Privacy policy

Last updated: May 2026

Runa Privacy Policy

Last updated: May 22, 2026

Runa Labs Inc. ("Runa," "we," "us") provides AI meeting intelligence for the agent-era company. This Privacy Policy explains what Personal Data we collect, how we use and share it, the choices you have, and the rights you can exercise. By using or accessing our Services, you acknowledge that you accept the practices described below and consent to the collection, use, and sharing of your information as described in this Privacy Policy.

Your use of Runa is at all times subject to our Terms of Service (the "Terms"), which incorporates this Privacy Policy. Undefined terms have the meanings given in the Terms.

At a Glance

Before the details, the commitments that matter most:

  • Your raw audio stays on your device. Runa uses bot-free local capture. We do not send a bot to join your meeting. Audio is captured and processed on your machine. Raw audio is not retained on Runa's servers after a transcript is produced, unless you explicitly enable a "Save Audio" option for a meeting.

  • No third-party AI provider trains on your Personal Data. Our model and speech-to-text providers — including OpenAI, Anthropic, AssemblyAI, and Deepgram — are contractually prohibited from training on your data under our enterprise agreements.

  • You can opt out of Runa using your De-Identified Data to train our own models. Settings → Privacy → Model Training.

  • We do not sell or "share" your Personal Data for cross-context behavioral advertising as those terms are defined under California law.

  • We do not create voiceprints or biometric identifiers. Speaker diarization runs on transient audio and is not retained as a biometric template.

  • AI outputs are subject to human review (human-in-the-loop). Runa does not make solely automated decisions that produce legal or similarly significant effects about you.

  • We host on Google Cloud Platform (GCP) in the United States. All Personal Data is encrypted at rest (AES-256 via Google Cloud KMS) and in transit (TLS 1.2 or higher). We use VPC Service Controls, IAM with least privilege, audit logging, and monitoring.

  • You can delete your data and account at any time. Settings → Profile → Delete Account. We delete or anonymize within 30 days, subject to legal retention.

We may change this Privacy Policy from time to time. We will notify you of material changes through the Runa application, by email, by posting an updated version on our website, or by other reasonable means. If you continue to use the Services after a change is posted, you agree to the change.

Table of Contents

  1. Who We Are and Scope of This Policy

  2. Definitions

  3. Personal Data We Collect

  4. Sources of Personal Data

  5. How We Use Personal Data

  6. Recording, Transcription, and Meeting Consent

  7. AI Processing and Automated Decision-Making

  8. Voice and Biometric Information

  9. De-Identified Data and Model Training

  10. Personal Data of Non-Users (Meeting Attendees)

  11. How We Share Personal Data

  12. Subprocessors

  13. Third-Party Integrations and OAuth Scopes

  14. Cookies and Similar Technologies

  15. Analytics and Marketing

  16. Security and Infrastructure

  17. International Data Transfers

  18. Data Retention and Deletion

  19. Your Choices and Account Controls

  20. Children's Privacy

  21. U.S. State Privacy Rights

  22. European, UK, Swiss, and Other International Privacy Rights

  23. Submitting a Request, Authorized Agents, Verification, and Appeals

  24. Changes to This Policy

  25. Contact

1. Who We Are and Scope of This Policy

Runa Labs Inc. is a Delaware corporation. This Privacy Policy applies to Personal Data we collect when you:

  • Visit our website at joinruna.com (the "Site");

  • Install, configure, or use the Runa desktop application or any successor application;

  • Interact with our Services through a connected calendar, email account, video-conferencing platform, CRM, or other third-party service;

  • Contact us for support, sales, or other purposes; or

  • Receive communications from us.

This Privacy Policy does not apply to:

  • Third-party websites, services, or applications we do not own or control, including any service you connect to Runa (those have their own privacy policies); or

  • Personal Data we process on behalf of an enterprise customer under a Data Processing Agreement ("DPA"). In that case, the enterprise customer is the controller of your Personal Data and Runa acts as a processor. Please direct privacy requests to your organization first. If we are unable to act on a request because we are a processor, we will tell you and, where reasonable, refer you to the controller.

2. Definitions

  • Controller — the entity that determines the purposes and means of processing Personal Data.

  • Processor — the entity that processes Personal Data on behalf of a controller under contract.

  • Personal Data — any information that identifies, relates to, describes, or could reasonably be linked with a particular individual or household. Equivalent terms include "personal information," "personally identifiable information," and "personal data" under applicable laws.

  • Sensitive Personal Information ("SPI") — has the meaning given under the California Privacy Rights Act and analogous state laws. See Section 3 for the categories we may collect.

  • Processing — any operation performed on Personal Data, including collection, recording, storage, use, disclosure, and erasure.

  • Customer — an individual or entity that registers for or purchases the Services.

  • Customer Data — Personal Data that an enterprise customer makes available to Runa, or that Runa generates on the customer's behalf, in the course of providing the Services to the customer.

  • De-Identified Data — data that has been processed such that it cannot reasonably be linked to an individual.

  • Services — Runa's website, desktop application, APIs, agent features, and any related software or services.

