Privacy Policy

1. Who this applies to

This Privacy Policy applies to the Rundown editorial planning platform (the “Service”), provided by Letterhead, Inc. (“Rundown,” “we,” “us”). It covers anyone who visits our marketing pages, signs up for an account, is invited into a Rundown workspace, or interacts with the Service in any way.

Rundown serves two kinds of users with different relationships to your data:

• Workspace Owners and Members — the customer paying for or invited into a Rundown workspace. We are a “data controller” for the personal information of these users.
• Editorial Content stored in a workspace — drafts, briefs, source notes, transcripts, and other content uploaded into the workspace. We are a “data processor” for this content; the Workspace Owner is the controller. The Data Processing Addendum (Section 13) governs this relationship.

2. What information we collect

Information you give us directly

• Account information. Name, work email address, password (hashed), profile photo, role, and the workspace(s) you belong to.
• Workspace and billing information. Workspace name, time zone, plan tier, billing address, last four digits of the payment card, and invoice history. Full payment card numbers are handled by our payment processor (Stripe) and are never stored on Rundown servers.
• Editorial content. Anything you import into the workspace: story briefs, drafts, headlines, source notes, interview transcripts, photos and assets, archive content, calendar entries, comments, and critique results.
• Communications. Email or in-product messages you send us (support requests, feature feedback, design-partner notes).

Information we collect automatically

• Usage data. Which pages or features you used, when, and for how long. Used to debug, improve the product, and shape the roadmap.
• Device data. Browser type, operating system, screen size, IP address, and timestamps.
• Log data. Server logs containing request paths, response codes, and error traces. Retained for 30 days for security and operational debugging.

Information from third-party integrations

• Google Docs. When you connect Google Docs, we receive your name, email, and OAuth scopes to read and import documents you explicitly select. We do not scan your Drive at large.
• CMS connections (WordPress, Ghost, Webflow, Beehiiv, Sanity). Site URLs, API keys or OAuth tokens, and the specific posts you publish or import through Rundown.
• OAuth providers. If you sign in via Google, we receive your name, email, and the Google account ID.

3. How we use it

We use your information to:

• Provide and operate the Service — render the calendar, run critique, store assets, publish to your CMS.
• Authenticate you and keep your account secure.
• Charge for the plan you've chosen and send invoices.
• Send service-related emails (security alerts, plan changes, scheduled downtime).
• Respond to your support requests and feedback.
• Improve the Service. Aggregate, de-identified usage data informs which features get prioritized.
• Detect, prevent, and address abuse, fraud, or violations of the Terms.
• Comply with legal obligations.

We do not sell your personal information, share it with advertisers, or use your editorial content to train AI models.

4. How AI critique works (and what it doesn't do)

The desk editor critique feature sends portions of your drafts, briefs, or headlines to third-party large language model providers (currently OpenAI and Anthropic) for inference. We do this in a specific, contained way:

• Only the content you explicitly request critique on is sent to model providers — not your entire workspace, not your archive, not your assets.
• Content is sent over TLS and the providers' API terms prohibit training on customer inputs. Both OpenAI and Anthropic offer enterprise no-training defaults, which we use.
• Critique inputs and outputs are stored in your workspace database so you can re-read them later. They are not used to train any Rundown model.
• Your house voice profile — a structured set of stylistic features extracted from documents you upload — is stored in your workspace only. It is not aggregated, not shared, and not used outside your workspace.
• You can opt out of AI critique entirely by disabling it at the workspace level. The rest of the Service (calendar, asset hub, workflows, publishing) functions without it.

5. Who we share data with

We share information only with the following categories of recipients, and only as needed to operate the Service:

• Service providers (sub-processors). Cloud hosting (AWS, US-East), database (Postgres on AWS RDS), object storage (AWS S3), email delivery (Postmark), error monitoring (Sentry), payment processing (Stripe), and AI inference (OpenAI, Anthropic). A current sub-processor list is available in the DPA.
• Workspace members. Anyone invited to your workspace can see the content shared in that workspace, scoped by the role you assign them.
• Legal and safety. We may disclose information if required by law, valid legal process, or to protect the rights, safety, or property of Rundown, our users, or the public. Where legally permitted, we will notify the Workspace Owner before disclosure.
• Business transfers. If Rundown is acquired or undergoes a corporate transaction, your information may be transferred as part of that transaction. You'll be notified in advance and given the option to delete your account before the transfer.

