Renewley is operated by an individual based in the United States, doing business as Renewley ("Renewley," "we," "us," or "our"). Renewley is not currently organized as a separate legal entity. You can reach us any time at hello@renewley.com.
This policy applies to renewley.com, renewley.app, and the Renewley dashboard application (collectively, the "Service"), regardless of where in the world you're accessing it from.
We collect the minimum we need to run the Service and send you the reminders you ask for.
Anything you add to your Renewley vault — item names, providers, expiry dates, reference numbers, notes, attached photos or documents, and any cards you choose to link for autopay reminders. This is the data the Service exists to store, and it's encrypted as described in Section 3.
If you upgrade to Pro, your payment is processed entirely by Stripe. We never see or store your full card number, and we don't store any payment card data ourselves beyond knowing that you paid and on what date.
We don't run third-party analytics or ad tracking on Renewley. The only usage signals we keep are operational: when your trial started, whether you've completed onboarding steps, and whether you've used certain features (so we can show you the right prompts), all stored alongside your own vault.
Your vault is encrypted at rest using AES-256-GCM. The encryption key for your vault is not stored anywhere — it's derived on the fly, each time your data is read or written, from a server-side secret combined with your unique account ID, using a standard key-derivation function (HKDF-SHA256). In practice, this means that even someone with direct access to our database would see only encrypted bytes, not your items, notes, or attachments.
This protects your vault from unauthorized access to our storage. It does not protect against someone who has already signed into your Renewley account — so the usual advice applies: use a strong, unique password, and enable any additional sign-in protections your Google account offers if you sign in that way.
Pro and trial users can forward renewal emails to a personal Renewley address, or photograph a document, to have an item drafted automatically. Here's specifically what happens to that content:
m9t8nf5gtwsb0at@in.renewley.com). It is not protected by a password — its security depends on keeping it private, the same way you'd keep any other personal inbox address private. Anyone who has it could send drafts into your account, though they cannot see or modify anything already saved in your vault. You can regenerate this address at any time from the Add from Email settings, which immediately invalidates the old one.We rely on a small number of service providers to run Renewley. None of them are permitted to use your data for their own purposes, and we don't sell or share your data with anyone for advertising.
| Provider | What they handle |
|---|---|
| Clerk | Authentication (email/password and Google sign-in) |
| Cloudflare | Hosting, vault storage, and the encrypted database (Workers & KV) |
| Stripe | Payment processing for the one-time Pro upgrade |
| Resend | Sending reminder and draft-notification emails |
| Anthropic (Claude) | Reading scanned documents and forwarded emails to draft items |
| Vercel | Hosting the marketing website |
If you add a payment card to Renewley to get autopay-expiry reminders, we only ever store the card's nickname, network (e.g. Visa), last 4 digits, and expiry date. We never collect, transmit, or store your full card number, CVV, or any other detail that would let anyone actually use the card. This is by design — Renewley's card feature exists purely to remind you when a card is about to expire, not to process payments with it.
We use the information described above to:
We do not use your vault contents for advertising, and we do not sell your personal information to anyone.
Wherever you're located, you can:
If you're a California resident, these rights correspond to those described under the California Consumer Privacy Act (CCPA), including the right to know what personal information we collect and the right to request deletion. If you're located in the European Economic Area, UK, or Switzerland, these correspond to your rights under the GDPR, including the right of access, rectification, erasure, and data portability. We don't charge a fee to exercise any of these rights, and we won't discriminate against you for doing so.
We keep your vault data for as long as your account is active. If you delete an item, it's removed from your vault immediately (though it may persist briefly in backups before being purged). If you request full account deletion, we remove your vault, your trial/Pro status records, and your account record from our systems, typically within 30 days.
In addition to vault encryption (Section 3), we use HTTPS for all traffic, verify every request against your signed-in session, and verify Stripe webhook signatures to prevent forged payment events. No system is perfectly secure, and we can't guarantee absolute security, but we've designed Renewley so that even a breach of our storage would not expose readable vault contents.
Renewley is not directed at children, and we don't knowingly collect personal information from anyone under 16. If you believe a child has created an account, contact us at hello@renewley.com and we'll delete it.
If we make material changes to this policy, we'll update the date at the top of this page and, where appropriate, notify you by email. Continued use of Renewley after a change means you accept the updated policy.
Questions about this policy or your data? Reach us at hello@renewley.com.