Privacy Policy

How we handle the personal data that passes through Renderly.

This policy describes, in a specific and verifiable way, which data we collect, why, on what legal basis and with whom we share it. It covers the requirements of the LGPD (Brazil), the GDPR (European Union) and the CCPA/CPRA (California, USA).

Effective: June 15, 2026
Version: 1.0
Controller: Renderly

Contents

  1. Who we are and definitions
  2. Data we collect
  3. How we use the data
  4. Legal bases for processing
  5. Sharing and sub-processors
  6. International transfers
  7. Retention and deletion
  8. Information security
  9. Data subject rights
  10. Cookies
  11. Children and minors
  12. Changes to this policy
  13. Contact and Data Protection Officer (DPO)

Product analytics, feedback and consent

To understand usage and improve the product we collect first-party analytics: usage events (e.g. page views, exports, feature actions), session data (duration, page count, device type) and a first-party anonymous id (rnd_anon cookie). We do NOT use ad networks or third-party trackers, and we do not sell data. IP and user-agent, when used for consent proof or security, are stored only as a hash. You may also submit feedback (free text, categorized internally). Legal basis: legitimate interest (LGPD Art. 7 IX / GDPR Art. 6(1)(f)) for essential product analytics, with easy opt-out.

Consent: on first visit you choose between “Accept” and “Essential only” (stored in the rnd_consent cookie). You can change it anytime in Settings → Privacy & data, which also offers data export (JSON) and permanent account deletion (right to portability and erasure — LGPD Art. 18 / GDPR Art. 17 & 20).

0. Who we are and definitions

Renderly is a software-as-a-service (SaaS) that generates documents — PDFs and images — from HTML and templates, through an API. This policy applies to the Renderly website, the dashboard and the API.

For the purposes of this document, and in line with the LGPD and the GDPR, we adopt the following definitions:

Personal data
any information relating to an identified or identifiable natural person (e.g., name, email).
Data subject
the natural person to whom the personal data relates.
Processing
any operation performed on personal data — collection, storage, use, sharing, deletion, etc.
Controller
the party that decides how data is processed. Renderly is the controller of its users’ account and billing data.
Operator / Processor
the party that processes data on behalf of the controller. With respect to the content sent by our customers (render payloads), Renderly acts as the customer’s operator.
Organization (tenant)
the billing and isolation unit. Every account belongs to an Organization, isolated from the others on the server.

Two roles, two sets of data. We act as controller for the data you provide us to have and pay for an account (name, email, billing data). We act as operator for the content you process through the API (the render payload) — you are the controller of that content and we process it only to deliver the document.

1. Data we collect

We collect the minimum necessary to operate the service. Specifically, we process the following categories:

1.1 Account data

When you create an account, we collect name, email and password. The password is never stored in clear text: we keep only a hash generated with Argon2id, from which the original password cannot be recovered. Each account belongs to an Organization (tenant), isolated from the others.

1.2 Content you create (templates)

The templates you create — the HTML and document structure — are stored in our database, linked to your Organization. They may contain text, markup and variables you define. We recommend you do not embed third-party personal data directly in the body of the template; variable data should travel in the render payload (see 1.3).

1.3 Render data (payload) — zero-retention

On each render call, you send a payload (the data field) that is combined with the template to generate the document. That payload and the generated PDF/image are processed in memory and discarded at the end of the request. We do not persist the payload content or the generated document. Of this, we retain only:

  • Metadata: document size, render duration, status (success/error) and date/time.
  • A SHA-256 hash of the document, to allow integrity verification later (see Security page).

What this means in practice. If your payload contains personal data (e.g., a customer’s name on an invoice), that data exists in our systems only for the milliseconds of the render and is not stored. We cannot recover the content of a document we have already generated — we can only confirm, via the hash, that a file you present to us is intact.

1.4 Billing data

Payments are processed by Stripe. We do not store card numbers on our servers; Stripe handles payment-method data as its own controller/operator. We keep customer and subscription identifiers, the contracted plan, payment status and invoice history necessary for the contractual relationship.

