RocketRunway

Privacy Policy

Last updated: 24 April 2026

RocketRunway Ltd (“we”, “us”) operates RocketRunway. This policy explains what personal data we collect, why, and what rights you have. We take privacy seriously — RocketRunway is designed to collect as little as possible.

1. What we collect

Account data

  • Name and email (from signup or Google OAuth)
  • Password hash (email+password sign-in only — we never store your password)
  • Workspace name, slug, membership role

Product data

  • Scenarios, line items, milestones, categories, and share links you create
  • AI prompts and responses when you use AI features

Billing data

  • Stripe customer ID and subscription ID (no card details — Stripe holds those directly)
  • Plan, trial status, billing cadence

Technical data

  • Server logs (IP address, user-agent, timestamps, request paths)
  • Privacy-friendly analytics via Plausible (no cookies, no cross-site tracking, no personal data sent)

2. How we use it

  • To provide the Service and operate your workspace
  • To process payments via Stripe
  • To send transactional email (verify, reset password, trial reminders, invoices)
  • To process AI requests you initiate — your scenario data is sent to our AI provider strictly to generate the response, and is not used to train their models
  • To protect against fraud, abuse, and security threats
  • To comply with legal obligations

We do not sell your data. We do not profile you for advertising.

3. Subprocessors

We share data only with the services needed to operate RocketRunway:

  • Railway — infrastructure hosting
  • Stripe — payment processing
  • Resend — transactional email delivery
  • Anthropic — AI features (workspace data sent per-request only)
  • Plausible — privacy-first analytics (no cookies)
  • Google — OAuth sign-in (for users who choose it)

Each subprocessor has its own privacy policy and data-processing agreement. A current list is available on request.

4. How long we keep it

  • Active workspaces: as long as the subscription is active
  • Expired trials: read-only for 30 days, archived for 60 days, then hard-deleted
  • Deleted workspaces: hard-deleted within 24 hours, with a 30-day backup retention
  • Server logs: 30 days
  • Billing records: retained per accounting requirements (typically 6 years)

5. Your rights

Under GDPR and similar regimes you have the right to: access your data, correct it, delete it (within limits), port it, object to processing, and lodge a complaint with a supervisory authority. Most of these are self-serve in the app:

  • Access / port: export your workspace to CSV any time
  • Correct: edit your profile and workspace from Settings
  • Delete: delete your account from the Profile page (workspaces you solely own are deleted with you)

For anything else, email privacy@rocketrunway.io.

6. International transfers

Our infrastructure may process data in the US and EU. We rely on Standard Contractual Clauses and the EU-US Data Privacy Framework where applicable.

7. Security

We encrypt data in transit (TLS) and at rest. Passwords are hashed with industry best-practice algorithms. Access to production systems is limited to the RocketRunway team and logged.

No system is perfectly secure. If you discover a vulnerability, please email security@rocketrunway.io — we take reports seriously and respond quickly.

8. Cookies

We use strictly-necessary cookies for authentication. We do not use tracking or advertising cookies. Our analytics (Plausible) operates without cookies.

9. Children

RocketRunway is not directed at children under 18, and we do not knowingly collect data from them.

10. Changes

We may update this policy. Material changes will be announced by email or in-product at least 14 days before taking effect.

11. Contact

Questions? Email privacy@rocketrunway.io.


See also our Terms of Service.