Skip to main content
PRIVACY POLICY

Privacy Policy

Last updated: 2026-04-20

TL;DR
  • We collect only what we need to operate the service: account info, request metadata, billing data.
  • We do NOT log request or response content by default. Content logging is opt-in per-policy.
  • We use standard sub-processors (Railway, Stripe, Resend, Cloudflare). Full list below.
  • GDPR + CCPA rights: access, deletion, portability, opt-out. Contact [email protected].
  • Data retention by tier: 30 days Free, 90 days Pro, 1 year Growth, custom Enterprise.

1. Scope

This policy explains how Rungate, a service operated by Vector Apps, Inc. (“Vector Apps,” “we,” “us”), collects, uses, and protects data when you use the Rungate website, dashboard, CLI, or API. It applies to the managed cloud. Self-hosted deployments run on your infrastructure; Rungate does not collect data from self-hosted instances. Vector Apps, Inc. is the data controller for personal data collected through the managed cloud.

2. What we collect

Account information

Email address, name (optional), organization name, role. Provided by you at registration.

Billing data

Processed by Stripe. We store customer ID, subscription status, and invoice history. We do not store card numbers.

Request metadata

For every agent request through Rungate, we record: timestamp, agent ID, run ID, policy applied, model, token counts, cost, latency, outcome, tool/function names, IP address (of the requesting client), and error codes. This metadata powers analytics, billing, and audit.

Request / response content

We do not log request or response content by default. Policy-level content logging exists as an opt-in setting. When enabled, the content is encrypted at rest and subject to the same retention window as other data. Redaction is applied at the logging boundary for common sensitive patterns.

Product analytics

Standard web analytics on this marketing site (page views, referrer, device type). No cross-site tracking. We do not use advertising cookies.

Communications

If you email us, we retain the correspondence as needed to respond and for our records.

3. How we use it

We process personal data for these purposes, under the GDPR legal bases listed:

  • Operate the service (contract)
  • Bill and collect payments (contract)
  • Detect abuse and secure the service (legitimate interests)
  • Respond to support requests (contract)
  • Send transactional email (contract)
  • Improve the product via aggregated analytics (legitimate interests)
  • Comply with legal obligations (legal obligation)

We do not sell personal information. We do not use personal data to train machine-learning models.

4. How we share it

We share data only with sub-processors listed below (for service operation), with LLM providers you explicitly configure (when your agent requests go through them), with law enforcement when legally compelled, and in aggregated/anonymized form for research and product analytics.

5. Sub-processors

The managed cloud uses these sub-processors:

Vendor Purpose Region
RailwayApplication hosting, databasesUS
CloudflareCDN, edge functions, R2 backupsGlobal
StripePayment processingUS
ResendTransactional emailUS / EU
GitHubSource code hostingUS
Uptime RobotAvailability monitoringGlobal

We maintain Data Processing Agreements with each sub-processor. Enterprise customers can request a DPA with Rungate covering this sub-processor chain.

6. Retention

Operational data is retained according to your tier:

  • Free: 30 days of run history, then purged.
  • Pro: 90 days of run history.
  • Growth: 1 year of run history.
  • Enterprise: Custom, up to 1 year of run history.

Account metadata is retained for the life of the account plus 60 days after closure. Billing records are retained separately for 7 years in a restricted-access data store, as required by tax law. Audit logs for platform admin actions are retained for 3 years minimum.

7. Your rights

Under GDPR, CCPA, and similar laws, you may:

  • Access the personal data we hold about you
  • Rectify inaccurate data
  • Delete your account and data (“right to be forgotten”)
  • Port your data in a machine-readable format
  • Restrict processing in certain cases
  • Object to processing under legitimate interests
  • Opt out of any sale of personal information (we do not sell)
  • Withdraw consent where processing is consent-based
  • Lodge a complaint with your local data protection authority

Email [email protected] to exercise any of these rights. We’ll respond within 30 days.

8. Cookies

The dashboard uses a single session cookie (HTTP-only, __Host--prefixed in production, 7-day expiry) for authenticated sessions. The marketing site uses no cookies by default; if analytics is enabled, we’ll update this section with details. We do not use advertising or tracking cookies.

9. International transfers

Sub-processors may process data in jurisdictions outside your own. Transfers out of the EEA/UK rely on Standard Contractual Clauses (SCCs) where applicable. Enterprise customers can request EU-only data residency as part of a custom deployment.

10. Children

Rungate is intended for professional use and is not directed at children under 18. We do not knowingly collect data from children.

11. Policy changes

Material changes will be announced via email to account owners and posted on this page with a new “Last updated” date at least 30 days before they take effect. The changelog of every revision is available via the Git history of this file.

12. Contact

Data controller: Vector Apps, Inc.