Your vendor contracts contain sensitive commercial terms. This page explains exactly how Renewly stores, processes, and protects that information.
Passwordless by default, hardware keys supported
Renewly uses passwordless authentication. Instead of a password, you receive a magic link by email. There is no stored password to leak or guess. Rate limits apply per intent: 10 attempts per 15 minutes for login, 5 for signup, and 3 for password reset.
You can also register a passkey - Touch ID, Face ID, or a hardware security key (YubiKey, Titan Key). Passkeys use the WebAuthn standard and are bound to your device. You can register multiple passkeys and name or revoke them individually from your account settings.
Two-factor authentication (TOTP) is available as an additional layer. Disabling TOTP requires completing a second authentication step (AAL2) - a session-hijacked attacker at a lower assurance level cannot turn off your 2FA.
Magic links are tied to a trusted origin allowlist. Links generated for one domain cannot be redirected to an external host.
In transit and at rest
All data sent between your browser and Renewly is encrypted with TLS 1.3. Contract files and extracted data stored in our database are encrypted at rest using AES-256.
We never store payment card information. All billing is handled directly by Stripe.
Where your data lives
Renewly is a dual-region service. Your account data, contracts, and extracted metadata are stored in Supabase. Supabase is SOC 2 Type II and carries ISO/IEC 27001:2022 across its full information security management system. You choose your region at signup and it stays in that region for the life of the workspace.
Contract PDF files are stored in Supabase Storage. Each file is accessible only through signed URLs that expire after a short window. There is no public URL for any uploaded contract.
For the full sub-processor map and operational-log disclosures, see our trust page.
Who can see what
Every database query is enforced by row-level security (RLS). Access is checked at the database layer, not just in application code. A user can only query contracts that belong to them or to their organization.
Once a user joins an organization, they see only that organization's contracts. Personal data does not bleed through to the organization view, and one organization's analytics cannot reach another tenant's data. Analytics queries are scoped through a per-session contract ID whitelist.
Workspace switching is handled server-side with membership validation. Switching to an organization you are not a member of is rejected at the server, not just the client.
What happened and when
Renewly writes an audit log entry for every significant user action: authentication events (login, logout, MFA changes, passkey registration and revocation), contract operations (upload, download, delete, version upload), billing events (subscription created, cancelled), team events (invitations, role changes), and account changes (profile update, data export, deletion request).
Audit logs are retained for 3 years for security and compliance purposes. Your own audit log is included in any data export you request.
What leaves our systems
When you upload a contract, the document text is sent to a third-party analysis provider to extract key dates, clauses, and terms. Only the contract text is sent. No account information, email addresses, or other personal data is included.
Our LLM extraction providers (Gemini via Google Vertex, Claude via Anthropic) operate under a zero data retention policy per their API terms - contract text is not retained or used to train models after processing.
Contract text is typically processed in under 10 seconds. The analysis provider receives only the extracted text, processes it in memory, and returns structured data. No contract content is written to disk or persisted beyond the processing window.
Renewal notifications are sent through Resend, a GDPR-compliant email service. Resend receives only your email address and the notification content.
You control when data is removed
You can delete any individual contract at any time. Deleted contracts and their associated files are permanently removed.
If you delete your account, all your data is removed after a 30-day grace period. You can export your data before deletion. Backups are purged after 30 days.
Organization workspaces can configure a data retention policy to automatically purge records older than a set threshold. This runs on a scheduled basis and writes an audit entry for every purge event.
Audit logs are retained for 3 years for security and compliance purposes.
Your rights under data protection law
Non-essential trackers (analytics and session recording) are blocked until you give explicit consent. The consent prompt appears on first visit. You can revisit your choice at any time from Settings → Account → Cookie Preferences.
Essential services (Crisp live chat for support) are not consent-gated because they are functional rather than marketing tools. All other third-party tracking is off until you accept.
