Privacy Policy

1. Who We Are

Agent Runway is a software-as-a-service product operated by Agent Runway Inc., a corporation incorporated under the Canada Business Corporations Act (Canada Corporation No. 1786542-2), with its registered office in the Province of New Brunswick, Canada. Agent Runway Inc. is the data controller responsible for your personal information. You can reach us at privacy@agentrunway.ca for all privacy-related inquiries.

2. Information We Collect

We collect and process the following categories of information:

2.1 Information You Provide Directly

• Account information — email address and password (stored as a secure bcrypt hash) when you create an account.
• Profile and settings — display name, province, brokerage split, annual income goal, transaction goal, experience years, and other preferences.
• Business data — transactions, GCI figures, commission details, pipeline deals, client records (names, emails, phones, notes, tags), expenses, receipts, and goals.
• Client personal information — when you use Agent Runway's CRM features, you may enter personal information about your own real estate clients (names, emails, phones, notes). You are the data controller for this client data and are responsible for ensuring you have appropriate consent and legal basis to store it.
• Communications — support requests, feedback, and correspondence you send to us.
• AI interactions — prompts, queries, and inputs you provide to AI features, including chat messages and outreach editing.

2.2 Information Collected Through Integrations

• Bank transaction data (optional, via Plaid) — if you connect a bank account, we receive from Plaid: account names, account identifiers (last four digits only), and transaction details (date, merchant name, amount). We do not receive your banking login credentials.
• Google Workspace data (optional) — if you connect Gmail, Google Calendar, or Google Drive, we access only the data within the OAuth scopes you approve, limited to what is necessary to provide the integration feature.

2.3 Information Collected Automatically

• Usage data — page views, feature usage, interaction events, session duration, and navigation paths, collected via analytics software to help us improve the product. This data is aggregated and does not directly identify you.
• Device and technical data — browser type, operating system, device type, screen resolution, IP address, and referring URL.
• Log data — server logs including timestamps, API requests, error reports, and authentication events for security and operational purposes.

2.4 Information We Do NOT Collect

• Payment card numbers, CVVs, or expiry dates (handled solely by Stripe)
• Banking login credentials (handled solely by Plaid)
• Social Insurance Numbers (SIN) or government-issued ID numbers
• Biometric data
• Health or medical information

3. How We Use Your Information

We use your information for the following purposes:

• To create and manage your account and authenticate your identity
• To deliver the features of Agent Runway (dashboards, forecasts, reports, CRM, Flight Crew)
• To process subscription payments and send billing confirmations
• To import and categorize bank transactions when you use the optional bank sync feature
• To provide Google Workspace integration features when you connect your Google account
• To generate AI-powered insights, outreach drafts, and recommendations using your business data
• To respond to support requests and communications
• To improve and develop the product based on aggregated usage patterns
• To send important service notifications (security updates, policy changes, billing alerts)
• To detect, prevent, and address fraud, abuse, security incidents, and technical issues
• To comply with legal obligations and enforce our Terms of Service

We do NOT use your information to:

• Sell your personal information or business data to third parties
• Build advertising profiles or target you with third-party ads
• Train general-purpose AI or machine-learning models on your data
• Share your financial data with your brokerage, competitors, or any third party for commercial purposes
• Send unsolicited marketing communications (you may opt in to product updates separately)

4. Consent and Legal Basis for Processing

Under PIPEDA, we process your personal information based on the following grounds:

• Express consent — for sensitive data processing, including: connecting your bank account via Plaid, transmitting business data to AI providers (Anthropic and Groq), connecting Google Workspace integrations, and sending outreach communications on your behalf. Express consent is obtained through affirmative action (e.g., clicking “Connect” or “Send”) after you have been informed of what data will be processed and by whom.
• Implied consent — for processing that is reasonably expected as part of the Service you have signed up for, such as storing your business data, computing dashboards and reports, and sending essential service notifications (security alerts, billing receipts, policy change notices).
• Contractual necessity — processing required to fulfill our contract with you (the Terms of Service), including account management, payment processing, and feature delivery.
• Exceptions without consent (PIPEDA s. 7) — in limited circumstances, we may process personal information without consent where permitted by law: to comply with a court order or subpoena, to investigate a breach of an agreement or contravention of law, to detect or prevent fraud, or where required to protect the safety of an individual.

You may withdraw consent at any time by disconnecting integrations, adjusting your settings, or contacting privacy@agentrunway.ca. Withdrawal of consent may affect your ability to use certain features. We will explain the consequences of withdrawal before processing your request.

4.1 Meaningful Consent and Just-in-Time Notices

Consistent with the OPC's Guidelines for Obtaining Meaningful Consent, we provide clear, specific information at the point of data collection (“just-in-time” notices) so you can make informed decisions. Before you connect Plaid, use AI features for the first time, connect Google integrations, or send outreach communications, the Service will clearly disclose: what data will be collected, who will process it, where it will be processed (including if outside Canada), and how to disconnect or withdraw consent. We do not bundle consent for unrelated purposes or use deceptive design patterns.