  • Subprocessor — a third party engaged by Runa to process Personal Data in connection with the Services.

3. Personal Data We Collect

This section describes the categories of Personal Data we may collect, and may have collected in the 12 months preceding the effective date of this Policy. Categories of third parties with whom we share each category are defined in Section 11.

| Category | Examples | Categories of Third Parties |
| --- | --- | --- |
| Profile or Contact Data | First and last name, username, email address, profile photo, phone number (if provided) | Service Providers; Parties You Authorize, Access, or Authenticate |
| Payment Data | Payment card brand, last 4 digits of payment card, billing address, phone number, billing email. Full payment card numbers are collected and stored by our payment processor (Stripe, Inc.); Runa does not store full card numbers | Service Providers (payment processor) |
| Device/IP Data | IP address, IP-based approximate location, device identifier, type of device, operating system version, browser type and version, language, application version, microphone and audio device identifiers used by the Runa application | Service Providers; Parties You Authorize, Access, or Authenticate |
| Web Analytics and Application Telemetry | Pages viewed, in-application events, feature usage, session duration, performance and crash data, referring URL | Service Providers |
| Professional or Employment-Related Data | Job title, role, employer name, professional website, company domain | Service Providers; Parties You Authorize, Access, or Authenticate |
| Calendar and Meeting Metadata | Meeting titles, descriptions, scheduled times, attendee names and email addresses, organizer, location, recurrence, and other calendar event metadata for calendars you connect to Runa | Service Providers; Parties You Authorize, Access, or Authenticate |
| Recordings and Transcripts | Transcripts generated from audio captured locally on your device. Raw audio is processed on your device for transcription and is not retained on Runa's servers after the transcript is produced, unless you explicitly enable "Save Audio" for a meeting. Audio in transit to our speech-to-text providers is encrypted and is governed by no-training agreements | Service Providers (speech-to-text and AI model providers); Parties You Authorize, Access, or Authenticate |
| Meeting Memory and Cross-Meeting Context | Summaries, notes, action items, decisions, entities, topics, embeddings, and cross-meeting context that Runa generates from your transcripts to power features such as cross-meeting memory, conflict detection, and search | Service Providers; Parties You Authorize, Access, or Authenticate |
| Agent Action Data | Records of agent-suggested actions, the prompts and signals used to generate them, your approvals or rejections, the resulting outputs (e.g., drafted emails, updated CRM fields), and audit logs of all agent activity | Service Providers; Parties You Authorize, Access, or Authenticate |
| Workspace and Sharing Data | Information about which meetings, notes, or agent outputs you share with teammates, including share permissions, comments, and reactions | Service Providers; Parties You Authorize, Access, or Authenticate (including teammates) |
| Integration Data | Data Runa reads from or writes to a service you connect (e.g., emails from Gmail or Outlook for follow-up drafting, contact and deal records from a CRM, channels and messages from a communications tool), limited to the OAuth scopes you grant | Service Providers; Parties You Authorize, Access, or Authenticate |
| Communications with Runa | Support tickets, sales inquiries, survey responses, feedback, beta and research participation, and identifying information you voluntarily provide in those communications | Service Providers; Parties You Authorize, Access, or Authenticate |
| Inferences | Inferences we draw from the categories above to support product features (e.g., topic clustering, "open loop" detection across meetings, suggested follow-ups). These inferences are not used for advertising and are not sold | Service Providers |

Sensitive Personal Information

Some Personal Data we collect may qualify as Sensitive Personal Information under California law or analogous state laws, including:

  • Account log-in credentials (your Runa password or OAuth tokens you authorize). Stored encrypted; used solely to authenticate you to the Services.

  • Contents of mail, email, and other communications, where Runa is not the intended recipient (for example, the contents of meeting invites in your calendar, or emails Runa reads through a connected Gmail or Outlook account to draft follow-ups). Used solely to provide the integration features you have enabled.

  • Precise geolocation is not collected. We use approximate IP-based location only.

  • Racial or ethnic origin, religious or philosophical beliefs, union membership, genetic data, biometric identifiers, health, sex life, sexual orientation, or immigration status are not intentionally collected. Such information may incidentally appear in a transcript or note if a meeting participant chooses to discuss it; we do not analyze transcripts to infer these characteristics, and we do not use them for any secondary purpose.

We use Sensitive Personal Information only for purposes permitted under California Civil Code § 1798.121 and analogous laws — namely, to provide the Services you request, to ensure security and integrity, to prevent fraud, and to comply with law. We do not use Sensitive Personal Information to infer characteristics about you. You have the right to limit our use of Sensitive Personal Information — see Section 21.

4. Sources of Personal Data

We collect Personal Data from the following sources:

Directly From You

  • When you create an account, install the Runa application, configure preferences, or use interactive features.

  • When you fill in fields in the application, respond to surveys, or send us feedback.

  • When you contact our support, sales, or other teams.

  • When you participate in a beta, research session, or community event.

Automatically When You Use the Services

  • Through Cookies and similar technologies (see Section 14).

  • Through application telemetry, diagnostic logs, and crash reports.

