Privacy Policy

Version 2.0 - Effective 22 May 2026 - Last updated 14 Jun 2026

This Privacy Policy explains how ToRun ('ToRun', 'we', 'us', 'our'), as data controller, collects, uses, shares, and protects personal data when you access the Service at torun.ai and its sub-domains. It is incorporated by reference into our Terms of Service.

We have written this policy to comply with the EU General Data Protection Regulation 2016/679 (GDPR), the UK GDPR and Data Protection Act 2018, the Turkish Personal Data Protection Law No. 6698 (KVKK) and its implementing regulations, the California Consumer Privacy Act of 2018 (CCPA) as amended by the California Privacy Rights Act of 2020 (CPRA), the Brazilian LGPD (Lei No. 13.709), and other privacy laws that apply to our cross-border operations.

If you have questions, contact our Data Protection Officer at /contact?category=legal.

1. Who Is the Controller

ToRun is the data controller for personal data processed in connection with the Service, except where we act as a processor on behalf of an Organization customer (for example, an enterprise tenant managing its employees' accounts). In processor scenarios, the Organization is the controller and we are bound by a separate Data Processing Addendum (DPA).

Our postal contact address is published on the Contact page; correspondence to /contact?category=legal reaches our Data Protection Officer directly.

2. Information We Collect

2.1 Information you provide

  • Account data - email, display name, password hash (never the plain password), optional avatar, language preference, time-zone, and any optional profile fields (bio, social handles, postal address if you opt in for an invoice).
  • Authentication credentials - if you sign in through Apple, Google, Microsoft, GitHub, or other external identity providers, we receive the limited profile information you authorise that provider to share (typically email + display name + provider user-ID).
  • Billing information - billing address, VAT/tax identifier (if any), invoice preferences. Payment instruments themselves (card number, IBAN, wallet token) are collected and stored by our Merchant of Record (Paddle); we receive only the last four digits, the card brand, and the country, for reconciliation purposes.
  • BYOK credentials - third-party AI provider API keys you choose to upload, stored encrypted at rest in a key-management vault.
  • Workspace content - conversations, prompts, system instructions, file uploads, workflow definitions, persona profiles, marketplace listings, comments, memories, and any other content you create or upload.
  • Communications with us - email, chat, support tickets, satisfaction survey responses.

2.2 Information collected automatically

  • Usage telemetry - which routes you visit, which features you use, time spent in features, error events, performance metrics (request latency, model latency, throughput).
  • Device and connection - IP address (truncated for analytics; full for fraud and security investigations), user-agent string, browser language, device type, operating system, screen resolution.
  • Cookies and similar technologies - see Section 4 (Cookies and Similar Technologies) for the full list and your opt-out controls.
  • AI call metadata - model selected, capability set requested, token counts, latency, cost, fund source, and BYOK tier applied. Each AI call produces a BillingRecord with a pricing snapshot, retained per Section 8 (Retention).

2.3 Information from third parties

  • Payment metadata from Paddle (described above).
  • Identity verification results from compliance providers (for marketplace seller verification or KYC where applicable).
  • Sanctions and risk screening from publicly available watchlists and our fraud-prevention vendors.
  • Open data signals for spam, abuse, and CSAM detection (for example, hash matches against the PhotoDNA library).

2.4 Sensitive categories

We do not solicit special-category data (GDPR Article 9) - race, ethnicity, political opinions, religious beliefs, trade-union membership, genetic data, biometric data, health, sex life, sexual orientation - or KVKK Article 6 'special' personal data. If you submit such information voluntarily through prompts, files, or comments, we process it only as needed to deliver the Service to you and we apply enhanced protections.

