Privacy you can read.
A complete account of what we collect, why we collect it, how we use it, and what your rights are. Built in line with Singapore's Personal Data Protection Act (PDPA) and aligned with the EU General Data Protection Regulation (GDPR).
1. Who we are
This Privacy Policy is published by RunDo Pte. Ltd. ('RunDo', 'we', 'us', or 'our'), a private company incorporated in Singapore. RunDo provides a software-as-a-service platform for service businesses, including unified messaging, dispatch, GPS tracking, document templates, AI assistance, and invoicing.
For Singapore PDPA purposes, we are the data controller for personal data we collect about visitors to our marketing site and account holders of the RunDo platform. When our customers (service businesses) use the platform to manage their own customers' data, the customer is the data controller and we act as a data processor under their instructions. See our Data Processing Agreement at /dpa for the processor-side terms.
Our registered address and full contact details are at the end of this policy.
2. What personal data we collect
Only what we need to provide and improve the service. No tracking pixels on customer chats. No third-party analytics that can identify your customers.
Full name, work email, phone number, business name, role, country, time zone.
Business registration number, service category, website, billing address, GST registration.
Pages visited, features used, click patterns, device type, browser, IP address (truncated for analytics).
WhatsApp / Instagram / Facebook conversations you choose to route through RunDo. Stored encrypted.
Card details handled directly by Stripe under PCI DSS Level 1. We see only the last 4 digits, brand, and expiry.
Session cookies for sign-in, preference cookies. No advertising cookies. No third-party tracking on the marketing site.
Logos, contract templates, photos taken in the mobile app, customer signatures, invoices, service reports.
Crash reports and error logs. Stripped of personally identifying information before storage. Used for product reliability only.
3. How we collect personal data
Directly from you: when you sign up, configure your account, run the setup wizard, or submit forms (waitlist signup, contact, support).
From your use of the service: as you and your team use the dashboard, mobile app, and integrations, we collect activity logs and feature usage telemetry.
From your customers (indirectly): when your customers message you on a connected channel, the message content and metadata flow into RunDo. The customer is interacting with you, not with RunDo, but we process the data on your behalf.
From integration partners (only with your authorization): when you connect Xero, Google Calendar, Traccar, or other third-party services, we receive the data those services share via their APIs, scoped to what you've authorized.
4. Why we collect personal data (purposes and legal bases)
We process personal data for the following purposes, with the corresponding lawful bases under PDPA and GDPR:
- Providing the service (PDPA: contractual necessity / GDPR: contract Art. 6(1)(b)): running your account, dispatching jobs, sending messages, generating documents.
- Billing and account management (PDPA: contractual necessity / GDPR: contract Art. 6(1)(b)): processing payments, sending invoices, managing subscriptions.
- Customer support (PDPA: contractual necessity / GDPR: contract Art. 6(1)(b)): responding to your requests via email, in-app chat, or phone.
- Product analytics and improvement (PDPA: legitimate interest / GDPR: legitimate interest Art. 6(1)(f)): aggregated usage statistics, never used to identify individual customers' end-users.
- Marketing communications to existing customers (PDPA: legitimate interest / GDPR: legitimate interest Art. 6(1)(f)): product updates, occasional newsletters. Opt-out link in every email.
- Compliance with legal obligations (PDPA: legal compliance / GDPR: legal obligation Art. 6(1)(c)): tax records, court orders, fraud prevention.
- Security and abuse prevention (PDPA: legitimate interest / GDPR: legitimate interest Art. 6(1)(f)): detecting and preventing fraud, account compromise, platform abuse.
5. How we use personal data
To deliver and operate RunDo for you: signing you in, processing your dispatch decisions, drafting AI replies, generating documents, sending notifications.
To improve the product: aggregated, de-identified analytics on what features get used, where users get stuck, what's broken. We never use the content of customer messages or any personally identifying analytics for product development.
To communicate with you: operational emails (billing, security alerts, downtime notices), product updates, and occasional research invitations. You can opt out of non-essential emails from your settings or via the unsubscribe link.
To comply with our legal obligations: tax filings, responses to lawful requests from authorities, defending against legal claims.
We do not sell personal data. We do not share customer message content with third parties beyond what is strictly necessary to deliver the message (for example, transmitting via WhatsApp's Cloud API to reach a customer's WhatsApp number).
6. Sub-processors and third parties we share data with
A complete list of the third-party services that touch your data, what they do, and where they're based.
Primary database and file storage. Singapore (ap-southeast-1) region.
Payment processing and card storage. PCI DSS Level 1 certified.
DNS, content delivery, edge security. SOC 2 Type II certified.
Transactional email delivery (invoices, alerts, notifications).
AI model provider for message drafting, only when AI features are enabled. Zero-retention agreement in place.
Backup AI model provider. Same zero-retention agreement.
Sign-in and account security. Operated by Google.
Channel APIs for receiving and sending customer messages on each platform.
7. International transfers
Your account data is stored in Singapore (ap-southeast-1 region). Some sub-processors operate outside Singapore: Stripe is based in the United States; Anthropic and OpenAI process AI requests in the United States; Cloudflare's network is global with regional caching.
Where personal data is transferred outside Singapore, we rely on the following safeguards under GDPR Article 46 and PDPA equivalents: (a) Standard Contractual Clauses (SCCs) with each sub-processor that requires them, (b) verification that the recipient country provides a comparable level of data protection, and (c) contractual zero-retention and access-control commitments from AI providers.
