runAgents — Privacy Policy
Effective Date: 20 February 2026 · Last Updated: 20 February 2026
© 2026 runAgents. All rights reserved.
Your privacy matters to us — but so does clarity. This Privacy Policy explains exactly what data we collect, why we collect it, how we use it, and what we don't do with it.
We follow a strict data minimization approach: we collect only what is necessary to provide and improve the Service, retain it for the shortest period required, and do not sell, share, or monetize your data.
This Policy applies to all users of the runAgents platform ("Platform," "Service," "we," "us," "our"). By using runAgents, you consent to this Privacy Policy.
runAgents is operated under the laws of India, including the Information Technology Act, 2000 (as amended), the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and the Digital Personal Data Protection Act, 2023 ("DPDPA").
1. Our Role — Data Controller vs. Data Processor
| Scenario | Our Role | What This Means |
|---|---|---|
| Your account data (email, name, billing) | Data Controller | We decide how this data is processed. |
| Data your agents process (agent inputs, outputs, third-party data) | Neither Controller nor Processor | This data flows between your agents and third-party services. We do not control, inspect, or take responsibility for it. See Section 6. |
| Platform usage data (logs, analytics) | Data Controller | We collect minimal usage data to run and improve the Service. |
| Agent activity logs (monitoring/debugging) | Data Processor | We store this temporarily on your behalf for operational monitoring and debugging purposes. |
2. What We Collect
We collect the minimum data necessary to operate the Service. Here is exactly what we collect and why:
2.1 Account Information (Required)
| Data | Why We Need It |
|---|---|
| Email address | Account creation, login, communications |
| Name | Display in dashboard and team features |
| Password (hashed) | Authentication — we never store plaintext passwords |
| Organisation name (if applicable) | Team workspace identification |
2.2 Billing Information (Required for Paid Plans)
| Data | Why We Need It |
|---|---|
| Payment method details | Processed by our third-party payment provider (Stripe). We do not store your full card number, CVV, or bank details on our servers. |
| Billing address | Tax compliance and invoicing |
| Transaction history | Billing records and dispute resolution |
2.3 Agent Configuration Data (Required for Service)
| Data | Why We Need It |
|---|---|
| Agent settings, schedules, prompts | To deploy and run your agents as configured |
| API keys and credentials you provide | To connect your agents to third-party services. Encrypted at rest using AES-256 encryption. |
| Agent activity metadata | Timestamps, API call counts, error codes, status — for monitoring dashboard |
2.4 Platform Usage Data (Minimal, for Service Improvement)
| Data | Why We Need It |
|---|---|
| Pages visited within the Platform | Understand which features are used to improve the product |
| Feature usage patterns | Product improvement |
| Error logs and crash reports | Bug fixing and stability |
| Browser type and OS (general) | Compatibility and debugging |
What we do NOT collect: IP-based geolocation, device fingerprinting, advertising IDs, browsing history outside our platform, or any data from your device beyond what is listed above.
3. What We Do NOT Collect
To be explicit:
- We do not read the content of your agent conversations or LLM responses.
- We do not inspect data transmitted between your agents and third-party services.
- We do not collect personal data of your end-users or customers through your agents.
- We do not use cookies for advertising or cross-site tracking.
- We do not collect biometric data, health data, or government identifiers.
- We do not use third-party analytics tools that track users across the web (no Google Analytics, no Facebook Pixel, no tracking pixels).
- We do not sell, rent, share, or trade your personal data with any third party for marketing, advertising, or data brokerage purposes. Ever.
4. How We Use Your Data
We use your data solely for the following purposes:
| Purpose | Legal Basis |
|---|---|
| Providing the Service (deploying agents, dashboard, monitoring) | Contract performance |
| Processing payments and billing | Contract performance |
| Sending service-critical communications (downtime, security alerts, billing) | Legitimate interest |
| Fixing bugs and improving the Platform | Legitimate interest |
| Responding to support requests | Contract performance |
| Complying with legal obligations (tax records, law enforcement requests) | Legal obligation |
| Protecting our Platform from abuse and fraud | Legitimate interest |
We do NOT use your data for:
- Training AI models
- Advertising or marketing to third parties
- Profiling or automated decision-making
- Selling or sharing with data brokers
- Any purpose not listed above
5. Data Storage & Security
5.1 Where We Store Data
Your data is stored on cloud infrastructure located in India. We may use globally distributed infrastructure for reliability, but primary storage is within India.
