Privacy Policy
Last updated: 2026-05-08
This is the privacy policy for Runway Plan (runway-plan.com), a personal financial-planning web app operated by an individual developer (the "operator") on a self-hosted server. Read this alongside our Terms of Service.
We try to keep this short and human-readable. If something is unclear, email [email protected] and ask.
What we collect
When you sign in with Google, we receive:
- Your Google account email + display name + profile picture URL. Used to identify your account, render your name in the UI, and address transactional email.
- A Google OAuth refresh token if (and only if) you connect Google Sheets export. Stored encrypted at rest. We do not request any other Google scope by default.
When you use the app, we store the data you enter:
- Holdings, salary, expenses, family member names + birth years, property valuations, insurance policies, retirement targets, tax inputs, household links. This is the core data the app exists to track. It lives in your private SQLite database file at data/tenants/{your-user-id}/investment.db on the operator's server.
- Session cookies + IP address + User-Agent of recent logins. Used for "Active sessions" management, abuse detection, and the per-IP rate limiter. Sessions expire after 14 days of inactivity. Login records are pruned after 90 days.
- Lemon Squeezy subscription metadata (subscription ID, status, expiry, raw webhook payload up to 8KB) if you subscribe to Premium. Audit rows pruned after 365 days.
- Anthropic API usage logs (per-call token counts + cost) for the AI Reports feature. Pruned after 365 days.
- Email + push delivery audit rows for transactional messages (welcome, login alert, weekly report ready, payment failed, household invite, tier change). Pruned after 90 days.
Sub-processors (where data goes)
Some features send your data to third-party services. The sub-processors are:
| Service | What we send | What for |
|---|---|---|
| Anthropic (api.anthropic.com) | Your portfolio, net worth, monthly income breakdown, free-form expense notes, mortgage balance, insurance totals, tax inputs, retirement targets, year-end portfolio history | Generating AI Reports — see "AI Reports" below |
| Resend (api.resend.com) | Your email address + the rendered email body | Sending transactional email (max 6 events; see template list above) |
| Cloudflare R2 | Encrypted nightly backup of your tenant database | Disaster recovery (encrypted with AES-256-GCM via a passphrase only the operator holds) |
| Lemon Squeezy | Your email + a stable user_id token (only if you subscribe to Premium) | Subscription billing, card charging, dunning |
| Google | Your account email (during OAuth login). If you connect Google Sheets, the spreadsheet content the app creates lives in your own Google Drive | Authentication; Sheets export to your own Drive |
| GitHub (private repo) | No user data — code mirror only | Code backup |
We do not use Google Analytics or any other behavioral analytics tracker. We do not advertise on the site.
AI Reports — what's sent to Anthropic
When you run an AI Report (manually or via the Premium weekly auto-report), the app POSTs a prompt to Anthropic that includes:
- Holdings list (symbol, quantity, cost, current price, daily change)
- Net worth + balance sheet
- Income structure (salary breakdown — for TW users this includes payroll components)
- Free-form expense notes (whatever you typed as the notes field on each expense row — this can include sensitive descriptions like "therapist", "alimony", "school fees")
- Mortgage balance and amortization
- Insurance totals (annual premium aggregate)
- Retirement targets and tax inputs
- Year-end portfolio history (last few years)
This data is processed by Anthropic per their Commercial Terms and Usage Policies. We use Anthropic's web_search_20250305 tool, which forwards search queries (TAIEX/S&P/Fed rate references) to Anthropic's search provider. Anthropic states that API inputs are not used for model training by default.
Basic-tier users automatically get one welcome AI Report on or shortly after signup, using the operator's platform Anthropic API key. Premium-tier users get weekly auto-reports + on-demand reports, also via the platform key. Premium users with their own BYOK Anthropic API key route through their own account — Anthropic's contractual relationship is then with you, not us.
If you don't want any of your data sent to Anthropic, do not run the welcome report and do not subscribe to Premium. There is no AI-disabled mode that still keeps the rest of the app — but if that's important to you, email and we'll find a workaround.
Encryption at rest
- BYOK Anthropic API key (Premium users only) — Fernet-encrypted with a key derived from SESSION_SECRET + your user_id (PBKDF2-HMAC-SHA256, 600 000 iterations).
- Google Sheets refresh token (only if you connected Sheets) — same Fernet-encryption shape.
- Nightly R2 backups — AES-256-GCM with a passphrase the operator holds in Apple Passwords. The operator can re-key by re-encrypting; users cannot recover their own backups directly.
Plaintext data inside your SQLite tenant DB (holdings, expenses, etc.) is not encrypted at the application level — it relies on filesystem permissions on the operator's machine and the encrypted-backup envelope.
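As an added illustration of the per-user key derivation described above for the BYOK key and the Sheets refresh token (this is example code, not Runway Plan's own), assuming SESSION_SECRET is the PBKDF2 password, the user_id string is the salt, and the 32 derived bytes are urlsafe-base64 encoded to form the Fernet key; Fernet comes from the cryptography package:

```python
"""Per-user Fernet key derivation and encryption of stored secrets.

Assumptions not stated on the page: SESSION_SECRET is the PBKDF2 password,
user_id is the salt, derived bytes are urlsafe-base64 encoded as the Fernet key.
"""
import base64
import hashlib

from cryptography.fernet import Fernet, InvalidToken

PBKDF2_ITERATIONS = 600_000  # iteration count stated in the policy


def derive_user_key(session_secret: str, user_id: str) -> bytes:
    """PBKDF2-HMAC-SHA256 with user_id as salt: users sharing one SESSION_SECRET
    never share a key, and no per-user key needs to be stored anywhere."""
    raw = hashlib.pbkdf2_hmac(
        "sha256",
        session_secret.encode("utf-8"),
        user_id.encode("utf-8"),
        PBKDF2_ITERATIONS,
        dklen=32,
    )
    return base64.urlsafe_b64encode(raw)  # 44-byte Fernet key format


def encrypt_secret(session_secret: str, user_id: str, plaintext: str) -> bytes:
    """Encrypt a per-user secret (BYOK API key, Sheets refresh token)."""
    return Fernet(derive_user_key(session_secret, user_id)).encrypt(plaintext.encode())


def decrypt_secret(session_secret: str, user_id: str, token: bytes) -> "str | None":
    """Return None when the key (other user, rotated SESSION_SECRET) or the
    token (tampered, corrupt) does not verify, instead of raising."""
    try:
        return Fernet(derive_user_key(session_secret, user_id)).decrypt(token).decode()
    except InvalidToken:
        return None


if __name__ == "__main__":
    # Constructed sample values, not real secrets.
    token = encrypt_secret("dev-session-secret", "user-42", "sk-ant-placeholder")
    print(decrypt_secret("dev-session-secret", "user-42", token))  # sk-ant-placeholder
    print(decrypt_secret("dev-session-secret", "user-43", token))  # None: other user
    print(decrypt_secret("rotated-secret", "user-42", token))      # None: secret rotated
```

Because every per-user key is derived from SESSION_SECRET, rotating that secret silently invalidates all stored BYOK keys and Sheets tokens unless they are re-encrypted first.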
Your rights
- Export. You can download your full tenant database any time via Settings → Export. Returns a SQLite file you can open with any SQLite browser.
- Deletion. Settings → Delete Account purges your users row (cascades sessions, push subscriptions, household links, Sheets connection) and deletes the data/tenants/{your-user-id}/ directory immediately. Audit-trail tables (anthropic_usage, subscription_events for refund/dispute records) keep your user_id set to NULL — the rows survive but are no longer attributable to you.
- Backup retention after deletion. Encrypted nightly backups in Cloudflare R2 retain a copy of your data for up to 30 days after deletion. After 30 days the backups themselves are pruned and the data is gone everywhere we hold it. We cannot decrypt + selectively-delete a single user from a backup — the backups are blob-level encrypted snapshots, so the wait-for-30d-rotation is the deletion path.
- Object. You can object to any specific use; email [email protected]. We'll either disable the feature for your account or delete your account.
Cookies
We use one cookie: rp_session, an HttpOnly + SameSite=Lax + (in production) Secure-flagged signed cookie. It contains an opaque session token. We do not use third-party cookies and do not share session info with anyone. No cookie consent banner is shown because the cookie is "strictly necessary" under GDPR Recital 32 (it just keeps you logged in).
Children
Runway Plan is a financial-planning tool for adults. We don't intentionally collect data from anyone under 18. If you believe a minor has signed up, email [email protected] and we'll delete the account.
Changes to this policy
If we make material changes (new sub-processor, retention extension, new data category), we'll notify users by email and bump the "Last updated" date above. The git history of docs/privacy_en.md in the repo is the canonical changelog.
Contact
[email protected] — for any privacy question, deletion request, or correction.