Legal

Privacy Policy

Last Updated: 12 November 2025

Provider: DroidRun GmbH, Rheinstraße 82, 49090 Osnabrück, Germany

Thank you for using Moiblerun ("Mobilerun", "we", "us", "our").
We are committed to protecting your personal data and handling it responsibly.

This Privacy Policy explains how we process personal data when you use our website, platform, APIs, and virtual device environments (collectively, the "Service").

You can contact us anytime at contact@droidrun.ai.

1. Scope

This Privacy Policy applies to:

  • our website and app
  • our platform and APIs
  • cloud-based virtual device sessions
  • all workflows, automations, and agent executions

This Privacy Policy does not apply to external third-party services you automate (apps, APIs, websites, proxies, LLMs, app stores).
Their respective terms and policies apply.

2. Roles Under GDPR

We act in different roles depending on the data category.

2.1 Controller

We act as Controller for:

  • account & profile data
  • authentication data
  • billing information
  • security and access logs
  • platform analytics (non-sensitive)
  • customer communication
  • legal compliance

2.2 Processor

We act as Processor (Art. 28 GDPR) for all Task Data that you instruct us to process, including:

  • workflows, prompts, instructions
  • app configurations and selections
  • APK uploads
  • runtime logs, screenshots, and outputs
  • steps performed by agents
  • virtual device telemetry
  • LLM input/output executed on your behalf
  • credentials injected into apps
  • trajectories (session history)
  • metadata generated during execution

We process this data solely according to your instructions and only for providing the Service.

A Data Processing Agreement (DPA) is part of our Terms.

2.3 Co-Controller (Training Opt-In)

If you explicitly opt in, we may use Task Data to:

  • improve our models
  • analyze trajectories
  • enhance navigation strategies
  • develop new agent capabilities

For this specific purpose, we act as (co-)controller.
You may withdraw consent at any time.

If you do not opt in, Task Data is strictly processed as Processor only.

3. Data Categories We Process

3.1 Account Data (Controller)

  • name
  • email
  • authentication details
  • user settings

3.2 Billing & Subscription Data (Controller)

  • payment information
  • subscription details
  • invoices and billing history

3.3 Technical & Usage Data (Controller)

We collect technical data to maintain and improve the Service:

  • access logs
  • IP address
  • device/browser metadata
  • performance and error telemetry
  • aggregated usage analytics

3.4 Task Data (Processor)

Generated when running workflows or agents:

  • workflow steps
  • LLM messages
  • screenshots, logs, outputs
  • extracted information
  • internal navigation events
  • runtime metadata
  • video or step recordings (if enabled)
  • app interaction data

3.5 Credentials (Processor)

Credentials stored by you:

  • are encrypted
  • are only injected at runtime
  • are never used outside your tasks
  • are never shared with model providers

4. How We Use Data

4.1 As Controller

We use data to:

  • operate accounts and subscriptions
  • provide access to the Service
  • secure the infrastructure
  • detect misuse and abuse
  • improve performance and reliability
  • fulfill legal obligations
  • communicate with you

4.2 As Processor (Task Execution)

We process Task Data solely to:

  • run workflows and agents
  • provide results, history, and debugging data
  • maintain platform security
  • comply with your retention settings

4.3 Training & Improvement (Opt-In)

Only with explicit opt-in, we may use Task Data to:

  • improve internal models
  • analyze quality and outcomes
  • enhance agent behavior
  • develop new features

You may withdraw consent anytime.

5. Categories of Third-Party Recipients

We use trusted third-party providers in the following categories:

  • Cloud hosting & infrastructure providers
    (compute, storage, networking, database)
  • Secrets management providers
    (encrypted storage and runtime injection)
  • Analytics & telemetry providers
    (aggregated usage data, performance metrics, error tracking)
  • Payment & subscription management providers
    (billing, invoicing, payment processing)
  • Proxy & networking providers
    (IP routing and network services as instructed by users)
  • App distribution / installation providers
    (retrieving, installing, or deploying apps within virtual environments)
  • AI/LLM providers
    (language model inference executed on your behalf)

Each provider is contractually bound to GDPR-compliant processing obligations.
A full list of subprocessors is available in the DPA, provided to customers upon request.

6. Legal Bases

We rely on:

  • Art. 6(1)(b) (contract)
  • Art. 6(1)(c) (legal obligation)
  • Art. 6(1)(f) (legitimate interest: security, stability, fraud prevention)
  • Art. 6(1)(a) (consent, for training opt-in)

7. Retention

7.1 Task Data

  • Trajectories and history: retained until deleted by you
  • Runtime artifacts (e.g., screenshots, logs): retained as long as needed for history/debugging

7.2 Technical Logs

  • retained for a limited period (typically 30–90 days)

7.3 Backups

System-level backups may include Task Data.
Backups follow automated retention policies and are encrypted and access-restricted.

7.4 Billing & Legal Data

  • retained for statutory periods (e.g., 6–10 years under German law)

8. International Transfers

We may transfer data to countries outside the EU/EEA.
We ensure appropriate safeguards such as:

  • adequacy decisions
  • Standard Contractual Clauses (SCCs)
  • supplementary technical and organizational measures

9. Your Rights

Under the GDPR, you have the right to:

  • access your data
  • correct inaccurate data
  • delete data
  • restrict processing
  • request portability
  • object to processing
  • withdraw consent
  • lodge a complaint with a supervisory authority

For Processor data (Task Data), requests must be routed through your organization's Controller.

10. Security

We implement strong security measures:

  • encryption in transit and at rest
  • isolated runtime environments
  • strict access controls
  • secret injection at runtime
  • network segmentation
  • monitoring & anomaly detection
  • vulnerability management
  • secure backup procedures

A full Technical & Organizational Measures (TOMs) document is included in the DPA.

11. Changes

We may update this Privacy Policy from time to time.
You will be notified of material changes.
Continued use of the Service means you accept the updated policy.

12. Contact

DroidRun GmbH
Rheinstraße 82
49090 Osnabrück, Germany
Email: contact@droidrun.ai