  • Through IP-based approximate location and device characteristics necessary to deliver the Services securely.

From Services You Connect to Runa

  • Calendar providers (e.g., Google Calendar, Microsoft Outlook).

  • Video-conferencing platforms (e.g., Zoom, Google Meet, Microsoft Teams).

  • Email providers (e.g., Gmail, Microsoft 365), where you connect an inbox.

  • CRM and sales tools (e.g., Salesforce, HubSpot), where you connect an account.

  • Communications tools (e.g., Slack), where you connect a workspace.

  • Identity providers (e.g., Google, Microsoft, or your single sign-on provider).

We only access data within the OAuth scopes you grant, and you can revoke access at any time from the connected service or from your Runa settings.

From Other Third Parties

  • Service providers and vendors that help us operate the Services (e.g., analytics, fraud-prevention, customer-support tooling).

  • Business-information vendors that help us identify and qualify business leads (used only for business-to-business outreach).

  • Publicly available sources when reasonable for fraud prevention, security, or business research.

Personal Data of Non-Users

Meeting attendees who are not Runa users may be referenced in calendar metadata or transcripts captured by users of Runa. See Section 10 for our handling of non-user Personal Data.

5. How We Use Personal Data

We process Personal Data for the purposes described below. In the European Economic Area ("EEA"), United Kingdom, and Switzerland, our lawful bases for processing are set out in Section 22.

Providing, Operating, and Improving the Services

  • Creating and managing your account and workspace.

  • Detecting meetings on your connected calendar, capturing audio locally on your device, producing transcripts, generating summaries, action items, decisions, and cross-meeting memory.

  • Powering search, conflict detection, and follow-up suggestions across your meetings.

  • Powering human-in-the-loop agent features that draft messages, update connected systems, or take other actions you approve.

  • Personalizing the Services based on your preferences and usage.

  • Providing customer support and responding to your requests.

  • Diagnosing problems, monitoring performance, and improving reliability.

  • Conducting research, testing, and product development. We do not allow third-party AI model or speech-to-text providers to train on your Personal Data. Internal model training on De-Identified Data is subject to opt-out (see Section 9).

Billing and Account Administration

  • Processing subscriptions, charges, refunds, and chargebacks (through our payment processor).

  • Sending transactional communications (account, security, billing, and service notices). These are required for the Service and are not subject to marketing opt-out.

Communications and Marketing

  • Sending newsletters, product updates, and announcements. You can unsubscribe at any time using the link in any marketing email or by contacting us.

  • Responding to your inquiries and notifying you about features that may be relevant.

Security, Fraud Prevention, and Compliance

  • Preventing, detecting, and investigating fraud, abuse, security incidents, and other harmful activity.

  • Enforcing our Terms, agreements, and policies.

  • Complying with applicable law, regulation, court order, or other legal process; responding to lawful requests from public authorities; protecting our rights, property, or safety, or those of our users or others.

Business Operations and Transactions

  • Internal business analytics, planning, and reporting.

  • Corporate transactions such as financing, restructuring, merger, acquisition, or sale of assets (see Section 11).

We will not collect additional categories of Personal Data or use Personal Data for materially different, unrelated, or incompatible purposes without providing notice and, where required, obtaining your consent.

6. Recording, Transcription, and Meeting Consent

Recording or transcribing a conversation may be subject to laws that require notice to, or consent from, some or all participants. These laws vary by jurisdiction. Some U.S. states (including California, Florida, Illinois, Maryland, Massachusetts, Montana, Nevada, New Hampshire, Pennsylvania, and Washington) generally require all-party consent. Other states require only one-party consent. Many countries have their own rules.

You are responsible for complying with all applicable laws when you use Runa, including by:

  • Obtaining any consents required by law from meeting participants before capturing audio or generating a transcript;

  • Providing required notices at the start of a meeting;

  • Honoring requests from meeting participants to stop capture or delete a transcript.

Runa supports these obligations by:

  • Showing a clear in-application indicator when capture is active;

  • Allowing you to pause or stop capture at any time;

  • Allowing you to delete a meeting, transcript, or note from the application;

  • Providing a process for any meeting participant — including non-users — to request access, correction, or deletion of their Personal Data (see Section 10 and Section 23).

If you are an employer or organization deploying Runa to your workforce, you are responsible for ensuring lawful basis, notices, and any required works-council consultations or employee disclosures.

7. AI Processing and Automated Decision-Making

Runa is an AI-native product. This section explains how AI is used and what protections apply.

What AI Does in Runa

  • Speech-to-text transcription. Audio captured on your device is streamed in encrypted form to a speech-to-text provider that returns a transcript. The audio is processed for transcription and is not retained by Runa after the transcript is produced, unless you enable "Save Audio."

  • Summarization, note generation, and structuring. Large language models generate summaries, action items, decisions, and structured notes from the transcript.

  • Cross-meeting memory and search. We generate embeddings and structured representations of your meeting content so that Runa can surface relevant prior context across meetings.

  • Conflict detection. Runa flags potential conflicts between statements, decisions, or commitments across meetings for your review.

