Privacy Policy
Effective date: April 2026
1. Information We Collect
We collect information you provide directly to us, such as when you create an account, configure agents, or contact support. This includes: account identifiers (name, email, organisation name), authentication credentials (hashed passwords, OAuth tokens), agent telemetry and audit events produced by the RuneSignal SDK, billing information processed via Stripe (we do not store raw card data), and support communications.
2. How We Use Your Information
We use collected information to operate, maintain, and improve the RuneSignal platform; to send transactional notifications (deployment alerts, HITL approval requests, billing receipts); to enforce our Terms of Service and acceptable-use policies; to comply with legal obligations under GDPR, HIPAA, and applicable data-protection laws; and to generate aggregated, anonymised analytics about platform usage.
3. Legal Basis for Processing (GDPR)
For users in the European Economic Area, we process personal data on the basis of: performance of a contract (providing the service you signed up for), legitimate interests (security monitoring, fraud prevention, product improvement), legal obligation (audit logs required by EU AI Act Article 12), and consent where required (marketing emails).
4. Data Retention
Account data is retained for the duration of your subscription plus 90 days after termination to allow data export. Audit ledger entries are immutable and retained for 7 years to comply with EU AI Act Article 12 obligations. Aggregated telemetry is retained indefinitely in anonymised form. You may request deletion of personal data via privacy@runesignal.com; immutable compliance records are exempt.
5. Data Sharing and Sub-Processors
We share data only with sub-processors necessary to deliver the service: Supabase (database and authentication, hosted in the EU), Vercel (edge hosting), Stripe (payment processing), Sentry (error monitoring), and Upstash (rate-limit cache). A full sub-processor list is available on request. We do not sell personal data to third parties.
6. International Transfers
RuneSignal is incorporated in the European Union. Data processed by US-based sub-processors is governed by EU Standard Contractual Clauses (SCCs) or the EU-US Data Privacy Framework where applicable. You may configure data-residency policies within the platform to restrict which regions process your data.
7. Your Rights
Under GDPR and equivalent regulations you have the right to: access a copy of your personal data, correct inaccurate data, request erasure (subject to retention obligations), object to processing based on legitimate interests, restrict processing pending a dispute, and receive your personal data in a portable format (data portability). To exercise these rights, contact privacy@runesignal.com. We will respond within 30 days.
8. Security
RuneSignal employs industry-standard security controls: TLS 1.3 in transit, AES-256 at rest, SOC 2 Type II-aligned policies, MFA enforcement, and continuous anomaly detection. Our agent audit ledger is cryptographically chained and tamper-evident. For a detailed security overview see /security.
9. Cookies
We use strictly necessary cookies to maintain authenticated sessions and preferences. No third-party advertising cookies are set. You may disable non-essential cookies in your browser without affecting core platform functionality.
10. Changes to This Policy
We may update this policy periodically. Material changes will be communicated by email to account owners at least 30 days before they take effect. Continued use of the platform after the effective date constitutes acceptance.
11. Contact
Questions or concerns? Contact our Data Protection Officer at privacy@runesignal.com or write to: RuneSignal, Attn: Data Protection, European Union.