Runa Labs logo

RUNA LABS

← Back to Home

Privacy & Cookie Policy

Effective date: July 8, 2026

This policy explains what personal data Runa Labs ("we", "us") collects when you use runalabs.ai and the Runa Labs execution terminal (the "Service"), how we use it, and the rights you have over it. We designed the Service to collect as little personal data as possible: there are no advertising trackers, no analytics scripts, and no sale of data — ever.

1. Data We Collect

Account data: your email address and display name, received from Google when you sign in with Google OAuth.

Exchange API credentials: API keys, secrets, and passphrases you choose to connect. These are encrypted at rest and are used solely to execute your instructions and read your account data on your behalf.

Telegram integration data: if you enable the Telegram bridge, your bot token and chat ID, stored encrypted.

Webhook tokens: a unique token generated for you to authenticate incoming trading signals.

Strategy and trading data: strategies you create or subscribe to, position sizing settings, and trade/order history retrieved from your connected exchanges.

Audit and security logs: timestamped records of significant account actions (e.g., sign-ins, key changes) associated with your email, kept for security and abuse prevention.

Technical data: standard server logs (such as IP address and request metadata) generated when you access the Service.

2. How We Use Your Data

To provide the Service: authenticate you, route your trading signals, aggregate your portfolio, and deliver notifications you configure.

To secure the Service: detect abuse, investigate incidents, and maintain audit trails.

To support you: respond to requests you send us.

Legal bases under the GDPR: performance of our contract with you (service delivery), our legitimate interests (security and audit logging), and your consent where applicable (optional integrations such as Telegram). We do not use your data for marketing or profiling, and we do not sell or share it with advertisers.

3. Cookies & Local Storage

The Service uses essential cookies and local storage only:

auth_session_token — a secure, HttpOnly session cookie set when you sign in. It keeps you logged in for up to 30 days and is strictly necessary to operate the Service.

Theme preference — your dark/light UI preference, stored in your browser's local storage. It never leaves your device.

Cookie notice acknowledgement — a local storage flag remembering that you dismissed our cookie notice.

Because these are strictly necessary for the Service to function, they do not require opt-in consent under the ePrivacy rules. We use no analytics, advertising, or third-party tracking cookies of any kind.

4. Third Parties & International Transfers

Google: handles sign-in via Google OAuth. We receive only your email and name; we never see your password.

Exchanges and brokers (e.g., Bybit, Bitget, Binance, Kraken): receive orders and account queries executed with your own API keys, on your instruction. Their processing of your data is governed by their own privacy policies.

Telegram: if you enable the Telegram bridge, execution reports are delivered through your own private bot via Telegram's infrastructure.

Hosting: the Service runs on cloud infrastructure with execution servers located near Singapore and Tokyo. Where data is processed outside your jurisdiction, we rely on appropriate safeguards such as standard contractual clauses.

5. Data Retention & Deletion

We keep your data for as long as your account is active. You can remove connected API keys and the Telegram integration at any time from within the terminal. To delete your account and associated data, contact us at christian@runalabs.ai and we will action the request without undue delay, subject to any records we must retain for legitimate security or legal purposes.

6. Security

Exchange API credentials and Telegram tokens are encrypted at rest using industry-standard symmetric encryption. All traffic to and from the Service is encrypted in transit (TLS). Session cookies are HttpOnly and same-site restricted. We recommend you create exchange API keys with withdrawals disabled — the Service never needs withdrawal permissions.

7. Your Rights

Depending on your jurisdiction (including under the GDPR), you have the right to access, rectify, erase, and receive a copy of your personal data, to object to or restrict certain processing, and to lodge a complaint with your local data protection authority. To exercise any of these rights, contact us at christian@runalabs.ai.

8. Children

The Service is not intended for, and may not be used by, anyone under 18 years of age.

9. Changes to This Policy

We may update this policy from time to time. Material changes will be announced on this page with an updated effective date. Continued use of the Service after changes take effect constitutes acceptance of the revised policy.

10. Contact

Questions about this policy or your data: christian@runalabs.ai.

Terms

|

Privacy & Cookies

|

© 2026 Runa Labs