
Privacy Policy

Rungate
Effective Date: February 24, 2026
Last Updated: February 24, 2026


This Privacy Policy describes how MystLabs Inc. ("Company," "we," "us," or "our") collects, uses, discloses, and retains personal information in connection with the Rungate platform, APIs, website (https://rungate.ai), and related services (collectively, the "Services"). By accessing or using the Services, you acknowledge that you have read and understood this Privacy Policy.

If you are using the Services on behalf of an organization, this policy applies to you and the individuals whose personal information you submit to us.


Notice at Collection (Summary)

When you register or use the Services, we collect: account identifiers (name, email), billing data, API request metadata (model, token counts, timestamps, IP address), and device/log data. We use this information to operate the Services, ensure security, and communicate with you. We do not sell your personal information. We do not use your Input or Output to train our own AI models unless you explicitly opt in. API request metadata is retained for up to 30 days; billing records are retained for 7 years as required by law. For full details, see Sections 1–5 below. To exercise your privacy rights, contact contact@rungate.ai.


1. Information We Collect

1.1 Information You Provide Directly

  • Account and Registration Data: Name, email address, username, password, and any other information you provide when creating or maintaining an Account.
  • Payment and Billing Information: Credit card details, billing address, and transaction history. Payment card data is processed by our third-party payment processor and is not stored on our servers.
  • Communications: Messages, support tickets, feedback, or other content you send to us.
  • API Inputs and Outputs: Prompts, instructions, files, images, and other content you submit to the Services ("Input"), and the responses generated by AI models ("Output"). See Section 3 for our data training policy.
  • Fine-Tuning and Hosted Model Data: Training datasets, model weights, and related files you upload to use our fine-tuning or model hosting features.

1.2 Information Collected Automatically

When you access or use the Services, we and our third-party service providers automatically collect certain information, including:

  • Device and Technical Data: IP address, browser type and version, operating system, device identifiers, and hardware configuration.
  • Usage and Log Data: Pages viewed, features accessed, API requests (including request metadata such as model name, token counts, latency, and error codes), timestamps, referral URLs, and session duration.
  • Cookies and Similar Technologies: We use cookies, web beacons, pixel tags, and local storage to operate the Services, remember your preferences, analyze usage, and support marketing. See Section 8 for details.
  • Analytics: We may use third-party analytics tools (such as PostHog or similar) to collect aggregated behavioral data about how users interact with the Services.

1.3 Information from Third Parties

We may receive personal information about you from:

  • Authentication Providers: If you register or log in via a third-party service (e.g., GitHub, Google), we receive basic profile information from that provider.
  • Payment Processors: Transaction status and billing confirmation data.
  • Public Sources: Publicly available information relevant to fraud prevention or compliance screening.

2. How We Use Your Information

We use the information we collect for the following purposes:

  • To Provide and Operate the Services: Processing API requests, managing your Account, delivering inference results, hosting your models, and facilitating billing.
  • To Improve and Develop the Services: Analyzing aggregated, de-identified usage patterns (such as request volumes, error rates, and latency statistics), diagnosing technical issues, and developing new features. This does not include using your Input or Output to train AI models — that is governed separately by Section 3.
  • Security and Fraud Prevention: Detecting, investigating, and preventing unauthorized access, abuse, fraudulent transactions, and violations of our Terms of Service. We may use automated systems to detect unusual request patterns, rate limit violations, or potential abuse. These systems do not make decisions that produce legal or similarly significant effects on individuals.
  • Communications: Sending transactional emails (account confirmations, billing receipts, security alerts) and, with your consent, product updates and promotional materials. You may opt out of marketing communications at any time.
  • Legal Compliance: Meeting our obligations under applicable law, responding to lawful requests from government authorities, and enforcing our agreements.
  • Business Operations: Internal analytics, financial reporting, and operational planning. In connection with a merger, acquisition, or sale of assets, personal information may be transferred as described in Section 4.

3. AI Model Training Policy

We do not use your Input or Output to train, fine-tune, or otherwise improve MystLabs' own AI models or services without your explicit, affirmative opt-in consent.

By default, your API requests are processed to fulfill your request and are not used for any training purpose. If you choose to opt in, you must submit a written request to contact@rungate.ai or through our support portal; opt-in is off by default and requires explicit authorization from us. Once enabled, you grant us a license to use your Input and Output to improve our models and services. You may withdraw this consent at any time by contacting contact@rungate.ai; withdrawal applies prospectively and does not affect data processed prior to withdrawal.

