Legal · Privacy

Privacy Policy

Last updated: June 20, 2026 · Effective: June 20, 2026

This Privacy Policy explains how RunMyCrew (“RunMyCrew,” “we,” “us”) collects, uses, discloses, and protects information when you use the automation platform at runmycrew.com and app.runmycrew.com (collectively, the “Service”).

Plain-language summary. We collect only what we need to run the Service for you, never sell your data, never use your data to train AI models without your explicit opt-in, and only access third-party APIs (Google, Meta, Slack, etc.) to execute the workflows you have explicitly built and authorized.

1. Information we collect

1.1 Information you provide

  • Account data — email address, password hash (Argon2id), full name, profile picture URL. Optional fields: organization name, role.
  • Authentication via Google Sign-In — when you sign in with Google, we receive the OpenID Connect profile fields you consent to: email, email_verified, name, picture. We do not receive your Google password.
  • Workspace content — workflow definitions, node configurations, run history, knowledge bases, and any files or text you upload.
  • Connected-app credentials — OAuth refresh tokens and API keys for the third-party services you connect (Google, Meta, Slack, GitHub, Notion, Discord, Linear, and others). All credentials are encrypted at rest with AES-256 (Fernet, scoped key derivation).
  • Billing data (paid plans) — handled by Stripe. We store only the Stripe customer ID and the last 4 digits of the card. We do not store full card numbers.
  • Support correspondence — when you email us, we keep the thread for up to 24 months for context.

1.2 Information collected automatically

  • Operational logs — IP address, user agent, request path, response code, timing. Retained 30 days for security and debugging.
  • Workflow run telemetry — execution timestamps, step durations, success/failure status, and the input/output payload of each node. You control retention (free: 7 days, pro: 30 days, enterprise: configurable).
  • Cookies / localStorage — see our Cookie Policy. We use exactly one first-party authentication token stored in localStorage; no advertising or analytics third-party cookies.

1.3 Information from third parties

Only what the third-party API returns when executing the workflows you built. For example, if you connect Gmail, we receive the message metadata and body you specifically asked the workflow to read or send. We do not pre-fetch, index, or store third-party content beyond what is required to execute the current run.

2. How we use information

  • Operate, secure, and improve the Service.
  • Authenticate you and authorize access to your workspaces.
  • Execute workflows you have built — including calling third-party APIs on your behalf with credentials you connected.
  • Provide AI workflow generation (Crew AI). When you submit a prompt, the prompt and the resulting workflow graph are sent to the LLM provider you selected (Anthropic / OpenAI / Google Gemini / etc.). We do not store prompts beyond the run history setting on your plan.
  • Send transactional email (password resets, workspace invites, security alerts) from noreply@runmycrew.com. We do not send marketing email without explicit opt-in.
  • Detect and prevent abuse: rate limits, anomalous-usage detection, brute-force / credential-stuffing protection.
  • Comply with legal obligations and enforce our Terms.

What we do NOT do.

  • We do not use your workspace content, prompts, runs, or connected-account data to train any AI/ML model — neither our own nor any third party’s — without your explicit, separate opt-in.
  • We do not sell, rent, or trade personal data.
  • We do not show third-party advertising on the Service. No ad-targeting cookies, pixels, or SDKs.

3. Google API Services User Data Policy — Limited Use disclosure

RunMyCrew’s use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  • Google user data is used only to provide or improve user-facing features that are prominent in the requesting application’s user interface.
  • We do not transfer Google user data to third parties except as necessary to provide or improve user-facing features, comply with applicable law, or as part of a merger, acquisition, or sale of assets (with appropriate notice).
  • We do not use Google user data for serving advertisements, including retargeting, personalized, or interest-based advertising.
  • We do not allow humans to read Google user data unless (a) we have your affirmative agreement for specific messages, (b) it is necessary for security purposes such as investigating abuse, (c) it is necessary to comply with applicable law, or (d) the data has been aggregated and anonymized for internal operations.
  • We do not use or transfer Google user data to determine credit-worthiness or for lending purposes.

For a per-scope justification of every Google permission we request, see OAuth Scopes — Google.

4. Meta Platform compliance

When you connect a Meta account (Facebook, Instagram, WhatsApp, or Meta Ads), we comply with the Meta Platform Terms and Meta Developer Policies. We:

  • Request only the scopes required for the connectors you actually use. See OAuth Scopes — Meta.
  • Store Meta access tokens encrypted at rest; refresh them according to Meta’s rotation rules.
  • Process webhook events synchronously into your workflows; do not persist webhook payloads beyond run history retention.
  • Honor user-initiated disconnect (Meta → Settings → Business Integrations) and revoke the credential in our system on the next webhook delivery.
  • Provide a data-deletion endpoint for both account-level and Meta-account-only revocation.

5. How we share information

We share data only:

  • With subprocessors required to operate the Service — see our Subprocessors list. Each is bound by a Data Processing Agreement.
  • When you direct us — every connected-app call is the consequence of a workflow you built. We do not initiate third-party API calls except as your workflow dictates.
  • For legal compliance — when required by law, subpoena, or court order. We will notify you unless legally prohibited.
  • In a business transfer — if we are acquired, the acquirer receives your data subject to the same protections; you will be notified.

6. Data retention & deletion

Workspace data is retained while your account is active. You control granular deletion from the product UI:

  • Delete a workflow → gone immediately, no soft-delete.
  • Disconnect a credential → OAuth token revoked at the provider where supported, credential row deleted from our DB immediately.
  • Delete a workspace → all runs, workflows, knowledge bases, and memberships removed within minutes.
  • Delete your account → full purge within 30 days. See Data Deletion for the exact procedure.

Operational logs roll off automatically after 30 days. Database backups (encrypted, region-pinned) retain for up to 30 days before rotation, after which deleted data is unrecoverable.

7. Security

  • All transport TLS 1.2+. HSTS preload enabled.
  • Passwords hashed with Argon2id (memory-hard).
  • OAuth tokens + third-party API keys encrypted at rest with AES-256 (Fernet) using per-tenant key derivation.
  • Production access restricted to SSH keys; every operator action audit-logged.
  • Container images scanned on every build (Trivy) for CVEs; CRITICAL findings block deploys.
  • Stripe handles all payment data; we never see card numbers.
  • Dependencies updated weekly (Dependabot) with auto-test validation.

Full security posture documented at /security.

8. Your rights

Depending on your jurisdiction (GDPR / UK GDPR / CCPA / LGPD / etc.) you have some or all of the following rights:

  • Access the personal data we hold about you.
  • Correct inaccurate data.
  • Delete your data (right to erasure).
  • Export your data in a portable format.
  • Restrict or object to certain processing.
  • Withdraw consent at any time.
  • Lodge a complaint with your local data protection authority.

Submit requests to privacy@runmycrew.com. We respond within 30 days.

9. International transfers

The Service is operated from infrastructure in the European Union and the United States. When data is transferred outside your jurisdiction, we rely on Standard Contractual Clauses (SCCs) or equivalent safeguards.

10. Children

The Service is not directed to children under 16. We do not knowingly collect personal information from anyone under 16. If you believe a child has provided us with personal data, contact privacy@runmycrew.com and we will delete it.

11. Changes to this policy

Material changes are announced at least 30 days in advance via the product UI and email to all account holders. Non-material clarifications are reflected by bumping the “Last updated” date at the top.

12. Contact

Privacy / GDPR / data-subject requests: privacy@runmycrew.com
General support: support@runmycrew.com
Legal entity: RunMyCrew (proprietor: Bibek Timilsina) — registered address available on request.