Privacy Policy
Last updated: February 2025
1. Who we are
Rune ("we", "us", or "our") provides runtime security monitoring for AI agents. This policy explains what data we collect, how we use it, and your rights regarding that data. If you have questions, contact us at hello@runesec.dev.
2. What data we collect
We collect two categories of data:
Account data
Your name, email address, and organisation name when you sign up. Payment information is handled by Stripe and never stored on our servers.
Agent event data
Tool call metadata from your AI agents — tool names, arguments, outputs, timestamps, agent identifiers, and scanning results. This is the core data Rune processes to provide security monitoring. We do not collect the content of conversations between your agents and their LLMs unless it is passed as part of a tool call argument.
3. How we store your data
Agent event data is stored in ClickHouse, a columnar database optimised for time-series analytics. Account state, policies, alerts, and configuration are stored in Convex, our application database. All data is encrypted at rest and in transit.
Data is retained per your plan tier:
| Plan | Event retention |
|---|---|
| Community (Free) | 30 days |
| Starter | 90 days |
| Pro | 180 days |
| Growth | 365 days |
After the retention period, event data is automatically deleted. Account data is retained until you delete your account.
4. How we use your data
- To provide the Rune security monitoring service
- To generate alerts, risk scores, and analytics for your account
- To send transactional emails (alerts, account notifications)
- To improve our scanning models and threat detection — using aggregated, anonymised patterns only
- To comply with legal obligations
We do not sell your data. We do not use your event data to train third-party AI models.
5. Data sharing
We share data with the following third parties solely to operate the service:
- Stripe — payment processing
- Clerk — authentication
- Resend — transactional email delivery
- Vercel — application hosting
We do not share data with advertisers, data brokers, or any other third party not listed here.
6. GDPR and your rights
If you are located in the European Economic Area, you have the following rights:
- Access — request a copy of the data we hold about you
- Rectification — correct inaccurate data
- Erasure — request deletion of your account and associated data
- Portability — receive your data in a machine-readable format
- Objection — object to processing based on legitimate interests
To exercise any of these rights, email hello@runesec.dev. We will respond within 30 days.
7. Cookies
Rune uses only essential cookies required for authentication and session management. We do not use tracking or advertising cookies.
8. Changes to this policy
We may update this policy from time to time. We will notify you by email for material changes. Continued use of Rune after a change constitutes acceptance of the updated policy.
9. Contact
Questions or concerns? Email us at hello@runesec.dev.