Document Format Options
You are viewing the interactive web version of this document. For a traditional legal document format suitable for records, printing, or legal review, use the options below.
Privacy Policy
Effective Date: January 2026 | Version 1.0
1. Introduction
RUNO Legal Technology Limited ("RUNO", "we", "us", or "our") is committed to protecting your privacy and handling your personal data transparently. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our legal intelligence platform and services.
RUNO acts as a data processor when processing data on behalf of our clients (law firms, corporate legal departments, and businesses) and as a data controller for data we collect directly from users for account management and service provision.
Contact Information:
Data Protection Officer: dpo@runo.legal
General Enquiries: privacy@runo.legal
2. Data Controller Information
RUNO Legal Technology Limited
A company incorporated in England and Wales.
Companies House registration pending.
ICO registration pending.
Registered Address: London, United Kingdom
EU Representative (Article 27 GDPR):
If you are located in the European Economic Area and wish to exercise your rights or have questions about our processing of your data, you may contact us at:
Email: dpo@runo.legal
EU representative appointment in progress. Contact our DPO for any GDPR enquiries.
3. Information We Collect
3.1 Information You Provide
| Category | Examples | Purpose |
|---|---|---|
| Account Information | Name, email, job title, organisation | Account creation and management |
| Authentication Data | Password (hashed), MFA tokens | Secure access to services |
| Contact Information | Phone number, business address | Communication and support |
| Payment Information | Billing address, payment method | Subscription management |
| Communication Data | Support tickets, emails, feedback | Customer service |
3.2 Information Collected Automatically
| Category | Examples | Purpose |
|---|---|---|
| Usage Data | Features accessed, time spent, actions | Service improvement, analytics |
| Device Information | Browser type, OS, device type | Compatibility and optimisation |
| Log Data | IP address, access times, pages viewed | Security, troubleshooting |
| Location Data | Country, region (from IP) | Compliance, security monitoring |
3.3 Information Processed on Behalf of Clients
When you use RUNO through your organisation, we process data as instructed by our client (your employer or organisation). This may include:
- • Documents you upload or create
- • Client and matter information you enter
- • Contract and legal document content
- • Communication records within the platform
Note: For this data, your organisation is the data controller. Please refer to your organisation's privacy policy.
4. How We Use Your Information
4.1 Lawful Bases for Processing
| Purpose | Legal Basis | Details |
|---|---|---|
| Service Provision | Contract | Necessary to provide the RUNO platform |
| Account Management | Contract | Managing your subscription and access |
| Security & Fraud Prevention | Legitimate Interest | Protecting users and the platform |
| Customer Support | Contract / Legitimate Interest | Responding to enquiries and issues |
| Service Improvement | Legitimate Interest | Analytics to improve features |
| Legal Compliance | Legal Obligation | Meeting regulatory requirements |
| Marketing | Consent | Product updates and newsletters (opt-in) |
AI Data Handling: Our AI provider Anthropic does NOT train their models on your data. Your documents are processed only to provide the requested service.
5. How We Share Your Information
5.1 Service Providers (Sub-processors)
| Provider Type | Purpose | Location |
|---|---|---|
| Cloud Infrastructure | Hosting and storage | EU |
| AI Services (Anthropic) | Document analysis, contract intelligence | USA (with safeguards) |
| Email Services (SendGrid) | Transactional emails, notifications | USA (with safeguards) |
| Payment Processing (Stripe) | Subscription billing | EU/USA |
| Security (Cloudflare) | DDoS protection, WAF | Global |
All sub-processors are bound by data protection agreements.