  • Agent suggestions. Runa may draft emails, update CRM fields, or take other actions in connected systems, subject to your review and approval before they are sent or applied (human-in-the-loop).

Third-Party Model Providers

We use third-party AI providers, including OpenAI, Anthropic, AssemblyAI, and Deepgram. Our agreements with these providers prohibit them from training their models on your Personal Data. Inputs sent to these providers are processed under their enterprise terms with zero data retention or short-window retention for abuse monitoring only.

We may add or change providers from time to time. The current list of AI subprocessors is available on request (see Section 12).

Automated Decision-Making

Runa does not make solely automated decisions that produce legal or similarly significant effects about you. AI outputs in Runa — summaries, action items, agent-drafted actions, conflict flags — are presented for your review. You can edit, override, or discard them. Where you direct Runa to execute an action in a connected system, the action is the result of your approval, not an autonomous decision by Runa.

You have the right to obtain human review of any AI output and to challenge it. To do so, contact admin@joinruna.com.

Transparency

Runa identifies AI-generated content as such within the application. Where required by applicable law (including the EU AI Act), Runa will provide additional disclosures about AI-generated content.

EU AI Act

Runa is designed to operate as a general-purpose AI application, not as a high-risk AI system under Annex III of the EU AI Act. We do not market Runa for the evaluation of employees in a manner that would render it high-risk. If you intend to use Runa in a way that could constitute a high-risk use case (for example, to make employment evaluation decisions), you are responsible for ensuring your use complies with applicable law, and you must not present AI outputs as authoritative decisions without human review.

8. Voice and Biometric Information

Voice data warrants special treatment under several U.S. state laws (including the Illinois Biometric Information Privacy Act ("BIPA"), the Texas Capture or Use of Biometric Identifier Act, and the Washington biometric statute) and under the GDPR.

Runa does not create, store, or use biometric identifiers or biometric information to uniquely identify a natural person. Specifically:

  • We do not generate voiceprints, voice templates, or other biometric identifiers from your audio.

  • Speaker diarization — labeling who said what within a single meeting — is performed using ephemeral acoustic analysis. Diarization data is associated with a specific meeting (e.g., "Speaker 1," "Speaker 2," or, where you provide a label, a name). It is not used to identify the same speaker across unrelated meetings absent your action (e.g., manually labeling a speaker by name).

  • Audio is processed for transcription and is not retained on Runa's servers after the transcript is produced, unless you enable "Save Audio."

If we ever introduce a feature that would involve the creation or storage of biometric identifiers (for example, voice-based authentication), we will provide notice, obtain any required consents, and update this Policy.

9. De-Identified Data and Model Training

We may create de-identified, anonymized data ("De-Identified Data") from the Personal Data we collect, such that it cannot reasonably identify, relate to, describe, or be linked with a particular individual. We use De-Identified Data for our lawful business purposes, including:

  • Analyzing usage patterns and improving the Services;

  • Training, evaluating, and fine-tuning the AI models that power Runa features such as summarization, structured note generation, cross-meeting memory, and conflict detection;

  • Benchmarking quality and safety;

  • Marketing the Services using aggregate metrics.

You can opt out of the use of your De-Identified Data to train Runa's models at any time at Settings → Privacy → Model Training. The opt-out applies on a going-forward basis; data already used in training cannot be removed from prior model versions, but new model versions trained after your opt-out will not include data attributable to you.

We will not attempt to re-identify De-Identified Data, will not allow another party to do so, and will publicly commit to maintaining the data as de-identified, consistent with CCPA § 1798.140(m).

10. Personal Data of Non-Users (Meeting Attendees)

When a Runa user records a meeting, attendees who are not Runa users may appear in calendar metadata and in the transcript. Specifically, non-user Personal Data may include the attendee's name (as it appears in the calendar invite or as labeled by the user), email address (from the calendar invite), and the contents of what the attendee said during the meeting.

Our lawful basis for processing non-user Personal Data is the legitimate interest of the Runa user (and Runa's legitimate interest in providing the Service the user requested), balanced against the rights and freedoms of the non-user.

If you are a meeting attendee and you wish to:

  • Access the Personal Data Runa holds about you;

  • Correct inaccurate Personal Data;

  • Delete Personal Data; or

  • Object to further processing,

please contact admin@joinruna.com with details of the meeting (date, time, organizer, your role) so we can locate the relevant record. Because we typically hold non-user data only as part of a meeting record controlled by our user, we may need to refer you to that user or their organization, or coordinate with them, to give effect to your request. We will respond within the timelines required by applicable law.

We do not use non-user Personal Data for marketing, profiling, or any purpose other than providing the Services to the user who initiated the meeting.

11. How We Share Personal Data

We disclose Personal Data only as described below. We do not sell Personal Data, and we do not "share" Personal Data for cross-context behavioral advertising, as those terms are defined under California law.

Service Providers and Subprocessors

We engage service providers that process Personal Data on our behalf under written contracts that limit their use of the data to providing services to us. Categories include:

  • Cloud infrastructure: Google Cloud Platform (GCP) — hosting, storage, networking, key management.

