1. Introduction
Renewly ("we," "our," or "us") is committed to protecting your personal information and your right to privacy.
This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our vendor contract renewal tracking platform at renewly.gg.
2. Information We Collect
2.1 Information You Provide
- Account Information: Email address (required), full name, company name
- Contract Information: Contract files (PDF), titles, and metadata
- Settings & Preferences: Notification preferences and communication settings
- Passkey Credentials: If you register a passkey, we store the public key material and credential identifier returned by your device. The private key never leaves your device.
2.2 Information Collected Automatically
- Usage Information: Pages visited, features used, time spent on the service
- Device Information: Browser type, IP address, operating system
- Cookies: Essential session cookies (always on) and, with your consent, analytics cookies. See our Cookie Policy for details.
2.3 Security and Activity Logs (Audit Log)
We maintain an audit log to protect the security of your account and comply with legal obligations. The audit log records:
- Authentication events: Sign-in, sign-out, MFA enable/disable, session revocation, passkey registration and removal, magic-link requests
- Organisation events: Organisation creation, member add/remove, role changes, invitation accept/decline
- Billing events: Checkout initiated, subscription changes, cancellation
- Data events: Contract uploads, contract deletions, account deletion requests, GDPR data exports
- Settings changes: Notification preferences, integration connect/disconnect, workspace switches
Each log entry records the event type, a timestamp, the user ID of the actor, the organisation ID (where applicable), and relevant metadata about the action (for example, which contract was deleted or which member role was changed). IP addresses are not stored in audit log entries.
Audit log entries are retained for 3 years (see section 4, Data Retention). You can view your own account's audit log history by contacting privacy@renewly.gg.
3. How We Use Your Information
3.1 Service Delivery
Legal Basis: Contract Performance
- Create and manage your account
- Process and analyze your contracts automatically
- Send renewal notifications
- Provide customer support
3.2 Legal Compliance
Legal Basis: Legal Obligation
- Comply with legal requirements
- Protect against fraud and abuse
- Enforce our Terms of Service
4. Data Retention
We retain your personal information for as long as your account is active or as needed to provide services to you.
Retention Periods:
- Active Account Data: Retained until you delete your account
- Contracts: Retained until you delete them
- Audit Logs: 3 years (for security and compliance)
- Backups: 30 days, then permanently deleted
5. How We Share Your Information
We do not sell your personal information. We only share data with trusted service providers:
Supabase (Database & Storage)
- Purpose: Store account data, contracts, and metadata
- Security: SOC 2 Type II, ISO/IEC 27001:2022, GDPR compliant
- DPA: Signed
Contract Extraction Sub-processors
- Reducto: PDF text extraction (pre-LLM stage). Sub-processor; data handling governed by our agreement with Reducto. Per-org opt-out available on request.
- Google Vertex (Gemini): Primary LLM extraction. Runs in-region (europe-west1 for EU, us-east5 for US). Zero retention and no model training on data, per Google Vertex terms.
- Anthropic (Claude): Validation pass. Runs via Anthropic Direct API for both regions. Zero retention and no model training on API data, per Anthropic API terms. Per-org opt-out available.
- What's sent: Contract text only (no names, emails, or account info).
See the canonical sub-processor list and operational-log disclosure on /trust.
Resend (Email Service)
- Purpose: Send renewal notifications and service emails
- Security: GDPR compliant
- What's sent: Email address and notification content
5.1 Third-Party Clients You Authorize
Renewly supports OAuth 2.1 authorization so you can connect third-party applications (for example, AI assistants and developer tools) to your account. When you grant consent on the authorization screen, the connected application receives a token that lets it call our API on your behalf within the scopes you approved.
What gets shared
- Scope: Only the data covered by the scopes you approve (e.g. read contracts, draft emails). The consent screen lists the exact permissions before you confirm.
- Tenant boundary: The application can only see your own contracts and the data of organizations you are a member of, never another customer's data.
- What we send: Contract metadata, extracted fields, and any output the requested tool produces. We do not send your password, MFA factors, billing details, or other account credentials.
Your control
- Revocation: You can revoke any connected application at any time from Settings → Connections. Revocation invalidates the token immediately.
- Audit: OAuth grants and revocations are logged and surfaced in your settings.
- Third-party policies: Once data leaves Renewly, it is governed by the connected application's privacy policy. Review that policy before granting access.
5.2 Third-Party Services You Connect (Google Calendar, Microsoft Calendar, Slack, DocuSign, Salesforce)
Renewly can connect outward to third-party services so contract renewal events show up where you already work. When you initiate one of these connections from Settings → Integrations, you complete an OAuth or webhook flow on the third party's side and grant Renewly the minimum permissions required for that integration to function.
Google Calendar
- Scopes requested: https://www.googleapis.com/auth/calendar.events (read and write events on your calendars) and https://www.googleapis.com/auth/userinfo.email (your primary Google account email, used to label the connection).
- What we do with it: Create renewal-reminder events on your primary Google Calendar at standard notice windows (90, 60, 30, and 7 days before each contract's renewal date), and update or delete those events when you change or remove the underlying contract in Renewly. We do not read your unrelated calendar events, modify other applications' events, or write to calendars other than your primary calendar.