1.5 API credentials

The API keys are shown in plain text only once, at the moment of creation. In our database we keep only a hash of the key — we cannot recover the original key and you can revoke it at any time.

1.6 Technical and log data

For security and operations, we record limited technical data, such as IP address, request identifier, timestamps and authentication events. These logs do not contain the content of your payloads.

2. How we use the data (purposes)

We process personal data for the determined and legitimate purposes below, and for no others:

  • Provide the service: authenticate you, maintain your account, store your templates and run renders.
  • Billing and invoicing: manage subscriptions, process payments and issue invoices.
  • Security and abuse prevention: detect fraud, quota abuse and unauthorized access; keep audit logs.
  • Support: respond to requests and resolve technical issues.
  • Operation and improvement: monitor availability and performance using aggregated metadata — never the content of your documents.
  • Compliance with legal obligations: meet tax, accounting and regulatory requirements.

What we do NOT do. We do not sell personal data. We do not use the content of your templates or payloads to train artificial intelligence models. We do not perform advertising profiling nor share data with data brokers.

3. Legal bases for processing

Under the LGPD (arts. 7 and 11) and the GDPR (art. 6), all processing relies on a legal basis. We map each purpose to its basis:

Purpose | Legal basis — LGPD | Legal basis — GDPR
Account, templates and running renders | Performance of a contract (art. 7, V) | Performance of a contract (art. 6(1)(b))
Billing and invoicing | Performance of a contract (art. 7, V) | Performance of a contract (art. 6(1)(b))
Security, anti-fraud and logs | Legitimate interest (art. 7, IX) | Legitimate interest (art. 6(1)(f))
Tax and accounting obligations | Compliance with a legal obligation (art. 7, II) | Legal obligation (art. 6(1)(c))
Optional communications (future) | Consent (art. 7, I) | Consent (art. 6(1)(a))

When processing is based on consent, you can withdraw it at any time, without affecting the lawfulness of processing carried out before the withdrawal. When it is based on legitimate interest, we carry out a balancing test between our interest and your rights and freedoms, and you can object (see the rights section).

4. Sharing and sub-processors

We do not sell or rent personal data. We share data only with providers strictly necessary to operate the service, under contract and on our instructions. Our current sub-processors:

Sub-processor | Function | Data processed | Location
Neon | Managed Postgres database | Account, templates, render metadata | US-East (AWS)
Stripe | Payment processing | Billing and payment-method data | USA / global
Hosting provider | Application and API infrastructure | Traffic, technical logs, in-memory processing | See current agreement

A transactional email provider may be added in the future (e.g., for confirmations and password recovery). When that happens, we will update this list before starting the processing. Changes to the sub-processor list are communicated with reasonable advance notice.

We may also disclose data when required by law, court order or competent authority, or to protect the rights, security and integrity of the service and of third parties — always limiting disclosure to what is strictly necessary.

5. International data transfers

Part of the infrastructure is located in the United States (the Neon database operates in the US-East/AWS region; Stripe is a global company). This means that personal data of data subjects in Brazil and the European Union may be transferred and processed outside the country of origin.

  • LGPD (art. 33): transfers rely on adequate contractual safeguards with the sub-processors and on the necessity of performing the contract with you.
  • GDPR (Chapter V): we use the European Commission’s Standard Contractual Clauses (SCCs) and/or other valid mechanisms for transfers to third countries.

Regardless of where data is processed, the technical safeguards described in the Security section and the principle of zero-retention of render content apply.

6. Retention and deletion

We retain each category only for as long as necessary for its purpose:

Category | Retention period
Payload content and generated PDF/image | Not retained — discarded at the end of the request (zero-retention)
Account data (name, email, password hash) | For as long as the account exists; deleted after closure
Templates | For as long as the account exists or until you delete them
Render metadata and SHA-256 hash | For the period necessary for billing, support and auditing
Tax and invoicing data | For the period required by applicable tax/accounting legislation
Technical and security logs | A short, proportionate period, as operationally necessary

Once the purpose has ended or upon a valid deletion request, the data is erased or anonymized, except in cases of mandatory retention provided for by law.