  • Speech-to-text providers: e.g., AssemblyAI, Deepgram.

  • AI model providers: e.g., OpenAI, Anthropic.

  • Payment processing: Stripe, Inc.

  • Authentication: identity providers used for sign-in (e.g., Google, Microsoft).

  • Email and customer communications: transactional and marketing email providers.

  • Analytics and product telemetry: product analytics providers.

  • Error monitoring and observability: crash and error reporting providers.

  • Customer support tooling: ticketing and helpdesk providers.

  • Security and fraud prevention: anti-abuse and bot-detection providers.

Parties You Authorize, Access, or Authenticate

  • Your teammates and workspace members, where you choose to share a meeting, note, or agent output with them.

  • Connected services, where you have authorized Runa to read from or write to them (see Section 13).

  • Organizations through which you access Runa, such as your employer when you use Runa under an enterprise plan.

  • Social media and other third parties, where you choose to share Runa content externally.

Organizational Email Disclosure

Each Runa account is associated with a unique email address. If you used an email address provisioned by an individual or entity whose domain is affiliated with that entity (an "Organizational Email") to create a personal account that is not managed by that organization, the individual or entity that provisioned the Organizational Email may request, and we will disclose to them, the Organizational Email associated with your account. Runa will not transfer your other account information or its contents to the individual or entity that provisioned the Organizational Email without your consent.

Legal, Safety, and Compliance

We may disclose Personal Data when we believe in good faith that disclosure is necessary to:

  • Comply with applicable law, regulation, court order, subpoena, or other legal process;

  • Cooperate with law enforcement, regulators, or other public authorities;

  • Enforce our Terms or other agreements;

  • Investigate, prevent, or address fraud, security, or technical issues;

  • Protect the rights, property, or safety of Runa, our users, or others.

Where lawful, we will provide notice to the affected individual before disclosing Personal Data in response to a government request. We publish (or will publish) a Law Enforcement Guidelines document describing how we handle legal requests.

Corporate Transactions

If Runa is involved in a financing, reorganization, merger, acquisition, divestiture, or sale of assets, Personal Data may be transferred to the counterparty or successor, subject to the protections of this Policy or a comparable policy. We will provide notice before Personal Data becomes subject to a different policy.

Aggregated and De-Identified Data

We may share aggregated or De-Identified Data that does not identify any individual for any lawful business purpose.

12. Subprocessors

We maintain a current list of subprocessors (third parties that process Personal Data on our behalf to deliver the Services). The list is available on request at admin@joinruna.com. Enterprise customers may also receive the list and notice of new subprocessors under their DPA.

We require subprocessors to:

  • Process Personal Data only as instructed;

  • Maintain confidentiality;

  • Implement appropriate security measures;

  • Comply with applicable data protection law;

  • Permit audits and provide cooperation as required by our agreements;

  • For international transfers, sign and comply with Standard Contractual Clauses (or equivalent transfer mechanisms).

13. Third-Party Integrations and OAuth Scopes

You can connect third-party services to Runa using OAuth. When you do, Runa will request only the scopes needed to provide the features you have enabled. Examples:

  • Calendar (Google Calendar, Microsoft Outlook): read events and attendees to detect meetings, optionally write events.

  • Email (Gmail, Microsoft 365): read recent messages to provide context for follow-ups; send messages on your behalf when you approve a drafted email.

  • Video conferencing (Zoom, Google Meet, Microsoft Teams): join metadata only; no remote audio capture by a bot.

  • CRM and sales tools (Salesforce, HubSpot): read and write records you specify (e.g., create or update opportunities, contacts, notes) when you approve an action.

  • Communications tools (Slack): read and post messages in channels you authorize.

You can:

  • Review and modify Runa's permissions in your connected service's settings;

  • Revoke Runa's access at any time from your connected service;

  • Disconnect any integration in Runa at Settings → Integrations.

Google API Services User Data Policy and Limited Use Disclosure:

Runa’s use and transfer of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Runa uses Google Workspace API data only to provide and improve user-facing features that are prominent in the Runa application, such as calendar-based meeting detection, email-based follow-up drafting, and user-approved actions. Runa does not use Google Workspace API data for advertising, does not sell Google Workspace API data, and does not transfer Google Workspace API data except as necessary to provide or improve the Services, comply with law, or as otherwise permitted by the Google API Services User Data Policy.

Disconnecting an integration stops further data flow but does not delete data already pulled into Runa. To delete that data, delete the relevant meeting, note, or your account.

14. Cookies and Similar Technologies

Our Site and Services use cookies and similar technologies, including pixel tags, web beacons, clear GIFs, and JavaScript (collectively, "Cookies"). We use the following types:

  • Essential Cookies. Required to provide features and services you have requested (for example, to authenticate you). Disabling these may make the Services unavailable.

  • Functional Cookies. Record your choices and settings (for example, language or region) and recognize you on return.

  • Performance/Analytical Cookies. Help us understand how visitors use the Site and Services so we can improve them.

