Privacy Policy
How rundash collects, uses, and protects your data — written to be read, not to comply with a checkbox.
Last updated: April 17, 2026
This Privacy Policy describes how rundash (“rundash”, “we”, “us”, or “our”) collects, uses, stores, and shares personal information when you use rundash.ai and the rundash application (collectively, the “Service”). rundash is operated from Ontario, Canada and is subject to Canadian federal privacy law (the Personal Information Protection and Electronic Documents Act, or PIPEDA).
If you have questions about this policy or about the personal information we hold about you, email us at hello@rundash.ai.
1. Who this applies to
This policy applies to everyone who visits our website, creates an account, or uses the Service, regardless of where you live. If you are located in the European Economic Area, the United Kingdom, or another region with data protection law, additional rights may apply to you — see Your rights below.
2. Information we collect
Information you provide
- Account information — name, email address, and password (stored only as a one-way hash; we never see your plaintext password).
- Billing information — if you subscribe to a paid plan, we collect a Stripe customer identifier, subscription status, and invoice history. Credit card and bank details are collected and stored by Stripe, not by us; rundash never sees or stores your full card number.
- Anthropic API key — if you choose to bring your own Anthropic key in Settings, we store it encrypted at rest (Laravel’s standard encryption, AES-256). It is decrypted only in memory when your agents run.
- Content you create — agents you configure, tasks you assign, prompts you write, comments you leave, and the outputs those agents produce.
Information from third-party integrations
When you connect a third-party service (e.g., Gmail, LinkedIn, Reddit, HubSpot, Slack, Notion, Stripe), rundash never receives or stores the passwords or OAuth tokens for those services. Authentication happens entirely through Composio, our integrations partner; Composio holds the credentials in their vault and returns only an opaque connection identifier to us. When an agent needs to act on a connected service, we ask Composio to perform the action on your behalf using those stored credentials.
The scope of access for each integration is determined by the permissions you grant during connection. You can revoke any integration at any time from the Integrations page; revocation takes effect immediately.
Information collected automatically
- Usage data — how many agent runs you have triggered this billing period, which playbooks you have cloned, which integrations you have connected.
- Log data — IP address, browser type, pages visited, and timestamps, collected by our web servers for security and debugging.
- Cookies — see Cookies below.
3. How we use your information
We use your information to:
- Provide the Service — run your agents, show your board, bill you accurately.
- Authenticate you and keep your account secure.
- Send you transactional email (verification, password resets, billing receipts, task completion).
- Improve the Service — debug errors, understand usage patterns, plan new features. We do not train AI models on your data or sell it.
- Comply with legal obligations (e.g., tax record-keeping, lawful requests from authorities).
- Send you product updates or marketing email if you have opted in. You can unsubscribe at any time using the link in any marketing email.
4. Who we share information with
We do not sell your personal information. We share it only with the service providers we need to operate rundash, listed below. Each of these providers is contractually bound to handle your data only on our instructions and to maintain appropriate security.
Service providers (sub-processors)
- Anthropic, PBC — provides the underlying AI models that power your agents. When your agent runs, the prompt, conversation history, and any relevant tool output are sent to Anthropic. Anthropic does not use API inputs to train its models.
- Composio — stores your third-party integration credentials and executes actions against those services on your behalf. Composio receives the inputs and outputs of any tool call an agent makes.
- Stripe — handles subscription billing and payment processing. Card data is stored only by Stripe.
- Infrastructure providers — our servers, databases, queue, and WebSocket infrastructure run on cloud providers (currently Laravel Forge + AWS). These providers store your data at rest and in transit.
- Email delivery — we use a transactional email provider to send account, security, and billing email.
We will maintain an up-to-date list of sub-processors on request. Email hello@rundash.ai for the current list.
Legal disclosures
We may share information if compelled by law — for example, in response to a valid subpoena, court order, or government request. If we receive such a request, we will notify you before disclosing unless prohibited from doing so.