- What we store: An encrypted OAuth refresh token (AES-256-GCM at rest), the Google account email you connected with, and a server-side log of which Renewly contract corresponds to which Google event ID so we can update the right event later. We never store the contents of your other calendar events.
- Retention: Tokens are retained until you disconnect Calendar in Renewly, delete your Renewly account, or the token is revoked from your Google account. Disconnection deletes the encrypted tokens within 24 hours; account deletion deletes them as part of the full account-purge flow described in section 7.
- Limited use: Renewly's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically, we do not use Google user data to train generalised AI/ML models, do not sell or transfer it to third parties, and do not use it for advertising. Access by humans is limited to the minimum necessary for security review, debugging at user request, or legal compliance.
Microsoft Calendar (Outlook / Microsoft 365)
- Scopes requested: Calendars.ReadWrite and User.Read (your primary email).
- What we do with it: Same as Google Calendar - create, update, and delete renewal-reminder events on your primary Microsoft calendar.
- Retention + storage: Same as Google Calendar (encrypted tokens, deleted on disconnect or account deletion).
Slack and Microsoft Teams
- Mechanism: Outbound Incoming Webhook URL paste. You create the webhook in your Slack workspace or Teams channel and paste the URL into Renewly. No OAuth, no Renewly app installed in your workspace.
- What we send: Renewal alert messages (contract title, days until renewal, link back to Renewly). One-way: we never read messages from your workspace.
- What we store: The encrypted webhook URL (AES-256-GCM at rest). Deleted on disconnect or account deletion.
DocuSign and Salesforce
- Scopes: Limited to what each integration requires - DocuSign signature/envelope read and create, Salesforce contract record read and field-mapped write.
- What we do with it: Sync contract metadata between Renewly and these systems so contract status is consistent. We never read documents or records outside the field mappings you configure.
- Retention + storage: Encrypted refresh tokens, deleted on disconnect or account deletion.
Disconnect at any time: Each connected service has a Disconnect control on its card under Settings → Integrations. Disconnection deletes the stored tokens or webhook URL within 24 hours. For Google specifically, you can additionally revoke Renewly from your Google account permissions page.
6. Your Rights
6.1 GDPR Rights (EU/EEA Users)
✓ Right to Access: Request a copy of your personal data (Settings → Export My Data)
✓ Right to Rectification: Correct inaccurate personal data (Settings → Profile)
✓ Right to Erasure: Request deletion of your data (Settings → Delete Account)
✓ Right to Data Portability: Receive your data in machine-readable format (JSON)
6.2 CCPA Rights (California Residents)
- Know what personal information we collect and use
- Access your personal information
- Delete your personal information
- Opt-out of sale (Note: We do not sell personal information)
7. Data Security
We implement appropriate technical and organizational measures to protect your personal information:
Technical Measures
- ✓ Encryption in transit (TLS 1.3)
- ✓ Encryption at rest (AES-256)
- ✓ Passwordless authentication via passkey (WebAuthn) and magic-link email
- ✓ Multi-factor authentication (TOTP) available for all accounts
- ✓ Row-level security
Organizational Measures
- ✓ Limited employee access
- ✓ Security training
- ✓ Incident response procedures
- ✓ Regular security audits
8. Data Location and International Transfers
Renewly is a dual-region service. You choose your region at signup and your contracts, account data, and audit logs are stored in that region for the life of the workspace.
European Union
- Storage: Supabase eu-central-1 (AWS Frankfurt)
- Primary extraction: Google Vertex europe-west1
United States
- Storage: Supabase us-east-1 (AWS N. Virginia)
- Primary extraction: Google Vertex us-east5
Two stages of contract extraction cross-region today: PDF text extraction (via our sub-processor Reducto) and LLM validation (via Anthropic Direct API for Claude). Both have a per-org opt-out. See /trust for the canonical map.
For personal data transfers from the European Economic Area, the United Kingdom, or Switzerland to countries that have not received an adequacy decision from the European Commission (or the UK equivalent), Renewly relies on the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, the UK International Data Transfer Addendum. Copies of these mechanisms are available on request from privacy@renewly.gg. We have a signed DPA with Supabase and a Renewly DPA is available on request.
9. Cookies and Tracking
We use two categories of cookies. Essential cookies are always on and required for the service to function. Non-essential analytics cookies (Apollo, Microsoft Clarity, Google Analytics) only load if you explicitly accept them via the cookie banner or in your account settings.
Essential Cookies (Always On)
- Purpose: Keep you logged in and save your cookie preference
- Can be disabled: No - the service will not work without them
Analytics Cookies (Consent Required)
- Services: Apollo, Microsoft Clarity, Google Analytics
- Purpose: Understand how the product is used so we can improve it
- Legal Basis: Consent (GDPR Art 6(1)(a))
- Change preference: Settings → Account → Cookie preferences, at any time
See our Cookie Policy for the full list of cookies, what each service receives, and how to withdraw consent.
10. Data Breach Notification
In the event of a data breach affecting your personal information, we will notify you within 24 hours (GDPR requires 72 hours) and provide information about the breach and steps we're taking.
11. Contact Us
If you have questions about this Privacy Policy or our data practices:
This Privacy Policy may be updated from time to time. Material changes will be communicated via email to active users. Continued use of the service after changes are posted constitutes acceptance.
For more about how we protect your data, see our Security page.