You can control Cookies through your browser settings. Most browsers allow you to block or delete Cookies, but doing so may affect functionality. We do not currently respond to browser "Do Not Track" signals. We honor Global Privacy Control (GPC) signals where required by law.

For more information about Cookies generally, see allaboutcookies.org or, if you are in the EU, ico.org.uk/for-the-public/online/cookies.

15. Analytics and Marketing

Analytics

We use product analytics and error-monitoring providers to understand how the Services are used and to identify and fix issues. These providers process Personal Data on our behalf and are prohibited from using it for their own purposes.

Marketing Communications

We may send marketing communications (newsletters, product updates, event invitations). You can opt out at any time by using the unsubscribe link in any such email or by contacting us. Opt-out does not affect transactional communications, which are required for the Services.

No Cross-Context Behavioral Advertising

We do not engage in cross-context behavioral advertising. We do not allow third-party advertising networks to collect Personal Data on the Site or in the Services to target ads based on your activity across unaffiliated services.

California "Shine the Light"

California Civil Code §§ 1798.83–1798.84 permits California residents to request information about Personal Data disclosed to third parties for the third parties' direct-marketing purposes. We do not knowingly make any such disclosures.

Financial Incentives

We do not currently offer financial incentives or price or service differences in exchange for the collection or sale of Personal Data.

16. Security and Infrastructure

We protect Personal Data using physical, technical, organizational, and administrative measures appropriate to the type of data and risk. Our practices include:

  • Hosting on Google Cloud Platform (GCP) in the United States. Our production environment runs in GCP regions in the U.S.

  • Encryption at rest using AES-256 with keys managed in Google Cloud Key Management Service (Cloud KMS). Enterprise customers may request Customer-Managed Encryption Keys (CMEK) where supported.

  • Encryption in transit using TLS 1.2 or higher.

  • Network isolation through Virtual Private Cloud (VPC) and VPC Service Controls.

  • Identity and Access Management (IAM) with least-privilege access; production access limited to a small number of authorized engineers, with logging and review.

  • Multi-factor authentication required for administrative access.

  • Audit logging through Google Cloud Audit Logs and application-level logs.

  • Vulnerability management including dependency scanning, patching, and periodic third-party penetration testing.

  • Secrets management through hardened secret stores.

  • Backups and disaster recovery with regular restore testing.

  • Vendor security review for material subprocessors.

  • Personnel security, including background checks where lawful, confidentiality obligations, and security training.

Security Incident Notification

If we become aware of a security incident affecting your Personal Data, we will notify you and applicable authorities as required by law, and provide information about the incident, the categories of data affected, the likely consequences, and the measures we have taken or propose to take. Notifications to enterprise customers are governed by the DPA.

Your Role

You can help protect your Personal Data by:

  • Using a strong, unique password and enabling multi-factor authentication;

  • Limiting access to your devices and accounts;

  • Signing out when you finish using the Services;

  • Carefully reviewing the data you share through connected services and the actions you approve from Runa's agent features.

No method of transmitting or storing data is completely secure. While we work to protect your Personal Data, we cannot guarantee absolute security.

17. International Data Transfers

The Services are hosted and operated in the United States. By using the Services, you acknowledge that Personal Data is transferred to, stored, and processed in the United States and may be processed in other countries where Runa or its subprocessors operate. Laws in the United States and other countries may differ from those in your country of residence.

Where required, we use lawful transfer mechanisms, including:

  • The European Commission's Standard Contractual Clauses (SCCs) for transfers from the EEA;

  • The UK International Data Transfer Addendum (UK Addendum) for transfers from the United Kingdom;

  • The Swiss Federal Data Protection and Information Commissioner-recognized SCCs for transfers from Switzerland;

together with supplementary technical, organizational, and contractual safeguards as required by the relevant authorities.

Where the U.S. and EU/UK/Swiss data privacy frameworks are applicable, Runa may rely on the relevant adequacy decisions and self-certifications. A copy of the transfer mechanism applicable to your data is available on request.

18. Data Retention and Deletion

We retain Personal Data only as long as necessary to provide the Services and to fulfill the purposes described in this Policy, unless a longer retention period is required or permitted by law. The criteria we use to determine retention include the purpose, the sensitivity of the data, applicable legal obligations, and the reasonable expectations of users.

Examples:

Category: Retention

  • Raw meeting audio: Processed on your device for transcription; not retained on Runa's servers post-transcript. If you enable "Save Audio," retained until you delete the meeting or your account.

  • Transcripts, summaries, notes, meeting memory: Retained for the life of your account or until you delete the meeting.

  • Profile and account data: Life of account, plus up to 3 years (e.g., to defend or bring legal claims, comply with tax/audit obligations).

  • Payment data: Up to 7 years for tax, audit, and accounting purposes.

  • Application telemetry, diagnostic logs: 12 to 24 months, then deleted or anonymized.

  • Security logs and audit logs: Up to 24 months, longer where required for investigation or legal hold.

  • Support tickets and communications: 3 years after resolution.

  • Marketing data: Until you opt out, plus a reasonable suppression period to honor your opt-out.

