Business Transferee Data Disclosure

What it is

If Runway is sold, merged, or goes through a financing event, your personal data may be shared with or transferred to the acquiring company or prospective buyers, including in the event of bankruptcy.

Why it matters (compliance & governance perspective)

This provision permits disclosure of user personal data, including biometric data and user content, to unaffiliated third parties in connection with corporate transactions, including to prospective counterparties before any transaction is finalized. The scope of data transferable as a business asset is not specifically limited.

Consumer impact (what this means for users)

In the event of a sale, merger, acquisition, or bankruptcy involving Runway, your personal data including account information, content, and potentially biometric data may be transferred to a new owner or unaffiliated parties, who would then be subject to their own privacy practices.

What you can do

Institutional analysis (Compliance & governance intelligence)

1) REGULATORY LANDSCAPE: Business asset transfers involving personal data engage GDPR Articles 13/14 (transparency requirements for new controllers), and may implicate CCPA provisions regarding the transfer of personal information to third parties. In the event of a transfer to an entity outside the EEA or UK, additional transfer mechanism requirements under GDPR Chapter V would apply. The FTC has addressed data transfers in the context of corporate transactions and bankruptcy proceedings. 2) GOVERNANCE EXPOSURE: Medium. The provision permits disclosure to prospective counterparties and advisers during due diligence, prior to any transaction closing, which expands the universe of parties who may access user personal data beyond those who ultimately acquire the business. The policy does not specify what restrictions apply to prospective counterparty use of disclosed data. 3) JURISDICTION FLAGS: EU and UK users have GDPR rights that follow their data regardless of corporate transaction; the acquiring entity would need to establish its own lawful basis for processing. California residents may have rights under CCPA if their data is transferred to an entity that materially changes how it is processed. Insolvency proceedings in the US may be subject to FTC guidance on the treatment of consumer data as a business asset. 4) CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers with data processing agreements should review whether those agreements address the treatment of employee and end-user personal data in the event of a Runway corporate transaction. Successor entities should be contractually required to honor existing data processing commitments or provide notice and opportunity to object. 5) COMPLIANCE CONSIDERATIONS: Legal teams should assess whether the privacy policy's business transfer provision is consistent with GDPR requirements to inform data subjects of the identity of new controllers following a transfer. In the event of a transaction, compliance teams should evaluate whether a privacy impact assessment is required and whether regulatory notification obligations are triggered in relevant jurisdictions.

Applicable agencies

Applicable regulations

Provision details

Other risks in this policy

• Biometric Data Collection high
• Advertising Partner Disclosure as Potential CCPA Sale high
• User Content Collection Including Prompts and Generated Outputs medium
• Enterprise Account Administrator Access medium
• GDPR Legitimate Interests Legal Basis medium
• Children's Privacy and Age Restriction medium

Related Analysis

• Meta Removed 438 Sentences From Its Privacy Policy. Here Is What Disappeared.

  ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.

• 23andMe Is Bankrupt. What Happens to Your DNA Now?

  Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.