Your vendor contracts contain sensitive commercial terms. This page explains exactly how Renewly stores, processes, and protects that information.
In transit and at rest
All data sent between your browser and Renewly is encrypted with TLS 1.3. Contract files and extracted data stored in our database are encrypted at rest using AES-256.
We never store payment card information. All billing is handled directly by Stripe.
Where your data lives
Your account data, contracts, and extracted metadata are stored in Supabase, which provides SOC 2 Type II certified and GDPR-compliant infrastructure. Supabase runs on AWS in the United States.
Contract PDF files are stored in Supabase Storage. Each file is accessible only through signed URLs that expire after a short window. There is no public URL for any uploaded contract.
Who can see what
Every database query is subject to row-level security (RLS) policies. This means access is checked at the database layer, not just in application code. A user can only query contracts that belong to them or to their organization.
Organization members see shared contracts based on their assigned role. Personal contracts are visible only to the account holder.
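To illustrate the pattern described above, here is an added example of Postgres row-level security policies in the style Supabase uses. It is not Renewly's own schema or policy text; the table and column names (contracts, organization_members, owner_id, organization_id, user_id) and the use of Supabase's auth.uid() helper are assumptions.

```sql
-- Added illustration of per-user and per-organization row-level security.
-- NOT Renewly's schema: contracts / organization_members and their columns
-- are assumed names. auth.uid() is Supabase's helper returning the caller's
-- user id from the request JWT.

alter table contracts enable row level security;
alter table contracts force row level security;  -- also applies to the table owner

-- A user may read a contract they own personally ...
create policy contracts_select_own
  on contracts for select
  using (owner_id = auth.uid());

-- ... or a contract shared with an organization they are a member of.
create policy contracts_select_org
  on contracts for select
  using (
    organization_id is not null
    and exists (
      select 1
      from organization_members m
      where m.organization_id = contracts.organization_id
        and m.user_id = auth.uid()
    )
  );

-- New rows must be stamped with the caller's own id, so a client cannot
-- create a contract on behalf of another user.
create policy contracts_insert_own
  on contracts for insert
  with check (owner_id = auth.uid());

-- Deletion is limited to the personal owner; organization roles that may
-- delete shared contracts would need their own policy.
create policy contracts_delete_own
  on contracts for delete
  using (owner_id = auth.uid());

-- Verification from a SQL session: impersonate a known second user and
-- confirm the query returns only that user's rows (RLS filters silently,
-- it does not raise an error).
set role authenticated;
select set_config('request.jwt.claims', '{"sub":"<second-user-uuid>"}', true);
select id, owner_id, organization_id from contracts;
```

With RLS enabled and no matching policy, a query simply returns zero rows, so policies should be tested against a second user rather than assumed correct. Note that Supabase's service_role key bypasses RLS entirely, so it must never reach a browser or mobile client.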
Renewly supports two-factor authentication (TOTP) for additional account protection.
What leaves our systems
When you upload a contract, the document text is sent to a third-party analysis provider to extract key dates, clauses, and terms. Only the contract text is sent. No account information, email addresses, or other personal data is included.
Our analysis provider operates under a zero data retention policy. Contract text is not stored or used to train models after processing is complete.
Renewal notifications are sent through Resend, a GDPR-compliant email service. Resend receives only your email address and the notification content.
You control when data is removed
You can delete any individual contract at any time. Deleted contracts and their associated files are permanently removed.
If you delete your account, all your data is removed after a 30-day grace period. You can export your data before deletion. Backups are purged after 30 days.
Audit logs are retained for 3 years for security and compliance purposes.
Standards and regulations
Our infrastructure provider (Supabase) holds SOC 2 Type II certification, covering security, availability, and confidentiality controls.
Renewly is GDPR compliant. EU/EEA users have full rights to access, correct, delete, and export their personal data. We have a signed DPA with Supabase.
California residents have the right to know, access, and delete their personal information. We do not sell personal data.
In the event of a data breach, we will notify affected users within 24 hours and provide details of the breach and remediation steps.
No. Our document analysis provider operates under a zero data retention policy. Contract text is processed and discarded. It is never used for model training.
Access to production data is restricted and audited. We do not routinely access customer contract content. If access is ever needed for support purposes, it requires your explicit consent.
Your data remains accessible. If you downgrade to the free tier and exceed 5 contracts, you can still view all your contracts but cannot add new ones until you are within the limit.
Supabase hosts our database and file storage on AWS infrastructure in the United States.
Not yet. Renewly currently supports email/password authentication with optional two-factor authentication (TOTP). SSO is on our roadmap.
Yes. You can export your contract data in JSON format from Settings. Your original uploaded PDF files are also downloadable at any time.
If you have questions about how we handle your data, or if you need to report a security concern, contact us directly.
security@renewly.gg