Privacy Policy

Last updated: 2026-03-21

Overview

Run402 provides cloud infrastructure — databases, APIs, authentication, storage, and static site hosting. Unlike a static website, Run402 necessarily stores and processes data to deliver its services. This policy explains what data we collect, how we use it, and how we protect it.

Data We Collect

Run402 collects and stores the following data as part of normal service operation:

• Project metadata — project IDs, names, tier, creation dates, lease expiration dates, and configuration settings
• API keys — anon keys and service keys generated for each project (stored hashed)
• Database contents — all data you store in your project's PostgreSQL schema, including tables, rows, and application data
• File uploads — files stored through the storage API (S3-backed)
• Payment records — x402 transaction hashes, Stripe customer IDs, allowance billing records, wallet addresses
• Server logs — API request logs including IP addresses, timestamps, endpoints called, and response codes (retained for 30 days)
• Authentication data — email addresses and hashed passwords for users of your applications (stored in your project's schema)

How We Use Data

We use the data we collect exclusively for:

• Service delivery — provisioning and operating your databases, APIs, storage, and hosted sites
• Terms enforcement — detecting and responding to violations of our Acceptable Use Policy
• Abuse detection — identifying malicious activity, spam, or unauthorized access attempts
• Billing — processing payments and tracking usage against lease limits

Run402 does not sell your data. We do not use your data for advertising. We do not train AI models on your data.

Data Storage and Security

• Databases are hosted on AWS Aurora Serverless v2 (PostgreSQL 16) with encryption at rest (AES-256) and in transit (TLS 1.2+)
• File storage uses Amazon S3 with server-side encryption
• Static sites are served via Amazon CloudFront + S3
• Project isolation — each project receives its own PostgreSQL schema with row-level security. Projects cannot access each other's data.
• Backups — automated database backups with 7-day retention

Data Retention

Your data lifecycle is tied to your lease:

• Active lease — full read/write access to all data
• Lease expired (days 0–7) — project becomes read-only; data is preserved
• Archived (days 7–37) — project is archived; data is preserved but not accessible via API
• Deleted (day 37+) — all project data, files, and hosted sites are permanently deleted

You may renew your lease at any time before permanent deletion. Server logs are retained for 30 days and then automatically deleted.

Hosted Application Data

Data stored by the applications you build on Run402 — including end-user data collected by your apps — is your responsibility. You are the data controller for any personal data your applications collect. Run402 acts as a data processor on your behalf. You are responsible for ensuring your applications comply with applicable privacy laws (GDPR, CCPA, etc.).

Third-Party Services

Run402 uses the following third-party services:

• Amazon Web Services (AWS) — infrastructure hosting (Aurora, S3, CloudFront, Lambda). AWS Privacy Policy
• x402 / Coinbase — payment facilitation for USDC transactions on Base. Coinbase Privacy Policy
• Stripe — allowance top-up billing and payment processing. Stripe Privacy Policy
• Google Analytics (GA4) — aggregate marketing analysis on human-facing pages. We also store advertising attribution parameters (such as gclid and UTM tags) in your browser's local storage to measure marketing campaign effectiveness. Google Privacy Policy
• Google Fonts — typography on human-facing pages. Google Privacy Policy

Children's Privacy

Run402 is not directed at children under 13. We do not knowingly collect personal information from children. If you are a developer building an application directed at children, you are responsible for ensuring COPPA compliance in your application.

Your Rights

You may export your data at any time using the Run402 API while your lease is active. If you need to exercise data subject rights (access, correction, deletion) for data stored in your project's database, you can do so directly through the API. For requests related to Run402 account-level data, contact privacy@run402.com.

Changes to This Policy

We may update this privacy policy from time to time. The "last updated" date at the top of this page reflects when changes were last made. Continued use of Run402 after changes constitutes acceptance of the updated policy.

Contact

Privacy questions? Email privacy@run402.com.