Rendertize
Back to home

Privacy Policy

Last updated: April 19, 2026

Rendertize (“we”, “us”, “our”) is committed to protecting your privacy. This policy explains what data we collect, how we use it, the legal basis for processing, and your rights regarding that data.

1. Data We Collect

Data you provide

  • Email address and name — collected at signup via Supabase Auth. Used for authentication and account management.
  • Rendered images — renders generated by your browser and uploaded to your account storage. Never shared with third parties.
  • Listing metadata — titles, descriptions, tags, and categories you generate or save. Stored in your account.
  • Custom AI instructions — text you provide to guide AI metadata generation. Sent to our AI provider for processing (see Section 4).

Data processed automatically

  • Analysis images — when a rendering session starts, Rendertize automatically captures temporary images of your 3D model from multiple angles. These images are sent to our AI provider for geometry classification and metadata generation, and are not permanently stored. They are processed in memory and discarded after analysis.

Data we do NOT collect

  • 3D model files — your GLB/glTF files are loaded and rendered entirely in your browser. They are never uploaded to our servers.
  • Tracking cookies or advertising identifiers.
  • Behavioral profiles for ad targeting.

Usage data

  • Credit usage, session counts, render counts, and storage usage — used for billing, usage caps enforcement, and platform cost monitoring.
  • Request logs (IP address, timestamps, endpoints) — retained for up to 90 days for security and debugging purposes.
  • Deleted account email hash — upon permanent account deletion, a one-way SHA-256 hash of your email address is retained indefinitely solely to prevent re-registration credit abuse. This hash is cryptographically irreversible and cannot be used to identify, contact, or profile you. Processing is based on our legitimate interest in maintaining fair access to the Service (Art. 6(1)(f) GDPR).

2. Legal Basis for Processing (GDPR)

If you are in the European Economic Area (EEA) or UK, we process your personal data under the following legal bases:

  • Contract performance (Art. 6(1)(b)) — processing your account data, renders, and AI-generated listings is necessary to provide the Service you signed up for.
  • Legitimate interest (Art. 6(1)(f)) — usage analytics, fraud detection, and platform security. We have balanced your privacy rights against our interest in maintaining a secure, reliable service and concluded that these processing activities are proportionate.
  • Legal obligation (Art. 6(1)(c)) — payment and billing records retained to comply with tax and financial reporting requirements.
  • Consent (Art. 6(1)(a)) — if we ever send marketing emails, we will obtain your explicit consent first. You can withdraw consent at any time.

3. How We Use Your Data

  • To provide, maintain, and improve the Service.
  • To authenticate your account and manage sessions.
  • To enforce usage caps and credit limits.
  • To process payments via Paddle (Merchant of Record).
  • To send transactional emails (account confirmation, password reset, account deletion confirmation and cancellation).
  • To respond to support requests.
  • To monitor platform costs and detect abuse (no automated profiling for marketing purposes).

4. Third-Party Data Processors

The following third-party services process data on our behalf. This list reflects the current state of our sub-processors and may be updated as providers change.

Paddle (Payments)

Paddle.com is our Merchant of Record and processes all payments. When you make a purchase, Paddle collects your name, email, payment information, and IP address. Paddle shares your name and email with us solely to fulfil your order and manage your account. See Paddle's Privacy Policy and their Data Processing Addendum.

Supabase (Database, Auth, Storage)

Your account data, usage logs, rendered images, and listing metadata are stored on Supabase (hosted on AWS). Supabase processes data on our behalf under a Data Processing Agreement. See also Supabase's Privacy Policy.

Google Gemini API (AI Metadata)

During a rendering session, automatically captured analysis images of your 3D model and extracted 3D model metadata (polygon count, materials, textures, etc.) are sent to Google's Gemini API for geometry classification and marketplace metadata generation. We use the paid Gemini API tier. Under Google's Gemini API Terms, data sent through the paid API is not used by Google to train or improve their AI models. Data may be logged for up to 55 days for abuse detection and is then deleted. We do not send your 3D model files or your saved renders — only temporary analysis images and 3D model metadata. See also Google's Privacy Policy.

Vercel (Hosting)

The Rendertize app and marketing website are hosted on Vercel. Vercel collects IP addresses and request logs as part of standard hosting operations. We use Vercel Analytics, which is cookieless and does not collect personally identifiable information. See Vercel's Privacy Policy.

Railway (Backend Hosting)

The Rendertize API and backend services are hosted on Railway. All API requests — including authentication, rendering, AI analysis, and account management — are processed through Railway infrastructure. See Railway's Privacy Policy.

Resend (Transactional Email)

We use Resend to deliver transactional emails (account deletion confirmations and similar service notifications). Resend processes your email address solely to deliver these messages. See Resend's Privacy Policy.

