Privacy Policy

The data controller is Runoot, with registered office in Milan, Italy.

For all privacy-related matters, you can contact us at: legal@runoot.com.

We may collect and process the following categories of personal data:

• •Account data: email address, password (hashed), full name, user type (tour operator or private).
• •Profile data: company name, phone number, profile information.
• •Listing data: listing descriptions, prices, availability, event details.
• •Communication data: messages exchanged between users on the platform.
• •Technical data: IP address, browser type, device information, access logs.
• •Referral data: invitation records, referral attributions.

We process your personal data for the following purposes and on the corresponding legal bases under Article 6(1) GDPR:

• •Service delivery (account creation, listings, messaging): contractual necessity — Art. 6(1)(b).
• •Platform security (fraud prevention, abuse detection, access logs): legitimate interest — Art. 6(1)(f).
• •Service communications (account notifications, system updates): legitimate interest — Art. 6(1)(f).
• •Legal compliance (tax obligations, law enforcement requests, dispute resolution): legal obligation — Art. 6(1)(c).
• •Analytics and platform improvement (optional, anonymized where possible): consent — Art. 6(1)(a).

We may share your data with the following categories of third-party processors, acting on our behalf and under contractual data processing agreements:

• •Hosting and infrastructure: cloud hosting providers (Supabase / AWS).
• •Authentication: identity and access management services (Supabase Auth).
• •Email delivery: transactional email providers (Resend).
• •Analytics: optional analytics services (PostHog), with data collection routed through a first-party proxy endpoint at /ph on the Runoot domain.

Some of our service providers may process data outside the European Economic Area (EEA). In such cases, we ensure that appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission, or transfers to countries that have received an adequacy decision.

You may request information about specific transfer safeguards by contacting legal@runoot.com.

We retain personal data only as long as necessary for the purposes described in this Policy. Specifically:

• •Account and profile data: retained for the duration of your account, plus up to 5 years after account deletion for legal and compliance purposes.
• •Messages and communication data: retained for the duration of your account.
• •Technical and security logs: retained for up to 12 months.
• •Referral and invitation records: retained for the duration of the referring user's account.

Under the GDPR, you have the following rights regarding your personal data:

• •Right of access: obtain confirmation of whether your data is being processed and request a copy.
• •Right to rectification: request correction of inaccurate or incomplete data.
• •Right to erasure ("right to be forgotten"): request deletion of your data, subject to legal retention obligations.
• •Right to data portability: receive your data in a structured, commonly used, machine-readable format.
• •Right to restriction: request limitation of processing in certain circumstances.
• •Right to object: object to processing based on legitimate interest.
• •Right to withdraw consent: where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.

To exercise any of these rights, send a request to legal@runoot.com. We will respond within 30 days, as required by the GDPR.

You also have the right to lodge a complaint with the competent supervisory authority. For users in Italy, this is the Garante per la protezione dei dati personali (www.garanteprivacy.it).

Runoot is not directed at persons under 18 years of age. We do not knowingly collect personal data from minors. If we become aware that a user is under 18, we will take steps to delete their account and associated data.

We may update this Privacy Policy from time to time. Users will be notified of material changes via email or a notice on the platform. The date of the last update is indicated at the top of this document.

For all privacy-related requests and questions: legal@runoot.com.