6. Integrations and connected accounts

When you connect a third-party service (Google Docs, WordPress, Ghost, Webflow, Beehiiv, Sanity), Rundown receives access tokens scoped to the actions you authorize. You can revoke that access at any time:

• From inside Rundown — Settings → Integrations → Disconnect.
• From the third party's own settings (e.g., your Google Account permissions page).

Disconnecting an integration removes the stored tokens immediately and stops Rundown from making further requests on your behalf. Any content already imported into the workspace stays in the workspace until you delete it.

7. How long we keep it

• Active workspace data. For as long as the workspace is active.
• Cancelled workspaces. Workspace data is retained for 30 days after cancellation to allow reactivation, then permanently deleted from primary storage. Backup copies are purged within 90 days.
• Billing records. Invoices and tax-relevant records are retained for 7 years to comply with U.S. tax law.
• Server logs. 30 days.
• Critique inputs and outputs. Retained with the story they belong to. Deleted when the story or workspace is deleted.

8. Security

We treat the security of your editorial work as a first-order product feature. Specifically:

• All data in transit is encrypted with TLS 1.2 or higher.
• Data at rest is encrypted with AES-256 (database, object storage, backups).
• Passwords are hashed with bcrypt (work factor 12).
• Access to production infrastructure is restricted to a named list, enforced by SSO + hardware-key MFA.
• We follow secure-development practices including dependency scanning, code review, and automated vulnerability scanning. SOC 2 Type I audit is in progress (target: Q4 2026).
• Annual third-party penetration test.

No system is perfectly secure. If we become aware of a breach affecting your data, we will notify you without undue delay and consistent with applicable law.

9. Your rights (GDPR, CCPA, and similar)

Depending on where you live, you may have rights under data protection laws like the EU/UK GDPR, the California Consumer Privacy Act (CCPA/CPRA), Brazil's LGPD, or others. These rights generally include:

• Access. A copy of the personal information we hold about you.
• Correction. Fixing inaccurate information.
• Deletion. Removing your information, subject to legal exceptions (e.g., we must keep billing records).
• Portability. A machine-readable export of your data.
• Restriction and objection. Limiting how we process your information.
• Withdrawal of consent. Where we process information on the basis of consent.
• Non-discrimination. We will not penalize you for exercising any of these rights.

To exercise any of these rights, email privacy@tryletterhead.com. We will respond within 30 days. If you are a Workspace Member (rather than Owner), some requests must be directed to the Workspace Owner, who is the controller of editorial content stored in that workspace.

You also have the right to lodge a complaint with a supervisory authority — for EU residents, that's your local data protection authority.

10. International data transfers

Rundown is operated from the United States and our primary infrastructure is in AWS US-East. If you use the Service from outside the U.S., your information will be transferred to and processed in the U.S. We rely on Standard Contractual Clauses (SCCs) and equivalent safeguards for transfers from the EU/UK, and we will update this section if and when additional adequacy frameworks become available.

11. Children's privacy

Rundown is a tool for professional editorial teams. The Service is not directed to children under 16, and we do not knowingly collect personal information from children. If you believe a child has provided information to us, please contact us and we will delete it.

12. Cookies and analytics

We use a minimal number of strictly necessary cookies (session, CSRF, authentication state). We do not run third-party advertising pixels or marketing trackers on the Service or our marketing site. Internal product analytics are collected on a first-party basis with IP truncation and no cross-site tracking.

You can disable cookies via your browser settings, though some Service features (like staying signed in) require them.

13. Data Processing Addendum (DPA)

For customers who require a DPA — typically required if you process personal data of EU/UK residents in your editorial work — our DPA incorporates the EU Standard Contractual Clauses, lists current sub-processors, and supplements this Privacy Policy. Email privacy@tryletterhead.com to request a counter-signed copy.

Current sub-processors: AWS (hosting, US), Stripe (payments, US), Postmark (transactional email, US), Sentry (error monitoring, US), OpenAI (AI inference, US, no-train enabled), Anthropic (AI inference, US, no-train enabled). We give at least 30 days' notice before adding a new sub-processor; you may object and we'll work in good faith to resolve.

14. Changes to this policy

We may update this Privacy Policy from time to time. If we make a material change, we will notify Workspace Owners by email at least 30 days before the change takes effect and update the “Last updated” date at the top of this page. Continued use of the Service after a change constitutes acceptance.

15. How to contact us

Privacy questions, data requests, and DPA requests:
privacy@tryletterhead.com

Security disclosure:
security@tryletterhead.com

General questions:
hello@tryletterhead.com

Postal:
Letterhead, Inc.
Attn: Privacy
[Mailing address to be added before public launch]