5.2 How We Protect Data
| Measure | Details |
|---|---|
| Encryption in transit | TLS 1.2+ for all data in transit |
| Encryption at rest | AES-256 encryption for all stored data |
| API key encryption | AES-256 with per-instance key derivation for stored credentials |
| Access controls | Role-based access, principle of least privilege for our team |
| Authentication | Hashed passwords (bcrypt), optional 2FA |
| Infrastructure | Hosted on reputable cloud providers with SOC 2 / ISO 27001 certifications |
| Monitoring | Automated alerting for unauthorised access attempts |
5.3 Security Limitations
No security system is 100% secure. While we implement industry-standard security measures, we cannot guarantee absolute security. We are not liable for breaches caused by:
- Vulnerabilities in third-party infrastructure, software, or services.
- Security flaws, bugs, or vulnerabilities in the OpenClaw open-source codebase — whether present at deployment or introduced through community updates.
- Your failure to maintain secure credentials, API keys, or access controls.
- Agent actions that expose or transmit data to third-party services.
- Prompt injection, jailbreaking, or other attacks on AI agents.
- Agents being hacked, exploited, or compromised through any means.
- Agent misconfiguration by you or your team members.
- Zero-day vulnerabilities or advanced persistent threats.
- Your team members' actions or negligence.
6. Agent Data Flows — Critical Section
6.1 Data Your Agents Handle Is Not Our Responsibility
This is the most important section of this Privacy Policy regarding data. When you deploy an AI agent through runAgents, that agent may process, transmit, receive, and store data through various third-party services (LLM providers, APIs, databases, communication platforms, etc.).
This data is NOT covered by this Privacy Policy once it leaves our infrastructure. Specifically:
- Data sent by your agent to an LLM provider (Anthropic, OpenAI, Google, etc.) is governed by that provider's privacy policy and data handling practices.
- Data sent by your agent to any third-party API, service, or platform is governed by that service's terms and privacy policy.
- We do not control, inspect, filter, or monitor the data that flows between your agents and third-party services.
- We do not know what data your agents access, process, or transmit unless it is captured in our activity logs and monitoring tools.
- We bear no responsibility for data leaks, breaches, or misuse that occurs through agent interactions with third-party services.
6.2 Your Responsibility
You are solely responsible for:
- Understanding the data handling practices of every third-party service your agents connect to.
- Ensuring your agents do not transmit sensitive, personal, or confidential data to services that do not provide adequate protection.
- Configuring your agents to minimize data exposure (e.g., not passing unnecessary context to LLM prompts).
- Obtaining any necessary consents from data subjects whose data may be processed by your agents.
- Complying with all applicable data protection laws (DPDPA, GDPR, CCPA, etc.) with respect to data your agents process.
6.3 LLM Provider Data Warning
Be aware: Most LLM providers may log, store, and in some cases use data sent to their APIs. Some providers use API data for model training unless you have opted out or have a specific enterprise agreement. runAgents has no control over this. If you are processing sensitive data through AI agents, you should have direct agreements with your LLM providers regarding data handling.
7. Data Retention
We retain data for the minimum period necessary:
| Data Type | Retention Period | After Expiry |
|---|---|---|
| Account information | Duration of account + 30 days | Permanently deleted |
| Agent configuration data | Duration of account + 30 days | Permanently deleted |
| Agent activity logs/metadata | 90 days rolling | Automatically purged |
| Billing/transaction records | 7 years (legal requirement under Indian tax law) | Securely archived, then deleted |
| Support correspondence | 1 year after resolution | Permanently deleted |
| Error logs | 30 days | Automatically purged |
Upon account deletion:
- All agent configurations and activity logs are deleted within 30 days.
- Billing records are retained for the legally required period only.
- We do not retain any backup copies of your data beyond the retention periods listed above.
- API keys and stored credentials are immediately and permanently deleted upon account deletion or credential removal.
8. Data Sharing
We share your data only in these limited circumstances:
| Recipient | What | Why |
|---|---|---|
| Payment processor (Stripe) | Billing data | To process payments |
| Cloud infrastructure provider | Encrypted platform data | To host the Service |
| Email service provider | Email address | To send service-critical communications only |
| Law enforcement / regulators | As required by law | Only in response to valid legal process (court orders, subpoenas). We will notify you unless legally prohibited. |
That's it.
We do not share data with: advertisers, data brokers, analytics companies, marketing platforms, or any other third party not listed above.
