Privacy Policy
RUNWAYFBU AS
Last Updated: February 19, 2026
1. Introduction
Welcome to RunwayFBU AI, operated by RUNWAYFBU AS ("we," "our," or "us"). It is important to us that you can trust that all your personal information is safe with us. We spend considerable effort ensuring that your privacy is protected and safeguarded.
All personal data we hold on you is data you have given us yourself, or data we have received from public organisations in order to deliver the services you are entitled to. We use no other data than is strictly necessary to carry out our work. We do not share your personal data with anyone other than our suppliers who need this data to carry out their duties towards you, and public organisations that request access to your data. In such cases, your data is secured by our data processing agreements. We do not keep your details for any longer than is necessary.
By using RunwayFBU AI, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, please do not use our service.
2. Information We Collect
2.1 Account & Personal Information
We collect the following personal information when you create an account or use our service:
- Name and email address
- Telephone number (if provided)
- Address (if provided)
- IP addresses
- Company/organisation details and role
2.2 Google User Data
When you sign in using Google via our authentication provider (Clerk), we access the following Google user data:
- Basic profile information: Your name, email address, and profile picture as provided by your Google account
- Email address: Used as your primary account identifier for authentication
We do not access your Google contacts, calendar, Drive files, Gmail messages, or any other Google service data beyond the basic profile information listed above.
2.3 Startup & Evaluation Data
When you use our platform to evaluate startups, we collect:
- Submitted Information: Startup URLs, company names, descriptions, and metadata
- Evaluation Data: Custom criteria, scores, ratings, and analysis results
- Scraped Content: Publicly available information from startup websites
- Notes and Comments: Any notes, tags, or annotations you add
2.4 Usage & Analytics Information
We automatically collect certain information about your device and usage:
- Log Data: IP address, browser type, operating system, referral URLs
- Analytics Data: Pages visited, features used, time spent, click patterns (via Google Analytics, EU-hosted)
- Device Information: Device type, screen resolution, language preferences
3. How We Use Your Information
3.1 General Use
We use the collected information for the following purposes:
- Service Provision: To provide, operate, and maintain our startup evaluation platform
- Account Management: To create and manage your account and authenticate users
- AI Analysis: To process startup data and generate evaluation scores using AI
- Communication: To send you updates, notifications, and respond to inquiries
- Service Improvement: To understand usage patterns and improve our service
- Security: To detect, prevent, and address technical issues and security threats
- Legal Compliance: To comply with legal obligations, including accounting law requirements
3.2 Use of Google User Data
Google user data (your name, email, and profile picture obtained through Google Sign-In) is used exclusively for:
- Authentication: To verify your identity and sign you in to the platform
- Account Identification: To display your name and profile picture within the application
- Communication: To send you account-related notifications and service updates to your email address
We do not use Google user data for advertising, do not sell Google user data, and do not use Google user data for purposes unrelated to the core functionality of our service.
4. Data Sharing
We do not sell your personal data. We share data only with the following categories of third-party service providers, solely for the purposes described below. Each provider is bound by a data processing agreement where applicable.
Clerk (Authentication)
Purpose: User authentication, account management, and session handling (including Google Sign-In)
Data Shared: Email address, name, profile picture, login timestamps
Privacy Policy: clerk.com/privacy
Google Analytics (EU-hosted)
Purpose: Website analytics, user behavior tracking, and performance monitoring
Data Shared: Anonymized usage data, page views, session duration, device information, IP addresses (anonymized)
Region: Data is processed and stored in the European Union
Privacy Policy: policies.google.com/privacy
Railway (Hosting — EU Region)
Purpose: Cloud hosting infrastructure and database hosting
Data Shared: All application data and user content (stored in EU data centers)
Privacy Policy: railway.app/legal/privacy
OpenAI & Anthropic (AI Processing)
Purpose: AI-powered startup analysis and evaluation
Data Shared: Startup information, evaluation criteria, scraped website content (non-PII)
Note: Personal user data (name, email, etc.) is not sent to AI providers. Only business-context startup information is processed.
Postmark (Email)
Purpose: Transactional email delivery (notifications, alerts)
Data Shared: Email address, name (for personalization)
4.1 Sharing of Google User Data
Google user data obtained through Google Sign-In is shared only with:
- Clerk: Our authentication provider, which processes Google Sign-In and stores your account credentials securely
- Postmark: Your email address is used to deliver transactional notifications
We do not share Google user data with any other third parties, advertisers, or data brokers. Google user data is never sold or used for purposes unrelated to the provision of our service.
5. Data Storage & Protection
We have secured your personal data through data processing agreements where applicable. Where we transfer data to a third country when necessary to deliver the service, this is secured with Standard Contractual Clauses (SCCs).
We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction:
- Encryption: Data is encrypted in transit (TLS/SSL) and at rest (AES-256)
- Authentication: Secure authentication via Clerk with multi-factor authentication support
- Access Controls: Role-based access controls (RBAC) and principle of least privilege
- Infrastructure: Hosted in secure EU data centers (Railway, EU region)
- Database Isolation: Schema-per-tenant isolation ensures your data is separated from other organisations
- Backups: Regular encrypted backups with secure retention policies
While we strive to protect your personal information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security, but we continuously review and improve our security measures.
