Privacy Policy
Last updated: June 3, 2026
Rendertize (“we”, “us”, “our”) is committed to protecting your privacy. This policy explains what data we collect, how we use it, the legal basis for processing, and your rights regarding that data.
1. Data We Collect
Data you provide
- Email address and name — collected at signup via Supabase Auth. Used for authentication and account management.
- Rendered images — renders generated by your browser and uploaded to your account storage. Never shared with third parties.
- Listing metadata — titles, descriptions, tags, and categories you generate or save. Stored in your account.
- Custom AI instructions — text you provide to guide AI metadata generation. Sent to our AI provider for processing (see Section 4).
- Profile picture — an optional avatar image you upload in account settings. It is stored in your account and served from a publicly accessible URL so it can be displayed in the app. Removed when you delete it or delete your account.
- Support requests — when you contact us, we store the name, email address, subject, message, and any file attachments you include, together with our replies, so we can respond to and keep a record of your request. Permanently removed when you delete your account.
Data processed automatically
- Analysis images — when a rendering session starts, Rendertize automatically captures temporary images of your 3D model from multiple angles. These images are sent to our AI provider for geometry classification and metadata generation, and are not permanently stored. They are processed in memory and discarded after analysis.
Data we do NOT collect
- 3D model files — your GLB files are loaded and rendered entirely in your browser. They are never uploaded to our servers.
- Tracking cookies or advertising identifiers.
- Behavioral profiles for ad targeting.
Usage data
- Account usage metrics — credit usage, session counts, render counts, listings created, storage used, and first-use timestamps (first render, first AI metadata, first listing) for internal product analytics. Used for billing, enforcing per-tier usage limits, and platform cost monitoring.
- Operational logs — we retain three logs in our database for up to 90 days, then auto-purge: (a) aggregate bandwidth usage (bucket, file path, byte counts) for cost monitoring and abuse detection; (b) authentication and rate-limit events (path, IP address) for abuse prevention; (c) backend error logs (endpoint, status code, error message). Our hosting providers (Vercel, Railway) also keep short-lived platform request logs containing IP and URL — see Section 4 for their retention policies.
- Signup and resend rate limiting — IP addresses and email addresses used for signup and password reset attempts are tracked to prevent brute-force abuse. Rate limit records are retained for up to 90 days and then automatically deleted. Processing is based on our legitimate interest in preventing fraud and ensuring service security (Art. 6(1)(f) GDPR).
- Deleted account email hash — upon permanent account deletion, a one-way SHA-256 hash of your email address is retained indefinitely solely to prevent re-registration credit abuse. This hash is cryptographically irreversible and cannot be used to identify, contact, or profile you. Processing is based on our legitimate interest in maintaining fair access to the Service (Art. 6(1)(f) GDPR).
2. Legal Basis for Processing (GDPR)
If you are in the European Economic Area (EEA) or UK, we process your personal data under the following legal bases:
- Contract performance (Art. 6(1)(b)) — processing your account data, renders, and AI-generated listings is necessary to provide the Service you signed up for. This also covers the transaction metadata (plan, amount, timestamp) we retain to determine your subscription tier.
- Legitimate interest (Art. 6(1)(f)) — usage analytics, fraud detection, platform security, abuse prevention (rate limiting, bot protection), and internal support notifications. We have balanced your privacy rights against our interest in maintaining a secure, reliable service and concluded these activities are proportionate. Specific examples are noted in Sections 1 and 4.
- Legal obligation (Art. 6(1)(c)) — limited transaction metadata may be retained to support our corporate-tax bookkeeping and respond to lawful requests from regulators. Customer-facing invoices and VAT/sales-tax records are retained by Paddle as Merchant of Record (see Section 4).
3. How We Use Your Data
- To provide, maintain, and improve the Service.
- To authenticate your account and manage sessions.
- To enforce usage caps and credit limits.
- To process payments via Paddle (Merchant of Record).
- To send transactional emails (account confirmation, password reset).
- To respond to support requests.
- To monitor platform costs and detect abuse (no automated profiling for marketing purposes).
4. Third-Party Data Processors
The following third-party services process data on our behalf. This list reflects the current state of our sub-processors and may be updated as providers change.
