Introducing RunAsh AI - The AI Live Commerce Platform

Privacy at RunAsh

RunAsh AI Pvt. Ltd. ("RunAsh", "we", "our") operates the RunAsh live commerce platform available at runash.ai and via our mobile apps. This Privacy Policy explains what personal data we collect when you use our products, how we use it, with whom we share it, and what choices and rights you have.

This policy applies to all RunAsh products including the web platform, mobile apps, API, RunAsh Chat, and RunAsh VideoGen. It does not apply to third-party services linked from our platform — those are governed by their own privacy policies.

Plain English summary: We collect only what we need to run the service. We never sell your data. You can request deletion any time.

Data We Collect

We collect data in three ways: data you give us directly, data generated when you use the service, and data we receive from partners.

Category	Examples	Why we collect it
Account data	Name, email, phone, password hash	Identity & authentication
Profile data	Avatar, bio, business name, bank details	Seller profile & payouts
Streaming data	Video/audio streams, chat messages, product catalog	Core product functionality
Usage data	Pages visited, features used, click events, session duration	Product improvement & analytics
Device data	IP address, browser type, OS, device identifiers	Security & fraud prevention
Payment data	Card last 4 digits, billing address (full card number stored by Stripe/Razorpay)	Billing & subscription management
Viewer data	Watch time, reactions, purchases, chat (anonymised after 30 days)	Commerce AI personalisation

We do not collect biometric data, racial or ethnic origin, health information, or precise geolocation without your explicit consent.

How We Use Your Data

We use your personal data for the following purposes, each tied to a lawful basis under applicable law:

Providing the service — operating streaming infrastructure, processing payments, delivering AI features. Lawful basis: contract performance.
Improving the product — analysing usage patterns, running A/B tests, training internal models on anonymised aggregate data. Lawful basis: legitimate interests.
Safety & fraud prevention — detecting abuse, protecting users, complying with law enforcement requests. Lawful basis: legal obligation / legitimate interests.
Marketing communications — sending product updates, offers, and newsletters to opted-in users. Lawful basis: consent.
Compliance — meeting our obligations under GDPR, DPDP, CCPA, and other applicable regulations. Lawful basis: legal obligation.

We never use your data for third-party advertising, nor do we sell or rent your personal data to any third party for their independent marketing purposes.

Data Sharing & Sub-Processors

We share your data only with the following categories of recipients:

Service providers — companies that help us operate RunAsh (hosting, CDN, payment processing, email delivery). They process data only on our behalf under written data processing agreements.
Analytics partners — we share anonymised, aggregated usage data with analytics providers. No personally identifiable information is included.
Business transfers — if RunAsh is acquired or merges with another company, your data may transfer to the new entity, subject to equivalent protections.
Legal requirements — we may disclose data to law enforcement or government agencies if required by law or to protect safety.

Sub-processor	Purpose	Location
AWS / Cloudflare	Hosting, CDN, edge compute	Global (data residency options)
Stripe / Razorpay	Payment processing	USA / India
Anthropic API	AI model inference	USA
Twilio / SendGrid	SMS, transactional email	USA
PostHog	Product analytics	EU (self-hosted option)

A full list of sub-processors is available at runash.ai/legal/sub-processors. We will notify you of material changes 30 days in advance.

Data Retention

We keep your personal data for as long as necessary to provide the service and meet our legal obligations. The table below summarises our standard retention periods:

Data type	Retention period
Account & profile data	Duration of account + 90 days after deletion
Stream recordings	30 days (extendable to 1 year on paid plans)
Chat & viewer messages	Anonymised after 30 days; raw data deleted after 90 days
Analytics & usage logs	13 months (aggregated only)
Payment records	7 years (legal obligation)
Security logs	12 months
Marketing consent records	Until consent withdrawn + 3 years

After the retention period, data is either deleted or irreversibly anonymised. You may request early deletion under your rights below.

Your Privacy Rights

Depending on your jurisdiction, you have some or all of the following rights:

Access — request a copy of all personal data we hold about you.
Rectification — correct inaccurate or incomplete data.
Erasure ("right to be forgotten") — request deletion of your personal data, subject to legal retention obligations.
Portability — receive your data in a machine-readable format (JSON or CSV).
Restriction — ask us to stop processing your data in certain circumstances.
Objection — object to processing based on legitimate interests, including for direct marketing.
Withdraw consent — where processing is based on consent, withdraw it at any time without affecting prior lawful processing.
Lodge a complaint — you have the right to complain to your local supervisory authority (e.g. ICO in the UK, CNIL in France, MEITY in India).

To exercise any right, submit a request at runash.ai/privacy/request or email privacy@runash.ai. We will respond within 30 days (or 72 hours for DPDP-governed requests).

India residents (DPDP Act 2023): You may nominate a representative, access data in local languages, and raise grievances with our Grievance Officer at grievance@runash.ai.

How We Protect Your Data

We implement technical and organisational measures designed to protect your personal data against unauthorised access, loss, or destruction. Our security programme includes:

AES-256 encryption at rest for all stored personal data
TLS 1.3 in transit for all API and web communications
SOC 2 Type II certification (renewed annually)
Role-based access controls with mandatory MFA for all staff
Quarterly third-party penetration testing
Bug bounty programme at runash.ai/security
24-hour incident response team

In the event of a data breach that affects your rights and freedoms, we will notify you and relevant supervisory authorities within 72 hours.

Cookies & Tracking Technologies

We use cookies, pixel tags, and local storage to operate and improve RunAsh. For full details, see our Cookie Policy. In summary:

Essential cookies — required for authentication, security, and core functionality. Cannot be disabled.
Analytics cookies — help us understand how people use RunAsh (e.g. PostHog). You can opt out via cookie settings.
Preference cookies — remember your settings (language, theme, timezone). Disabled if you clear cookies.

We do not use third-party advertising cookies. You can manage your preferences at any time from runash.ai/cookies/preferences.

International Data Transfers

RunAsh is headquartered in India and operates globally. Your data may be processed in countries outside your home country, including the United States, the European Union, and Singapore.

For transfers from the EEA or UK to countries without an adequacy decision, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission. Copies are available on request.

For Indian users, we store personal data on servers located in India by default. Enterprise customers may request specific data residency configurations.

Children's Privacy

RunAsh is not directed at children under the age of 13 (or under 16 in the European Economic Area). We do not knowingly collect personal data from children.

If you believe a child has provided us with personal data, please contact privacy@runash.ai and we will delete the information promptly.

Changes to This Policy

We may update this Privacy Policy periodically. When we make material changes, we will:

Update the "Last reviewed" date at the top of this page
Send an in-app notification and email to affected users at least 14 days before the change takes effect
Publish a changelog at runash.ai/policies/changelog

Continued use of RunAsh after the effective date constitutes acceptance of the updated policy. If you do not agree, you may delete your account before the effective date.

Contact & Data Protection Officer

For any privacy-related queries, please contact:

Role	Contact
General privacy enquiries	privacy@runash.ai
Data Protection Officer (DPO)	dpo@runash.ai
India Grievance Officer (DPDP)	grievance@runash.ai
Postal address	RunAsh AI Pvt. Ltd., 12th Floor, DLF Cyber City, Gurugram, Haryana 122002, India

Questions? Contact legal@runash.ai. Always check runash.ai/policies for the latest version.