4.2 CASL Compliance for Communications

When you use Agent Runway's outreach features to send communications to your clients, Canada's Anti-Spam Legislation (CASL) applies. You are solely responsible for ensuring you have express or implied consent from each recipient before sending any commercial electronic message. Agent Runway provides communication tools but does not verify recipient consent. See our Terms of Service (Section 19) for your full CASL obligations.

5. Data Storage and Security

Your data is stored using Supabase, a managed database platform hosted on Amazon Web Services in the Canada (ca-central-1) region. Your data is stored in Canada.

We implement the following security measures:

• Encryption in transit — TLS 1.3 for all connections
• Encryption at rest — AES-256 encryption for all stored data
• Row-level security (RLS) — enforced at the database level so your data is never accessible to other users, even in the event of an application logic error
• Access controls — multi-factor authentication for production system access, principle of least privilege
• Password security — bcrypt hashing; passwords are never stored in plaintext
• Regular backups — automated backups with point-in-time recovery
• Monitoring — active monitoring for unauthorized access and anomalous activity

While we take reasonable measures to protect your information, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security and are not liable for breaches beyond our reasonable control. See our Security page for additional details.

9. Third-Party Market Data (CREA MLS® Statistics)

Agent Runway displays local real estate market data sourced from The Canadian Real Estate Association (CREA) MLS® Statistics portal. This is publicly available aggregate information — it is not personal information about you. No personal information is transmitted to CREA in connection with this feature.

The trademarks MLS®, Multiple Listing Service® and the associated logos are owned by CREA. © 2026 The Canadian Real Estate Association. All rights reserved.

10. Sharing Your Information

We do not sell your personal information.

We may share data with the following categories of service providers, strictly to operate the Service:

• Supabase — database infrastructure (AWS ca-central-1, Canada)
• Stripe, Inc. — payment processing (PCI DSS Level 1 certified). Agent Runway does not handle payment card data.
• Plaid Technologies, Inc. — bank account data retrieval (only if you use bank sync). Governed by Plaid's Privacy Policy.
• Google LLC — Google Workspace integrations (only if you connect Gmail, Calendar, or Drive).
• Anthropic, PBC — primary AI inference processing for AI Features (United States). When you use AI features, relevant portions of your business data are transmitted to Anthropic and processed by the Claude family of large language models. Anthropic operates under a Data Processing Agreement, commits to zero data retention for API traffic by default, and does not use customer data to train its models. See Section 8 and Section 11.
• Groq, Inc. — fallback AI inference and voice transcription (United States). Groq is used as a fallback when Anthropic is unavailable, and for speech-to-text on voice features. Groq operates under a Data Processing Agreement and commits to not retaining or training on customer data. See Section 8 and Section 11.
• Vercel, Inc. — application hosting and edge network infrastructure (United States). Vercel hosts the Agent Runway web application and processes HTTP requests; minimal request metadata (IP addresses, request logs) may be processed on Vercel's infrastructure.
• Analytics providers — aggregated, non-personal usage data only (only if you have accepted analytics cookies).
• Email delivery — transactional email service for password resets, billing receipts, and service notifications.

We maintain signed Data Processing Agreements (DPAs) with each sub-processor listed above. These agreements require each processor to: use personal information only for the specific purposes outlined, implement security safeguards comparable to our own, notify us promptly in the event of a data breach, return or delete personal information upon termination, and permit audit of their data handling practices.

For a complete list of our sub-processors, including the data they process and their locations, see our Sub-Processors page.

We may also disclose information if: (a) required by law, court order, subpoena, or governmental authority; (b) necessary to protect the rights, property, or safety of Agent Runway, our users, or the public; (c) to enforce our Terms of Service; or (d) in connection with a merger, acquisition, or sale of assets, in which case your information would be subject to the privacy commitments made in this policy.

11. International Data Transfers

Your primary data is stored in Canada (AWS ca-central-1). However, some data may be processed outside Canada in the following circumstances:

• Payment processing — Stripe may process payment data in the United States.
• AI processing — third-party AI providers may process AI requests in the United States or other jurisdictions.
• Google integrations — Google processes data in accordance with its own data processing terms.

When data is transferred outside Canada, we ensure that appropriate safeguards are in place through contractual commitments (Data Processing Agreements) from each service provider requiring them to protect personal information to a standard comparable to Canadian law. By using the Service and its integrations, you consent to these transfers to the extent required to provide the features you have enabled.

