Privacy Policy
Last updated: 26 May 2026 · Version 1.0
The Run System ("TRS") is operated by Run With Ops Ltd, a company registered in England and Wales with company number 16939192 and registered office at Flat 2 Bluebolt House, 4 Bickerton Road, London N19 5JR ("we", "us", "our").
We are the data controller for the personal data described in this policy. Our ICO registration number will appear here once registration is complete.
This policy explains what personal data we collect, why we collect it, how we use it, who we share it with, and the rights you have under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
If you have any questions about this policy or how we handle personal data, contact us at [email protected].
1. Who this policy applies to
This policy applies to personal data we collect when you:
- visit therunsystem.com or any related marketing site we operate;
- start a free trial of TRS or contact us about a subscription;
- subscribe to TRS as a paying customer (the "Service");
- use the Service or interact with our agents and the app at app.therunsystem.com;
- email, call, message or otherwise communicate with us;
- attend a meeting, demo, event or webinar we host.
It does not cover personal data that belongs to your end-customers and is processed by us solely on your instructions as a data processor (for example, audience data uploaded to the platform). That processing is governed by our Data Processing Addendum.
2. The personal data we collect
Account and identity data. Name, business email address, business phone number, job title, company name, country of residence, password (stored hashed), and any profile information you choose to provide.
Service usage data. Records of how you use the Service: log-in events, agents you've run, files you've uploaded, work receipts and audit logs we generate, support tickets, and feature usage telemetry.
Customer content. Media plans, taxonomies, creative matrices, campaign sheets, reports, instructions, and any other content you upload to or generate within the Service. Customer content may include personal data of your colleagues, your clients' staff, or end-users — that data is processed by us as a processor under our DPA.
Ad-platform credentials and connected data. OAuth tokens and connection metadata for the third-party ad platforms you connect to TRS (such as Meta, Google Ads, CM360, DV360, LinkedIn Marketing, TikTok Marketing, Reddit Ads, Snapchat Ads). When you authorise a connection, we receive the access scopes you grant — typically campaign read/write access. We do not store your platform passwords.
Billing and transaction data. Billing contact name, business address, VAT number, invoice records, and payment-card metadata (we use a regulated payment processor — full card numbers are not stored by us).
Communications data. The content of emails, support messages, scheduled meetings, and any recordings or transcripts of demo or onboarding calls (where you have given consent or we have notified you on the call).
Device and technical data. IP address, browser type and version, operating system, device identifiers, referral URL, pages viewed, time-stamps, and similar log information collected automatically when you visit our sites or use the Service.
Marketing data. Marketing preferences, subscription status to our updates, and engagement with our marketing emails (opens, clicks).
3. Why we collect it (legal bases)
Under UK GDPR we must have a lawful basis for each processing purpose:
- Provide the Service and perform our contract — Performance of a contract (Art 6(1)(b)).
- Set up free trials before any contract is in place — Steps taken at your request prior to entering into a contract (Art 6(1)(b)).
- Billing, payment collection, VAT and tax — Legal obligation (Art 6(1)(c)) and legitimate interests (Art 6(1)(f)).
- Respond to support and communicate about the Service — Performance of contract and legitimate interests.
- Monitor systems, detect abuse, prevent fraud — Legitimate interests in operating a secure service.
- Improve and develop the Service — Legitimate interests.
- Marketing emails to B2B prospects — Legitimate interests and the PECR "soft opt-in" exception, with consent where required.
- Comply with legal obligations — Legal obligation and legitimate interests.
You can object to processing based on legitimate interests at any time — see section 9.
4. How we collect it
We collect personal data directly from you, automatically when you visit our sites or use the Service (technical logs, cookies — see our Cookie Policy), from third parties you connect to the Service, and from publicly available sources (LinkedIn, Companies House, your company website) for B2B prospect research.
5. Who we share it with
Our sub-processors. A current list is published at therunsystem.com/sub-processors. We use sub-processors for hosting, AI inference, email delivery, analytics, payment processing and customer support tooling. Each sub-processor is bound by a written agreement requiring it to process personal data only on our instructions and to implement appropriate technical and organisational security.
Our group, professional advisers and auditors — including legal, accounting, insurance and tax advisers, in the normal course of running our business.
Authorities — if required by law, court order or in connection with a regulatory request.
A buyer of our business — if we are involved in a merger, acquisition, financing round, asset sale or restructuring, personal data may be transferred to the counterparty under appropriate confidentiality protections.
We do not sell personal data. We do not share personal data with advertising networks for cross-context behavioural advertising.
6. International transfers
Some of our sub-processors are located outside the UK and the European Economic Area, including in the United States. Where personal data is transferred outside the UK we rely on the UK's International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, an adequacy regulation (for example the UK-US Data Bridge for participating US recipients), or another transfer mechanism permitted under UK GDPR.
You can ask us for a copy of the safeguards in place for any specific transfer by emailing [email protected].
7. How long we keep it
- Account data — for the life of your account, plus 12 months after closure.
- Customer content and ad-platform connection data — for the life of the contract, then deleted or returned in line with the DPA (typically within 30 days of termination unless you ask for longer).
- Billing and tax records — six years from the end of the relevant accounting period (HMRC requirement).
- Marketing data — until you unsubscribe or object, then suppressed on a do-not-contact list.
- Support and communications data — three years from the most recent interaction.
- Server logs — typically 90 days unless retained longer for a security investigation.
We may retain longer where required to defend a legal claim or comply with a legal obligation.
8. Cookies
We use cookies and similar technologies on our marketing site and inside the Service. Our use of cookies, including the categories, durations and how to manage them, is described in our Cookie Policy.
9. Your rights
Under UK GDPR you have the following rights:
- Access to a copy of the personal data we hold about you;
- Rectification of inaccurate or incomplete data;
- Erasure in certain circumstances;
- Restriction of how we process your data in certain circumstances;
- Objection to processing based on legitimate interests, and to direct marketing at any time;
- Portability — to receive certain personal data in a structured, machine-readable format and have it transmitted to another controller;
- Not to be subject to automated decision-making that produces legal or similarly significant effects on you (we do not currently make such decisions);
- Withdraw consent at any time where we rely on consent.
To exercise any of these rights, email [email protected]. We will respond within one month (extendable by two further months for complex requests). We may need to verify your identity before responding.
If you are unhappy with how we handle your personal data, you have the right to complain to the UK Information Commissioner's Office (ICO) at ico.org.uk. We'd appreciate the chance to address your concerns directly first.
10. Security
We take the security of personal data seriously and implement appropriate technical and organisational measures, including:
- TLS encryption in transit;
- encryption at rest for customer content and ad-platform credentials;
- application-layer encryption for PII columns (AES-128-CBC with HMAC-SHA256);
- role-based access control and least privilege for staff access to production;
- multi-factor authentication for admin access;
- ongoing security monitoring, logging and incident response;
- documented vendor due-diligence before adding any sub-processor.
No internet-based service can be guaranteed 100% secure. If we become aware of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours where required and notify you without undue delay if the breach is high-risk.
11. Children
The Service is for business use. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided us personal data, contact us and we will delete it.
12. Changes to this policy
We may update this policy from time to time. The "Last updated" date at the top will change. Material changes will be notified by email to active account holders before they take effect.
13. Contact us
Data controller: Run With Ops Ltd, Flat 2 Bluebolt House, 4 Bickerton Road, London N19 5JR
Privacy enquiries: [email protected]
ICO complaints: ico.org.uk
Questions about this document? Email [email protected].