Privacy Policy — Runtime Code

Last updated:

This document explains what data Runtime Code (the "App") and the Runtime Code service ("the Service") collect, why we collect it, how long we keep it, and the controls you have over it. If anything here is unclear, email us at [email protected].

This policy covers the iOS app distributed under the App Store identifier com.runtimecode.app and the backend service it talks to at runtimecode-proxy.michaelw4ai.workers.dev.

What we collect

On our servers (Cloudflare)

For every chat message you send, we store one record per conversation on Cloudflare's infrastructure (Workers, R2, D1, encrypted at rest by Cloudflare). The record grows turn-by-turn and contains:

• Your messages (the text you typed).
• The AI's replies (the text it generated, plus any tool calls it made and the results those tools returned).
• The model used (e.g. Claude Haiku 4.5).
• Approximate token counts and per-call quota cost.
• Timestamps for when the conversation started and was last touched.
• An identifier that links the conversation to your device or your Pro subscription (described below).

On your iPhone (local-only)

The app also keeps a separate copy of every chat in Documents/RuntimeCode-Chats/ on your device, so the in-app History sheet can show you past conversations even if you delete the server-side copy. This local copy:

• Is included in your iCloud / iTunes device backups if you have those enabled.
• Is wiped if you delete the app.
• Is not sent to us or anyone else by the app.

What we collect regardless of chats

• Quota counters: how many calls you've made in the current window (per day for free, per month for Pro). This is just a number — no content is attached. Stored in Cloudflare KV with an automatic expiry of 24 hours (free) or 30 days (Pro), at which point the window resets.
• Subscription identifier (Pro users only): your Apple StoreKit "original transaction ID." We don't know your Apple ID, name, email, or payment details — Apple handles those. The transaction ID lets us verify you have an active subscription.
• Anonymous device ID (free users only): a random UUID generated the first time you open the app. Used to enforce the daily free quota per device. Not linked to any other identifier and not shared.

What we never collect

• Your GitHub credentials. If you sign in with GitHub or paste a Personal Access Token, the token is stored only in your iPhone's Keychain — we never see it. GitHub API calls (clone / pull / push / PR) are made directly from your phone to api.github.com using that token; we are not in the middle.
• Your project files. Files you create or edit live on your iPhone or in your iCloud Drive — the assistant reads them on the device when it needs to, and the contents are never uploaded to us as raw files. (Note: when the assistant uses a tool like file_read to fetch a file's contents, those contents do become part of the conversation history we store, because the AI sees them on the next turn.)
• Images you attach to chat messages. We strip the image bytes before storing; only a flag "this turn had an image attached" is recorded.
• Location, contacts, calendar, microphone, camera, advertising identifiers, or any other on-device data the iOS Files / Photos pickers don't explicitly hand us.

Why we collect what we collect

• To enforce your quota: free accounts get a daily message limit, Pro accounts get a monthly limit. We need to count.
• To give you continuity: you can come back to a conversation later from another device that's signed in to the same Pro subscription, and we still have what was said.
• To debug problems: if you report a bug, looking at the record of the conversation that broke is sometimes the only way to fix it.
• To prevent abuse: extreme volume or spam patterns are visible in usage counts. We don't read content for this; just look at the counters.

Who we share data with

The Service depends on three third parties, all for the explicit purpose of running it:

1. Anthropic, PBC — the AI provider. When you send a chat message we forward it to Anthropic's API to generate a reply. Anthropic's data handling is governed by their own Privacy Policy and Commercial Terms; by default Anthropic does not train on data sent via API. We send Anthropic only the content of the current conversation — no identifiers tying the conversation to your account.
2. Cloudflare, Inc. — our hosting provider. Cloudflare stores the data described above on our behalf. Cloudflare cannot read individual records as part of normal operations; data is encrypted at rest. Cloudflare's policies are at cloudflare.com/privacypolicy.
3. GitHub (Microsoft Corporation) — used only if you sign in or paste a Personal Access Token. Git clone / pull / push / PR operations go directly from your iPhone to api.github.com; we are not in the middle and do not see your code or tokens. GitHub's policies apply to those calls: docs.github.com/.../github-general-privacy-statement.

The app also loads the Pyodide WebAssembly runtime from the public jsDelivr CDN the first time you use the run_python tool. This is a one-time download of a CPython-in-WebAssembly distribution; no chat content is sent to the CDN.

We do not share data with anyone else. We do not sell data. We do not allow third-party advertising or analytics SDKs in the app.

How long we keep it

Server-side chat records are retained until you delete them. There is no automatic expiry. The deletion controls below give you direct, immediate removal.

Quota counters expire automatically when the quota window closes (24 hours for free, 30 days for Pro). These are just numeric counters; there's no content attached to delete.

The on-device chat copy lives in the app's sandbox and is removed when you uninstall the app or use the in-app History sheet's swipe-to-delete control.

Your controls

• Delete server-stored chats: Settings → Privacy → "Manage server data" → tap the destructive button. We wipe every conversation record we have linked to your device or Pro subscription. The deletion runs synchronously; it's done by the time the confirmation appears. Your local on-device copy is not affected.
• Delete on-device chats: in the Chat tab, tap the history icon to open the chat list; swipe left on any conversation to delete it locally.
• Disconnect GitHub: Settings → GitHub → Sign Out. Wipes the OAuth token / PAT from the iPhone Keychain. To revoke at GitHub's end too, visit github.com/settings/applications.
• Cancel your Pro subscription: Settings → Subscriptions on iOS. Cancellation does not auto-delete data; use the Delete button above for that.
• Email us at [email protected] for any other privacy request: right to access, correct, or restrict processing under GDPR / CCPA / similar laws. We aim to respond within 7 days.

Children

Runtime Code is not directed at children under 13 and we do not knowingly collect data from them. If you believe a child has used the App, email us and we'll delete the associated data.

International users

Runtime Code is operated from the United States. Cloudflare and Anthropic operate globally; your data may be processed in or transferred to servers outside your country of residence. We rely on Cloudflare's and Anthropic's standard contractual clauses for any cross-border transfer to the EU/UK.

Changes to this policy

If we change what we collect, how we store it, or how long we keep it, we will:

• Update the "Last updated" date at the top of this page.
• Add an entry to the "Changes" section below summarizing what changed.
• For material changes (new categories of data, longer retention, new third parties), notify you inside the App on next launch and give you a chance to review before continuing.

Contact

Email [email protected].

Mail (for legal notices): (TODO)