Privacy Policy

This Privacy Policy explains how Rundown ("we", "us", "our") collects, uses, shares and protects personal data when you visit rundown.be, use our application, or otherwise interact with us. Rundown is operated by placeholder_legal_entity_name, registered at placeholder_legal_entity_address, company number placeholder_company_registration_number.

This policy is written to comply with the EU General Data Protection Regulation (GDPR) and the Belgian Act of 30 July 2018 on the protection of natural persons with regard to the processing of personal data. It applies to the Rundown platform, our marketing site, and our communications with you. It does not cover third-party services you connect to Rundown (for example, Atlassian Jira), which are governed by their own privacy policies.

Effective date: placeholder_policy_effective_date.

We collect and receive the following categories of data:

• Account information. Name, email address, hashed password, profile picture, workspace and role, set when you sign up or are invited to a workspace.
• Workspace content. Data you and your colleagues create inside Rundown: projects, tasks, plans, time entries, comments, charts, reports, and files uploaded to our storage.
• Usage and log data. IP address, browser type, device information, pages visited, actions taken, and timestamps, collected automatically through our servers and standard web logs.
• Cookies and similar technologies. Strictly necessary cookies for authentication and session handling, and preference cookies (e.g. theme). See our Cookie Policy for the full list.
• Third-party integration data. When you connect Atlassian Jira to Rundown using OAuth 2.0, we receive the Jira issues, users and projects you authorize us to access, in order to keep them in sync with your Rundown workspace.
• Communications. Messages you send us by email (e.g. privacy@rundown.be), through our contact forms, or through in-app support.
• Billing data. If you are a paying customer, we (or our payment processor placeholder_payment_processor) process billing contact details and invoice information. We do not store full payment card numbers.

We use the data described above for the following purposes:

• To provide the service — create and authenticate your account, host your workspace data, sync with Jira, and make the product work (legal basis: performance of a contract).
• To support you — respond to your questions and troubleshoot issues you report (contract / legitimate interest).
• To secure and improve the service — monitor for abuse, debug errors, analyze usage in aggregate, and improve features (legitimate interest).
• To communicate with you — send service notices, security alerts and product updates. Marketing emails are only sent with your consent and you can unsubscribe at any time.
• To comply with the law — meet legal, accounting, and tax obligations (legal obligation).

We do not sell personal data and we do not use your workspace content to train machine-learning models.

The Rundown Tracker browser extension lets you start and stop your Rundown time tracker directly on Jira issue pages, without installing anything inside Jira.

• Data processed. When you sign in through the extension, your email address and password are sent over an encrypted connection to the Rundown API to authenticate you. We store only the resulting session token locally in your browser's extension storage — never your password. On Atlassian (*.atlassian.net) issue pages, the extension reads the issue key from the page URL so that tracked time is linked to the correct ticket. No other page content is read or collected.
• How it is used. Solely to provide the extension's features: signing you in, starting and stopping timers, and showing your own tracked time.
• Storage and sharing. The session token and your preferences are stored locally in your browser. Time-tracking data is sent to the Rundown API as part of your Rundown account. We do not sell this data, do not use it for advertising, and do not share it with third parties beyond what is necessary to provide the service.
• Removal. Signing out of the extension, or removing it from your browser, clears the locally stored token. Your Rundown account data continues to be governed by this policy.

Each company using Rundown can configure its own data retention period in the workspace's general settings. The default retention period is 2 years from the date workspace content (projects, tasks, plans, time entries, comments, files, etc.) is created or last modified, after which the data is automatically deleted or anonymized.

Account-level data (user account, authentication records) is retained for the duration of the contractual relationship and deleted within placeholder_account_deletion_window after the workspace is closed, except where retention is required by law (for example, invoicing records, which we retain for placeholder_invoicing_retention_period in accordance with Belgian accounting law).

Encrypted backups are retained for up to placeholder_backup_retention_period and rotated automatically. Log data is retained for up to placeholder_log_retention_period.