Important notice regarding US-based processing:

Data processed in the United States (by Anthropic, Groq, Stripe, Vercel, and other US-based sub-processors) is subject to United States law, including the Clarifying Lawful Overseas Use of Data Act (CLOUD Act) and other US federal and state laws. This means that US authorities may, under certain circumstances, access data held by US-based companies regardless of where that data was originally collected or where the individual is located. No contract can override a foreign government's legal authority to access data under its own laws. We disclose this so you can make an informed decision about using integrations that involve US data processing.

Alberta residents: If you have questions about Agent Runway's use of service providers outside Canada, you may contact our Privacy Officer at privacy@agentrunway.ca (Agent Runway Inc., New Brunswick, Canada), which is the designated representative responsible for answering questions about cross-border data transfers.

12. Team Accounts and Data Visibility

If you participate in a Team Account:

• Team Leaders may view aggregated and individual Team Member performance data to the extent enabled by the platform's permission settings.
• Team Members acknowledge and consent to this data visibility by accepting the Terms of Service.
• The Team Leader is an independent data controller for Team Member data they access and is responsible for their own compliance with privacy laws.
• Agent Runway acts as a data processor when processing Team Member data on behalf of the Team Leader.

13. Your Privacy Rights

Under PIPEDA and applicable provincial laws, you have the following rights:

• Access — request a copy of the personal information we hold about you.
• Correction — ask us to correct inaccurate or incomplete information.
• Withdrawal of consent — withdraw your consent for non-essential uses of your data at any time, including disconnecting integrations. Withdrawal of consent may affect your ability to use certain features.
• Deletion — request deletion of your account and associated data (including Plaid tokens, Google OAuth tokens, and imported data).
• Data export / portability — request a copy of your data in a structured, commonly used, machine-readable format (CSV or JSON). We are developing a self-serve “Download My Data” feature in your account settings. In the interim, email privacy@agentrunway.ca and we will provide your data export within 30 days at no cost.
• Object to processing — object to specific uses of your data where you believe those uses are not necessary for the Service or where your rights outweigh the processing purpose.
• Complaint — file a complaint with the Office of the Privacy Commissioner of Canada if you believe your rights have been violated.

To exercise any of these rights, email privacy@agentrunway.ca. We will verify your identity and respond within 30 days. We will not charge a fee for reasonable access requests. We will not discriminate against you for exercising your privacy rights.

14. Quebec Residents (Law 25)

If you are a resident of Quebec, you have additional rights under Loi 25 (Act respecting the protection of personal information in the private sector), including:

• Data portability — the right to have your personal information communicated to you or transferred to another organization in a structured, commonly used technological format.
• Automated decision-making (Law 25, s. 12.1) — Agent Runway's Flight Crew feature uses automated processing of your personal business data (GCI, pipeline metrics, expense ratios, activity data) to generate insights and recommendations presented to you. Under Quebec's Law 25, you have the right to: (a) be informed that a decision or recommendation was generated using automated processing; (b) request a list of the personal information used and the principal factors and parameters that influenced the output; and (c) submit your observations to a human representative at Agent Runway and request that the decision be reconsidered by a person. All AI outputs in Agent Runway are clearly labeled as AI-generated and are presented for your review — no automated action is taken without your explicit approval. To exercise these rights, contact privacy@agentrunway.ca.
• De-indexing — the right to request de-indexing of personal information from any hyperlink attached to your name where dissemination of that information contravenes the law or a court order.

Quebec residents may contact the Commission d'accès à l'information (CAI) with privacy concerns.

15. California Residents (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with additional rights:

• Right to know — request disclosure of the categories and specific pieces of personal information we have collected about you.
• Right to delete — request deletion of your personal information, subject to exceptions.
• Right to opt-out of sale — we do not sell personal information. No opt-out is necessary.
• Right to non-discrimination — we will not discriminate against you for exercising your CCPA rights.
• Right to correct — request correction of inaccurate personal information.
• Right to limit use of sensitive personal information — we do not use or disclose sensitive personal information for purposes other than those allowed under CCPA.

To exercise these rights, email privacy@agentrunway.ca with the subject line “CCPA Request.”

16. European Residents (GDPR)

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you may have additional rights under the General Data Protection Regulation (GDPR) or equivalent legislation, including the rights to access, rectification, erasure, restriction of processing, data portability, and objection. You also have the right to lodge a complaint with your local supervisory authority.

Our legal bases for processing your data are described in Section 4. For international data transfers, see Section 11. To exercise your GDPR rights, contact privacy@agentrunway.ca.

17. Data Retention

We retain your data according to the following schedule:

• Active accounts — data is retained for as long as your account is active.
• Account deletion — personal information and business data are removed within 30 days of account deletion, except where retention is required by law.
• Billing records — retained for 7 years per Canadian tax requirements.
• Plaid tokens — permanently deleted immediately upon bank disconnection or account deletion.
• Google OAuth tokens — revoked and deleted upon integration disconnection or account deletion.
• AI interaction logs — retained for up to 90 days for debugging and quality assurance, then deleted.
• Server logs — retained for up to 90 days for security and operational purposes.
• Analytics data — aggregated usage data may be retained indefinitely in de-identified form.

