Privacy Policy
Last updated: March 2026
1. Data Controller
RunOpti is the data controller responsible for your personal data. For privacy-related inquiries, contact us at [email protected].
2. Information We Collect
We collect the following categories of data when you use our service:
- Account Data: Email address and name provided during registration.
- Usage Data: Running parameters, optimization results, and settings you create within the platform.
- Analytics Data: Page views, session duration, device type, and interaction patterns collected through Google Analytics 4 (with Consent Mode v2), Microsoft Clarity (heatmaps and session recordings), and Umami (self-hosted analytics). Analytics data is collected only with your consent, except for Umami, which is privacy-focused and does not use cookies.
- Error & Diagnostics: Anonymized error reports and stack traces collected through Sentry to help identify and fix issues.
- A/B Testing: Experiment exposure data collected through GrowthBook (self-hosted) to evaluate feature variations. No personal data is shared with third parties for this purpose.
- Contact Data: Messages submitted through the contact form.
3. Legal Basis for Processing
We process your data based on the following legal grounds:
- Contract performance: To provide the optimization service you registered for.
- Legitimate interest: To improve our service, prevent fraud, ensure security, and conduct A/B testing for product improvement.
- Consent: For analytics cookies, marketing cookies, and optional communications. You can withdraw consent at any time through the cookie settings banner.
- Legal obligation: To comply with applicable laws and regulations.
4. How We Use Your Information
- Provide and improve the optimization service
- Send transactional emails (verification, password reset) via Resend
- Analyze aggregated usage patterns to improve performance and user experience
- Identify and fix errors through anonymized error tracking
- Conduct A/B tests to evaluate and improve features
- Respond to support requests and contact form messages
- Protect against fraud, abuse, and unauthorized access
5. Cookies & Tracking Technologies
We use cookies and similar technologies, organized into three categories. You can manage your preferences through our cookie consent banner at any time.
- Necessary Cookies: Required for the website to function. Includes session authentication tokens and CSRF protection. These cannot be disabled.
- Analytics Cookies: Help us understand how visitors interact with our website. Includes cookies from Google Analytics 4 (with Consent Mode v2), Microsoft Clarity, and Umami. Enabled only with your consent.
- Marketing Cookies: Used for advertising measurement and campaign attribution. Includes Meta Pixel and TikTok Pixel. These are currently inactive and will only be enabled with your explicit consent.
6. Third-Party Services
We share data with the following third-party services, each under their own privacy policies:
- Google Analytics 4: Web analytics with Consent Mode v2. Data processing subject to Google's privacy policy.
- Microsoft Clarity: Heatmaps and session recordings. Subject to Microsoft's privacy policy.
- Umami: Self-hosted, privacy-focused analytics. No data is shared with third parties.
- Sentry: Error tracking and performance monitoring. Receives anonymized error reports.
- Resend: Transactional email delivery (verification, password reset).
- GrowthBook: Self-hosted A/B testing platform. No data is shared with third parties.
- Meta Pixel: Advertising measurement (currently inactive). Will be enabled only with consent.
- TikTok Pixel: Advertising measurement (currently inactive). Will be enabled only with consent.
7. Data Retention
- Account data: Retained while your account is active. After deletion, personal data is permanently removed within 30 days.
- Optimization data: Free plan data retained for 7 days; Pro plan data retained while your account is active.
- Analytics data: Google Analytics data retained per Google's default retention policy. Umami data retained on our self-hosted server.
- Error logs: Sentry error reports retained for 90 days.
- Audit logs: Retained for 90 days for security purposes.
- Authentication tokens: Automatically cleaned up after expiration.
8. International Data Transfers
Your data may be transferred to and processed in countries outside your country of residence. Third-party services such as Google Analytics, Sentry, and Resend process data in the United States. We ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) where applicable.
9. Data Security
We implement industry-standard security measures to protect your data, including encryption in transit (TLS), hashed passwords (bcrypt), HTTP-only secure cookies, CSRF protection, and rate limiting. We regularly review and update our security practices.
10. Your Rights
Under applicable data protection laws (including GDPR), you have the right to:
- Access: Request a copy of your personal data.
- Rectification: Request correction of inaccurate data.
- Erasure: Request deletion of your data (available through account settings).
- Data portability: Export your data in a machine-readable format.
- Restriction: Request restriction of processing in certain circumstances.
- Objection: Object to processing based on legitimate interest.
- Withdraw consent: Withdraw consent at any time for consent-based processing (e.g., analytics and marketing cookies).
To exercise these rights, visit your account settings or contact [email protected].
11. Supervisory Authority
If you believe your data protection rights have been violated, you have the right to lodge a complaint with your local data protection supervisory authority.
12. Changes to This Policy
We may update this privacy policy from time to time. Changes will be posted on this page with an updated revision date. We encourage you to review this policy periodically.
13. Contact
For privacy-related inquiries, contact us at [email protected].