Under GDPR Article 15, you can export all personal data Renewly holds about you. The export covers your profile, contracts and extracted data, tags, notifications, audit logs, inbox aliases, vendor alerts, session records, calendar integrations, and webhook endpoints. Credential material (OAuth tokens, webhook secrets) is redacted from the export.
EU and EEA users have full rights to access, correct, delete, and export their personal data. We have a signed DPA with Supabase.
Standards and regulations
Our hosting providers (Supabase and Vercel) hold SOC 2 Type II certification. Renewly itself is not in audit scope; the certifications belong to our infrastructure vendors. Supabase is certified to ISO/IEC 27001:2022 across its full information security management system. Renewly itself is not in audit scope.
Renewly is GDPR compliant. EU and EEA users have full rights to access, correct, delete, and export their personal data. We have a signed DPA with Supabase.
California residents have the right to know, access, and delete their personal information. We do not sell personal data.
In the event of a data breach, we will notify affected users within 24 hours and provide details of the breach and remediation steps.
Third parties that process your data
This table lists the primary sub-processors that handle your data. For the full disclosure (including operational-log vendors that do not see contract content), see our trust page.
| Provider | Purpose | Data shared |
|---|---|---|
| Supabase | Database, file storage, authentication | Account data, contracts, extracted metadata, uploaded files |
| Vercel | Application hosting | Request logs, IP addresses |
| Stripe | Payment processing | Email, billing details (no contract data) |
| Resend | Email notifications | Email address, notification content |
| Reductoopt-out | PDF text extraction (pre-LLM stage) | PDF text only — no account data or identifiers. |
| Google Vertex (Gemini) | Structured field extraction (primary LLM) | Parsed contract text only |
| Anthropic (Claude)opt-out | Cross-check / validation pass (secondary LLM) | Parsed contract text only |
| Crisp | Live chat support | Email address, chat messages |
Not by our LLM extraction providers: Gemini (via Google Vertex) and Claude (via Anthropic) do not train on your data and discard contract text after processing, per their API terms. The PDF parser stage (Reducto) is a sub-processor whose data handling is governed by our agreement with them; a per-org opt-out is available on request.
Your contract data (uploaded files, extracted fields, account info, audit logs) is stored exclusively in your selected region. EU customers on Supabase eu-central-1, US customers on Supabase us-east-1. Contract data extraction runs in-region: Google Vertex europe-west1 for EU, Google Vertex us-east5 for US.
Two stages cross-region:
Both choices give every customer the same extraction quality regardless of region. If your compliance program requires either stage to run in-region too, contact support and we'll enable the opt-out flag on your workspace; affected stages will be skipped (extractions still run, with slightly lower accuracy on the primary pass alone). An in-region migration of the validation pass is planned. See /trust for the full residency posture.
Access to production data is restricted and audited. We do not routinely access customer contract content. If access is ever needed for support purposes, it requires your explicit consent.
Your data remains accessible. If you downgrade to the free tier and exceed 5 contracts, you can still view all your contracts but cannot add new ones until you are within the limit.
Supabase hosts our database and file storage on AWS in the region you choose at signup. EU customers are on AWS Frankfurt (eu-central-1). US customers are on AWS N. Virginia (us-east-1). Your region is set when you sign up and stays in that region for the life of the workspace.
Not yet. Renewly currently supports passwordless email authentication (magic links), passkeys (Touch ID, Face ID, hardware keys), and optional TOTP two-factor authentication. SSO is on our roadmap.
Yes. Under GDPR Article 15, you can request a full export of your personal data from Settings. The export covers your profile, contracts, extracted data, tags, notifications, audit logs, inbox aliases, vendor alerts, session records, calendar integrations, and webhook endpoints (with credentials redacted). Your original uploaded PDF files are also downloadable at any time.
Go to Settings → Account → Cookie Preferences. You can accept or reject non-essential trackers (analytics and session recording) at any time. Changes take effect immediately.
If you have questions about how we handle your data, or if you need to report a security concern, contact us directly.
security@renewly.gg