Fine-tuning datasets you upload are used solely to create your Fine-Tuned Model and are not used for any other purpose without your consent.

When you use a third-party AI model through the Services, your Input is transmitted to that model provider to fulfill your request. We do not authorize third-party model providers to use your Input or Output for their own model training purposes; however, your use of third-party models is also subject to those providers' own terms and privacy policies, and we cannot guarantee their data handling practices. We note in our documentation where a third-party model's terms may permit or restrict such use.

Aggregated, de-identified usage statistics (such as aggregate request volumes, error rates, and latency distributions) that cannot be linked back to you may be used for service improvement without restriction.


4. How We Share Your Information

We do not sell your personal information to third parties. We may share personal information as follows:

Service Providers (Subprocessors): We engage third-party vendors to support our operations, including cloud infrastructure providers, payment processors, analytics tools, customer support platforms, and security services. These providers access personal information only as necessary to perform services on our behalf and are contractually required to protect it. Enterprise customers and those subject to GDPR may request our current list of subprocessors by emailing contact@rungate.ai.

Business Partners and Integrations: With your direction or consent, we may share information with third-party platforms you connect to the Services (e.g., via API keys or OAuth integrations). You are responsible for reviewing the privacy practices of any third party you connect.

Third-Party Model Providers: When you use a third-party AI model through the Services, your Input (and potentially metadata) may be transmitted to the relevant model provider to fulfill your request. We identify applicable third-party providers in our documentation. Your use of third-party models is subject to those providers' own privacy policies.

Legal and Regulatory Disclosure: We may disclose personal information if required by law, subpoena, court order, or other legal process, or if we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request. Where legally permitted, we will attempt to notify you before disclosing your information in response to such requests.

Business Transfers: In connection with a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or a portion of our assets, personal information may be transferred to or acquired by a successor entity. We will notify you via email or a prominent notice on the Services if such a transaction results in a material change to how your personal information is used.

Affiliates: We may share information with our corporate affiliates and subsidiaries, subject to this Privacy Policy.

With Your Consent: We may share personal information for any other purpose with your express consent.

We do not share your Input, Output, or fine-tuning data with other customers.


5. Data Retention

We retain personal information for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by applicable law.

| Data Type | Retention Period |
|---|---|
| Account information | Duration of account plus 30 days after deletion |
| API request logs (metadata) | Up to 30 days for debugging and security monitoring |
| Input and Output content | Not persistently stored beyond the API response, unless you opt into logging features |
| Fine-tuning datasets and Hosted Models | Until you delete them or your Account is terminated |
| Billing and payment records | 7 years, or as required by applicable tax and financial law |
| Security and fraud logs | Up to 12 months |
| Anonymized / aggregated data | Indefinitely |

When retention periods expire, we delete, anonymize, or securely isolate the data. Anonymized data that can no longer be linked to you may be retained and used indefinitely without further notice.

Upon account deletion, your personal information is removed or anonymized within 30 days, except for data we are required to retain by law or that is necessary to resolve disputes, enforce agreements, or complete pending transactions.


6. Security

We implement technical, organizational, and physical safeguards designed to protect your personal information against unauthorized access, disclosure, alteration, and destruction. These measures include encryption in transit (TLS), access controls, and security monitoring.

However, no method of transmission over the internet or method of electronic storage is completely secure. We cannot guarantee absolute security, and we are not responsible for unauthorized access caused by factors beyond our reasonable control, including your failure to protect your account credentials. If you become aware of a security issue, please notify us immediately at contact@rungate.ai.

In the event of a data breach that affects your personal information, we will notify you as required by applicable law.


7. International Data Transfers

MystLabs Inc. is headquartered in San Francisco, California, USA. If you access the Services from outside the United States, your personal information may be transferred to, stored, and processed in the United States or other countries where our service providers operate. Privacy laws in those countries may differ from, and in some cases offer less protection than, the laws of your home jurisdiction.

By using the Services, you consent to the transfer of your personal information to the United States and other countries as described in this Privacy Policy. Where required by applicable law (such as the GDPR), we rely on appropriate transfer mechanisms, including the European Commission's Standard Contractual Clauses (SCCs), to legitimize such transfers. You may request a copy of the applicable transfer mechanism by contacting contact@rungate.ai.


