For EU and UK users, Runway identifies itself as the data controller under GDPR and states it processes personal data on the legal bases of contract, consent, legitimate interests, and legal compliance. Legitimate interests is cited as the basis for a broad range of purposes including business analysis and service improvement.
This analysis describes what Runway's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
GDPR's legitimate interests basis requires that processing does not override the rights of individuals; the breadth of purposes Runway attributes to legitimate interests, including analyzing and improving the business and AI service improvement, may require evaluation against GDPR balancing test requirements, particularly for the processing of biometric data and generative AI outputs.
Interpretive note: The policy does not disclose whether a GDPR Article 9 legal basis has been established for biometric data processing in the EEA and UK, and the scope of 'legitimate interests' processing as applied to AI generative service improvement may require evaluation against a documented legitimate interests assessment not included in the policy text.
EU and UK users' personal data including any biometric data submitted through generative features is processed under GDPR legal bases that Runway identifies as contractual necessity, legitimate interests, consent, and legal compliance; users have the right to object to processing based on legitimate interests and to lodge a complaint with their relevant supervisory authority.
How other platforms handle this
If you are in the 'Designated Countries', LinkedIn Ireland Unlimited Company ('LinkedIn Ireland') will be the controller of your personal data provided to, or collected by or for, or processed in connection with our Services. If you are outside of the Designated Countries, LinkedIn Corporation will ...
When Okta provides its products and services to its customers (e.g., organizations that use Okta to manage their workforce or Auth0 to manage their customer identity), Okta processes personal data on behalf of those customers as a data processor. In those cases, the customer is the data controller a...
When Glean provides services to an enterprise customer, we process personal data on behalf of that customer. In this context, the enterprise customer is the data controller and Glean acts as a data processor. If you are an employee or authorized user of one of our enterprise customers and have quest...
Monitoring
Runway has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"Runway is considered the "data controller" of the "personal data" (as defined under the General Data Protection Regulation) we handle under this Privacy Policy. In other words, Runway is responsible for deciding how to collect, use, and disclose personal data, subject to applicable law. The laws of the European Economic Area and the United Kingdom require data controllers to tell you about the legal ground that they rely on for using, sharing, or disclosing your personal data. To the extent those laws apply, our legal grounds are as follows: Contractual Commitments: We may use, share, or disclose personal data to honor our contractual commitments to you. [...] Legitimate Interests: In many cases, we use, share, or disclose personal data on the ground that it furthers our legitimate business interests in ways that are not overridden by the interests or fundamental rights and freedoms of the affected individuals, such as customer service, analyzing and improving our business, providing security for the Service and other products and services we may offer, preventing fraud, and managing legal issues.— Excerpt from Runway's Runway Privacy Policy
(1) REGULATORY LANDSCAPE: This provision directly implicates the GDPR and UK GDPR, with enforcement by EU member state data protection authorities and the UK Information Commissioner's Office. The reliance on legitimate interests as a legal basis for a broad range of processing activities, including service improvement and business analysis that may encompass AI model training inputs, may require documentation of a legitimate interests assessment and may be subject to regulatory scrutiny. Processing of special category data (including biometric data under GDPR Article 9) requires a separate legal basis in addition to Article 6 grounds, and the policy does not specifically address this for the EEA and UK context. (2) GOVERNANCE EXPOSURE: High for EU and UK operations. The policy's reliance on legitimate interests for activities that may include AI-related processing of biometric data and user-generated content warrants a documented legitimate interests assessment. The absence of a specific reference to Article 9 legal bases for biometric data processing in the EEA and UK section creates a potential compliance gap. (3) JURISDICTION FLAGS: All EEA member states and the UK apply GDPR and UK GDPR respectively. Germany, France, and Ireland may apply additional scrutiny given the involvement of AI processing and biometric data. The absence of a named EU or UK representative or data protection officer contact in the available policy text may be a compliance gap if Runway is required to designate one under GDPR Article 27 or 37. (4) CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers in the EU or UK contracting with Runway should ensure that data processing agreements are in place that specify lawful basis, sub-processor lists, and technical and organizational security measures. The policy notes that processing of data on behalf of business customers is governed by separate agreements, which should be verified to confirm GDPR-compliant DPA terms. International data transfer mechanisms (SCCs or UK IDTA) should be confirmed for transfers from the EEA or UK to Runway's US infrastructure. (5) COMPLIANCE CONSIDERATIONS: Compliance teams should assess whether Runway has documented legitimate interests assessments for the processing activities attributed to that legal basis, particularly for AI training and service improvement uses. The absence of Article 9 legal basis disclosure for biometric processing in the EU section should be flagged for review. A data protection impact assessment may be required under GDPR Article 35 for high-risk processing activities involving biometric data or large-scale AI processing of personal data.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
We read the privacy policies and terms of service of 38 AI platforms. Here is what they say about training, retention, arbitration, and liability.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
GDPR's legitimate interests basis requires that processing does not override the rights of individuals; the breadth of purposes Runway attributes to legitimate interests, including analyzing and improving the business and AI service improvement, may require evaluation against GDPR balancing test requirements, particularly for the processing of biometric data and generative AI outputs.
EU and UK users' personal data including any biometric data submitted through generative features is processed under GDPR legal bases that Runway identifies as contractual necessity, legitimate interests, consent, and legal compliance; users have the right to object to processing based on legitimate interests and to lodge a complaint with their relevant supervisory authority.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Runway.