Privacy and Security on RateRun: How We Handle Your Data
When you use RateRun, you trust us with your client details, financial data, and business information. We take that seriously. Here is how we handle your data and keep your account secure.
Your data stays yours
RateRun does not sell your data. We do not share it with advertisers, analytics companies, or anyone else. Your client names, invoice amounts, timer sessions, expenses, and directory information are yours — full stop.
We use your data only to run the service you signed up for. That means displaying your dashboard, generating your invoices, showing your listing in the directory, and processing your payments.
Your data is not the product
We make money from subscriptions, not from selling your information.
Account security
Every RateRun account is protected by:
- Password hashing — your password is never stored in plain text. It is hashed using WordPress’s built-in hashing (bcrypt), so even if the database were compromised, it would contain only password hashes, not the passwords themselves.
- Email verification — new accounts must verify their email address before they can log in. This prevents fake signups and ensures you control the email on your account.
- Rate limiting — login attempts are rate-limited to prevent brute-force attacks. After too many failed attempts, the system slows further attempts down to protect your account.
- Nonce verification — every form submission and API request includes a security token (nonce) that prevents cross-site request forgery (CSRF).
Payment security
Payments are handled entirely by Stripe. When you upgrade to Cloud or Pro, your card details go directly to Stripe — they never touch our server. We do not see, store, or have access to your full card number.
Stripe is PCI DSS Level 1 certified — the highest level of payment security. Your billing is managed through Stripe’s secure portal, and you can update or cancel your subscription at any time from your Settings page.
Payments handled by Stripe
Your card details never touch our servers. Stripe handles everything securely.
Directory privacy
Your directory listing is public by design. That is the point: you want to be found. But your contact details (email, phone, website) are gated behind a login. Casual visitors cannot see them, which protects you from scraping and spam.
The messaging system adds another layer — potential clients can contact you through the directory without your email being exposed at all.
What we collect
We collect what we need to run the service:
- Account info — email, password (hashed), plan type
- App data — clients, projects, timer sessions, invoices, expenses, income log entries
- Directory data — listing details, reviews, messages, favourites
- Payment info — Stripe customer ID and subscription ID (not card details)
We do not use tracking pixels, third-party analytics, or advertising cookies. The site uses essential cookies only — session management and security tokens.
HTTPS everywhere
The entire RateRun platform runs over HTTPS. Every page, every API call, every asset is served over an encrypted connection. This means data in transit between your browser and our servers is encrypted, which protects it from being read or altered along the way.
Simple, private, secure
No trackers, no data selling, no analytics cookies. Just the tools you need.