GDPR Compliance

Our commitment to data protection

Version 1.0 | Last Updated: January 2026 | Classification: Public

1. Introduction

This GDPR Compliance Statement outlines how RUNO Legal Technology Limited ("RUNO") complies with the General Data Protection Regulation (EU) 2016/679 ("EU GDPR") and the UK General Data Protection Regulation ("UK GDPR").

RUNO is committed to protecting personal data and upholding the rights of data subjects. We have implemented comprehensive technical and organisational measures to ensure GDPR compliance across our legal intelligence platform.

2. Our Role Under GDPR

2.1 Data Controller Activities

RUNO acts as a Data Controller for:

  • User account information (name, email, credentials)
  • Platform usage data and analytics
  • Customer relationship management data
  • Marketing and communication preferences

2.2 Data Processor Activities

RUNO acts as a Data Processor for:

  • Documents and contracts uploaded by clients
  • Client matter and case information
  • Legal research and analysis performed on behalf of clients
  • Any personal data contained within client content

3. Lawful Basis for Processing

3.1 Controller Processing

Processing Activity      | Lawful Basis         | GDPR Article
Account management       | Contract performance | Art. 6(1)(b)
Service provision        | Contract performance | Art. 6(1)(b)
Security monitoring      | Legitimate interest  | Art. 6(1)(f)
Fraud prevention         | Legitimate interest  | Art. 6(1)(f)
Legal compliance         | Legal obligation     | Art. 6(1)(c)
Marketing communications | Consent              | Art. 6(1)(a)
Analytics (anonymised)   | Legitimate interest  | Art. 6(1)(f)

4. Data Subject Rights Implementation

RUNO has implemented automated and manual processes to fulfil all data subject rights under GDPR:

Article 15

Right to Access

Self-service data export via account settings, automated DSAR portal, response within 30 days

Article 16

Right to Rectification

Self-service profile editing, support ticket for complex corrections

Article 17

Right to Erasure

Automated deletion request portal, 30-day execution, deletion certificate

Article 18

Right to Restriction

Processing pause capability, data retained but not processed

Article 20

Right to Portability

Export in JSON format, direct download or secure transfer

Article 21

Right to Object

One-click unsubscribe, objection logging for legitimate interest

4.7 Automated Decision-Making (Article 22)

Status: RUNO does not make solely automated decisions with legal or significant effects.

  • AI assists with document analysis and contract generation
  • All AI outputs are presented as suggestions
  • Human review and approval required for final decisions
  • Users can request human review at any time

5. Data Protection by Design and Default

5.1 Privacy by Design

Data Minimisation

Collect only necessary data for service provision

Purpose Limitation

Clear purpose definition for all data processing

Storage Limitation

Automated retention enforcement

Accuracy

Validation controls, user correction capability

Integrity & Confidentiality

Encryption, access controls, audit logging

5.2 Privacy by Default

  • Minimum data collection by default
  • Privacy-preserving settings as default
  • Marketing opt-in (not opt-out)
  • Strictest privacy settings for new accounts

6. Security Measures (Article 32)

6.1 Technical Measures

Measure               | Implementation
Encryption at Rest    | AES-256-GCM with per-tenant keys
Encryption in Transit | TLS 1.2+ with HSTS
Access Control        | Role-based, multi-factor authentication
Authentication        | JWT tokens, bcrypt password hashing
Tenant Isolation      | Strict logical separation

6.2 Organisational Measures

Measure           | Implementation
Staff Training    | Annual GDPR and security training
Access Reviews    | Quarterly access certification
Vendor Management | DPAs with all sub-processors
Incident Response | Documented breach procedures
Audit Logging     | 7-year retention

7. Data Breach Notification (Articles 33-34)

7.2 Breach Response Timeline

Action                               | Timeline
Internal notification                | Immediate upon detection
Initial assessment                   | Within 4 hours
Supervisory authority notification   | Within 72 hours (if required)
Data subject notification            | Without undue delay (if high risk)
Client notification (processor role) | Within 24 hours
Post-incident review                 | Within 14 days

8. International Data Transfers (Chapter V)

8.1 Transfer Mechanisms

Adequacy Decisions

Transfers within EU/EEA, UK, and adequate countries

Standard Contractual Clauses

Transfers to USA and other non-adequate countries

Supplementary Measures

Additional technical protections where required

8.2 Current Transfer Locations

Data Type                  | Location     | Legal Basis
Primary Application Data   | EU (Ireland) | Adequacy
Database Backups           | EU (Germany) | Adequacy
AI Processing (Anthropic)  | USA          | SCCs + Supplementary Measures
Email Delivery (SendGrid)  | USA          | SCCs

11. Data Protection Officer (Articles 37-39)

11.1 DPO Contact

RUNO has appointed a Data Protection Officer:

Email: dpo@runo.legal

DPO Responsibilities

  • Informing and advising on GDPR obligations
  • Monitoring compliance with GDPR
  • Advising on DPIAs
  • Cooperating with supervisory authority
  • Acting as contact point for data subjects

16. Supervisory Authority

UK Supervisory Authority

Information Commissioner's Office (ICO)

  • Website: ico.org.uk
  • Phone: 0303 123 1113
  • Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

EU Lead Supervisory Authority

To be determined based on main establishment in EU.

17. Contact Information

Data Protection Officer

dpo@runo.legal

Privacy Enquiries

privacy@runo.legal

Data Subject Requests

dsar@runo.legal

18. Document Control

Version | Date         | Author | Changes
1.0     | January 2026 | DPO    | Initial release

Next Review: July 2026

This GDPR Compliance Statement demonstrates RUNO's commitment to data protection and is provided for informational purposes. For specific legal advice, please consult qualified legal counsel.