Crisp (Live Chat)

We use Crisp for live chat support on our marketing website (rendertize.com). Crisp does not set cookies until you interact with the chat widget. If you initiate a chat, Crisp may collect your name, email (if provided), and chat transcript. All Crisp data is hosted in the European Union. See Crisp's Privacy Policy.

5. International Data Transfers

If you are located in the EEA or UK, your personal data may be transferred to and processed in the United States through our third-party processors. We ensure these transfers are protected by appropriate safeguards:

  • Standard Contractual Clauses (SCCs) — our processors have adopted EU Standard Contractual Clauses approved by the European Commission.
  • EU-US Data Privacy Framework — where applicable, our processors certify compliance with the EU-US Data Privacy Framework.
  • Encryption — all data is encrypted in transit (TLS) and at rest.

6. AI Data Processing

Rendertize uses Google Gemini API (generative AI) to classify your 3D models and create marketplace listings. AI analysis is performed automatically as part of the rendering workflow. When this occurs:

  • Automatically captured analysis images of your model and extracted 3D model metadata (polygon count, materials, textures, mesh names, etc.) are sent to Google over an encrypted connection. Your saved renders are not sent.
  • Google does not use paid API data to train or improve Gemini models. Data is logged for up to 55 days for abuse detection only.
  • AI-generated listings may contain inaccuracies. You are responsible for reviewing all outputs before publishing.

7. Cookies

  • Supabase Auth — sets essential session cookies for authentication. These are strictly necessary for the app to function and do not require consent.
  • Vercel Analytics — cookieless. No tracking cookies.
  • Paddle — sets cookies during checkout for payment security. These are strictly necessary for processing transactions.
  • Crisp — sets session cookies only after you interact with the chat widget on our marketing website. Used solely for messaging, not tracking.
  • We do not currently use advertising, retargeting, or analytics tracking cookies. If this changes, we will update this policy and notify you.

8. Data Retention

  • Account data (email, name, profile) — retained while your account is active. Deleted within 30 days of account deletion.
  • Rendered images — retained until you delete them or your account. Removed within 30 days of account deletion.
  • AI-generated listings — retained until you delete them or your account. Removed within 30 days of account deletion.
  • Analysis images — not permanently stored. Processed in memory during sessions and discarded.
  • Request and usage logs — purged after 90 days.
  • Chat transcripts (Crisp) — retained for up to 1 year for support quality purposes.
  • Payment records — retained by Paddle for up to 7 years to comply with tax and financial reporting obligations.

9. Your Rights

GDPR (EEA/UK residents)

Under the General Data Protection Regulation, you have the right to:

  • Access (Art. 15) — request a copy of all personal data we hold about you.
  • Rectification (Art. 16) — correct inaccurate or incomplete data.
  • Erasure (Art. 17) — request deletion of your data (“right to be forgotten”), subject to legal retention obligations.
  • Restrict processing (Art. 18) — request that we limit processing to storage only while we verify contested data.
  • Portability (Art. 20) — receive your data in a structured, machine-readable format.
  • Objection (Art. 21) — object to processing based on legitimate interest.

We will respond to all requests within 30 days. Complex requests may take up to 60 days with prior notification. Requests are free unless manifestly unfounded or excessive.

Right to lodge a complaint: If you believe your data protection rights have been violated, you have the right to lodge a complaint with your local supervisory authority. A list of EU data protection authorities is available at edpb.europa.eu.

CCPA (California residents)

Under the California Consumer Privacy Act, you have the right to:

  • Right to know — what personal data we collect, the sources, purposes, and categories of third parties with whom we share it.
  • Right to delete — request deletion of your personal data, subject to legal exceptions.
  • Right to correct — request correction of inaccurate personal data.
  • Right to opt-out of sale/sharing — we do not sell your personal information. We do not share personal data for cross-context behavioral advertising.
  • Right to non-discrimination — we will not discriminate against you for exercising your privacy rights.

To exercise any of your rights, contact us at support@rendertize.com. We will verify your identity before processing any request.

10. Children's Privacy

The Service is intended for users aged 18 and older. We do not knowingly collect personal information from children under 13. If we become aware that we have inadvertently collected data from a child under 13, we will promptly delete that information. If you believe a child under 13 has provided us with personal data, please contact us at support@rendertize.com.

11. Security

We implement appropriate technical and organizational measures to protect your personal data, including encryption in transit (TLS) and at rest, access controls, and regular security reviews. In the event of a data breach that poses a high risk to your rights, we will notify affected users without undue delay and report to relevant supervisory authorities within 72 hours as required by GDPR.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or a prominent notice on the Service. The “Last updated” date at the top of this page reflects the most recent revision. Continued use of the Service after changes constitutes acceptance of the updated policy.

13. Contact

Data controller: Rendertize (rendertize.com), United States.

Privacy questions or requests: support@rendertize.com