For EU and UK users, Runway relies on 'legitimate interests' as its legal basis for a broad set of data processing activities including analytics, business improvement, security, and fraud prevention. This means Runway has assessed that its business interests outweigh user privacy interests for these activities.
This analysis describes what Runway's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Legitimate interests is one of the broadest GDPR legal bases and is used here to cover analytics, service improvement, security, and fraud prevention. EU and UK users have the right to object to processing carried out under legitimate interests, which could limit how Runway processes their data.
Interpretive note: The scope of legitimate interests reliance and whether specific documented balancing assessments exist cannot be confirmed from the policy text alone; enforcement interpretation by supervisory authorities may constrain the breadth of this basis.
EU and UK users have the right to object to data processing Runway conducts under legitimate interests, which covers analytics, business improvement, and security activities. Exercising this right may affect service functionality. Users can contact Runway at privacy@runwayml.com to exercise their right to object.
Cross-platform context
See how other platforms handle GDPR Legitimate Interests Legal Basis and similar clauses.
Compare across platforms →Monitoring
Runway has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"Legitimate Interests: In many cases, we use, share, or disclose personal data on the ground that it furthers our legitimate business interests in ways that are not overridden by the interests or fundamental rights and freedoms of the affected individuals, such as customer service, analyzing and improving our business, providing security for the Service and other products and services we may offer, preventing fraud, and managing legal issues.— Excerpt from Runway's Runway Privacy Policy
1) REGULATORY LANDSCAPE: This provision directly engages GDPR Article 6(1)(f) and UK GDPR equivalent provisions on legitimate interests as a lawful basis for processing. Under GDPR, reliance on legitimate interests requires a documented three-part balancing test: the interest must be legitimate, processing must be necessary, and the controller's interests must not be overridden by data subject rights. Enforcement authorities including the European Data Protection Board and national supervisory authorities have issued guidance on the scope of legitimate interests. 2) GOVERNANCE EXPOSURE: Medium. The policy names a broad set of activities covered by legitimate interests including customer service, analytics, business improvement, security, and fraud prevention, without disclosing the results of any specific balancing assessment. Supervisory authority enforcement decisions have found that overly broad or undocumented reliance on legitimate interests is a compliance risk, particularly for processing that involves profiling or behavioral analytics. 3) JURISDICTION FLAGS: EU member states and the UK both require that legitimate interests balancing assessments be documented and available to supervisory authorities. The scope of legitimate interests reliance may be subject to heightened scrutiny for AI companies that process large volumes of personal data for analytics and model improvement. German, French, and Irish data protection authorities have been active in examining legitimate interests claims by technology companies. 4) CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers subject to GDPR should evaluate whether Runway's reliance on legitimate interests for analytics and improvement processing is compatible with their own data processing obligations and the instructions they provide to Runway as a processor. Where Runway acts as a data controller for these purposes, enterprise customers should assess whether this is disclosed in their user-facing privacy notices. 5) COMPLIANCE CONSIDERATIONS: Runway's data protection team should maintain documented legitimate interests assessments for each category of processing covered by this basis. These assessments should be reviewed and updated when new processing activities are introduced or when the scope of existing activities changes materially. The right to object under GDPR Article 21 must be communicated to data subjects and honored in a timely manner.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Legitimate interests is one of the broadest GDPR legal bases and is used here to cover analytics, service improvement, security, and fraud prevention. EU and UK users have the right to object to processing carried out under legitimate interests, which could limit how Runway processes their data.
EU and UK users have the right to object to data processing Runway conducts under legitimate interests, which covers analytics, business improvement, and security activities. Exercising this right may affect service functionality. Users can contact Runway at privacy@runwayml.com to exercise their right to object.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Runway.