8. Cookies and Tracking Technologies

We use the following categories of cookies and similar technologies:

| Category | Purpose | Examples |
|---|---|---|
| Strictly Necessary | Required for the Services to function (authentication, security, session management) | Session cookies, CSRF tokens |
| Functional | Remember your preferences and settings | Language, display preferences |
| Analytics | Understand how users interact with the Services to improve them | PostHog, aggregated usage metrics |
| Marketing | Deliver relevant communications (used only on our marketing site, not in the API) | Email pixel tracking |

You can control cookies through your browser settings. Note that disabling certain cookies may impair functionality of the Services. You may also manage your analytics and non-essential cookie preferences through the Cookie Settings link in the footer of our website.

Do Not Track: We currently do not alter our data collection practices in response to "Do Not Track" browser signals. We do not authorize third parties to track users across unaffiliated websites or services through the Rungate platform for advertising purposes.


9. Your Privacy Rights

9.1 All Users

Regardless of where you are located, you may:

  • Access and update your account information through your Account settings.
  • Opt out of marketing emails by clicking "unsubscribe" in any marketing email or contacting contact@rungate.ai.
  • Request deletion of your Account by contacting contact@rungate.ai.
  • Manage AI training opt-in by contacting contact@rungate.ai or submitting a support request (off by default; requires explicit written authorization).

9.2 California Residents (CCPA / CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

  • Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you, the sources, the purposes, and the third parties with whom we share it.
  • Right to Delete: Request deletion of personal information we have collected, subject to certain exceptions.
  • Right to Correct: Request correction of inaccurate personal information.
  • Right to Opt Out of Sale or Sharing: We do not sell or share your personal information for cross-context behavioral advertising.
  • Right to Limit Use of Sensitive Personal Information: To the extent we process sensitive personal information as defined by the CPRA, you may request that we limit its use to what is necessary to provide the Services.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

To exercise these rights, contact us at contact@rungate.ai. We will respond within 45 days (extendable by an additional 45 days where reasonably necessary with notice). We will verify your identity before processing your request — typically by confirming access to the email address associated with your Account. You may also designate an authorized agent to submit requests on your behalf; authorized agents must provide written proof of authorization, and we may still verify your identity directly. We will not discriminate against you for exercising any of these rights.

9.3 EEA, UK, and Swiss Users (GDPR)

If you are located in the European Economic Area, United Kingdom, or Switzerland, the processing of your personal information is subject to the GDPR or equivalent legislation. Our lawful bases for processing include:

  • Performance of a contract: Processing necessary to provide the Services you have requested.
  • Legitimate interests: Processing where our interests (or those of a third party) are not overridden by your rights. Examples include: operating and improving the security of the platform, preventing fraud and abuse, maintaining accurate billing records, and sending service-relevant communications to existing customers. You have the right to object to processing based on legitimate interests at any time.
  • Legal obligation: Processing required to comply with applicable law, including tax, financial reporting, and law enforcement requirements.
  • Consent: Where you have given explicit consent (e.g., for AI training opt-in or marketing communications). You may withdraw consent at any time without affecting the lawfulness of prior processing.

You have the right to access, rectify, erase, restrict, or object to processing of your personal information, and the right to data portability. You also have the right to lodge a complaint with your local supervisory authority (e.g., the data protection authority in your EU member state). To exercise these rights, contact contact@rungate.ai.

Data Protection Officer: We have not appointed a Data Protection Officer at this time. If this changes, we will update this policy. Privacy-related inquiries may be directed to contact@rungate.ai.

DPA and Transfer Mechanisms: Enterprise and GDPR-subject customers may request our Data Processing Agreement (DPA) and a copy of the applicable Standard Contractual Clauses by contacting contact@rungate.ai.


10. Children's Privacy

The Services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18. If you believe we have inadvertently collected information from a child under 18, please contact us at contact@rungate.ai and we will promptly delete it.


11. Third-Party Links and Services

The Services may contain links to third-party websites, tools, or services. This Privacy Policy does not apply to those third parties. We encourage you to review the privacy policies of any third-party services you access through or in connection with the Services. We are not responsible for the privacy practices or content of third parties.


12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by updating the "Last Updated" date at the top of this page and, where appropriate, by sending an email notification to the address associated with your Account or posting a prominent notice on the Services. Your continued use of the Services after the effective date of any update constitutes your acceptance of the revised Privacy Policy.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.


13. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

MystLabs Inc.
Attn: Privacy
2261 Market Street, STE 22655
San Francisco, CA 94114
USA
Email: contact@rungate.ai
Website: https://rungate.ai

We will respond to privacy inquiries within a reasonable time, and within the timeframes required by applicable law.


This Privacy Policy was last updated on February 24, 2026.

© 2026 MystLabs Inc.