Privacy Policy

RunOps ("RunOps," "we," "us," or "our") provides an inventory intelligence platform for specialty retail businesses. This Privacy Policy explains what information we collect, how we use it, and the choices you have. It applies to the RunOps web application at platform.runops.ai, the runops.ai marketing site, and any related services we operate.

If you have questions about this policy, contact us at runops@hexify.ai.

1. Information We Collect

1.1 Account Information

When you sign in to RunOps, we collect your name, email address, profile picture, and Google account identifier through Google OAuth. We use this information to create and authenticate your account.

1.2 Organization and Business Information

When you set up your organization in RunOps, you provide information about your business, including your company name, store locations, store contact information, and team members you invite to the account. You also configure brand representative contact details (name, email, phone) for the vendors you work with.

1.3 Point of Sale and Inventory Data

If you connect a point of sale (POS) system to RunOps, we collect inventory data from that system on your behalf. This includes product information (SKUs, descriptions, sizes, prices), stock levels, sales transactions, purchase orders, and related operational data. The data we collect is determined by the credentials and configuration you provide.

1.4 Google Account Data (Gmail Send-As)

If you choose to connect your Google account for sending fill orders to your brand representatives, we request the https://www.googleapis.com/auth/gmail.send OAuth scope. This is the most narrow Gmail scope available and only allows RunOps to send email on your behalf. We store the OAuth refresh token Google provides so we can send email when you click "Send Orders" inside the RunOps application. Refresh tokens are encrypted at rest using AES-128 (Fernet) symmetric encryption.

RunOps does not read, list, search, modify, or delete any messages in your Gmail inbox. RunOps does not access drafts, labels, settings, contacts, or any other Gmail data. The gmail.send scope is used exclusively to send fill order emails that you explicitly approve through the RunOps application.

1.5 Usage and Log Data

We automatically collect technical information when you use RunOps, including IP address, browser type, device information, request timestamps, and application logs. This data is used to operate, secure, and improve the service.

2. How We Use Your Information

We use the information we collect to:

Provide, operate, and maintain the RunOps platform
Authenticate you and secure your account
Process inventory data from your connected POS systems
Generate AI-powered inventory recommendations, demand forecasts, and fill order suggestions
Send fill order emails to brand representatives you have configured, when you explicitly request it through the application
Send transactional email about your account (welcome messages, access requests, security notifications)
Respond to your support requests and feedback
Detect, prevent, and respond to fraud, abuse, or technical issues
Comply with legal obligations

3. Google API Services User Data Policy

Limited Use disclosure. RunOps's use and transfer of information received from Google APIs to any other app will adhere to Google API Services User Data Policy, including the Limited Use requirements.

Specifically, RunOps:

Uses data accessed through Google APIs only to provide the user-facing fill order sending feature inside the RunOps application
Does not transfer Google user data to third parties except as necessary to provide the service, comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to users
Does not use Google user data for advertising, including retargeting, personalized advertising, or interest-based advertising
Does not allow humans to read Google user data unless we have your explicit consent for specific messages, it is necessary for security purposes such as investigating abuse, to comply with applicable law, or for internal operations after the data has been aggregated and anonymized

4. How We Share Information

We do not sell your personal information. We share information only in the following circumstances:

4.1 Brand Representatives You Configure

When you click "Send Orders" in RunOps, we send the fill order emails (including any spreadsheet attachments you have approved) to the brand representative email addresses you have entered into the application. You control who receives these emails by configuring the brand representative list. You are responsible for ensuring you have appropriate authorization to communicate with the recipients you configure.

4.2 Service Providers

We use a small number of third-party service providers to operate RunOps. They process information only on our behalf and are bound by contractual confidentiality obligations:

Google LLC · OAuth authentication and Gmail API for sending fill orders
Railway · Application hosting and PostgreSQL database hosting
Resend · Transactional email delivery (welcome emails, access requests, account notifications)
DeepSeek · Large language model API used for inventory recommendation reasoning. Inventory data is sent to DeepSeek for analysis when you run a Wizdom recommendation method. Personally identifiable information is not sent.

4.3 Legal Requirements

We may disclose information if required by law, subpoena, court order, or other legal process, or if we believe in good faith that disclosure is necessary to protect the rights, property, or safety of RunOps, our users, or the public.

4.4 Business Transfers

If RunOps is involved in a merger, acquisition, financing, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change in ownership or control.

5. Data Retention

We retain different types of information for different periods:

Account information · retained while your account is active and for a reasonable period after deletion to comply with legal obligations
Business and inventory data · retained according to the retention policy you configure for your tenant (defaults: 365 days for inventory statistics and audit logs, 90 days for system logs)
Google OAuth refresh tokens · retained until you disconnect your Google account in RunOps, delete your account, or revoke RunOps's access from your Google account settings
Application logs · retained for up to 90 days for operational and security purposes

You can request deletion of your account and all associated data at any time by contacting us at runops@hexify.ai. We will delete your data within 30 days of receiving a verified request, except where retention is required for legal compliance.

6. Data Security

We implement reasonable technical and organizational measures to protect your information, including:

Encryption in transit using TLS 1.2 or higher for all connections to RunOps
Encryption at rest for sensitive credentials (Google OAuth refresh tokens are encrypted using Fernet symmetric encryption with a key stored in environment variables, not in the database)
Logical tenant isolation enforced at the application and database layers, so each customer's data is partitioned from every other customer's data
Role-based access control for users within each tenant
Audit logging of state-changing operations
Regular review of dependencies for known vulnerabilities

No security measure is perfect. If you become aware of a security issue affecting RunOps, please contact us at runops@hexify.ai.

7. Your Rights and Choices

7.1 Revoking Google Access

You can revoke RunOps's access to your Google account at any time by visiting myaccount.google.com/permissions and removing RunOps from the list of connected apps. You can also disconnect your Google account from within the RunOps application under Settings. Once revoked, RunOps will no longer be able to send email on your behalf, and your stored refresh token will become invalid.

7.2 Access, Correction, and Deletion

You may request access to the information we hold about you, request corrections, or request deletion of your account and associated data. To make a request, contact us at runops@hexify.ai. We will respond within a reasonable time and may need to verify your identity before acting on your request.

7.3 Data Portability

You can export your inventory data, order history, and other tenant data from the RunOps application at any time.

8. International Data Transfers

RunOps and its service providers are located in the United States. If you access RunOps from outside the United States, your information will be transferred to and processed in the United States. By using RunOps, you consent to this transfer.

9. Children's Privacy

RunOps is a business-to-business product and is not directed to children under 13 years of age. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us and we will delete it.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through the RunOps application before the changes take effect. The "Effective" date at the top of this page indicates when the latest version became effective. Your continued use of RunOps after the effective date constitutes acceptance of the updated policy.

11. Contact Us

If you have questions, concerns, or requests related to this Privacy Policy or your information, contact us at:

RunOps
Email: runops@hexify.ai