18. Children's Privacy

The Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that a child under 18 has provided us with personal information, we will take steps to delete that information promptly. If you believe a child has provided us with personal information, please contact us at privacy@agentrunway.ca.

19. Cookies and Tracking Technologies

Agent Runway uses the following types of cookies and tracking technologies:

• Essential cookies — required for authentication, session management, and core functionality. These cannot be disabled without breaking the Service.
• Analytics cookies — used to measure aggregate page views, feature usage, and user flows to help us improve the product. You may accept or decline these via our cookie banner.

We do not use advertising cookies, tracking pixels for ad retargeting, or cross-site tracking technologies. You may configure your browser to refuse optional cookies. Our cookie preferences are stored locally and can be changed at any time.

20. Do Not Track Signals

Some browsers transmit “Do Not Track” (DNT) signals. As there is no industry-standard technology for recognizing or honoring DNT signals, we do not currently respond to them. However, we limit tracking to essential analytics as described in Section 19 and do not engage in cross-site tracking.

21. Data Breach Notification and Response

Under PIPEDA Section 10.1, organizations must report breaches of security safeguards that create a “real risk of significant harm” (RROSH) to affected individuals and to the OPC. Given the sensitivity of the data Agent Runway processes (financial records, bank connection data, CRM contacts), we take this obligation seriously.

Breach Response Plan

Agent Runway maintains a documented breach response plan that includes the following steps:

• Detection and containment — immediately isolate affected systems, revoke compromised credentials, and engage security expertise to stop the breach
• Assessment — determine what personal information was involved, the sensitivity of that information, the number of affected individuals, and whether the breach creates a real risk of significant harm (financial loss, identity theft, damage to reputation, or other harm)
• OPC notification — if the breach meets the RROSH threshold, report to the Office of the Privacy Commissioner of Canada using the prescribed form, as soon as feasible
• Individual notification — notify affected users as soon as feasible, including: a description of the breach, the types of personal information involved, what we have done to address it, what steps you can take to protect yourself, and contact information for questions
• Third-party notification — if another organization or government institution can reduce the risk of harm, we will notify them as well
• Remediation — address the root cause, implement additional safeguards, and update our security practices to prevent recurrence

Breach Record Keeping

We maintain records of all breaches of security safeguards — including breaches that do not meet the RROSH threshold for notification — for a minimum of 24 months, as required under PIPEDA. These records include: the date of the breach, a description of the circumstances, the personal information involved, our risk assessment, and the actions taken. These records are available to the OPC upon request.

Quebec Residents

For Quebec residents, we will additionally report qualifying breaches to the Commission d'accès à l'information (CAI) if the breach creates a risk of serious injury, and maintain an incident register as required under Law 25.

22. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email to the address on your account or through an in-app notification at least 30 days before they take effect. The “Last updated” date at the top of this page indicates the most recent revision. Continued use of Agent Runway after the effective date of a change constitutes acceptance of the revised policy. If you do not agree with a change, you must stop using the Service and delete your account before the change takes effect.

23. Privacy Impact Assessments

Agent Runway conducts Privacy Impact Assessments (PIAs) before introducing new features or integrations that involve the collection or processing of sensitive personal information. This includes our AI-powered features (which transmit business data to third-party providers), our Plaid bank sync integration (which involves financial credentials and transaction data), and our Google Workspace integrations. PIAs evaluate: the necessity and proportionality of the data collection, the risks to individuals, the safeguards in place to mitigate those risks, and whether alternatives exist that are less privacy-intrusive. We review and update our PIAs when material changes are made to data processing activities.

24. Evolving Canadian Privacy Legislation

Agent Runway actively monitors developments in Canadian privacy law. Federal Bill C-27 (the Digital Charter Implementation Act), which includes the proposed Consumer Privacy Protection Act (CPPA), would introduce significant changes to Canadian privacy obligations if enacted, including:

• Administrative monetary penalties for privacy violations
• Explicit rules for automated decision-making systems, including notice requirements, explanation of logic, and rights to human review
• Enhanced data portability rights
• A private right of action for individuals affected by privacy violations
• Stricter requirements for meaningful consent and de-identified data

We are committed to adapting our privacy practices as Canadian privacy law evolves. When material changes to our data processing practices are required by new legislation, we will update this policy and notify you in accordance with Section 22.

25. Contact Us

For questions about this policy, to exercise your privacy rights, or to file a privacy complaint, contact:

You may also contact the Office of the Privacy Commissioner of Canada if you believe your privacy rights have been violated. Quebec residents may contact the Commission d'accès à l'information (CAI). California residents may contact the California Attorney General.