Runback
Why RunbackSee it workPricingDocsLog inStart free →
Legal

Privacy Policy

Last updated 2 July 2026

This policy explains what personal data Runback Inc., a Delaware corporation("Runback", "we"), acting as data controller, collects, how we use it, and the choices you have. It covers our website and our managed cloud service. It does not change the rights you have under applicable law. Data-protection queries: privacy@runback.dev.

Self-host changes everything below. When you run Runback in your own infrastructure, your agent traces are written to a database you control and never reach us. For self-hosted deployments we do not receive, store, or process your agents' data, and we act only as a software provider — not a data processor.

1. Data we collect

Account & contact data

When you sign in or contact us we process your work email, name, and the organisation you belong to. Sign-in is passwordless — we email a one-time link and store only a hashed token, never a password.

Usage & diagnostic data

For our website and managed cloud we process standard technical data — IP address, browser, pages viewed, and product events — to operate, secure, and improve the service.

Agent trace data (managed cloud only)

If you use our managed cloud, the traces your instrumented agents send us are stored to power observe, replay, evals, and audit. Sensitive values (secrets, keys, emails, card numbers, SSNs) are designed to be redacted inside your own process before a trace ever leaves it. You control what your instrumentation sends.

2. How we use data

  • To provide, secure, and operate the service and your account.
  • To respond to your requests and provide support.
  • To detect, prevent, and investigate abuse or security incidents.
  • To meet legal, accounting, and regulatory obligations.

We do not sell personal data, and we do not use your agent trace data to train models.

3. Legal bases (GDPR)

Where the GDPR applies, we rely on: performance of a contract (to provide the service), legitimate interests (to secure and improve it), consent (where required, e.g. certain cookies), and legal obligation.

4. Sharing & sub-processors

We share data only with vendors that help us run the service (hosting, email delivery, payments, analytics), each under contract and only as needed. Our current sub-processor list and our Data Processing Agreement are available in the DPA and on request via privacy@runback.dev.

5. International transfers

Where data crosses borders, we use appropriate safeguards such as Standard Contractual Clauses. The managed cloud currently resides in the United States (US); self-host customers keep data in their own region by definition. EU or Australian residency requires the Enterprise self-hosted tier.

6. Retention

We retain personal data only as long as needed for the purpose collected or as required by law:

  • Account & contact data — retained while your account is active, plus 30 days after account closure (to allow for reactivation), then deleted unless a longer period is required by applicable law.
  • Agent trace data — retained in two phases. Raw event payloads are deleted at the end of your plan's retention window (7 days on Community, 30 days on Starter, 60 days on Growth/Scale, 90 days on Pro, configurable on Enterprise). Run-level summary metadata (name, status, token counts, timestamps) is retained for up to twice the plan window before permanent deletion. You can delete any run at any time; deletion queues removal from active systems within 30 days.
  • Usage & diagnostic data — retained for up to 24 months from collection.
  • Billing records — retained for 7 years to meet accounting and tax obligations.

Self-host customers control retention entirely — data never reaches us and this section does not apply.

7. Security

We protect data with measures including in-process redaction, hashed credentials, encrypted transport, role-based access, and tamper-evident audit records. See our security pagefor specifics and an honest view of what is and isn't yet in place.

8. Your rights

Depending on where you live, you may have rights to access, correct, delete, port, or restrict processing of your personal data, and to object or withdraw consent. To exercise them, email privacy@runback.dev. We will respond within one calendar month of receiving your request (extendable by two further months for complex or numerous requests, with explanation). We may ask you to verify your identity before acting on a request.

Supervisory authority complaints. You may also lodge a complaint with your local data-protection authority. For users in the United Kingdom, the relevant authority is the Information Commissioner's Office (ICO) — ico.org.uk. For users in the EEA, the relevant authority is the supervisory authority of your country of residence or establishment.

9. Automated decision-making

Runback's policy enforcement engine may automatically block or flag agent actions based on configured policy rules. These automated checks operate on your agents' outputs — they do not produce legal or similarly significant effects on individuals in the sense of GDPR Art.22(1). You, as the controller, design the policies and remain responsible for any decisions that affect individuals. Where your use of Runback does give rise to Art.22(1) automated decisions, you are responsible for meeting the applicable obligations (providing human review, explaining the logic, and enabling individuals to contest outcomes). Contact privacy@runback.dev if you need assistance assessing your Art.22 obligations.

10. Cookies

We use strictly necessary cookies only — a single session cookie (__Host-rb_session) that authenticates your signed-in session. No analytics, tracking, or advertising cookies are deployed on this site. Because we use only strictly necessary cookies, no consent banner is required and no non-essential cookies can be configured through your browser.

11. Change of control

If Runback is involved in a merger, acquisition, or sale of assets, your personal data may be transferred as part of that transaction. We will notify account holders by email or a prominent notice on the service before personal data is transferred or becomes subject to a different privacy policy. You may delete your account and data before any such transfer takes effect.

12. Changes to this policy

We'll update this policy as the product evolves and post the new effective date here. Material changes will be communicated to account holders.

13. Contact & DPO

Privacy questions: privacy@runback.dev. Security reports: security@runback.dev.

Runback has assessed its obligations under GDPR Art.37 and does not currently meet the criteria requiring mandatory appointment of a Data Protection Officer. Privacy and data-protection matters are handled directly by our team at privacy@runback.dev. If our processing activities change in a way that requires DPO appointment, we will update this policy.

Runback

Govern, observe & audit your AI agents.

AI Governance Weekly

One regulatory update, one incident pattern, one control — every Monday.

Product

How it worksPricingDocumentationGet started free

Proof

MTTR proofrunback.cassette/v1Verify a recordDemo runs

Company

EnterpriseSecurityBook a callContact
© RunbackPrivacyTermsDPA