GDPR Compliance

Last updated: 23 June 2022

Our privacy commitments

At Runn, we genuinely care about your privacy. We are ready to support you in your role as a data controller and committed to ensuring all personal data we hold and process is safe and secure. As part of this commitment we have undertaken steps to meet GDPR compliance, including:

  1. Not sharing personal data with third parties purely for analytics or advertising purposes.
  2. Automatically deleting any personal data that is no longer deemed required. 
  3. Allowing users and organizations to delete the personal data they control.
  4. Providing data subjects with access to their personal data, if requested.
  5. Building in “privacy by design” as we develop and enhance the Runn product and services.  
  6. Regularly reviewing our privacy statements, DPA, and internal documentation and processes. 
  7. Appointing a Privacy Officer ( to oversee privacy matters.
  8. Offering a Data Processing Agreement (DPA) memorializing our obligations as a data processor. 

Data Processing Agreement (DPA)

If you are doing business in the EU, our terms of service include the Runn Data Processing Agreement. Working with external legal counsel we regularly update this document to be in compliance with GDPR and other generally acceptable privacy laws. Should you require a signed version, please contact us at

Runn sub-processors

As outlined in our DPA, we may use third party service providers to assist us with data processing activities. Where we act as a data processor, these third parties are known as sub-processors. You will find a list of our sub-processors, along with the reason for processing and where the data is held below. From time to time, we may need to add or remove a sub-processor if we feel it is necessary. If you would like to receive email updates about new sub-processors, you can opt in to sub-processor updates here.

  • Heroku
    The primary hosting service for Runn, and Runn’s database.
    Data deleted on account deletion. Backups deleted within 90 days. Data hosted in the EU.
  • Intercom / Userflow
    Used to provide customer and onboarding support, including live chat and email.
    Data deleted on account deletion. Data hosted in US.

  • Rollbar / Coralogix
    Error reporting and monitoring.
    Data hosted in US.
  • AWS S3
    Long-term log archive for audit logging purposes.
    Data hosted in US.

  • Slack
    Used by Runn for internal communications. Integrates with customer support tooling.
    Most data automatically deleted within 30 days. Data hosted in US.

  • Calendly / Zoom
    Used to book and conduct audio and video meetings, as well as online events and webinars.
    Data deleted upon request. Data hosted in US.

  • Google Service (G-suite)
    Used for email, internal communications and documentation.
    Data deleted upon request. Data hosted in US.

  • Mixpanel
    Used for engagement analytics in the app, allowing us to understand how features are used and make better product decisions.
    Does not contain identifiable personal information. Data hosted in EU.

  • Hubspot
    Used for usage analytics, email and phone conversations with our prospects and customers.
    Data deleted on request. Data hosted in US.

  • Mailgun
    Used to send app emails.
    Data automatically deleted after 7 days. Data hosted in US.

  • Cloudinary
    Hosts images uploaded to Runn, such as client logos and people and user avatars.
    Contains Data deleted on request. Data hosted in US.

  • Cloudflare
    Used for Content Delivery Network (CDN) and Web Application Firewall (WAF) processing and securing all requests to the Runn application.
    Due to the nature of this globally distributed system, this data is processed closest to the user’s location. No customer data or personally identifiable information is stored in the service.
    Integration platform for connecting to third party services. Runn uses to offer our customers integrations with HRIS and other systems. Optional product offering that needs to be enabled by a Runn user with administrator permissions. Consent is provided via the customer’s acceptance of Merge's End Customer Terms during the integration setup process. Customers can withdraw their consent by unlinking their integration. In beta as of July 2023, expected release August 2023.
    Data hosted in EU.

Things you should know

  1. Runn is headquartered in Aotearoa New Zealand. New Zealand has been certified by the EU to have adequate data protection laws allowing the transfer of data without any further safeguards.
  2. Runn does not sell your personal data or information. Your personal information is not given to third parties for any external marketing purposes. However we may use it to send you information about Runn including product updates, features and offers.
  3. The Runn application and databases are hosted with Heroku in secure data centers in the EU. 
  4. Our data is always transmitted securely over HTTPS, passwords are kept encrypted and database and software is regularly checked for any potential security issues. 
  5. Runn keeps backup and logs for up to 18 months before they are automatically deleted. When you delete your Runn account, some Customer Data continues to be stored in backups for up to 18 months. Most will be deleted instantly.
  6. You can read more about our security measures at

What if I need more information, or have a special request?

We are continuously looking for ways to strengthen our privacy practices and improving our processes. If you are a Runn customer or partner and have any feedback, concerns or a special request about GDPR or privacy matters in general, please contact our Privacy Officer at