You can request earlier deletion at any time by contacting privacy@rundown.be — see "Your Privacy Rights" below.

We protect your data using, among other measures:

• Encryption in transit using TLS 1.2 or higher for all communication between your browser and our services.
• Encryption at rest for databases and file storage, provided by our hosting sub-processors.
• Hashed passwords — we never store passwords in plaintext.
• JWT-based authentication with per-environment secrets and short token lifetimes.
• A schema-per-tenant database architecture that isolates each customer's data from every other customer's data.
• Strict access controls — only a limited number of authorized personnel can access production systems, under written confidentiality obligations.
• Regular dependency updates, automated security scanning, and monitoring for known vulnerabilities.

While we apply industry-standard safeguards, no method of transmission or storage over the internet is 100% secure. If we ever become aware of a personal data breach affecting you, we will notify you and the competent supervisory authority in accordance with GDPR Article 33–34.

Rundown is a B2B product intended for businesses and their employees. It is not directed to children. You must be at least 16 years old to create an account or use the service. If we discover we have collected personal data from a child under 16 without verified parental consent, we will delete it as soon as reasonably possible.

We may update this Privacy Policy from time to time to reflect changes in our services, our practices, or applicable law. The "Effective date" at the top of this page indicates when the policy was last revised.

For material changes that affect your rights, we will notify you in advance by email or through an in-app notice. Continued use of Rundown after the changes take effect constitutes acceptance of the updated policy.

Rundown is operated from Belgium and, wherever possible, your data is hosted within the European Economic Area (EEA). Some of our sub-processors may, however, process data outside the EEA. When that happens, we rely on the European Commission's Standard Contractual Clauses (SCCs) and apply additional safeguards as required by GDPR.

Our main sub-processors are:

• Render — hosting of our backend APIs.
• Vercel — hosting of our frontend application and marketing site.
• Amazon Web Services (AWS) — file storage (S3) for files you upload to Rundown.
• Atlassian — only when you choose to connect a Jira workspace; we exchange data with Atlassian on your behalf to keep Jira issues in sync with Rundown.

A current list of sub-processors, including the region in which they process data, is available on request at privacy@rundown.be.

You can contact our Data Protection Officer for any privacy- related inquiry at placeholder_dpo_contact.

Workspace content. For the data you and your colleagues upload into your Rundown workspace (projects, tasks, time entries, files, comments, etc.), your company is the data controller and Rundown acts as a data processor on your behalf, processing data according to your instructions and our Data Processing Agreement (DPA).

Account and marketing data. For data we collect directly — account registration, billing, support communications, and analytics on our marketing site — Rundown is the data controller.

A Data Processing Agreement is available on request at privacy@rundown.be.

Under GDPR, you have the following rights:

• Access — obtain a copy of the personal data we hold about you.
• Rectification — have inaccurate or incomplete data corrected.
• Erasure — have your personal data deleted, subject to retention obligations imposed by law.
• Restriction — limit how we process your data in certain circumstances.
• Objection — object to processing based on legitimate interests, including direct marketing.
• Portability — receive your personal data in a structured, machine-readable format and have it transmitted to another controller.
• Withdraw consent — where processing is based on consent, withdraw that consent at any time.
• Lodge a complaint with a supervisory authority (see next section).

To exercise these rights, email us at privacy@rundown.be. If you use Rundown through your employer, please contact your workspace administrator first — for workspace content they are the controller and we will forward requests to them.

If you believe our processing of your personal data violates GDPR, you have the right to lodge a complaint with the Belgian Data Protection Authority:

Gegevensbeschermingsautoriteit / Autorité de protection des données
Rue de la Presse 35, 1000 Brussels, Belgium
Web: www.dataprotectionauthority.be

You also have the right to lodge a complaint with the supervisory authority in the EU Member State where you live or work, or where the alleged infringement took place.

For any question about this Privacy Policy or about how we process your personal data, email us at privacy@rundown.be.

For postal correspondence:
placeholder_legal_entity_name
placeholder_legal_entity_address