When you delete your account, we delete or anonymize your Personal Data within 30 days, except where retention is required by law (e.g., financial records) or necessary to defend or assert legal claims. Backups are overwritten or expired on a rolling basis under our backup retention schedule.

You may also request deletion of specific Personal Data — see Section 23.

19. Your Choices and Account Controls

Within the Runa application, you can:

  • Delete a meeting: open the meeting and select Delete meeting.

  • Delete your account: Settings → Profile → Delete Account.

  • Manage integrations: Settings → Integrations (connect, disconnect, manage scopes).

  • Opt out of model training on your De-Identified Data: Settings → Privacy → Model Training.

  • Pause or stop meeting capture at any time during a meeting.

  • Manage email preferences: unsubscribe from marketing emails using the link in any such email, or contact us.

  • Manage Cookies: use your browser settings.

You can also exercise the rights described in Sections 21 and 22 by submitting a request as described in Section 23.

20. Children's Privacy

Our Services are not directed to children. We do not knowingly collect Personal Data from children under 16. If you are under 16, do not use the Services or send us any Personal Data. If we learn that we have collected Personal Data from a child under 16, we will delete that information as quickly as possible. If you believe a child under 16 may have provided Personal Data to us, please contact admin@joinruna.com.

We comply with the U.S. Children's Online Privacy Protection Act ("COPPA") where applicable, and with the GDPR's specific protections for children where applicable.

21. U.S. State Privacy Rights

This section describes your rights under U.S. state privacy laws. To exercise these rights, see Section 23. We will not discriminate against you for exercising any of these rights.

California (CCPA/CPRA)

If you are a California resident, you have the right to:

  • Know the categories and specific pieces of Personal Data we have collected about you, the categories of sources, the business or commercial purposes for collecting, and the categories of third parties with whom we share Personal Data. The disclosures in Sections 3, 4, 5, and 11 apply to the 12 months preceding the effective date of this Policy.

  • Delete Personal Data we have collected from you, subject to permitted exceptions.

  • Correct inaccurate Personal Data.

  • Opt out of the "sale" or "sharing" of Personal Data. We do not sell or share Personal Data as those terms are defined under the CCPA.

  • Limit the use and disclosure of Sensitive Personal Information to permitted business purposes. We do not use Sensitive Personal Information to infer characteristics about you (see Section 3).

  • Receive a copy of your Personal Data in a portable, machine-readable format, where technically feasible.

  • Non-discrimination for exercising any of these rights.

We honor Global Privacy Control (GPC) signals where required.

Categories of Personal Data we collected in the past 12 months. The categories in Section 3.

Categories of Personal Data we "sold" or "shared" in the past 12 months. None.

Categories of Personal Data we disclosed for a business purpose in the past 12 months. The categories in Section 3, disclosed to the categories of recipients in Section 11.

Nevada

Nevada residents have the right to direct us not to sell certain Personal Data. We do not currently sell Personal Data as defined in Nevada Revised Statutes Chapter 603A.

Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Delaware, New Hampshire, New Jersey, Minnesota, Maryland, Rhode Island, Indiana, Kentucky, Tennessee

If you are a resident of one of these states, you may have rights to:

  • Confirm whether we are processing your Personal Data and access that data;

  • Correct inaccurate Personal Data;

  • Delete Personal Data;

  • Receive a portable copy of Personal Data;

  • Opt out of the sale of Personal Data, targeted advertising, and certain profiling. We do not sell Personal Data and do not engage in targeted advertising or profiling that produces legal or similarly significant effects.

Your specific rights and the categories of data covered depend on your state's law. We honor recognized universal opt-out mechanisms (such as Global Privacy Control) where required.

You may have a right to appeal our decision on a request — see Section 23.

Illinois (BIPA), Texas (CUBI), and Washington Biometric Laws

As described in Section 8, Runa does not collect, store, or use biometric identifiers or biometric information.

Washington My Health My Data Act

We do not knowingly collect "consumer health data" as defined under the Washington My Health My Data Act. If consumer health data incidentally appears in a transcript, we treat it under the safeguards described in this Policy and do not use it for any secondary purpose.

22. European, UK, Swiss, and Other International Privacy Rights

If you are in the EEA, UK, Switzerland, Liechtenstein, Norway, or Iceland, this section applies. If you are in Brazil, references to the GDPR are read as the analogous provisions of the LGPD.

Controller and Representative

Runa Labs Inc. is the controller of Personal Data processed in connection with the direct Services. Where Runa acts as a processor for an enterprise customer, the customer is the controller and Runa processes Personal Data under the DPA.

Runa will appoint an EU representative under Article 27 GDPR and a UK representative under Article 27 UK GDPR where required by law; current contact details are available on request at admin@joinruna.com.

Lawful Bases for Processing

We rely on the following lawful bases under Article 6 GDPR:

  • Performance of a contract (Article 6(1)(b)) — to provide the Services to you under our Terms. Applies to Profile or Contact Data, Payment Data, Professional or Employment-Related Data, Calendar and Meeting Metadata, Recordings and Transcripts, Meeting Memory and Cross-Meeting Context, Agent Action Data, Workspace and Sharing Data, Integration Data, and Other Identifying Information You Voluntarily Provide. Failure to provide this data may make some or all of the Services unavailable.

