Privacy Policy
Effective date: 17 May 2026
1. Who we are
RunnerDuck ("we", "our", "us") is an SEO metadata monitoring service operated at runnerduck.pro. We are established in the European Union and our primary data infrastructure is hosted in Lithuania, EU. This policy applies to all users of the service.
Contact: hello@runnerduck.pro
2. Our role — controller and processor
RunnerDuck acts in two distinct roles depending on the data being processed:
Data Controller
For account data (your name, email, billing information), RunnerDuck is the Controller — we determine why and how this data is processed.
Data Processor
For website metadata crawled on your behalf, you (the agency) are the Controller and RunnerDuck is the Processor — we act on your instructions. This relationship is governed by our Data Processing Agreement (DPA), which is incorporated into your subscription by reference.
3. Data we collect
Account data
Name and email address collected at sign-up via Clerk (our authentication provider). We do not store passwords — authentication is handled entirely by Clerk.
Site and crawl data
URLs you add to your account and the metadata extracted from crawling them: page titles, meta descriptions, H1 headings, canonical tags, robots directives, Open Graph tags, structured data (JSON-LD), HTTP status codes, and internal link structure. Raw page HTML is never stored — only extracted metadata fields.
Google Search Console data (optional)
If you connect a Google Search Console property, we request the read-only scope https://www.googleapis.com/auth/webmasters.readonly. We retrieve weekly click and impression counts per URL solely to calculate traffic-weighted health scores within your account. OAuth tokens are encrypted at rest. You can disconnect GSC at any time from site settings — all tokens and synced data are deleted immediately.
Billing data
Payment details are processed and stored by Stripe. We receive only a subscription status and customer reference — no card numbers or bank details are held by RunnerDuck.
Usage and audit data
We log actions taken within your account (sites added, settings changed, crawls triggered) for security and support purposes. Server access logs are retained for 90 days.
4. Legal bases for processing (GDPR Art. 6)
| Processing activity | Legal basis |
|---|---|
| Account creation and management | Art. 6(1)(b) — performance of contract |
| Website crawling and metadata storage | Art. 6(1)(b) — performance of contract |
| Sending change alert emails and digests | Art. 6(1)(b) — performance of contract |
| Subscription billing via Stripe | Art. 6(1)(b) — performance of contract |
| GSC OAuth token storage and data sync | Art. 6(1)(b) — performance of contract (explicit user action required) |
| Security logging and audit events | Art. 6(1)(f) — legitimate interests (fraud prevention, security) |
| Billing record retention | Art. 6(1)(c) — legal obligation (tax and accounting law) |
| Support communication | Art. 6(1)(f) — legitimate interests (customer support) |
5. How we use your data
- To provide and operate the RunnerDuck service
- To send change alert emails and daily digest notifications you have enabled
- To calculate health scores and traffic-weighted metrics
- To process subscription billing via Stripe
- To respond to support requests
- To detect and prevent abuse or security incidents
We do not sell your data. We do not use your data to train machine learning models. We do not use your site crawl data for any purpose beyond delivering the service to your account.
6. Sub-processors and international transfers
Our primary infrastructure is hosted in the EU (Lithuania). Some sub-processors are located in the United States. Transfers to US sub-processors are made under EU Standard Contractual Clauses (SCCs) or other lawful mechanisms as indicated below.
| Sub-processor | Country | Purpose | Transfer basis |
|---|---|---|---|
| Hostinger International | Lithuania (EU) | VPS hosting, database | EU — no transfer |
| Clerk Technologies Inc. | USA | Authentication, session management | SCCs + Clerk DPA |
| Resend Inc. / Amazon SES | USA / EU | Transactional email delivery | SCCs + Resend DPA |
| Stripe Inc. | USA / Ireland (EU) | Subscription billing | EU entity + Stripe DPA |
| Google LLC | USA / EU | CrUX API, GSC API (when connected) | EU adequacy + Google DPA |
| Anthropic PBC | USA | AI recommendations (anonymised data only — no personal data) | No personal data transferred |
7. Data retention
| Data type | Retention |
|---|---|
| Crawled page metadata | 30 days |
| Change history and health scores | Until account deletion |
| GSC click/impression data | Until GSC disconnected or account deleted |
| Audit and crawl event logs | 90 days |
| Account and billing records | Duration of subscription + 7 years (legal requirement) |
8. Your rights (GDPR)
As a data subject under GDPR, you have the following rights:
- Access (Art. 15): Request a copy of personal data we hold about you
- Rectification (Art. 16): Request correction of inaccurate data
- Erasure (Art. 17): Request deletion of your account and associated data
- Portability (Art. 20): Request your data in a machine-readable format
- Restriction (Art. 18): Request we restrict processing while a dispute is resolved
- Objection (Art. 21): Object to processing based on legitimate interests
- Withdraw GSC consent: Disconnect GSC at any time from site settings — tokens and synced data are deleted immediately
To exercise any right, email hello@runnerduck.pro. We will respond within 30 days. You also have the right to lodge a complaint with your local Supervisory Authority. RunnerDuck's lead supervisory authority is the Data State Inspectorate of Latvia (dvi.gov.lv).
9. Security
All data is transmitted over HTTPS (TLS 1.2+). OAuth tokens are encrypted at rest using AES-128-CBC (Fernet). Database access is restricted to the application server. Row-level security ensures each agency can access only its own data. Authentication uses RS256 JWT tokens via Clerk.
10. Cookies
We use only functional cookies required to operate the service: a session cookie set by Clerk for authentication. We do not use advertising or tracking cookies.
11. Business customers (DPA)
If you use RunnerDuck to process data on behalf of your own clients, a Data Processing Agreement is in place between you (Controller) and RunnerDuck (Processor), incorporated by reference into your subscription. The DPA governs all processing carried out on your behalf and includes the sub-processor list, security measures, breach notification obligations, and your rights to audit.
12. Changes to this policy
We may update this policy from time to time. Material changes will be notified by email at least 30 days before taking effect. The effective date at the top of this page always reflects the latest version.
13. Contact
Questions about this policy or our data practices: hello@runnerduck.pro