Last updated: August 8, 2025
Controller: Rendera Software OÜ, Paju tn 2, 50603 Tartu, Estonia
Email: privacy@render-a.com
Supervisory Authority: Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon)

1) What Personal Data We Process

  • Account Data: name, email, password hash, organisation, billing details, VAT where applicable.
  • Usage Data: IP address, device/browser info, logs, timestamps, feature usage, crash reports.
  • Project Data: models, scenes, render assets and associated metadata you upload or create.
  • Support/Comms: support tickets, emails, in‑product messages.
  • Marketing & Preferences: newsletter opt‑ins, cookie consent choices, referral info (only with consent).

We do not intentionally process special categories of data (GDPR Art. 9). Please do not upload such data.

2) Purposes & Legal Bases (GDPR Art. 6)

  • Provide the Service & billing (Art. 6(1)(b) – contract): create/manage accounts, process payments, provide features, render projects.
  • Security & fraud prevention (Art. 6(1)(f) – legitimate interests): protect accounts and systems, prevent abuse, ensure integrity.
  • Service improvement & analytics (Art. 6(1)(a) – consent or 6(1)(f) where strictly necessary/aggregated): usage analytics, quality, and performance insights.
  • Marketing communications (Art. 6(1)(a) – consent): newsletters, product updates. You can withdraw at any time.
  • Legal compliance (Art. 6(1)(c)): tax, accounting, court orders.

3) Sources of Data

Directly from you (account setup, uploads, support), automatically via the Service (logs/telemetry), and, if applicable, from your organisation administrator.

4) Recipients & Subprocessors

Categories: cloud hosting, CDN, storage, email delivery, analytics, payment processing, customer support tooling, logging/monitoring, and anti‑abuse services. Current material providers include (non‑exhaustive): Google Cloud PlatformAWS (where used), Stripe for payments, and email/analytics providers as configured. We vet subprocessors and bind them to written terms.

5) International Transfers (Ch. V GDPR)

If data is transferred outside the EEA, we use appropriate safeguards such as Standard Contractual Clauses (SCCs)and, where relevant, documented transfer risk assessments and supplementary measures.

6) Retention

  • Account & billing records: for the life of the account and up to 7 years where accounting/tax laws require; otherwise 90 days after termination.
  • Project Data: for the life of the account; deleted within 90 days of termination unless we receive a timely export request.
  • Support tickets/logs: typically 12–24 months, or longer where security or legal requirements apply.
    We anonymise or aggregate data when we no longer need personal identifiers.

7) Your Rights

You have the right to accessrectifyeraserestrict processing, object, and data portability (Arts. 15–21 GDPR). Where processing is based on consent, you may withdraw it at any time. To exercise rights, email privacy@render-a.com. You can also lodge a complaint with the Estonian Data Protection Inspectorate.

8) Children

The Service is not directed to individuals under 18. If we learn a minor’s data was provided, we will delete it promptly.

9) Security Measures

We implement defence‑in‑depth controls including encryption in transit, least‑privilege access, MFA for staff, secure SDLC practices, regular backups, and vulnerability management. If we become aware of a personal‑data breach likely to result in a high risk to your rights and freedoms, we will notify you and the competent authority as required by law.

10) Automated Decisions / Profiling

We do not engage in automated decision‑making producing legal or similarly significant effects (GDPR Art. 22).

11) Third-Party Cloud Integrations and User Data

Render-a allows users to connect external cloud storage services (such as Google Drive, Microsoft OneDrive, and Dropbox) to conveniently import drone images and other project assets. This section explains how data accessed through these integrations — including Google user data accessed via the Google Drive API — is handled.

Data Accessed:
When connecting a cloud storage account, Render-a may access:

The content of files explicitly selected by the user (e.g., drone photos).

Limited metadata such as file name, size, and MIME type.
For Google Drive integrations, this includes Google user data as defined by Google’s API Services User Data Policy. No other account data is accessed.

Data Usage:
The accessed files are used solely for project-related operations within the Render-a platform, such as 3D model generation. They are not used for analytics, advertising, or any unrelated purposes.

Data Sharing:
Data imported from Google Drive, OneDrive, Dropbox, or other supported services is not shared with any third parties. It remains within the Render-a environment and is only linked to the user’s specific project.

Data Storage & Protection:
Uploaded files are securely stored using encryption in transit and at rest. Access to user data is controlled through strict, role-based permissions. Render-a’s infrastructure follows enterprise-grade security practices, including continuous monitoring and vulnerability management.

Data Retention & Deletion:
Files imported from external cloud services remain associated with the user’s project for as long as that project exists. When a project or account is deleted, the corresponding files are permanently removed within 90 days.
Users can revoke Render-a’s access to external integrations, including Google Drive. At any time via their respective account settings (e.g., Google Account permissions page).

12) Changes to this Policy

We may update this Policy; material changes will be notified in‑app or via email, with the effective date shown above.