6. Data Retention & Deletion
We retain your personal information only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law. The following table outlines our retention periods:
| Purpose | Legal Basis | Data Kind | Deleted After |
|---|---|---|---|
| Accounting | Art. 6.1.c | Name, Email address, IP addresses | 10 years |
| CRM / Service | Art. 6.1.b | Name, Email address, Telephone number, Address, IP addresses | 5 years |
| Email Service | Art. 6.1.f | Name, Email address, IP addresses | 5 years |
| Marketing | Art. 6.1.f | Name, Email address | 6 months |
| Website / Analytics | Art. 6.1.b | IP addresses (anonymized) | 2 years |
| Workspace / Platform | Art. 6.1.b | Name, Email address, IP addresses | 5 years |
| Account Data | Art. 6.1.b | All account information | 30 days after deletion |
| Startup Evaluations | Art. 6.1.b | Evaluation data, scores, notes | While account active or until deleted |
| Backup Data | Art. 6.1.b | Encrypted backups | 30 days |
6.1 Google User Data Retention
Google user data (name, email, profile picture) obtained through Google Sign-In is retained only for as long as your account is active. Upon account deletion, all Google user data is removed within 30 days.
6.2 Requesting Data Deletion
You may request deletion of your personal data at any time by:
- Deleting your account from your account settings within the platform
- Contacting us at sagar@runwayfbu.com to request deletion
- Using our contact form
Please note that deletion may be affected by our duties under accounting law, as we may not be able to delete certain information before we have fulfilled our legal obligations. We will inform you if such restrictions apply and process the deletion as soon as legally permitted.
7. Legal Basis for Processing (GDPR)
We process your personal data based on the following legal grounds under the General Data Protection Regulation (GDPR):
- Art. 6.1.b — Contract Performance: Processing necessary to provide our service and fulfill our contract with you (account management, platform functionality, workspace data)
- Art. 6.1.c — Legal Obligation: Processing necessary to comply with legal obligations, including accounting and tax requirements
- Art. 6.1.f — Legitimate Interests: Processing necessary for our legitimate interests in operating and improving our platform (email service, marketing, analytics)
- Art. 6.1.a — Consent: Processing based on your explicit consent (e.g., for analytics cookies, optional marketing communications)
8. Your Rights
As a user, you have rights regarding your personal data and how we process it. Data privacy law gives you the following rights:
If we have collected your data with your consent, you may withdraw your consent at any time. Please contact sagar@runwayfbu.com to request this.
Right to Access
You have the right to see your personal data. You can request a copy of all personal information we hold about you.
Right to Rectification
You have the right to ask for corrections. If something is wrong, we will correct it. You can also update most information directly in your account settings.
Right to Erasure (Right to be Forgotten)
You have the right to be deleted. This may be affected by our duties in relation to accounting law, as we are not able to delete information before we have carried out our legal obligations. You can delete your account from your account settings or contact us to request deletion.
Right to Restrict Processing
You have the right to limit what we collect. If we have collected too much information, let us know and we will address it.
Right to Data Portability
You have the right to receive your personal data in a structured, commonly used, and machine-readable format (JSON/CSV). If you wish to move your personal data, we can arrange this.
Right to Object
If you disagree with how we use your data, you have the right to object to our processing of your personal information in certain circumstances.
Right to Lodge a Complaint
You have the right to complain to the Data Protection Authority. You can file a complaint with the Norwegian Data Protection Authority (Datatilsynet) here: datatilsynet.no — How to complain
To exercise any of these rights, please contact us using the information provided in Section 12. We will respond to your request within 30 days as required by GDPR.
9. Cookies and Tracking Technologies
We use cookies and similar tracking technologies to track activity on our service. You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. We display a cookie consent banner on your first visit to allow you to choose.
Types of Cookies We Use:
- Essential Cookies: Required for authentication, security, and basic functionality. These cookies are necessary for the service to function and cannot be disabled.
- Analytics Cookies: Used by Google Analytics (EU-hosted) to understand how visitors interact with our service. These cookies collect anonymized data and are only set with your consent.
You can manage your cookie preferences through your browser settings or our cookie consent banner. Disabling essential cookies may affect the functionality of our service.
10. International Data Transfers
We primarily process and store data within the European Union. However, some of our third-party service providers may process data outside the EEA:
- OpenAI / Anthropic: May process startup evaluation data in the United States
- Clerk: May process authentication data globally
Where we transfer data to a third country when necessary to deliver the service, this is secured with Standard Contractual Clauses (SCCs) approved by the European Commission. All providers maintain GDPR compliance measures.
11. Children's Privacy
Our service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children under 16. If you become aware that a child has provided us with personal information, please contact us. If we discover that a child under 16 has provided us with personal information, we will delete such information immediately.
12. Contact Us
If you have questions related to your personal data or this Privacy Policy, please contact:
RUNWAYFBU AS
Contact Person: Sagar Chandna
Email: sagar@runwayfbu.com
Contact Form: runwayfbu.com/contact
We will respond to your inquiry within 30 days as required by GDPR.
13. Changes to This Privacy Policy
We may update our Privacy Policy from time to time. We will notify you of any changes by:
- Posting the new Privacy Policy on this page
- Updating the "Last Updated" date at the top of this policy
- Sending you an email notification for significant changes
You are advised to review this Privacy Policy periodically for any changes. Changes are effective when they are posted on this page. Your continued use of the service after changes are posted constitutes your acceptance of the updated policy.