RUNEBOLT
Privacy Policy
How Runebolt collects, uses, and protects your personal information
Last updated: June 2025
Runebolt (“we”, “us”, “our”) is a performance marketing agency registered in Karachi, Pakistan, operating globally. We are committed to protecting the privacy of everyone who visits our website at www.runebolt.com (the “Site”) or engages with our Services.
This Privacy Policy explains how we collect, use, store, share, and protect your personal information, and describes your rights in relation to that information. Please read this Policy carefully. By using this Site, you consent to the practices described here.
This Policy should be read alongside our Terms and Conditions. Capitalised terms not defined here have the meaning given in our Terms and Conditions.
1. Who We Are
Runebolt is a performance marketing agency providing paid media management services across Meta Ads, Google Ads, Amazon Advertising, TikTok Ads, and DV360. We serve e-commerce and direct-to-consumer brands primarily in the United States, United Kingdom, Canada, Australia, the European Union, and the MENA region.
For the purposes of applicable data protection laws — including the GDPR (EU and UK), the CCPA (California), and Pakistan's Personal Data Protection Act (PDPA) — Runebolt is the data controller in respect of personal data collected through this Site and in the course of our business relationships.
Data Protection Contact: hello@runebolt.com
2. Information We Collect
2.1 Information You Provide Directly
We collect personal information that you voluntarily provide when you:
- Complete and submit an enquiry, contact, or discovery call booking form on this Site
- Submit a client brief, onboarding questionnaire, or platform supplement document
- Sign a Scope of Work or Client Service Agreement
- Communicate with us by email, phone, or messaging platform
- Subscribe to our newsletter or marketing communications
- Apply for a role at Runebolt
The personal data you provide may include: full name, business name, email address, phone number, business address, website URL, job title, and any other information you choose to include in forms or correspondence.
2.2 Information We Collect Automatically
When you visit this Site, we automatically collect certain technical and usage data, including:
- IP address and approximate geographic location derived from it
- Browser type, version, and language settings
- Device type, operating system, and screen resolution
- Referring URL and exit pages
- Pages visited, time spent on pages, and navigation paths
- Cookie identifiers and session data (see Section 6)
2.3 Information From Third Parties
We may receive information about you from third-party sources, including:
- Analytics providers (e.g., Google Analytics) — aggregated and anonymised usage data about Site traffic
- Advertising platforms (e.g., Meta, Google) — where you have authorised us to access your ad account data as part of a contracted engagement
- Referral partners or business introducers who refer you to us
- Publicly available professional profiles (e.g., LinkedIn) when we conduct prospect research
2.4 Payment Information
We do not collect or store payment card data. Payments are processed via Payoneer and international bank wire transfer. Payment data submitted directly to Payoneer is governed by Payoneer's own privacy policy. We retain records of invoiced amounts, payment dates, and transaction references for accounting purposes.
3. How We Use Your Information
We use personal information only where we have a lawful basis to do so. The purposes and corresponding lawful bases are:
Responding to enquiries and providing information about our services — Lawful basis: Legitimate interests / pre-contractual steps
Onboarding new clients and executing service agreements — Lawful basis: Performance of a contract
Delivering the services described in a signed Scope of Work or Client Service Agreement — Lawful basis: Performance of a contract
Issuing and processing invoices and managing payments — Lawful basis: Performance of a contract / legal obligation
Sending service-related communications (reports, strategy call invites, delivery notifications) — Lawful basis: Performance of a contract
Improving our Site, services, and internal processes — Lawful basis: Legitimate interests
Sending marketing communications about our services and content (where consented) — Lawful basis: Consent
Complying with legal obligations (tax records, regulatory requirements) — Lawful basis: Legal obligation
Protecting our legitimate business interests and preventing fraud — Lawful basis: Legitimate interests
Anonymised performance benchmarking and portfolio case studies — Lawful basis: Legitimate interests
We will not use your personal information for any purpose not described in this Policy without first seeking your consent.
4. Marketing Communications
4.1 We may send you marketing emails about our services, case studies, and resources if you have: (a) requested information from us; (b) engaged our Services; or (c) explicitly opted in to marketing communications.
4.2 You can opt out of marketing communications at any time by clicking the unsubscribe link in any email we send, or by emailing hello@runebolt.com with the subject line “Unsubscribe”. We will process your request within 10 business days.
4.3 Opting out of marketing communications does not affect service-related communications that are necessary for the delivery of contracted services (e.g., performance reports, invoice notifications, strategy call invites).
5. How We Share Your Information
We do not sell your personal information. We do not share your personal information with third parties except in the following circumstances:
5.1 Service Delivery Partners
We share limited personal information with third-party tools and platforms used to deliver our Services, including:
- Google Workspace — email, document storage, and collaboration
- Google Analytics — anonymised website usage analytics
- Notion or similar project management platforms — internal project tracking
- Payoneer — payment processing
- Loom — video walkthrough recording and delivery
- Advertising platforms (Meta, Google, Amazon, TikTok, DV360) — where you have granted us access as part of a contracted engagement
5.2 Legal Requirements
We may disclose your information where required by law, regulation, or court order; to cooperate with law enforcement or regulatory investigations; to enforce our Terms and Conditions; or to protect the rights, property, or safety of Runebolt, our clients, or the public.
5.3 Business Transfers
In the event of a merger, acquisition, restructuring, or sale of all or part of our business, your personal information may be transferred to the relevant successor entity. We will notify you before your personal information is transferred and becomes subject to a different privacy policy.
5.4 With Your Consent
We may share your information with third parties where you have given us explicit consent to do so.