3. How We Use Your Information

We use personal data for the following purposes:

| # | Purpose | GDPR Article 6 lawful basis | KVKK basis |
|---|---------|-----------------------------|------------|
| a | Operate the Service (account, routing, dashboards, notifications) | Contract (Art. 6(1)(b)) | Performance of contract |
| b | Bill you, prevent fraud, comply with anti-money-laundering law | Contract; legal obligation (Art. 6(1)(b), (c)) | Performance of contract; legal obligation |
| c | Send transactional emails (receipts, password resets, security alerts) | Contract (Art. 6(1)(b)) | Performance of contract |
| d | Improve, debug, and secure the Service | Legitimate interest (Art. 6(1)(f)) | Legitimate interest |
| e | Send marketing communications (opt-in only) | Consent (Art. 6(1)(a)) | Explicit consent |
| f | Respond to your data-subject requests | Legal obligation (Art. 6(1)(c)) | Legal obligation |
| g | Defend ourselves against legal claims; comply with court orders | Legal obligation; legitimate interest | Legal obligation |
| h | Train, fine-tune, or otherwise improve our own AI models | We do NOT do this with your content | n/a |

3.1 We do not train on your content

ToRun does not use your prompts, files, conversations, persona profiles, or generated outputs to train, fine-tune, or otherwise improve any AI model, our own or anyone else's. When you use BYOK, the third-party provider's training posture is governed by that provider's terms; we recommend reviewing them. For non-BYOK calls, we use providers under contractual terms that prohibit them from training on our customers' content.

4. Cookies and Similar Technologies

We use cookies and similar storage (localStorage, IndexedDB) for:

  • Strictly necessary - authentication (OpenIddict access token, refresh token), session continuity, anti-CSRF tokens, load-balancing affinity, cookie-consent persistence.
  • Functional - language preference, theme (dark/light/dim), recently used workspace, last-selected model.
  • Analytics - aggregated usage analytics, never tied to a real identity in our analytics warehouse (we use a salted device hash, not your User ID).
  • Marketing - off by default; if you opt in, we may set first-party attribution cookies.

You can manage these preferences in the cookie banner the first time you visit, and you can change them at any time via the Cookie preferences link in the footer. Some strictly necessary cookies cannot be disabled because the Service would not function without them.

5. How We Share Personal Data

We share personal data only as needed to run the Service. We never sell personal data in the sense of the CCPA/CPRA (Civil Code 1798.140(t)).

5.1 Sub-processors

A current list of our sub-processors is published at torun.ai/sub-processors and updated as we change vendors. The list includes:

  • Paddle.com Market Limited (UK) - Merchant of Record, payment processing.
  • Bunny.net (BunnyWay d.o.o.) (Slovenia) - object storage, CDN, image and video optimizer, video streaming.
  • Microsoft Azure / Hetzner / OVH - infrastructure hosting (region depends on tenant choice).
  • Kafka-compatible event streaming providers - real-time event bus for transactional outbox and analytics.
  • Third-party AI providers - OpenAI, Anthropic, Google, xAI, Mistral, DeepSeek, Together, RunPod, and others as listed at torun.ai/providers. AI providers receive the minimum content necessary to fulfil your specific request, and only when you (or your routing settings) cause a request to be sent to them.
  • PhotoDNA via Microsoft - automated CSAM detection on uploaded image and video content.
  • Identity-verification and KYC vendors - used for marketplace seller verification, persona monetization eligibility, and AML compliance.
  • Email and notification delivery providers - transactional email (receipts, password resets, security alerts).
  • Analytics and product-improvement tooling - aggregated usage analytics on a contractual-no-PII basis.
  • Customer-support tooling - to handle your tickets and feedback.

5.2 Legal requests

We may disclose personal data to law enforcement, regulators, or courts in response to a valid legal request (subpoena, court order, search warrant, regulator demand) issued under applicable law. Where permitted, we will notify you before disclosure so you may seek a protective order. We publish an annual transparency report at torun.ai/transparency.

5.3 Business transfers

If we are involved in a merger, acquisition, financing, or sale of substantially all of our assets, personal data may transfer as part of that transaction. We will notify affected users and provide a meaningful chance to object or close their Account before the transfer takes effect, except where notice is precluded by law.

We will share personal data for any purpose not listed above only with your explicit consent.