8. How long we keep personal data (retention)
We retain personal data only for as long as needed for the purpose it was collected, plus any period required by law (typically tax law).
- Account information: while your account is active and for 30 days after deletion (soft-delete window), then permanently deleted.
- Customer message content: same as account information. Messages older than 24 months are auto-archived to cold storage with reduced access. You can purge specific threads anytime.
- Billing records: 7 years after the last invoice (Singapore tax law requirement).
- Server logs: 90 days, then aggregated and de-identified.
- Backups: 30-day rolling retention, encrypted, regional secondary copy for disaster recovery only.
- Marketing analytics (aggregated): kept indefinitely as it cannot be re-identified.
9. Cookies and tracking technologies
On the marketing site (rundo.app), we use only first-party session cookies and a minimal preference cookie. We do not use Google Analytics, Facebook Pixel, or any third-party tracking on the marketing site.
On the dashboard (app.rundo.app), we use first-party cookies for sign-in (Firebase Auth), session management, and remembering your in-app preferences (theme, language, default views).
We honour Do Not Track (DNT) browser signals where technically possible. We do not respond to DNT for cookies that are strictly necessary for the service to function.
10. Marketing communications
We send three categories of email: (1) operational (billing, security, breach notification, account changes), (2) product updates and announcements, (3) occasional research and feedback invitations.
Operational emails cannot be opted out of while you have an active account, as they are essential to the service. Categories 2 and 3 can be turned off from Settings, Email preferences or via the unsubscribe link in every such email.
We do not send marketing emails to your customers. The messages your customers receive are sent on your behalf, in the conversations you control, never as RunDo marketing.
11. Your rights
Under PDPA, GDPR, and similar regimes, you have the following rights with respect to your personal data. We honour all of these regardless of where you're based.
Request a copy of all personal data we hold about you. Self-service via Settings, Data export.
Receive your data in a structured, machine-readable format. JSON + CSV exports, anytime.
Update inaccurate or incomplete data. Most editable directly in the dashboard.
Delete your account and all associated data, honoured within 30 days.
Pause processing while a complaint or correction is being investigated. Contact privacy@rundo.app.
Object to processing based on legitimate interest, including marketing communications.
Where AI is used to make decisions affecting you, you can request human review and explanation.
12. How to exercise your rights
Most rights can be exercised directly from your RunDo account: data export, correction, account deletion, marketing preferences. For anything beyond what the dashboard supports, email privacy@rundo.app.
We respond to most data subject requests within 7 calendar days. Complex requests may take up to 30 days, in which case we'll send an interim status update at day 7. If we need to verify your identity, we'll request reasonable proof before processing the request.
If you are an end-user (a customer of one of our customers) and want to exercise rights over data your service provider has stored in RunDo, please contact your service provider directly. They are the data controller for that data; we act as their processor and can only act on their instructions.
13. Children's data
RunDo is a business product not intended for personal use by children. We do not knowingly collect personal data from anyone under the age of 16. If you become aware that a child has provided personal data to RunDo, please contact privacy@rundo.app and we will delete it within 7 days.
14. Security measures
We protect personal data with measures appropriate to the risk: AES-256 encryption at rest, TLS 1.3 in transit, multi-factor authentication available on all accounts, audit logs on all administrative actions, role-based access control internally, quarterly access reviews, annual third-party penetration testing.
Our infrastructure is hosted in Singapore (Supabase ap-southeast-1) with backups replicated to a secondary region for disaster recovery. Production access is limited to a 2-person team with hardware-key 2FA and quarterly access review.
For full security details, see /security and /data-security.
15. Data breach notification
If we become aware of a personal data breach that affects your data, we commit to: (a) notify you by email within 72 hours of confirming the breach, in line with PDPA's mandatory notification window, (b) explain clearly what data was affected and what we believe happened, (c) describe the steps we're taking to contain and remediate, (d) issue a post-incident report within 30 days of containment.
We test our incident response plan annually with a tabletop exercise. The most senior available founder leads incident response.
16. Changes to this policy
We may update this Privacy Policy from time to time. Material changes (changes that expand the data we collect, change the lawful basis for processing, or affect your rights) require: (a) at least 14 days' email notice before they take effect, sent to all account holders, (b) a new 'Last updated' date at the top of this page, (c) a redline summary on request from privacy@rundo.app.
Continued use of RunDo after the notice period means you accept the updated policy. If you do not agree, you can cancel your account before the change takes effect with no penalty and request a pro-rata refund of any prepaid period.
17. Complaints and supervisory authorities
If you believe we have processed your personal data in a way that breaches PDPA, GDPR, or any applicable law, you have the right to lodge a complaint with a supervisory authority.
- Singapore: the Personal Data Protection Commission (PDPC), https://www.pdpc.gov.sg
- European Union: your local Data Protection Authority. A list is at https://edpb.europa.eu/about-edpb/about-edpb/members_en
- United Kingdom: the Information Commissioner's Office (ICO), https://ico.org.uk
We'd appreciate the chance to address your concern first. Email privacy@rundo.app and we'll respond within 7 days.
18. Contact us
All privacy-related questions, requests, and complaints can be sent to:
- Email: privacy@rundo.app
- Postal: RunDo Pte. Ltd., Singapore. Full registered address available on request.
- Data Protection Officer: dpo@rundo.app (for formal DPO matters).
We aim to respond to every email within 1 business day and to formal data subject requests within 7 calendar days as described in section 12.