8.1 Sub-Processors
We maintain a list of sub-processors (third-party services that process data on our behalf). Our current sub-processors are:
| Sub-Processor | Purpose | Data Processed |
|---|---|---|
| Cloud hosting provider | Platform infrastructure | All platform data (encrypted) |
| Stripe | Payment processing | Billing data |
| Transactional email provider | Service emails | Email addresses |
We will update this list if sub-processors change and will make reasonable efforts to notify users.
9. Cookies
We use only essential cookies required for the Platform to function:
| Cookie | Purpose | Duration |
|---|---|---|
| Session cookie | Keeps you logged in | Session (expires on browser close) |
| Authentication token | Secure authentication | 30 days or until logout |
| CSRF token | Security — prevents cross-site request forgery | Session |
We do NOT use:
- Advertising cookies
- Third-party tracking cookies
- Analytics cookies
- Social media cookies
- Any cookie not listed above
10. Your Rights
Depending on your jurisdiction, you may have the following rights:
| Right | Description | How to Exercise |
|---|---|---|
| Access | Request a copy of data we hold about you | Email support@runagents.co |
| Correction | Request correction of inaccurate data | Account settings or email support |
| Deletion | Request deletion of your data | Account settings or email support |
| Data Portability | Request your data in a machine-readable format | Email support@runagents.co |
| Withdraw Consent | Withdraw consent for non-essential processing | Email support@runagents.co |
| Objection | Object to processing based on legitimate interest | Email support@runagents.co |
| Nomination | Nominate another person to exercise rights on your behalf (DPDPA) | Email support@runagents.co |
We will respond to all rights requests within 30 days. In complex cases, we may extend this by an additional 30 days with notice.
Important: We cannot fulfil requests to delete or retrieve data that your agents have transmitted to third-party services — that data is outside our control. Contact the third-party service directly.
11. Data Breach Response
11.1 Our Commitment
In the event of a data breach affecting your personal data:
- We will notify affected users within 72 hours of confirming the breach.
- We will notify the Data Protection Board of India as required under the DPDPA.
- We will provide details of: what data was affected, what we are doing about it, and what you should do (e.g., rotate credentials).
- We will take immediate steps to contain the breach and prevent further exposure.
11.2 Limitations
We can only report on breaches that occur within our infrastructure. If your agent transmits data to a third-party service and that service is breached, it is that service's responsibility to notify you — not ours. We have no visibility into third-party breaches.
Similarly, if an agent leaks data through its own actions (e.g., sending credentials in an LLM prompt, transmitting sensitive data to an unintended endpoint), this is an agent behaviour issue — not a platform breach. You are responsible for monitoring and controlling agent behaviour.
Additionally, if a data leak or security incident results from a vulnerability in the OpenClaw open-source codebase, this is an OpenClaw issue — not a runAgents platform breach. OpenClaw is community-developed software that runAgents does not audit, maintain, or patch. See our Terms & Conditions Section 11A for full details.
12. Children's Privacy
runAgents is not intended for individuals under 18 years of age. We do not knowingly collect data from minors. If we discover that we have collected data from a minor, we will delete it promptly.
13. International Data Transfers
If your data is transferred outside India (e.g., due to cloud infrastructure distribution), we ensure that adequate safeguards are in place, including:
- Encryption of data in transit and at rest.
- Contractual obligations with service providers.
- Compliance with DPDPA requirements for cross-border transfers.
You consent to such transfers by using the Platform.
14. Changes to This Policy
We may update this Privacy Policy from time to time. When we do:
- We will update the "Last Updated" date.
- We will notify you by email or via the Platform dashboard.
- Material changes will be highlighted.
Your continued use of the Platform after changes take effect constitutes acceptance. If you disagree, stop using the Platform and delete your account.
15. Grievance Redressal
In accordance with the Information Technology Act, 2000 and the DPDPA, 2023, all privacy-related grievances, complaints, and concerns can be directed to:
Email: privacy@runagents.co
Response Time: We will acknowledge complaints within 24 hours and resolve them within 30 days.
A dedicated Grievance Officer will be appointed and details will be updated on this page. Until such appointment, all grievances will be handled through the email address above.
If you are not satisfied with our response, you may file a complaint with the Data Protection Board of India.
16. Contact Us
For any privacy-related questions or requests:
Privacy & Grievances: privacy@runagents.co
General Support: support@runagents.co
We will respond to all queries within 5 business days.
By using runAgents, you acknowledge that you have read, understood, and agreed to this Privacy Policy.