Privacy Policy

DeepRunner AI builds AI-powered business software for freelancers and small businesses. This policy explains what personal data we collect, how we use it, who we share it with, and the rights you have over it. It applies to our website (deeprunner.ai), our product ERPx10, and all other DeepRunner AI services.

We’ve tried to write this in plain language. If anything is unclear, email us at contact@deeprunner.ai.

“DeepRunner,” “we,” and “us” refers to the DeepRunner AI group of companies:

• DeepRunner AI LLC — 18 S 2nd St. #148, San Jose, CA 95113, USA. Parent company and controller for users outside the EEA and UK.
• DeepRunner AI Hellas — registered at 44 Mitropoleos Street, Aigio, Achaia 25100, Greece (branch office: Char. Trikoupi 62, Athens 14562, Greece). Controller for users in the European Economic Area and the United Kingdom.
• DeepRunner AI India — Plot No. 250, Udyog Vihar Phase 4, Palam Road, Gurugram, Haryana 122015, India. Engineering subsidiary; does not access EU customer production data.

For all privacy questions, contact contact@deeprunner.ai.

We wear two different hats depending on the context.

When you visit our website, sign up for our beta, or talk to us as a prospect, we’re the data controller. We decide what data to collect and how to use it.

When you or your company is a customer of ERPx10, your company is the data controller for your business data (your customers, invoices, employees, etc.), and we are the data processor acting on your instructions.

This policy covers both roles. Where we act as a processor, this policy works alongside the contract and DPA you signed with us.

From website visitors and prospects

• Contact information you give us: name, email, company, phone, country, role
• Technical information: IP address, browser type, device, pages visited, referrer
• Any information you send us in emails or forms
• Messages you post on our community channels (Discord)
• Candidates’ information: CVs and any other information that you are sending us

From ERPx10 customers

• Account data: name, email, phone, role, language, business name, tax ID
• Business data: invoices, receipts, expenses, inventory, customers, suppliers, employees, bank transactions, tax filings, and any documents or messages you upload or generate in the product
• Messenger data: when you use RunBot on Viber, WhatsApp, or another messenger, the content of your messages with the bot
• Usage data: feature usage, diagnostic logs, device info, and similar technical data

From partners and accountants

• Firm name, address, tax ID, main contact details, and any client information you choose to share with us

From the Free Invoice Generator

We don’t store the invoices you generate. They exist only in your browser until you download them. We do store the email address you give us if you opt in to our newsletter.

For website visitors and prospects

• Reply to your questions and send you information you’ve requested
• Send you product updates if you’ve subscribed
• Understand how our website is used and improve it
• Comply with our legal obligations

For customers

• Run the ERPx10 service you’re paying for
• Power AI-driven assistance through RunBot, RunBooks, and AIDA
• Provide support
• Send service and billing notices
• Improve the product using aggregated or de-identified data
• Comply with legal, tax, and regulatory obligations that apply to us

Candidates’ personal data

• Candidates’ personal data collected during the recruitment process will be retained for as long as necessary to assess the candidate’s suitability for the position and to comply with applicable legal obligations.
• If the candidate is not selected for employment, their personal data will generally be retained for a period of six months following the conclusion of the relevant recruitment process, unless a longer retention period is required or permitted by applicable law, or the candidate has provided consent for a longer retention period in order to be considered for future employment opportunities.
• Upon expiration of the applicable retention period, the personal data will be securely deleted, anonymized, or otherwise disposed of in accordance with the Company’s data retention and deletion procedures.
• If the candidate is hired, their personal data will become part of their employee file and will be retained in accordance with the Company’s employee data retention policies and applicable legal requirements.

Legal bases under GDPR

• Contract performance — to deliver the services you signed up for
• Legitimate interests — to operate, secure, and improve our business. Our legitimate interests include: fraud prevention and network security; improving product features using aggregated or de-identified usage data; sending service-related communications; and maintaining accurate business records. We have balanced these interests against your rights and have concluded they do not override your fundamental rights or freedoms. You have the right to object to processing based on legitimate interests at any time (see Your Rights below)
• Consent — for marketing emails and non-essential cookies, which you can withdraw anytime
• Legal obligations — tax, accounting, and other laws we must comply with

This is the section most SMB software providers don’t have. Since we’re AI-native, we owe you a clearer explanation.

We do not train AI models on your data. DeepRunner does not build its own foundation models. We use large language models from Anthropic, OpenAI, Google, and open-source projects to power features in our product.

Your data is used to personalize AI responses — not to train AI. When you ask RunBot a question, the relevant parts of your business data (invoices, contacts, inventory, etc.) are retrieved and passed to the model so it can give you an accurate answer about your business. This happens at the moment you ask — the data is used to produce your answer and is not retained by the model provider afterward.

Our AI providers are bound by zero-retention and no-training terms. We only work with AI providers that contractually agree not to train their models on our customers’ data and not to retain it beyond what’s needed to return your answer. The providers we currently use are listed in the next section.

Open-source models run on infrastructure we control. When we use open-source models, they run on servers we operate in the EU (through Hetzner). Your data does not leave that environment.

The AI’s actions are transparent and reversible. ERPx10 is designed so that AI-driven actions are reviewable before they take effect. The AI does not take irreversible actions on your behalf without your confirmation.

We share data with a small number of sub-processors that help us run the service. Each is bound by a data processing agreement with commitments at least as strict as ours.

