Rundunrundun

Legal

Privacy Policy

Effective May 24, 2025

Elmeris LLC (“Rundun”, “we”, “us”, or “our”) operates the Rundun platform at rundun.app and the associated mobile application. This policy explains what personal data we collect, why we collect it, how we use and protect it, and what rights you have over your data.

By using Rundun you agree to this policy. If you do not agree, please stop using the service and contact us to delete your account.

1. Who we are

The data controller is Elmeris LLC, a Wyoming limited liability company. You can reach us at privacy@rundun.app.

2. Data we collect

Account data

We use OAuth-only sign-in (Google, Microsoft, or Apple). When you authenticate we receive your name, email address, and profile photo URL from the identity provider. We store these to identify your account and communicate with you.

Run data

When a run is executed, we store every answer provided — text, numbers, selections, and signatures. If a step has GPS enabled and the person completing the run grants location permission, we store the GPS coordinates for that step. Run answers are associated with your organisation.

Photos

Photos captured during a run are uploaded to Rundun's servers and stored for the duration of your account. Photos are associated with the run and step they were captured on. We do not analyse, index, or share photos beyond making them available to your organisation's owners and admins.

Usage data

We collect standard server logs — IP address, browser or app version, pages visited, timestamps, and error reports — to operate, debug, and improve the service. Logs are retained for 30 days.

Billing data

Payments are processed by our payment processor, which acts as the merchant of record. We do not store your full card number or bank details. We store billing contact information (entity name and address) and a record of transactions for your account history.

3. How we use your data

  • Providing, operating, and improving the Rundun service
  • Authenticating you and securing your account
  • Delivering run assignments and completion notifications
  • Processing payments and managing subscriptions
  • Sending transactional emails (run invites, billing receipts, account notices)
  • Responding to support requests
  • Meeting legal obligations

We do not use your data for advertising. We do not sell your data to third parties.

4. Data sharing

We share data only as necessary to operate the service:

  • Payment processor — billing data is shared with our payment processor to handle subscriptions and pay-as-you-go purchases. Their privacy policy governs their use of your data.
  • Cloud infrastructure — data is stored and processed on cloud servers operated by our infrastructure providers under data processing agreements. Servers are located in the United States.
  • Email delivery — your email address is passed to our transactional email provider to deliver notifications you have requested.
  • Legal requirements — we may disclose data when required by law, court order, or to protect our legal rights.

When a checklist is sent to you via a run link, the organisation that sent it can see your answers and photos. This is core to how the product works.

5. Data retention

Account data and run records are retained for as long as your account is active. If you delete your account, your personal data is deleted within 30 days and photos within 90 days. Billing records are retained for 7 years as required by tax law. Anonymised, aggregated usage statistics may be retained indefinitely.

Organisations that are deleted follow the same schedule — all run data and photos are deleted within 90 days of deletion.

6. Your rights

Depending on your location, you may have rights under GDPR, CCPA, or other applicable privacy laws, including:

  • Access — request a copy of the personal data we hold about you
  • Rectification — ask us to correct inaccurate data
  • Deletion — ask us to delete your personal data
  • Portability — export your run data at any time from your account settings
  • Objection — object to processing based on legitimate interests

To exercise any of these rights, email privacy@rundun.app. We will respond within 30 days.

7. Cookies

We use a single session cookie to keep you signed in. We do not use advertising cookies, tracking pixels, or cross-site analytics. No cookie consent banner is shown because we do not use cookies for any purpose other than authentication.

8. Security

All data is encrypted in transit using TLS. Photos and run data are encrypted at rest. We enforce authentication on every API endpoint. Access to production data is restricted to authorised personnel.

No system is perfectly secure. If you discover a security vulnerability, please report it to security@rundun.app rather than disclosing it publicly.

9. Children

Rundun is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe we have done so inadvertently, contact us and we will delete the data promptly.

10. International transfers

Elmeris LLC is based in the United States. If you use Rundun from outside the United States, your data is transferred to and processed in the United States. By using the service you consent to this transfer. We take steps to ensure your data is handled with appropriate safeguards.

11. Changes to this policy

We may update this policy from time to time. If we make material changes we will notify you by email and update the effective date above. Continued use of the service after the effective date constitutes acceptance of the revised policy.

12. Contact

Questions about this policy? privacy@rundun.app

Elmeris LLC · 30 N Gould St Ste R · Sheridan, WY 82801 · United States