Business transfers
If rundash is acquired, merges with another company, or sells substantially all of its assets, your personal information may be transferred to the acquirer. You will be notified before any such transfer takes effect and given the opportunity to delete your account if you do not consent.
5. Your rights
If you are in Canada
Under PIPEDA, you have the right to:
- Access the personal information we hold about you.
- Correct inaccuracies in that information.
- Withdraw consent to our processing (noting that this may make it impossible to continue providing the Service).
- File a complaint with the Office of the Privacy Commissioner of Canada.
If you are in the EU, UK, or similar jurisdictions
In addition to the above, you may have the right to data portability (receive a machine-readable copy of your data), to erasure (“right to be forgotten”, subject to legal retention obligations), to restrict processing, and to object to processing. You may also lodge a complaint with your local data protection authority.
How to exercise these rights
Most access and correction requests can be fulfilled in-product: you can edit your account information, disconnect integrations, and cancel your subscription from Settings. For deletion or data-export requests, or any request you cannot complete yourself, email hello@rundash.ai. We will respond within 30 days.
6. Data retention
We retain personal information only as long as we have a legitimate reason to keep it:
- Active accounts — indefinitely, until you delete your account or request deletion.
- Closed accounts — personal information is deleted within 30 days of account closure, except for records we are required to keep for legal reasons (e.g., tax records, which we keep for the period required by the Canada Revenue Agency — currently six years).
- Backups — your data may persist in encrypted backups for up to 90 days after deletion; we do not restore deleted accounts from backup unless compelled by law.
- Agent run outputs and logs — retained for 90 days by default. You can delete individual tasks or clear logs at any time.
7. Security
We take security seriously. Our measures include:
- TLS encryption for all data in transit (HTTPS everywhere).
- At-rest encryption of sensitive fields (your Anthropic API key, OAuth-like secrets stored in Composio’s vault).
- One-way password hashing (bcrypt).
- Principle of least privilege for internal access; logs of administrative access.
- Regular dependency updates and security patches.
No system is perfectly secure. If you believe your account has been compromised, email us immediately at hello@rundash.ai. If we become aware of a breach affecting your personal information, we will notify you and the appropriate authorities as required by law.
8. Cookies and similar technologies
We use a small number of cookies and local-storage keys:
- Session cookies — required to keep you signed in. These are first-party, HTTP-only, and expire when you log out or after a period of inactivity.
- CSRF token cookie — required to protect form submissions from cross-site request forgery.
- Theme preference (theme) — stored in localStorage so your light/dark choice persists across visits.
We do not use third-party advertising cookies or cross-site tracking. We do not currently run analytics or marketing pixels. If that changes, we will update this policy and, where required, ask for your consent.
9. Third-party integrations and AI
When your agent runs, it may read from and write to the third-party services you have connected (e.g., send email through Gmail, post to Slack, create a HubSpot contact). You authorize these actions by connecting the service; rundash passes your instructions to Composio, which performs the action on your behalf.
AI outputs are generated by Anthropic’s models based on the prompts and context your agent provides. We do not guarantee the accuracy of AI-generated content and are not responsible for your reliance on it. Always review agent outputs before treating them as authoritative.
10. Children
rundash is not intended for anyone under 16. We do not knowingly collect personal information from children. If you believe a child has created an account, contact us and we will delete the account and any associated data.
11. International data transfers
rundash is operated from Canada. If you use the Service from outside Canada, your information will be transferred to, stored, and processed in Canada and in the other jurisdictions where our sub-processors operate (including the United States). These transfers are made with appropriate safeguards, including standard contractual clauses where required.
12. Changes to this policy
We may update this policy as the Service evolves. If we make material changes, we will notify you by email and update the “Last updated” date at the top of this page. Continued use of the Service after changes take effect means you accept the updated policy.
13. Contact us
For any privacy-related question, request, or complaint:
- Email: hello@rundash.ai
- Location: Ontario, Canada
This policy describes our current practices and is written in plain language. It is not legal advice. If you are building on top of rundash in a regulated industry, please consult counsel about your own compliance obligations.