Privacy Policy
Last updated: 14 July 2026 Effective from: 14 July 2026
This policy explains what personal data we collect, how we use it, who we share it with, and the rights you have over it. It's written in plain English. If anything's unclear, email info@runation.co.uk — we'll explain.
This policy includes the operational detail on subprocessors, retention periods and technical controls.
Who we are
Runation is the trading name of Runation Ltd, company number 17337737.
For the purposes of UK GDPR and the Data Protection Act 2018, we are the data controller for personal data we collect through this website and our marketing activity. When we process personal data on behalf of a client as part of a paid delivery or support engagement, we are the data processor and the client is the controller — those arrangements are governed by a separate Data Processing Agreement.
- Business address: 2 Castle Meadow Road, Nottingham, NG2 1AJ
- ICO registration: no registration claim is made until the reference is verified
- Data Protection Officer: Hammad Khalid (founder)
- Contact for privacy matters: info@runation.co.uk
What personal data we collect
We collect the minimum necessary to do our work and stay in touch. Specifically:
From you, when you contact us or book an audit
- Name
- Email address
- Phone number (if provided)
- Company name and website
- Job title (if provided)
- Free-text answers to our audit questions (typically about your current workflow pain points)
From you, when you become a client
- All of the above, plus
- Billing address and payment details (handled by Stripe — we never see card numbers)
- Sometimes additional information needed to deliver the engagement (workflow data, sample records, system credentials — handled per the DPA)
Automatically, when you visit the site
- Your approximate location (country / region — derived from IP, not stored)
- Pages visited, time on page, referrer
- Device type and browser
- We use Cloudflare Web Analytics to understand aggregate website traffic. It does not use cookies, fingerprint visitors, or track people across sites. We do not use the data for advertising.
From third parties
We don't buy personal data. We may receive contact details from a referrer (an existing client or partner) when they introduce you, but only with their explicit knowledge.
We do not collect special category data (health, ethnicity, sexual orientation, religious belief, biometric, political opinion, trade union membership) through this website. If a client engagement requires processing special category data, that's handled separately under our DPA with a specific lawful basis recorded.
Why we collect it (lawful basis)
UK GDPR requires us to have a lawful basis for every kind of processing. Ours are:
| Processing activity | Lawful basis |
|---|---|
| Responding to enquiries you initiate | Contract (or steps prior to entering one) — UK GDPR Article 6(1)(b) |
| Running a free Audit | Contract (steps prior to entering one) — Article 6(1)(b) |
| Sending you our quarterly update if you opted in | Consent — Article 6(1)(a) |
| Sending occasional updates to existing clients | Legitimate interest — Article 6(1)(f) |
| Cold outbound messages to business contacts | Legitimate interest — Article 6(1)(f), subject to PECR for marketing emails |
| Keeping client records after engagement | Legal obligation — Companies Act 2006 record-keeping |
| Detecting fraud, abuse, or technical issues | Legitimate interest — Article 6(1)(f) |
We've documented our legitimate interests assessments (LIAs) where they're relied on. You can ask for a summary by emailing info@runation.co.uk.
You can withdraw consent or object to processing based on legitimate interests at any time. See "Your rights" below.
How we use your data
To do the work you've asked us to do, and only that.
If you book an Audit:
- Confirm the booking and send calendar invite
- Send the prep email and the post-audit 1-page report
- Follow up once if you haven't replied to the report within 14 days
If you become a client:
- Deliver a Build Package, Ongoing Support engagement, or Custom Build per the SOW
- Invoice and collect payment
- Send service-related communications (system status, scheduled maintenance, post-launch check-ins)
If you've opted in to our quarterly update:
- Send the quarterly case-study and systems digest (~once a quarter)
We don't use personal data for:
- Sale to third parties (we don't sell data, full stop)
- Targeted advertising (we don't run any)
- Training third-party AI models (our subprocessors' API endpoints are configured to disable training on inputs)
- Any purpose materially different from the one we collected it for
Who we share it with
We share personal data with three categories of recipient:
Our subprocessors
The third-party tools that help us run our operations. The services currently used by this website include Attio (CRM), Cal.com (booking), Vercel (hosting), Cloudflare (DNS and analytics), Google Workspace (email and calendar), and Slack (internal lead alerts).
Our professional advisers
Where strictly necessary — accountants, solicitors, insurers — under their own confidentiality obligations.
Authorities, if legally required
We will share data with law enforcement, courts, or regulators if compelled by law (e.g. a court order or HMRC investigation). We will challenge requests we consider overreaching.
We do not share personal data with:
- Marketing list brokers
- Data enrichment services
- Anyone for advertising or profiling purposes
International transfers
Some of our subprocessors are based outside the UK. Specifically:
- United States — OpenAI, Anthropic, Attio, Beehiiv. Transfers are protected by the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs.
- EU/EEA — some Cal.com and hosting infrastructure may process data in the EU/EEA. Transfers are covered by the applicable UK adequacy regulations or contractual safeguards.
Where Enterprise tiers offer UK or EU residency, we elect them.
How long we keep it
Our current retention summary:
- Audit notes: 12 months (then deleted unless you become a client)
- Active client records: duration of engagement + 6 years (Companies Act requirement)
- Lost lead records: 24 months, then anonymised
- Workflow logs: 30 days rolling
- Email (transactional): 12 months
You can ask for earlier deletion at any time (see "Your rights").
Your rights
Under UK GDPR you have the right to:
- Access the personal data we hold about you (subject access request)
- Rectify any data that's inaccurate or incomplete
- Erasure ("right to be forgotten") — subject to lawful retention requirements
- Restrict processing while a query is resolved
- Portability — receive your data in a machine-readable format
- Object to processing based on legitimate interests
- Withdraw consent at any time, where consent was the lawful basis
- Complain to the Information Commissioner's Office (see below)
- Not to be subject to solely automated decisions with legal or significant effects (we don't make any)
To exercise any of these rights, email info@runation.co.uk. We'll respond within 30 days, usually faster. There's no fee unless requests are excessive or repetitive (UK GDPR Article 12).
We may need to verify your identity before disclosing data — usually a simple confirmation from the email address we have on file.
Cookies
We do not set non-essential cookies on this website. Cloudflare Web Analytics is cookieless. See the Cookie Policy for the current position.
Children
This is a B2B service. Our website and services are not directed at children. We don't knowingly collect personal data from anyone under 18. If you become aware that a child has provided us with personal data, please contact us and we'll delete it.
Security
We take reasonable technical and organisational measures to protect personal data, including MFA, credential management and access controls. No system is 100% secure; we don't claim otherwise. If a breach occurs that affects you, we will notify you in line with UK GDPR Article 33 / 34.
Changes to this policy
If we make material changes, we'll update the "Last updated" date and notify clients with active engagements by email. Minor wording changes may be made without notification. The current version is always the authoritative one — we don't keep historical versions on the public site, but you can ask for one.
Complaints to the ICO
You have the right to lodge a complaint with the UK supervisory authority:
Information Commissioner's Office (ICO) Wycliffe House Water Lane Wilmslow Cheshire SK9 5AF ico.org.uk 0303 123 1113
We'd appreciate the chance to address concerns first — email info@runation.co.uk — but you don't have to come to us before going to the ICO.
Contact
For any privacy question, request, or concern:
Email: info@runation.co.uk Subject line tag: "Privacy" or "Data request" speeds routing.