  • Legitimate interests (Article 6(1)(f)) — to operate and improve the Services, secure our systems, prevent fraud, market the Services to business contacts, respond to inquiries, complete corporate transactions, and create De-Identified Data. Applies to Device/IP Data, Web Analytics and Application Telemetry, and (in addition to contractual necessity) several of the categories listed above. Our legitimate interest assessment balances these interests against your rights and freedoms; you can object to processing on this basis (see below).

  • Consent (Article 6(1)(a)) — for certain optional features (for example, model training on De-Identified Data, where required by local law, and certain marketing communications). You may withdraw consent at any time, without affecting the lawfulness of processing prior to withdrawal.

  • Legal obligation (Article 6(1)(c)) — to comply with applicable law and respond to lawful requests.

  • Vital interests (Article 6(1)(d)) — in rare cases, to protect a person's life.

Where we process special categories of Personal Data (Article 9 GDPR) that incidentally appear in a transcript or note, we rely on your explicit consent or another permitted basis under Article 9(2). We do not seek out, infer, or use special categories of data.

Your Rights

You have the right to:

  • Access Personal Data we hold about you and obtain a copy.

  • Rectify inaccurate or incomplete Personal Data. Note that transcripts cannot be modified after creation, but you can edit summaries and notes generated from them.

  • Erase Personal Data ("right to be forgotten"). See Section 19.

  • Restrict processing in certain circumstances.

  • Object to processing based on legitimate interests, including for direct marketing (an absolute right for marketing).

  • Portability — receive Personal Data in a structured, commonly used, machine-readable format, and transmit it to another controller where technically feasible.

  • Withdraw consent at any time, where processing is based on consent.

  • Not be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects (Article 22 GDPR). Runa does not make such decisions; see Section 7.

  • Lodge a complaint with your local supervisory authority. A list of EU supervisory authorities is available at edpb.europa.eu/about-edpb/board/members_en. In the UK, contact the Information Commissioner's Office at ico.org.uk. In Switzerland, contact the Federal Data Protection and Information Commissioner at edoeb.admin.ch.

International Transfers

See Section 17 for transfer mechanisms.

Source of Personal Data Not Collected From You

For non-user attendees, Personal Data is collected from the meeting organizer's calendar and from audio captured by the Runa user. See Section 10.

23. Submitting a Request, Authorized Agents, Verification, and Appeals

How to Submit a Request

To exercise any of the rights in this Policy, email admin@joinruna.com with the subject line "Privacy Request: [nature of request]." Include enough information for us to verify your identity, identify the records at issue, and respond — typically your name, the email address associated with your account or the meeting, the nature of the request, and any relevant dates or context.

You may also submit a request through any in-product privacy controls we offer (for example, account deletion at Settings → Profile → Delete Account).

Verification

We will take reasonable steps to verify your identity before responding to a request, proportionate to the sensitivity of the data and the risk of harm from unauthorized access. We may match information you provide against information we already hold, or ask you to authenticate to your Runa account. We will not use information you provide for verification for any other purpose.

If we cannot verify your identity, we will tell you and explain what additional information we need. If we still cannot verify, we may deny the request and you may appeal.

Authorized Agents

You may designate an authorized agent to submit a request on your behalf. We will require:

  • Written permission from you authorizing the agent to act on your behalf; and

  • Verification of your identity directly with us (in addition to the agent's identity), except where the agent provides a valid power of attorney under applicable law.

Response Timing

We will respond within the timelines required by applicable law (typically 45 days for U.S. state requests, with a possible 45-day extension; and 30 days for GDPR requests, extendable by up to 60 days for complex or numerous requests).

Appeals

If we deny your request in whole or in part, you may appeal by replying to our response with the subject line "Privacy Appeal: [original request reference]." We will review and respond within 60 days (or the period required by applicable law). If we deny the appeal, we will tell you why and inform you of your right to contact the applicable supervisory authority or attorney general.

Where We Are a Processor

If we hold your Personal Data on behalf of an enterprise customer, please direct your request to that customer (the controller). If you submit your request to us, we will, where reasonable, refer you to the controller and notify the controller of your request.

24. Changes to This Policy

We may update this Policy from time to time. The "Effective date" and "Last updated" at the top reflect the latest version. We will notify you of material changes by:

  • Posting the updated Policy at this URL;

  • Sending an email to the address associated with your account; or

  • Providing a notice through the Runa application.

If you continue to use the Services after the effective date of the updated Policy, you agree to be bound by it. If you do not agree, you must stop using the Services and may exercise your rights as described in Sections 19, 21, 22, and 23.

25. Contact

If you have questions about this Privacy Policy or our privacy practices, contact us at:

Runa Labs Inc.
Attn: Privacy
Email: admin@joinruna.com

EEA, UK, and Swiss residents may also lodge a complaint with their local supervisory authority. Contact details for our EU/UK Article 27 representative are available on request.