Privacy Policy

Last updated: 2026-03-21

Overview

Run402 provides cloud infrastructure — databases, APIs, authentication, storage, and static site hosting. Unlike a static website, Run402 necessarily stores and processes data to deliver its services. This policy explains what data we collect, how we use it, and how we protect it.

Data We Collect

Run402 collects and stores the following data as part of normal service operation:

• Project metadata — project IDs, names, tier, creation dates, lease expiration dates, and configuration settings
• API keys — anon keys and service keys generated for each project (stored hashed)
• Database contents — all data you store in your project's PostgreSQL schema, including tables, rows, and application data
• File uploads — files stored through the storage API (S3-backed)
• Payment records — x402 transaction hashes, Stripe customer IDs, allowance billing records, wallet addresses
• Server logs — API request logs including IP addresses, timestamps, endpoints called, and response codes (retained for 30 days)
• Authentication data — email addresses and hashed passwords for users of your applications (stored in your project's schema)

How We Use Data

We use the data we collect exclusively for:

• Service delivery — provisioning and operating your databases, APIs, storage, and hosted sites
• Terms enforcement — detecting and responding to violations of our Acceptable Use Policy
• Abuse detection — identifying malicious activity, spam, or unauthorized access attempts
• Billing — processing payments and tracking usage against lease limits

Run402 does not sell your data. We do not use your data for advertising. We do not train AI models on your data.

Data Storage and Security

• Databases are hosted on AWS Aurora Serverless v2 (PostgreSQL 16) with encryption at rest (AES-256) and in transit (TLS 1.2+)
• File storage uses Amazon S3 with server-side encryption
• Static sites are served via Amazon CloudFront + S3
• Project isolation — each project receives its own PostgreSQL schema with row-level security. Projects cannot access each other's data.
• Backups — automated database backups with 7-day retention

Data Retention

Your data lifecycle follows a ~104-day soft-delete grace. Your live site and end-user traffic keep working throughout — only the project owner's control-plane access (deploys, secret rotation, subdomain claims) is gated after day 14.

• Active — full read/write access to all data
• Past due (days 0–14) — everything works normally; billing contact gets the first warning email
• Frozen (days 14–44) — site keeps serving end users; control-plane writes return 402; subdomain is reserved so no one else can claim it; second warning email
• Dormant (days 44–104) — site still serves; scheduled (cron) functions pause; final warning email 24 hours before deletion
• Purged (day ~104+) — all project data, functions, deployments, and secrets are permanently deleted; subdomain becomes claimable by others 14 days later

Any tier renewal, topup, or upgrade during grace instantly reactivates the project and clears the countdown. Server logs are retained for 30 days and then automatically deleted.

Hosted Application Data

Data stored by the applications you build on Run402 — including end-user data collected by your apps — is your responsibility. You are the data controller for any personal data your applications collect. Run402 acts as a data processor on your behalf. You are responsible for ensuring your applications comply with applicable privacy laws (GDPR, CCPA, etc.).

Third-Party Services

Run402 uses the following third-party services:

• Amazon Web Services (AWS) — infrastructure hosting (Aurora, S3, CloudFront, Lambda). AWS Privacy Policy
• x402 / Coinbase — payment facilitation for USDC transactions on Base. Coinbase Privacy Policy
• Stripe — allowance top-up billing and payment processing. Stripe Privacy Policy
• Google Analytics (GA4) — aggregate marketing analysis on human-facing pages. We also store advertising attribution parameters (such as gclid and UTM tags) in your browser's local storage to measure marketing campaign effectiveness. Google Privacy Policy
• Google Fonts — typography on human-facing pages. Google Privacy Policy

Children's Privacy

Run402 is not directed at children under 13. We do not knowingly collect personal information from children. If you are a developer building an application directed at children, you are responsible for ensuring COPPA compliance in your application.

Your Rights

You may export your data at any time using the Run402 API while your lease is active. If you need to exercise data subject rights (access, correction, deletion) for data stored in your project's database, you can do so directly through the API. For requests related to Run402 account-level data, contact legal@kychee.com.

Changes to This Policy

We may update this privacy policy from time to time. The "last updated" date at the top of this page reflects when changes were last made. Continued use of Run402 after changes constitutes acceptance of the updated policy.

Contact

Privacy questions? Email legal@kychee.com.