Privacy Policy

Overview

Person.run, Inc. (“we,” “us,” or “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our platform.

We process personal data in accordance with the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable privacy laws. When we act as a data processor on behalf of our customers (e.g., processing end-user conversation data), our customers' privacy policies apply.

Information We Collect

Information you provide directly

• Account data: name, email address, company name, role, and password (hashed).
• Billing data: credit card number and billing address (processed by Polar; we do not store card numbers).
• Communications: emails, support tickets, and chat messages you send to us.
• Persona content: persona descriptions, configuration settings, and any content you upload.

Information we collect automatically

• Usage data: API calls, dashboard page views, feature interactions, and error events.
• Device data: browser type, operating system, IP address, and referring URL.
• Conversation data: messages sent to and from your deployed Personas (processed to provide the Service; see below).
• Cookies and similar technologies: see our Cookie Policy.

Information from third parties

• Authentication providers (e.g., Google OAuth) may share your name and email address with us upon login.
• Payment processors may share transaction confirmation and fraud signals.

How We Use Information

We use your information to:

• Provide, operate, and improve the Service;
• Process payments and manage subscriptions;
• Authenticate users and maintain account security;
• Send transactional emails (receipts, password resets, usage alerts);
• Send product updates and marketing communications (opt-out available at any time);
• Analyse usage patterns to improve product features;
• Comply with legal obligations and enforce our Terms of Service;
• Detect, investigate, and prevent fraud and abuse.

Conversation data: We process end-user conversation data solely to route, generate, and deliver Persona responses. We do not use your end-users' conversation data to train our own models without explicit consent. Customers may configure data retention and export settings in their dashboard.

How We Share Information

We do not sell your personal data. We share information with:

• AI model providers (e.g., OpenAI, Anthropic) to generate Persona responses, subject to their privacy policies;
• Cloud infrastructure providers (e.g., AWS, Vercel) for hosting and storage;
• Payment processors (Polar) for billing;
• Analytics tools (e.g., PostHog) under data processing agreements;
• Legal and regulatory authorities when required by law or to protect our rights;
• Acquiring entities in the event of a merger, acquisition, or sale of assets, with appropriate notice to you.

Data Retention

We retain account data for as long as your account is active, plus 3 years after account deletion (for legal and audit purposes). Conversation data is retained for 90 days by default; paid plans may configure shorter or longer retention windows in their settings.

Anonymised and aggregated analytics data may be retained indefinitely. You may request deletion of your personal data at any time (see Your Rights below).

Security

We implement industry-standard security measures including:

• AES-256 encryption at rest for all stored data;
• TLS 1.3 for all data in transit;
• API keys hashed using bcrypt before storage;
• Regular penetration testing and vulnerability scanning;
• Role-based access controls and audit logging internally;
• SOC 2 Type II certification in progress (expected Q3 2026).

No system is perfectly secure. Please notify us immediately at security@person.run if you discover a vulnerability.

International Transfers

Your data may be transferred to and processed in the United States and other countries where our service providers operate. For transfers from the European Economic Area, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission. A copy is available on request.

Your Rights

Depending on your location, you may have the right to:

• Access the personal data we hold about you;
• Rectify inaccurate or incomplete data;
• Erase your personal data (right to be forgotten);
• Restrict or object to processing;
• Port your data in a machine-readable format;
• Withdraw consent at any time (where processing is based on consent);
• Opt out of the sale or sharing of personal information (CCPA).

To exercise any of these rights, email us at privacy@person.run. We will respond within 30 days. We may verify your identity before fulfilling requests.

Children's Privacy

The Service is not directed at children under 13 years of age (or 16 in the EU). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

Cookies

We use cookies and similar tracking technologies. Please see our Cookie Policy for details on what we use and how to control them.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or prominent notice on the Service. The “Last updated” date at the top reflects the most recent revision.

Contact

For privacy-related questions or requests, contact our Data Protection Officer at privacy@person.run or:

Person.run, Inc.
Attn: Privacy Team
548 Market St, PMB 99999
San Francisco, CA 94104
United States

EU/UK Representative: [Representative details to be added upon appointment]