6. International Data Transfers

ToRun operates from Istanbul, Turkey, and uses sub-processors in the European Union, the United Kingdom, the United States, and other jurisdictions. Whenever we transfer personal data outside your country of residence, we rely on a lawful transfer mechanism:

  • GDPR Chapter V - EU Standard Contractual Clauses (2021/914 Commission Decision) plus supplementary measures (encryption in transit and at rest, restricted access, audit logging) per the EDPB Recommendation 01/2020.
  • UK GDPR - UK International Data Transfer Addendum to the EU SCCs.
  • KVKK Article 9 - explicit consent or one of the Article 9(2) safeguards (binding commitment, adequate-country recognition).
  • Adequacy decisions - where the European Commission has issued an adequacy decision, we may rely on it.

You may request a copy of the transfer-mechanism documentation by writing to /contact?category=legal.

7. Security

We apply technical and organisational measures appropriate to the risks of processing personal data, including:

  • Encryption in transit for every API request via TLS 1.3.
  • Encryption at rest for BYOK secrets, billing data, audit logs, and document content via cloud key-management service.
  • Access control - role-based, least-privilege, with mandatory multi-factor authentication for staff; access reviewed quarterly.
  • Audit logging - hash-chained tamper-evident logs for billing, moderation, and administrative actions, retained 5 years.
  • Network security - rate limiting, web-application firewalling, anomaly detection, denial-of-service mitigation.
  • Vulnerability management - automated dependency scanning, code-review gates, biannual penetration testing by an independent firm.
  • Incident response - documented runbooks, on-call rotation, breach-notification procedures.
  • Vendor due diligence - all sub-processors are reviewed against our security and privacy baseline before onboarding.

No system is perfectly secure. If you become aware of a security issue, please report it to /contact?category=trust so we can investigate.

8. Data Retention

| Data category | Retention period |
|---------------|------------------|
| Account profile and credentials | Lifetime of Account + 30 days |
| Workspace content (chats, files, workflows) | Lifetime of Account + 30 days |
| BillingRecord and invoices | 5 years (legal accounting and audit) |
| Audit logs (hash-chained) | 5 years (Section 7) |
| Tax-related documents | 10 years (Turkish tax legislation) |
| Marketing-consent records | Lifetime of consent + 3 years |
| Email transactional logs | 12 months |
| Web analytics (aggregated, no PII) | 26 months |
| BYOK secret material | Until you remove the key, plus 30-day grace |
| Backup snapshots | Up to 90 days after primary deletion |

Closed accounts are soft-deleted immediately and hard-deleted (cryptographic erasure where supported, secure overwrite otherwise) 30 days after closure, subject to retention requirements above.

9. Your Rights (GDPR / UK GDPR)

If GDPR or UK GDPR applies to you, you have the following rights with respect to your personal data:

  • Access (Article 15) - obtain a copy of the personal data we process and information about that processing.
  • Rectification (Article 16) - correct inaccurate or incomplete data.
  • Erasure (Article 17, the 'right to be forgotten') - request deletion in defined circumstances.
  • Restriction (Article 18) - request that we pause processing pending verification.
  • Portability (Article 20) - receive your data in a structured, commonly used, machine-readable format.
  • Objection (Article 21) - object to processing based on legitimate interests; you have an absolute right to object to direct marketing.
  • Automated decision-making and profiling (Article 22) - not be subject to a decision based solely on automated processing that produces legal effects or similarly significant effects (see Section 13).
  • Withdraw consent at any time, without affecting the lawfulness of processing before withdrawal.
  • Lodge a complaint with the supervisory authority in the EU/UK Member State where you live, work, or where the alleged infringement took place.

To exercise these rights, submit a Data Subject Request from your Account dashboard or by emailing /contact?category=legal. We respond within 30 days (Article 12(3)). Where appropriate we may verify your identity before responding.

10. Your Rights (KVKK - Turkey)

Under Article 11 of the Turkish KVKK, you have the right to:

  • learn whether your personal data are being processed;
  • request information if your data have been processed;
  • learn the purpose of processing and whether the data are used in line with that purpose;
  • know to whom personal data have been transferred at home and abroad;
  • request correction of incomplete or incorrect data;
  • request deletion or destruction of personal data;
  • request notification of any correction, deletion, or destruction to third parties to whom the data were transferred;
  • object to a decision based solely on automated processing that produces unfavourable results;
  • claim compensation for damage arising from unlawful processing.