Paddle (Payments)
Paddle.com is our Merchant of Record and processes all payments. When you make a purchase, Paddle collects your email, payment method details — entered into Paddle's PCI-compliant form for card payments, or returned as a tokenized credential from your chosen wallet or account provider for Apple Pay, Google Pay, or PayPal — together with your country (required for tax), IP address, and device/browser information used for fraud prevention. Depending on the payment method, additional details (such as postal code, cardholder name, or PayPal account information) may also be collected by Paddle or the upstream provider. We never see full card numbers or wallet credentials. If you choose to enter a VAT/Tax ID at checkout, Paddle will additionally collect your company name and full billing address to validate the tax exemption. Paddle shares a limited subset of this information with us — your email, a payment method summary (e.g. card brand and last four digits, or a wallet/PayPal indicator), and transaction metadata (transaction ID, price, amount, currency, tax, country, and timestamps) — solely to fulfil your order and manage your account. We do not store your card number or a card summary; payment methods are held by Paddle, and you manage them through Paddle's billing portal. See Paddle's Privacy Policy and their Data Processing Addendum.
Supabase (Database, Auth, Storage)
Your account data, usage logs, rendered images, and listing metadata are stored on Supabase (hosted on AWS). Supabase processes data on our behalf under a Data Processing Agreement. See also Supabase's Privacy Policy.
Google Gemini API (AI Metadata)
During a rendering session, automatically captured analysis images of your 3D model and extracted 3D model metadata (polygon count, materials, textures, etc.) are sent to Google's Gemini API for geometry classification and marketplace metadata generation. We use the paid Gemini API tier. Under Google's Gemini API Terms, data sent through the paid API is not used by Google to train or improve their AI models. Data may be logged for up to 55 days for abuse detection and is then deleted. We do not send your 3D model files or your saved renders — only temporary analysis images and 3D model metadata. See also Google's Privacy Policy.
Vercel (Hosting)
The Rendertize app and marketing website are hosted on Vercel. Vercel collects IP addresses and request logs as part of standard hosting operations. We use Vercel Analytics, which is cookieless and does not collect personally identifiable information. See Vercel's Privacy Policy.
Railway (Backend Hosting)
The Rendertize API and backend services are hosted on Railway. All API requests — including authentication, rendering, AI analysis, and account management — are processed through Railway infrastructure. See Railway's Privacy Policy.
Resend (Transactional & Support Email)
We use Resend to deliver transactional and support emails — including account deletion scheduling and cancellation notices, as well as support ticket confirmations and replies. Resend processes your email address and the contents of these messages solely to deliver them. See Resend's Privacy Policy.
Cloudflare (Bot Protection / CAPTCHA)
We use Cloudflare Turnstile to protect our signup, login, and password reset forms against automated abuse. When you load one of these forms, a challenge widget is served from Cloudflare and your IP address and a challenge token are sent to Cloudflare for verification. Turnstile is privacy-focused: it does not use tracking cookies and does not profile you across sites. Processing is based on our legitimate interest in preventing fraud and ensuring service security (Art. 6(1)(f) GDPR). See Cloudflare's Privacy Policy.
Sentry (Error Monitoring)
We use Sentry to capture application errors and basic performance diagnostics from the app and backend so we can detect and fix problems. When an error occurs, Sentry receives diagnostic data such as the error message, stack trace, browser/device type, and the page or endpoint involved. We have configured Sentry to minimize personal data — IP-address and cookie collection are disabled and we do not use session replay or any behavioral session recording. Diagnostic data may still incidentally contain personal information if it appears in an error message. Error data is retained for up to 90 days and then deleted. Sentry processes this data on our behalf under a Data Processing Addendum. See Sentry's Privacy Policy.
5. International Data Transfers
If you are located in the EEA or UK, your personal data may be transferred to and processed in the United States through our third-party processors. We ensure these transfers are protected by appropriate safeguards:
- Standard Contractual Clauses (SCCs) — our processors have adopted EU Standard Contractual Clauses approved by the European Commission.
- EU-US Data Privacy Framework — where applicable, our processors certify compliance with the EU-US Data Privacy Framework.
- Encryption — all data is encrypted in transit (TLS) and at rest.
6. AI Data Processing
Rendertize uses the Google Gemini API (generative AI) to classify your 3D models and create marketplace listings. AI analysis is performed automatically as part of the rendering workflow. When this occurs:
- Automatically captured analysis images of your model and extracted 3D model metadata (polygon count, materials, textures, mesh names, etc.) are sent to Google over an encrypted connection. Your saved renders are not sent.
- Google does not use paid API data to train or improve Gemini models. Data is logged for up to 55 days for abuse detection only.
