Legal

Privacy Policy

Effective 16 June 2026 · Last updated 16 June 2026

Runelm is privacy-pure. The product contains zero telemetry and sends nothing to us. This policy covers the little data the runelm.com website and the license server touch — and the lawful bases for each.

§1

Who we are

Runelm is a fail-closed data-sanitization proxy for outbound LLM calls, operated by BlackUnicorn OÜ, a private limited company (osaühing) registered in Estonia — registry code 16604183, registered office Tornimäe tn 5, 10145 Tallinn, Estonia. BlackUnicorn OÜ is not VAT-registered. In this policy “BlackUnicorn”, “we” and “us” mean BlackUnicorn OÜ; the trading style “Black Unicorn” refers to the same entity.

Runelm is self-hosted software. When you run Runelm, you are the controller of the prompts, responses, substitution maps, and audit records it processes on your own infrastructure — we neither run your deployment nor receive any of that data. We are the controller only of the limited data the runelm.com website collects and the license/entitlement data the future license server will process.

  • General contact: info@blackunicorn.tech
  • Privacy / Data Protection Officer: contactable at info@blackunicorn.tech. We publish the DPO’s contact details (GDPR Art. 37(7)); the DPO’s name is not published.
  • EU representative: not required — BlackUnicorn OÜ is established in the EU (Estonia).
§2

Scope — which surfaces this covers

Three surfaces, with sharply different data exposure:

Runelm self-hosted product

Community (Apache-2.0) · Complete (BUSL-1.1)

You control everything. We receive no prompts, responses, maps, audit records, or telemetry.

runelm.com website

Static hosting / CDN

We control the release-notes email you choose to submit, plus standard hosting and security logs.

License / update server

Complete edition — planned, not yet built

We control the license/entitlement and update-check data needed to deliver the license you bought. Content-free by design.

§3

What we collect

From the Runelm product: nothing.

Runelm contains no telemetry, no analytics, no usage reporting, and no phone-home of any kind. It transmits nothing to us. The only network calls it makes are the ones you configure: to the LLM providers you choose, under your own API keys, and to the audit and observability sinks you choose. All of it stays within your infrastructure and your chosen providers.

From the runelm.com website:

  • Your email address, only if you submit it to the release-notes list — to send you release notes (new recognizers, threat-model updates, breaking changes). Submitting it is optional.
  • Standard hosting and security logs from our CDN/host (e.g. IP address, user-agent, timestamps), used to deliver and protect the site.

From the license/update server (when it ships): the license key / entitlement identifier, the product version requested, and the minimal technical metadata needed to validate your entitlement and serve updates. By design this server is content-free.

§4

What we never collect

  • No prompts you send through Runelm. No model responses. No substitution maps. No audit-log contents. No API keys or secrets — these stay entirely within your self-hosted deployment and are never transmitted to us.
  • The license/update server never receives prompts, content, customer data, or product usage — only the license/entitlement and version metadata above.
  • No special-category data (GDPR Art. 9): we do not seek or knowingly collect data revealing health, race, political opinions, biometrics, or similar.
§5

Why we collect it, and our lawful basis

The bases are per-surface, because the surfaces differ sharply. Privacy is identical in the free Community and paid Complete editions — you pay for features, never for privacy — so none of this is a “consent or pay” arrangement.

  • The Runelm product — no lawful basis is required, because we collect no personal data from it. GDPR Art. 6 does not engage for the running software.
  • Website release-notes email — consent (GDPR Art. 6(1)(a)). You opt in by submitting your address and can withdraw any time via the unsubscribe link, at no cost.
  • Website hosting and security logs — legitimate interests (GDPR Art. 6(1)(f)): delivering and protecting the site, balanced against your rights.
  • License/update server (Complete) — contractual necessity (GDPR Art. 6(1)(b)): processing your license key / entitlement is necessary to deliver the perpetual license and updates you purchased. We additionally rely on legitimate interests (Art. 6(1)(f)) for license integrity, anti-piracy, and security.
§6

How data is transmitted (current build)

Stated honestly for the build as it exists today:

  • The product transmits nothing to us — there is no telemetry transport in the build, wired or unwired. Its only network calls are to the LLM providers and audit/observability sinks you configure.
  • The website release-notes endpoint is not yet wired: the signup form is currently a client-side demo that stores nothing server-side. On first deploy it will POST to an endpoint fronted by our CDN over HTTPS.
  • The license/update server is not yet built. When it ships it will operate over HTTPS, and this section will be updated.
§7

Sharing and sub-processors

We do not sell personal data.

  • Product: no sub-processors — nothing is transmitted to us.
  • Website: our static host and CDN act as infrastructure sub-processors for serving the site and (once wired) receiving signups. This list is kept current at deploy.
  • License/update server (future): any infrastructure sub-processor will be listed here before the server ships.
§8

International data transfers

The product causes no international transfers — there is no egress to us. For the website and the future license server, our hosting and CDN providers may process data outside the EU; any such transfer relies on appropriate safeguards (EU Standard Contractual Clauses, the UK IDTA, or an adequacy decision), and we prefer EU data residency where the provider offers it.

§9

Data retention

  • Product data: we hold none.
  • Release-notes email: until you unsubscribe or we retire the list.
  • Hosting / security logs: a short rolling window per our provider’s defaults.
  • License / entitlement records (when the server ships): for the life of the license plus any applicable limitation period.
§10

Your rights

Depending on your jurisdiction you may have rights to access, rectify, erase, restrict or object to processing, and to data portability (GDPR Ch. III), and rights to know / delete / opt-out and non-discrimination (CCPA/CPRA).

  • Self-service today: unsubscribe from the release-notes list any time via the link in every message. Because the self-hosted product sends us nothing, there is no product data of yours for us to hold — those requests are satisfied on your own instance.
  • To exercise statutory rights, contact info@blackunicorn.tech.
§11

Security

We keep these statements to what the software and site verifiably do: your secrets, substitution maps, and audit records stay in your environment and are never sent to us; the product performs no egress to us; the website is served over HTTPS; and the license/update server will operate over HTTPS when it ships.

§12

Children

Runelm is a business security tool, not directed to children and not intended for anyone under 16. We do not knowingly collect data from children.

§13

Changes to this policy

We may update this policy; material changes will be announced via the repository release notes and a notice on runelm.com, and the “Last updated” date revised.

§14

Contact

General and Privacy / DPO: info@blackunicorn.tech.

BlackUnicorn OÜ, Tornimäe tn 5, 10145 Tallinn, Estonia.

← Back to runelm.com