-processor updates here.

Hosting

  • Salesforce Inc (Heroku)
    Purpose: The primary hosting service for the Runn application and database
    Data Retention: Data deleted on account deletion. Backups deleted within 21 days.
    Data Location: EU (Ireland) by default. Customers can alternatively choose a hosting location in the US.
  • Cloudflare Inc
    Purpose: Used for Content Delivery Network (CDN) and Web Application Firewall (WAF) processing and securing all requests to the Runn application. No customer data is stored in the service.
    Data Retention: Indefinitely (deleted on request)
    Data Location: Due to the nature of this globally distributed system, this data is processed closest to the user’s location.
  • Mailgun Technologies Inc
    Purpose: Emails from the Runn application.
    Data Retention: 7 days
    Data Location: US
  • Cloudinary Inc
    Purpose: Hosts images uploaded to Runn, such as client logos and people and user avatars.
    Data Retention: Indefinitely (deleted on request)
    Data Location: US

Monitoring

  • Rollbar Inc
    Purpose: Error reporting and monitoring. Contains minimal PII (user identifiers, IPs and email addresses for audit logging purposes).
    Data Retention: 180 days
    Data Location: US
  • Coralogix Ltd
    Purpose: Centralised logging and error reporting. Contains minimal PII (user identifiers, IPs and email addresses for audit logging purposes).
    Data Retention: 90 days
    Data Location: EU (Ireland)
  • Amazon Web Services EMEA SARL (AWS S3)
    Purpose: Long-term log archive for audit logging purposes. Contains minimal PII (user identifiers, IPs and email addresses for audit logging purposes).
    Data Retention: Indefinitely (deleted on request)
    Data Location: EU

Integration

  • Noti-Fire Apps Ltd (Novu)
    Purpose: Sends in-app and email notifications. Contains user PII and some basic customer data (project names, people names and email).
    Data Retention: Indefinitely (deleted on request)
    Data Location: EU (Germany)
  • Merge API Inc
    Purpose: Integration platform for connecting to third party services. Runn uses Merge.dev to offer our customers integrations with HRIS and other systems. Optional product offering that needs to be enabled by a Runn user with administrator permissions. Consent is provided via the customer’s acceptance of Merge's End Customer Terms during the integration setup process. Customers can withdraw their consent by unlinking their integration.
    Data Retention: Data deleted on account deletion.
    Data Location: Same region as your data (EU by default, US as opt-in).

Marketing and Analytics

  • Twilio Inc (Segment)
    Purpose: Collects usage statistics associated with app users and website visitors.
    Data Retention: Indefinitely (deleted on request)
    Data Location: EU (Ireland)
  • Userflow Inc
    Purpose: Used to provide checklists, new feature guides and other onboarding features. Only contains pseudo-anonymous identifiers without other PII.
    Data Retention: 21 days after account deletion
    Data Location: US
  • Mixpanel Inc
    Purpose: Used for engagement analytics in the app, allowing us to understand how features are used and make better product decisions. Only contains pseudo-anonymous identifiers without other PII.
    Data Retention: 21 days after account deletion
    Data Location: EU (Ireland)
  • Gong.io Inc
    Purpose: Used for recording sales calls and demos. Consent granted before recording.
    Data Retention: Indefinitely (deleted on request)
    Data Location: US
  • Clay Labs Inc
    Purpose: Used for enriching sales leads with additional information about potential customers. Users can opt out at: https://privacy.clay.com/policies
    Data Retention: Indefinitely (deleted on request)
    Data Location: US

Collaboration and Support

  • Intercom Inc
    Purpose: Used to provide customer and onboarding support, including live chat and email.
    Data Retention: Contacts deleted on account termination. Support communications deleted on request.
    Data Location: US
  • Hubspot Inc
    Purpose: Usage analytics, email and phone conversations with our prospects and customers. Only contains users we are likely to have customer conversations with.
    Data Retention: Indefinitely (deleted on request)
    Data Location: US
  • Slack Technologies LLC
    Purpose: Internal communications, occasionally referencing customer and user names. Integrates with customer support tooling, and processes names and email addresses in context of customer support requests.
    Data Retention: Most data automatically deleted within 30 days
    Data Location: US
  • Calendly LLC
    Purpose: Meeting bookings with sales prospects and customers
    Data Retention: Indefinitely (deleted on request)
    Data Location: US
  • Zoom Communications Inc
    Purpose: Conduct audio and video meetings, as well as online events and webinars.
    Data Retention: Indefinitely (deleted on request)
    Data Location: US
  • Google LLC (Google Workspace)
    Purpose: Emailing customers, internal communications and video calls. Can be used for customer data migration assistance (opt-in).
    Data Retention: Indefinitely (deleted on request). Customer data used for data migration is deleted once the migration is completed.
    Data Location: US

Things you should know

  1. Runn is headquartered in Aotearoa New Zealand. New Zealand has been certified by the EU to have adequate data protection laws allowing the transfer of data without any further safeguards.
  2. Runn does not sell your personal data or information. Your personal information is not given to third parties for any external marketing purposes. However, we may use it to send you information about Runn, including product updates, features and offers.
  3. The Runn application and databases are hosted with Heroku in secure data centers in the EU. 
  4. Our data is always transmitted securely over HTTPS, passwords are kept encrypted, and our database and software are regularly checked for any potential security issues.
  5. Runn keeps backups and logs for up to 18 months before they are automatically deleted. When you delete your Runn account, some Customer Data continues to be stored in backups for up to 18 months. Most will be deleted instantly.
  6. You can read more about our security measures at https://www.runn.io/security

What if I need more information, or have a special request?

We are continuously looking for ways to strengthen our privacy practices and improve our processes. If you are a Runn customer or partner and have any feedback, concerns or a special request about GDPR or privacy matters in general, please contact our Privacy Officer at privacy@runn.io.