7. Cookies
- Supabase Auth — sets essential session cookies for authentication. These are strictly necessary for the app to function and do not require consent.
- Paddle — sets cookies during checkout for payment security. These are strictly necessary for processing transactions.
- Cloudflare Turnstile — may set a strictly necessary token on signup, login, and password reset pages to run its bot protection challenge. No tracking cookies are used.
- We do not currently use advertising, retargeting, or analytics tracking cookies. If this changes, we will update this policy and notify you.
8. Data Retention
- Account data (email, name, profile) — retained while your account is active. Permanently deleted 30 days after you request account deletion (cancellable during that window).
- Rendered images — retained until you delete them or your account. Permanently removed 30 days after you request account deletion.
- AI-generated listings — retained until you delete them or your account. Permanently removed 30 days after you request account deletion.
- Profile picture — retained until you remove it or delete your account. Permanently removed 30 days after you request account deletion.
- Support requests and attachments — retained while your account is active to maintain a support history. Permanently removed 30 days after you request account deletion.
- Analysis images — not permanently stored. Processed in memory during sessions and discarded.
- Request and usage logs — purged after 90 days.
- Admin audit log — records of administrative actions taken on an account, including limited identifiers such as the affected account's email, are retained for up to 24 months for security and accountability purposes, then automatically deleted.
- Payment records — retained by Paddle for up to 7 years to comply with tax and financial reporting obligations.
9. Your Rights
GDPR (EEA/UK residents)
Under the General Data Protection Regulation, you have the right to:
- Access (Art. 15) — request a copy of all personal data we hold about you.
- Rectification (Art. 16) — correct inaccurate or incomplete data.
- Erasure (Art. 17) — request deletion of your data (“right to be forgotten”), subject to legal retention obligations.
- Restrict processing (Art. 18) — request that we limit processing to storage only while we verify contested data.
- Portability (Art. 20) — receive your data in a structured, machine-readable format.
- Objection (Art. 21) — object to processing based on legitimate interest.
Access, portability, restriction, and objection requests are handled manually — email support@rendertize.com and we will respond within 30 days. Complex requests may take up to 60 days with prior notification. Requests are free unless manifestly unfounded or excessive.
Right to lodge a complaint: If you believe your data protection rights have been violated, you have the right to lodge a complaint with your local supervisory authority. EU residents can find their national authority at edpb.europa.eu. UK residents may complain to the Information Commissioner's Office (ICO) at ico.org.uk.
CCPA (California residents)
Under the California Consumer Privacy Act, you have the right to:
- Right to know — what personal data we collect, the sources, purposes, and categories of third parties with whom we share it.
- Right to delete — request deletion of your personal data, subject to legal exceptions.
- Right to correct — request correction of inaccurate personal data.
- Right to opt-out of sale/sharing — we do not sell your personal information. We do not share personal data for cross-context behavioral advertising.
- Right to non-discrimination — we will not discriminate against you for exercising your privacy rights.
To exercise any of your rights, contact us at support@rendertize.com. We will verify your identity before processing any request.
10. Children's Privacy
The Service is intended for users aged 18 and older. We do not knowingly collect personal information from anyone under 18. If we become aware that we have inadvertently collected data from a person under 18, we will promptly delete that information. If you believe someone under 18 has provided us with personal data, please contact us at support@rendertize.com.
11. Security
We implement appropriate technical and organizational measures to protect your personal data, including encryption in transit (TLS) and at rest, access controls, and regular security reviews. In the event of a data breach that poses a high risk to your rights, we will notify affected users without undue delay and report to relevant supervisory authorities within 72 hours as required by GDPR.
Internal access: Authorized Rendertize personnel may access your account data — including your email, tier, credit and usage history, transaction records, and support requests — through a secure internal admin tool, strictly on a need-to-know basis to operate, support, secure, and bill the Service. Access is limited to a small number of approved administrators and is subject to confidentiality obligations. Administrative actions affecting an account (such as adjusting credits, restricting processing, or deleting an account) are recorded in an internal audit log.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or a prominent notice on the Service. The “Last updated” date at the top of this page reflects the most recent revision. Continued use of the Service after changes constitutes acceptance of the updated policy.
13. Contact
Data controller: Operated by Mohamed Ahmed Mohamed Ibrahim, sole proprietor based in Cairo, Egypt.
Privacy questions or requests: support@rendertize.com