7. Information security

We adopt technical and organizational measures proportionate to the risk, including:

  • Encryption in transit: all traffic over TLS (HTTPS).
  • Encryption at rest: persisted data is encrypted with AES-256 by the managed database provider.
  • Protected passwords and keys: passwords with Argon2id; API keys stored only as a hash.
  • Multi-tenant isolation: every query is scoped by Organization on the server; one tenant’s data does not cross into another’s.
  • Content zero-retention: payload and generated document exist only in memory during the render.

Honesty about compliance. We describe the measures we actually apply. We do not claim certifications we do not hold — we are not SOC 2 certified, for example. No system is 100% immune to incidents; in the event of a relevant security incident, we will notify the data subjects and the competent authorities as required by the LGPD and the GDPR.

8. Data subject rights

You have rights over your personal data. The exact set varies according to the regime applicable to you. We list them by regime, transparently.

8.1 LGPD — Brazil (Law 13.709/2018, art. 18)

  • Confirmation that processing exists and access to the data;
  • Correction of incomplete, inaccurate or outdated data;
  • Anonymization, blocking or deletion of unnecessary, excessive or non-compliant data;
  • Portability of the data to another provider;
  • Deletion of data processed on the basis of consent;
  • Information about the entities with which we share data;
  • Information about the possibility of withholding consent and the consequences thereof;
  • Withdrawal of consent.

8.2 GDPR — European Union

  • Access to the data (art. 15);
  • Rectification (art. 16);
  • Erasure / right to be forgotten (art. 17);
  • Data portability (art. 20);
  • Objection to processing, including processing based on legitimate interest (art. 21);
  • Restriction of processing (art. 18);
  • Right to lodge a complaint with a supervisory authority.

8.3 CCPA / CPRA — California (USA)

  • Right to know what personal information we collect and how we use it;
  • Right to delete personal information;
  • Right to correct inaccurate personal information;
  • Right to opt out of the “sale” or “sharing” of personal information — we do not sell or share personal data within the meaning of the CCPA/CPRA, so there is no sale to opt out of;
  • Right to non-discrimination for exercising your rights.

How to exercise them. Send your request to privacy@renderly.dev. We may ask for information to confirm your identity. We will respond within the applicable legal deadlines (as a rule, up to 15 days for simplified access under the LGPD; up to 1 month under the GDPR; up to 45 days under the CCPA/CPRA, extendable where the law allows). Exercising these rights is free, except for manifestly unfounded or excessive requests.

9. Cookies and similar technologies

We use the minimum cookies necessary for the service to work. By default, we set a single essential session cookie (renderly_session), marked as HttpOnly — inaccessible to JavaScript — to keep you authenticated. It does not serve advertising or tracking.

Essential session cookie
Set-Cookie: renderly_session=<opaque-token>;
  HttpOnly;
  Secure;
  SameSite=Lax;
  Path=/;
  Max-Age=2592000

We do not use third-party trackers by default. Full details about each cookie, its purpose and duration are in our Cookie Policy.

10. Children and minors

Renderly is a tool for developers and businesses; it is not directed at minors and we do not knowingly collect children’s data. Under the LGPD (art. 14), processing the data of children and adolescents requires specific care and, where applicable, the consent of at least one parent or guardian. If we become aware that we have collected a child’s data without the appropriate basis, we will delete that data.

11. Changes to this policy

We may update this policy to reflect changes in the service, in legislation or in our sub-processors. When there are material changes, we will update the effective date and the version number at the top and, where appropriate, notify you by reasonable means. Continued use of the service after the changes take effect constitutes awareness of the updated version.

12. Contact and Data Protection Officer (DPO)

For questions about privacy, exercising your rights or to reach our Data Protection Officer (DPO), use the channel below:

Data Protection Officer

Email: privacy@renderly.dev

Data subjects in the European Union have the right to lodge a complaint with their local supervisory authority. Data subjects in Brazil may contact the ANPD (National Data Protection Authority).