6. Cookies and Tracking Technologies
6.1 This Site uses cookies and similar technologies to enhance your experience, understand how the Site is used, and support our marketing activities.
6.2 Types of cookies we use:
Essential cookies: Required for the Site to function correctly. Cannot be disabled.
Analytics cookies: Collect anonymised data on Site usage (e.g., Google Analytics). Help us understand traffic patterns and improve the Site.
Marketing cookies: Used to track visitors across websites and display relevant advertisements. Only set where you have consented.
Preference cookies: Remember your settings and preferences across visits.
6.3 You can manage cookie preferences through your browser settings. Please note that disabling certain cookies may affect the functionality of this Site.
6.4 For California residents: our use of analytics and marketing cookies may constitute a “sale” of personal information under the CCPA. You have the right to opt out. See Section 9 for California-specific rights.
7. Data Retention
We retain personal information for as long as necessary to fulfil the purposes described in this Policy, comply with legal obligations, resolve disputes, and enforce our agreements. Our general retention periods are:
Client engagement records (contracts, briefs, reports): 7 years from the end of the engagement (accounting and legal requirements)
Invoice and payment records: 7 years (tax and accounting obligations)
Marketing enquiry records: 3 years from the date of last contact if no engagement commenced
Website analytics data: 26 months (Google Analytics default)
Job application records: 12 months from the date of application
Email marketing lists: Until you unsubscribe or 3 years of inactivity, whichever comes first
After the applicable retention period, personal information is securely deleted or anonymised.
8. Data Security
8.1 We implement appropriate technical and organisational security measures to protect your personal information against unauthorised access, disclosure, alteration, loss, or destruction. These measures include:
- Access controls — personal data is accessible only to team members who need it to perform their duties
- Encryption — sensitive data is encrypted in transit (TLS/HTTPS) and at rest where applicable
- Third-party security — we select service providers who maintain appropriate security standards
- Incident response — we maintain procedures for identifying, assessing, and responding to data breaches
9. Your Rights
9.1 Rights Under GDPR (EU and UK residents)
If you are located in the European Union or United Kingdom, you have the following rights under the General Data Protection Regulation:
- Right of access — request a copy of the personal data we hold about you
- Right to rectification — request correction of inaccurate or incomplete data
- Right to erasure ("right to be forgotten") — request deletion of your personal data in certain circumstances
- Right to restrict processing — request that we limit how we use your data in certain circumstances
- Right to data portability — receive your data in a structured, machine-readable format
- Right to object — object to processing based on legitimate interests or for direct marketing
- Right to withdraw consent — where processing is based on consent, you may withdraw at any time
To exercise any of these rights, email hello@runebolt.com with the subject line "Data Rights Request". We will respond within 30 days. You also have the right to lodge a complaint with your national data protection authority.
9.2 Rights Under CCPA (California residents)
If you are a California resident, the California Consumer Privacy Act (CCPA) grants you the following rights:
- Right to know — the categories and specific pieces of personal information we have collected about you, and how we use and share it
- Right to delete — request deletion of personal information we have collected, subject to certain exceptions
- Right to opt out of sale — we do not sell personal information in the traditional sense; however, certain advertising and analytics cookies may constitute a "sale" under CCPA. You may opt out by adjusting your cookie preferences
- Right to non-discrimination — we will not discriminate against you for exercising your CCPA rights
To submit a CCPA request, email hello@runebolt.com with the subject line "CCPA Request" or write to: Runebolt, Karachi, Pakistan.
9.3 Rights Under Pakistan PDPA
Runebolt processes data in compliance with Pakistan's Personal Data Protection Act. Pakistani residents have the right to access, correct, and request deletion of their personal data. To exercise these rights, contact hello@runebolt.com.
10. International Data Transfers
10.1 Runebolt is based in Pakistan. When we collect personal information from individuals in the EU, UK, US, Canada, Australia, or other regions, that information is processed in Pakistan and may also be processed in the countries where our service providers operate (e.g., the US for Google Workspace and Google Analytics).
10.2 Where we transfer personal data from the EU or UK to countries not deemed to provide an adequate level of data protection by the European Commission, we rely on appropriate safeguards — including Standard Contractual Clauses (SCCs) or equivalent data transfer mechanisms — to ensure your data remains protected.
10.3 By using this Site or engaging our Services, you acknowledge that your personal information may be transferred to and processed in countries outside your country of residence. We take all reasonable steps to ensure such transfers comply with applicable data protection laws.
11. Children's Privacy
This Site and our Services are not directed to individuals under the age of 18. We do not knowingly collect personal information from anyone under 18. If we become aware that we have inadvertently collected personal data from a minor, we will take steps to delete that information promptly. If you believe we may have collected data from a minor, please contact us at hello@runebolt.com.
12. Third-Party Websites
This Site may contain links to third-party websites. This Privacy Policy applies only to this Site. We are not responsible for the privacy practices of any linked third-party sites. We encourage you to review the privacy policy of any third-party website you visit.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will post the updated Policy on this page with a revised “Last updated” date. For material changes, we will provide more prominent notice (such as a banner on the Site or an email to active clients).
Your continued use of this Site following any change constitutes your acceptance of the updated Policy.
14. Contact Us
If you have any questions, concerns, or requests relating to this Privacy Policy or our data practices, please contact:
- RUNEBOLT
- Email: hello@runebolt.com
- Website: www.runebolt.com
- Address: Karachi, Sindh, Pakistan
We aim to respond to all privacy-related enquiries within 5 business days.