You may exercise these rights by writing to /contact?category=legal or by submitting a request via the Veri Sorumlusuna Başvuru Usul ve Esasları Hakkında Tebliğ. We respond within 30 days of receiving a properly formed request.

Complaints may be lodged with the Kişisel Verileri Koruma Kurumu (KVKK) at kvkk.gov.tr.

11. Your Rights (CCPA / CPRA - California Residents)

California residents have the right to:

  • Know the categories of personal information we have collected, the sources, the purposes, and the categories of third parties with whom we share it (Civil Code 1798.110, 1798.115).
  • Delete personal information subject to exceptions (1798.105).
  • Correct inaccurate personal information (1798.106, CPRA).
  • Limit the use and disclosure of sensitive personal information (1798.121).
  • Opt out of any 'sale' or 'sharing' for cross-context behavioural advertising. We do not sell personal information, and we do not share for cross-context behavioural advertising.
  • Non-discrimination - we will not deny services, charge different prices, or provide a lower quality of service because you exercised a privacy right.

To exercise your CCPA rights, email /contact?category=legal. You may designate an authorised agent to act on your behalf with verifiable written permission.

12. Children's Privacy

The Service is not directed to children under 13 (or the applicable digital-consent age in your jurisdiction, for example 16 in some EU Member States). We do not knowingly collect personal data from children under those ages. If you believe a child has provided us personal data, contact /contact?category=legal and we will delete the data promptly.

13. Automated Decision-Making

The Service uses automated decision-making to:

  • route AI calls to specific providers based on capability and price;
  • flag content for moderation review using automated classifiers;
  • detect fraud and abuse using risk-scoring systems;
  • compute marketplace and persona payouts.

These decisions do not produce legal effects in the sense of GDPR Article 22 in most cases, but where they do (for example a decision to permanently terminate an Account for fraud), you may request human review by writing to /contact?category=legal.

14. Marketing Communications

We send marketing emails only with your prior, freely given, informed consent. Each marketing email includes an unsubscribe link, and you can manage marketing preferences in your Account settings. Transactional messages (security alerts, billing receipts, password resets, important Service updates) are not marketing and you cannot unsubscribe from them while your Account is open.

15. Data Breach Notification

We notify the relevant supervisory authority and affected individuals of any personal-data breach without undue delay and in any event within 72 hours of becoming aware of the breach, where the breach is likely to result in a risk to your rights and freedoms (GDPR Article 33; KVKK Communiqué on Personal Data Breach Notification).

Notifications are sent to the email address on your Account and to a public incident page at torun.ai/incidents where appropriate.

16. Cookies, Tracking and Do-Not-Track

We honour the Global Privacy Control (GPC) signal where applicable. We do not respond to legacy 'Do Not Track' browser headers as there is no industry consensus on what they mean. Cookie-level preferences set in our banner take effect immediately and synchronise across your sessions.

17. Changes to This Policy

We may update this policy from time to time. The current version is always available at torun.ai/privacy-policy with an effective date and version number. Material changes will be notified by email at least 30 days before they take effect. The latest version controls; archived versions are available on request.

18. Contact and Supervisory Authorities

Data Protection Officer: /contact?category=legal

Postal address: available on request at the Contact page.

Supervisory authorities:

  • Turkey - KVKK (Kişisel Verileri Koruma Kurumu) - kvkk.gov.tr
  • European Union - find your local DPA at edpb.europa.eu/about-edpb/about-edpb/members_en
  • United Kingdom - ICO - ico.org.uk
  • California, USA - CPPA (California Privacy Protection Agency) - cppa.ca.gov

If you are not satisfied with our response to your request, you have the right to lodge a complaint with the supervisory authority for your jurisdiction.

19. Language

This policy is provided in English as the master version. Translations are offered for convenience; in case of conflict between the English version and a translation, the English version controls, except where mandatory data-protection law of your country requires otherwise.