We maintain an up-to-date list of sub-processors. If we add a new one, we’ll update this page. All customers will be notified of new or changed sub-processors at least 30 days before the change takes effect, giving you the right to object. If you reasonably object on data protection grounds, we will work with you to find an alternative solution or, if none is available, allow you to terminate your subscription without penalty.

Other sharing

• With your accountant or partner, if you’ve authorized that relationship
• With authorities where required by law (court order, tax authority request, and similar) — we push back on overbroad requests
• In a business transfer (merger or acquisition), in which case the receiving party must honor these commitments

We do not sell your data. We do not share it with advertisers. We do not use it for cross-context behavioral advertising.

If you are a California resident, you have the right under the California Consumer Privacy Act (CCPA/CPRA) to opt out of the sale or sharing of your personal information. Because we do not sell or share personal information for cross-context behavioral advertising, no opt-out action is required. To exercise any other CCPA rights (access, deletion, correction, or portability), email contact@deeprunner.ai. We will not discriminate against you for exercising these rights.

Customer production data for EU-based customers stays in the EU. We host with Hetzner in Germany, and our primary processing happens there.

Where we use AI providers based in the United States (Anthropic, OpenAI, Google), those transfers rely on the European Commission’s Standard Contractual Clauses together with each provider’s approved transfer mechanisms. The data sent to them is minimized to what’s needed to return your answer, and it is not retained.

Our India office does not access EU customer production data. Engineers there work on product development in isolated environments with synthetic or de-identified data. For users and employees based in India, personal data is processed by DeepRunner AI India Private Limited in accordance with the Digital Personal Data Protection Act 2023 (DPDP Act) and applicable Indian law. Indian residents may exercise their rights under the DPDP Act by contacting contact@deeprunner.ai.

Website and prospect data — up to 24 months after your last interaction, unless you ask us to delete it sooner.

Customer business data — for as long as you’re a customer, plus the retention period required by applicable accounting and tax laws in your country. For Greece, tax and accounting records are retained for 10 years; employee records for 10 years as required by Greek law. Other countries differ. You can export or delete your own data inside the product at any time.

After account termination — we delete customer data within 90 days of termination, except records we’re required by law to keep (which are archived or anonymized as applicable). You are responsible for exporting anything you want to keep before termination.

Backups — encrypted backups persist for up to 35 days after deletion from our production systems, then are fully removed.

CCTV recordings — video surveillance recordings are retained for 18 days, unless an incident occurs, in which case the retention period may be extended up to one (1) year.

If you’re in the EU, UK, or a jurisdiction with similar laws, you have the right to:

• Access the personal data we hold about you
• Correct it if it’s wrong
• Delete it (“right to be forgotten”), subject to legal retention obligations
• Export it in a portable format
• Restrict or object to certain processing
• Withdraw consent at any time, where we rely on consent
• Lodge a complaint with your data protection authority (in Greece, the Hellenic Data Protection Authority — dpa.gr)

We apply the same rights to everyone who uses our service, not just EU residents. Wherever you are — California, Brazil, India, or elsewhere — you have at least the rights above. To exercise any of them, email contact@deeprunner.ai. We respond within 30 days.

If you’re an ERPx10 customer exercising rights over your own business data (for example, your customer list), you can do most of this yourself inside the product. If you’re an individual whose data was uploaded by an ERPx10 customer — for instance, you’re a customer of one of our customers — you should first contact the business that holds your data. They are the controller. We’ll help them respond.

Some of what we do to keep your data safe:

• Encryption in transit (TLS) and at rest (AES-256)
• Role-based access control; staff access to production is minimized and logged
• Multi-factor authentication for all staff accounts
• Regular backups, with restoration tested
• Vulnerability scanning and penetration testing
• An incident response process, with notification to affected customers and regulators within the timeframes required by law (72 hours under GDPR)

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you without undue delay. Our notification will describe the nature of the breach, the categories and approximate number of individuals and records affected, the likely consequences, and the measures we have taken or propose to take to address the breach. We will also report the breach to the relevant supervisory authority (in Greece, the Hellenic Data Protection Authority) within 72 hours of becoming aware of it, where required by GDPR Article 33.

No system is perfectly secure, but we work hard to get close. If you discover a vulnerability, email contact@deeprunner.ai — we respond quickly and we’re grateful for responsible disclosure.

Our website uses a small number of cookies:

• Essential cookies — needed for the site to work (session, language, security). These can’t be turned off.
• Analytics cookies — PostHog, to understand how the site is used. You can decline these.

We don’t use advertising or tracking cookies. We don’t share cookie data with ad networks.

The first time you visit from the EU, UK, or other regions requiring consent, you’ll see a banner letting you accept or decline non-essential cookies. You can change your choice later from the footer of the site.

The cookies we use are:

• Session cookie — set by DeepRunner; keeps you logged in during your session. Expires when you close your browser. Category: Essential.
• Cookie consent cookie — set by DeepRunner; remembers your cookie preferences. Expires after 12 months. Category: Essential.
• PostHog analytics cookie — set by PostHog; measures how our website and product are used in aggregate. No personal profiling. Expires after 12 months. Category: Analytics (requires consent for EU/UK visitors).

ERPx10 is for businesses, not for children. We don’t knowingly collect data from anyone under 16. If you believe a child has given us personal information, email contact@deeprunner.ai and we’ll delete it.

We may update this policy over time. When we do, we’ll change the effective date at the top. If the change is material, we’ll notify customers by email or in-product before it takes effect.