RH
Note: RunHub is currently in its launch phase. This privacy policy is a working draft and will be updated as features are added and our legal review is completed. If you have questions in the meantime, please contact us.

Privacy Policy

Last updated: April 2026 — Draft

1. Data Controller

The data controller responsible for this website is RunHub. If you have any questions about how your data is handled, please use the contact page.

2. Data We Collect

Account data

When you register, we store your email address, your name, and optionally a profile picture. This is necessary to provide your account (Art. 6(1)(b) GDPR).

Sign-in data

You can sign in via email magic link, passkey (WebAuthn), or social login (Google, GitHub, Apple, Facebook/Meta). When you use a social login, the provider shares your email, name, and profile picture with us. OAuth tokens required for the sign-in flow are stored but never shared with third parties. The legal basis is Art. 6(1)(b) GDPR.

Session cookies

We use strictly necessary cookies to keep you signed in (session token, CSRF token, callback URL). These are required for the site to function and do not require your consent under § 25 TTDSG.

Security & audit logs

For security purposes we log sign-in events and content changes. These logs may include your IP address, browser user-agent, and a timestamp. The legal basis is our legitimate interest in protecting the platform (Art. 6(1)(f) GDPR).

Analytics

We use a self-hosted instance of Umami to understand how visitors use the site. Umami does not use cookies and does not collect personal data — it records aggregated, anonymised statistics such as page views, browser language, and country. No consent is required.

3. Third-Party Services

If you choose to sign in with a social provider, your browser will connect directly to that provider. The following providers may receive your data as part of the OAuth flow:

  • Google LLC (USA) — Google Sign-In
  • GitHub Inc. / Microsoft (USA) — GitHub Sign-In
  • Apple Inc. (USA) — Sign in with Apple
  • Meta Platforms Inc. (USA) — Facebook Login

These providers are located in the United States. Transfers are safeguarded by Standard Contractual Clauses (Art. 46 GDPR). You are not required to use a social login; email and passkey sign-in are available as alternatives.

4. Data Retention

Account data is retained for as long as your account is active. Security audit logs are retained for up to 12 months. Session tokens expire automatically. If you delete your account, your personal data is removed from our systems, except where retention is required by law.

Account deletion is not yet available through the UI. During this launch phase, please contact us to request deletion.

5. Your Rights

Under GDPR you have the right to:

  • Access the personal data we hold about you (Art. 15)
  • Have inaccurate data corrected (Art. 16)
  • Request erasure of your data (Art. 17)
  • Restrict how we process your data (Art. 18)
  • Receive your data in a portable format (Art. 20)
  • Object to processing based on legitimate interests (Art. 21)

To exercise any of these rights, please use our contact page.

6. Right to Lodge a Complaint

You have the right to lodge a complaint with a data protection supervisory authority in the EU member state of your habitual residence, place of work, or the place of an alleged infringement (Art. 77 GDPR).