Your data stays in Europe. Period.

Your data never leaves Europe. Not because we route it through an EU region of a US cloud provider — because every company in our stack is European. No US parent companies. No FISA 702 exposure. No Cloud Act risk.

Our sub-processors

Two companies. Both European-headquartered. That's the entire list.

Full details including data flow and change notification process in our sub-processor list. We have a signed Data Processing Agreement available for customers who need one.

No tracking. At all.

No analytics cookies. No third-party scripts. No fingerprinting. The only cookies we set are a session token and a CSRF token — both strictly necessary, both HttpOnly. There is nothing else.

At a glance

• 2 sub-processors — all EU/EEA-headquartered
• Zero US companies in the data chain
• Execution history auto-deleted — 30 days, all tiers
• Encrypted in transit (TLS 1.2+) and at rest
• European-owned, independently funded — no US parent company, no outside pressure to change jurisdiction
• Company: Whitenoise AS, Oslo, Norway (Norwegian jurisdiction)

Whitenoise AS is a Norwegian company. Norway is part of the European Economic Area (EEA) and subject to GDPR through the EEA Agreement. Your data receives the same protection as in any EU member state.

---

Full Privacy Policy

The details above are the summary. Below is the full legal policy for your compliance team.

This Privacy Policy explains how Whitenoise AS ("we", "us", or "our"), operating the Runlater service, collects, uses, and protects your personal data. We are committed to GDPR compliance and protecting your privacy.

1. Data Controller

The data controller for your personal data is:

• Whitenoise AS
• Org.nr: 821 244 722
• Oslo, Norway
• support@runlater.eu

2. Data We Collect

Account Information

• Email address (required for account creation and login)
• Organization name (if you create one)
• Team member information (email addresses of invited members)

Task Configuration Data

• Task names and descriptions
• Webhook URLs you configure
• HTTP headers and request bodies you specify
• Cron expressions and scheduling configuration

Execution Data

• Task execution timestamps and duration
• HTTP status codes from your webhooks
• Response bodies (truncated to 256KB, stored temporarily)
• Error messages when tasks fail

Usage Data

• Pages visited within the application
• API requests and timestamps
• IP addresses (for security and abuse prevention)
• Browser user agent (for debugging)

3. How We Use Your Data

We use your data to:

• Provide and operate the Service
• Send magic link emails for authentication
• Send usage alerts (when approaching limits)
• Send important service announcements
• Debug issues and improve the Service
• Prevent abuse and enforce our Terms of Service

We do not use your data for advertising or sell it to third parties.

4. Legal Basis for Processing (GDPR)

We process your data based on:

• Contract: To provide the Service you signed up for (Art. 6(1)(b))
• Legitimate interest: To improve the Service and prevent abuse (Art. 6(1)(f))
• Legal obligation: To comply with applicable laws (Art. 6(1)(c))

5. Data Storage and Security

Your data is stored securely in the European Union:

• Location: Nuremberg, Germany (netcup data center)
• Encryption: Data encrypted in transit (TLS 1.2+) and at rest
• Access: Limited to authorized personnel only
• Backups: Regular encrypted backups with limited retention
• API keys: Stored as irreversible hashes (never in plain text)
• Email: Sent directly from our server in Germany — no third-party email provider

6. Data Retention

• Account data: Retained while your account is active
• Execution history: 30 days, then automatically deleted
• Audit logs: 90 days
• Analytics: Aggregated, anonymized, retained for 90 days
• After account deletion: All data deleted within 30 days

7. Sub-processors

We use a limited number of sub-processors to operate the Service. See our Sub-processor list for details. We only share data with:

• Your webhook endpoints: We send HTTP requests to URLs you configure
• Infrastructure provider: netcup (Germany) for hosting
• Payment provider: Creem (Estonia) for payment processing as Merchant of Record

We do not share data with analytics services, advertising networks, or data brokers.

8. International Transfers

Your data is processed and stored within the European Union. All sub-processors are EU-based. See our Sub-processor list for details. We do not transfer personal data to countries outside the EU/EEA.

9. Your Rights (GDPR)

Under GDPR, you have the right to:

• Access: Request a copy of your personal data (Art. 15)
• Rectification: Correct inaccurate data (Art. 16)
• Erasure: Request deletion of your data ("right to be forgotten") (Art. 17)
• Portability: Export your data in a machine-readable format (Art. 20)
• Restriction: Limit how we process your data (Art. 18)
• Objection: Object to processing based on legitimate interest (Art. 21)

To exercise these rights, contact us at support@runlater.eu. We will respond within 30 days.

10. Cookies

We use minimal, essential cookies only:

• Session cookie: Required for authentication (HttpOnly, Secure)
• CSRF token: Required for security (HttpOnly, Secure)

We do not use tracking cookies, analytics cookies, or third-party cookies. No cookie consent banner is required as we only use strictly necessary cookies (GDPR Art. 5(3) ePrivacy Directive exemption).

11. Children's Privacy

The Service is not intended for users under 16 years of age. We do not knowingly collect data from children.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email. The "last updated" date at the top indicates when changes were made.

13. Complaints

If you believe we have not handled your data correctly, you have the right to lodge a complaint with your local data protection authority. In Norway, this is Datatilsynet.

14. Contact

For privacy-related questions or requests:

• Whitenoise AS
• Org.nr: 821 244 722
• support@runlater.eu