Privacy Policy

Last updated: March 27, 2026

1. Who We Are

RunOpSync ("we", "us", "our") is a business operations platform operated by RunOpSync Technologies. We provide software-as-a-service tools for multi-zone business operations, e-commerce inventory management, and related services.

Contact: privacy@runopsync.com

2. What Data We Collect

Account Data (our customers)

  • Name, email address, password (hashed)
  • Organization name and billing information
  • Usage data and activity logs

End-Customer Data (your customers' data)

When you connect e-commerce platforms (Shopify, Amazon, Noon), we import:

  • Customer names and email addresses from orders
  • Shipping addresses
  • Order details (items, amounts, dates)

We process this data solely on your behalf as a data processor. You remain the data controller for your customers' data.

3. How We Use Data

  • To provide and operate the RunOpSync platform
  • To sync inventory and orders across your connected platforms
  • To generate analytics, forecasts, and reports
  • To send service-related communications
  • To maintain security and prevent fraud

We do not sell, rent, or share personal data with third parties for marketing purposes.

4. Data Storage & Security

  • Database: PostgreSQL hosted on Neon (AWS EU Frankfurt region), encrypted at rest
  • Application: Hosted on Vercel with HTTPS/TLS encryption in transit
  • Authentication: Passwords are hashed using bcrypt with a cost factor of 12
  • API credentials: Platform tokens (Shopify, etc.) are stored as encrypted environment variables, never in the database
  • Access control: Role-based access control (RBAC) with 5 permission levels

5. Data Retention

  • Account data: Retained for the duration of your subscription plus 30 days after cancellation
  • Order and customer data: Retained as long as your account is active or as required by law
  • Audit logs: Retained for 12 months
  • You may request deletion of all data at any time

6. Your Rights

Under GDPR, UAE PDPL, Canada's PIPEDA, and applicable privacy laws, you and your customers have the right to:

  • Access: Request a copy of data we hold about you
  • Rectification: Correct inaccurate or incomplete data
  • Erasure: Request deletion of data ("right to be forgotten")
  • Portability: Export data in a machine-readable format
  • Restriction: Limit how we process your data
  • Objection: Object to data processing
  • Withdraw Consent: Withdraw consent at any time where processing is based on consent

To exercise any of these rights, contact privacy@runopsync.com. We will respond within 30 days.

6A. PIPEDA Compliance (Canada)

For our Canadian customers and their end-users, we comply with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation (including Quebec's Law 25). Our practices align with PIPEDA's 10 Fair Information Principles:

1. Accountability

We have designated a Privacy Officer responsible for our compliance with PIPEDA. Our sub-processors (see Section 8) are contractually required to protect personal information to a comparable standard. Contact: privacy@runopsync.com

2. Identifying Purposes

We collect personal information solely to provide our SaaS platform services: syncing orders, managing inventory, processing analytics, and generating reports. We identify the purpose at or before the time of collection.

3. Consent

As a B2B service, our customers (the data controllers) obtain consent from their end-users. By connecting your Shopify, Amazon, or other platform accounts, you authorize us to import and process the associated customer data on your behalf. You may revoke this by disconnecting your platform at any time.

4. Limiting Collection

We only collect information necessary to provide the service. From e-commerce platforms, we import: customer name, email, shipping address, and order details. We do not collect payment card numbers, government IDs, or health information.

5. Limiting Use, Disclosure, and Retention

Personal information is used only for the purposes identified. We do not sell, share, or disclose personal information to third parties for their own purposes. Data is retained only as long as needed (see Section 5) and deleted within 30 days of account closure.

6. Accuracy

Data synced from your platforms is kept accurate through regular synchronization. You may correct any inaccurate information through the platform or by contacting us.

7. Safeguards

We protect personal information with: encryption at rest and in transit (TLS 1.3), bcrypt password hashing, role-based access controls, secure API token storage, and regular security reviews. See Section 4 for full details.

8. Openness

This Privacy Policy is publicly available at all times. We will notify users of material changes at least 30 days in advance.

9. Individual Access

Individuals may request access to their personal information held by us. Account holders can export all data via Settings → Data & Privacy → Export. End-customers should contact the business (our customer) who will coordinate with us.

10. Challenging Compliance

Individuals may challenge our compliance by contacting our Privacy Officer at privacy@runopsync.com. We will investigate and respond within 30 days. If unsatisfied, individuals may file a complaint with the Office of the Privacy Commissioner of Canada (OPC) at priv.gc.ca.

Cross-Border Data Transfers

Our database is hosted in the EU (Frankfurt). For Canadian personal information transferred outside of Canada, we ensure comparable protection through contractual safeguards with our sub-processors, consistent with PIPEDA requirements and OPC guidance on cross-border transfers.

7. Data Processing Agreement

For business customers who require a formal Data Processing Agreement (DPA), we provide one upon request. Our DPA covers:

  • Scope and purpose of data processing
  • Sub-processors (Vercel, Neon, Stripe)
  • Data breach notification procedures (within 72 hours)
  • Data deletion upon contract termination
  • Technical and organizational security measures

Contact legal@runopsync.com to request a DPA.

8. Sub-Processors

ProviderPurposeLocation
VercelApplication hostingUS / Edge
NeonDatabase hostingEU (Frankfurt)
StripePayment processingUS / EU
ResendTransactional emailUS

9. Cookies

We use only essential cookies for authentication (session token). We do not use tracking cookies, analytics cookies, or advertising cookies.

10. Changes to This Policy

We may update this policy from time to time. We will notify active users of material changes via email at least 30 days before they take effect.