5.2 Your Organisation
If you access RUNO through an organisation:
- • Your organisation's administrators may access your account information
- • Usage data may be reported to your organisation
- • Your organisation controls data retention settings
5.3 Legal Requirements
We may disclose information:
- • To comply with legal obligations
- • In response to lawful requests from authorities
- • To protect our rights, privacy, safety, or property
- • In connection with a merger, acquisition, or sale of assets
6. International Data Transfers
When we transfer personal data outside the UK/EEA, we ensure adequate protection through:
- • Adequacy Decisions: Transfers to countries with equivalent protection
- • Standard Contractual Clauses (SCCs): EU/UK approved contractual safeguards
- • Supplementary Measures: Additional technical and organisational protections
| Data Type | Destination | Safeguard |
|---|---|---|
| Primary Data | European Union | Adequacy |
| AI Processing | United States | SCCs + Technical Measures |
| Email Delivery | United States | SCCs |
| CDN/Security | Global | SCCs |
7. Data Retention
| Data Category | Retention Period | Reason |
|---|---|---|
| Active Account Data | Duration of service | Service provision |
| Audit Logs | 7 years | Legal/regulatory compliance |
| Support Tickets | 3 years after resolution | Quality assurance |
| Marketing Preferences | Until consent withdrawn | Compliance |
| Deleted Account Data | 90 days | Recovery period |
| Backup Data | 90 days after source deletion | Disaster recovery |
8. Your Rights
Under GDPR and UK data protection law, you have the following rights:
Right to Access (Article 15)
Request a copy of your personal data and information about how we process it.
Right to Rectification (Article 16)
Request correction of inaccurate or incomplete personal data.
Right to Erasure (Article 17)
Request deletion of your personal data ("right to be forgotten").
Right to Restriction (Article 18)
Request limitation of processing in certain circumstances.
Right to Data Portability (Article 20)
Receive your personal data in a structured, machine-readable format (JSON).
Right to Object (Article 21)
Object to processing based on legitimate interests or for direct marketing.
Right to Withdraw Consent
Where processing is based on consent, you may withdraw at any time.
Right to Lodge a Complaint
Complain to the ICO (ico.org.uk) or your local supervisory authority.
How to Exercise Your Rights: Submit a request via your account settings or email dpo@runo.legal. We respond within 30 days.
9. Data Security
Technical Measures
- • Encryption: AES-256-GCM at rest, TLS 1.2+ in transit
- • Access Control: Role-based access, multi-factor authentication
- • Network Security: Firewall, DDoS protection, rate limiting
- • Monitoring: 24/7 security monitoring, anomaly detection
Organisational Measures
- • Staff Training: Regular security and privacy training
- • Access Reviews: Periodic review of access permissions
- • Vendor Management: Security assessment of all sub-processors
- • Incident Response: Documented procedures for security incidents
Breach Notification
In the event of a personal data breach:
- • We will notify the relevant supervisory authority within 72 hours
- • We will notify affected individuals if there is a high risk to rights and freedoms
- • We will document all breaches and responses
10. Cookies and Tracking
In accordance with the Privacy and Electronic Communications Regulations 2003 (PECR) and ePrivacy requirements:
- • Essential cookies are placed without consent as they are strictly necessary
- • Non-essential cookies (functional and analytics) require your consent
- • You can change your preferences at any time via our Cookie Preference Centre
For full details, see our Cookie Policy.
11. Children's Privacy
RUNO is not intended for use by individuals under 18 years of age. We do not knowingly collect personal data from children. If we become aware of such collection, we will delete the data promptly.
12. Changes to This Policy
We may update this Privacy Policy periodically. We will:
- • Post the updated policy on our website
- • Update the "Last Updated" date
- • Notify users of material changes via email or platform notification
13. Contact Us
14. Additional Information for Specific Jurisdictions
California Residents (CCPA)
You have the right to know what personal information is collected, opt-out of sale (we do not sell personal information), and non-discrimination for exercising your rights.
Brazilian Residents (LGPD)
You have rights similar to GDPR rights, enforceable under the Lei Geral de Proteção de Dados.
South African Residents (POPIA)
You have rights under the Protection of Personal Information Act, including access, correction, and deletion rights.
Nigerian Residents (NDPR)
You have rights under the Nigeria Data Protection Regulation, including consent, access, and portability rights.