Privacy Policy

1. General Information and Contact Details

Data Controller

The entity responsible for processing your data is Sascha Schwabbauer (sole proprietor of RenderDay).

Address: Oskar-Hoffmann-Str. 127, 44789 Bochum, Germany
Contact Email: support@renderday.com
Contact Phone: +49 234 544 50 610

If you have any questions about this Privacy Policy or about your personal data, you can contact us using the details above. Since we are a small enterprise, we have not appointed a formal Data Protection Officer; however, you can reach out to us directly with any privacy-related inquiries or requests.

2. Data Processing and Legal Basis

We only collect and process personal data that is necessary to provide our services, to comply with legal obligations, or with your consent. Below we explain what data we collect, how it is used in the RenderDay service flow, and the legal bases for processing.

2.1 Service Flow and Data Collection

When you use RenderDay's cloud rendering service, we process your data at various stages:

File Upload and Preprocessing:

You (the user) can upload your Blender project files to our platform. These files, which you provide, are stored on our servers and may be preprocessed (for example, we might analyze the file to estimate rendering requirements). The content of your Blender files is considered your data – we treat it confidentially and only process it to perform the rendering service. (Note: Your Blender files might incidentally contain personal data if you include any within the project. We handle all file content with the same care as personal data.)

Rendering Settings and Email Submission:

After uploading a file, you choose your desired rendering settings (such as resolution, frame range, output format, etc.). We will ask you to provide an email address where we can send notifications and the rendering results. At this stage, the only personal data we require is your email address (and any identifying information you include in your file or project name). We do not require your name, physical address, or other personal details for the rendering service itself – just a contact email to deliver results and updates.

Consent to Terms and Marketing:

Before you can start a render job, you must explicitly agree to our Terms of Service and this Privacy Policy (usually by checking an acceptance box). This ensures you are aware of how we handle your data. At the same time, you will have the choice to opt-in to marketing communications. This opt-in for our newsletter or promotional emails is voluntary and requires your explicit consent (we will not send you any marketing emails unless you affirmatively agree). You can use our service without consenting to marketing emails – this will not affect the core rendering service.

Email Confirmation (Double Opt-In):

After you submit your email and agree to our terms, we will send a confirmation email to the address provided. You need to click the confirmation link in that email to verify that the address is correct and that you have access to it. This double opt-in process helps us ensure the email belongs to you and prevents misuse. We log the time of confirmation and your IP address at confirmation for compliance records (proof of consent).

Cost Estimation and Payment via Stripe:

Once your file is uploaded and settings chosen, our system will calculate the estimated cost for the rendering job (based on factors like render time or resources needed). We will inform you of the price before rendering begins – typically we email you a quote or display it on the website. If you decide to proceed, you will be prompted to make a payment. Payments on RenderDay are handled through Stripe, a third-party payment processor. When you enter your payment details (such as credit card information), that data is collected directly by Stripe on our behalf. We do not store your full credit card number or CVV on our systems. Stripe may collect additional information for payment processing (e.g. billing address or ZIP code, to verify your card, and your IP address for fraud prevention). The only information we retain on our side is a payment confirmation, partial card details (such as the last four digits for reference), and transaction IDs – all other sensitive payment data is securely handled by Stripe (see Section 3 for more on third-party services). You will receive a receipt or invoice via email once payment is successful.

Rendering Process and Delivery of Results:

After payment (if required) is confirmed, our system will proceed to render your Blender file using our cloud rendering backend. This may take some time depending on the complexity of your project. During rendering, our system generates metadata (e.g. logs of rendering progress, resource usage, timestamps, etc.) to monitor the job. This metadata may include technical information but typically does not include your personal content beyond what's necessary to complete the job. Once rendering is complete, we will deliver the results to you. Delivery is usually done by providing a download link (for example, we might email you a unique link to download the rendered images or animation frames, or make them available in your account area). The output files themselves will be stored on our servers (or cloud storage) for you to retrieve. We may also send an email notification to inform you that the render is done. The email address is thus used to communicate status updates and provide the final results.

Support and Communication:

If you contact us for support (via email or through a support portal), we will collect whatever information you choose to provide in your inquiry. This could include your email, a description of the issue, and any attachments (which might include personal data if you send screenshots or additional files). We use this information solely to assist you and resolve your issue (see also Section 3 regarding our support platform, Freshdesk).

Automatic Data (Log Files):

When you interact with our website or service, our servers automatically record certain technical information in server log files. This data includes your IP address, the date and time of access, the pages or endpoints you accessed, error logs if something went wrong, and information about your browser and device (user agent). We collect this information to maintain our service's security and performance (for example, to detect malicious attempts or troubleshoot issues). These server logs are separate from the data you actively submit, and while they may identify you via IP address, we do not use them to profile you. Server log data is only used for technical purposes and is generally purged or anonymized after a short period (see Section 6 on retention).

Cookies and Tracking Technologies:

We use cookies and similar technologies on our website to ensure it functions correctly and to improve your experience. Some cookies are strictly necessary for the service (e.g. to remember your login or rendering session), while others are used only if you consent (e.g. analytics cookies). We detail how we use cookies in Section 4 below. In summary, when you first visit our site, you will be presented with a cookie consent banner to manage your preferences. Through this banner, you can consent to or decline non-essential cookies, such as those for Google Analytics or advertising. We honor your choices – except for essential cookies which are needed for the site to work, no non-essential cookies will be set unless you opt-in.

Personal Data We Collect:

In the course of the above, the personal data we process includes:

• Contact Data: Email address (required). We do not require your name, postal address, phone number, or other identifying details to use the core service (unless you voluntarily provide them during support or payment). In some cases, for billing (if an invoice is needed), we might request your name and address, but this would be explicitly asked and used only for invoice compliance.
• Content Data: The files you upload (Blender projects) and any content within them. These may or may not contain personal data depending on what you include in your project. We treat all user-uploaded content as private data.
• Payment Data: If a payment is made, Stripe will process your payment information. We (RenderDay) receive confirmation of payment, an order ID, and possibly partial billing info. We keep records of transactions (amount, date, your email, and the service rendered) for accounting purposes.
• Technical Data: IP address, device and browser type, operating system, referring webpage, and cookie identifiers. This comes from cookies, analytics tools, and server logs as explained. We may also capture confirmations (timestamps, IP) when you consent or sign the terms for legal record-keeping.
• Rendering Metadata: Data about the job itself, like render settings you chose, job start and end times, resource usage (CPU/GPU time), and any errors encountered. Typically, this metadata is linked to your job ID or email. We use it to bill correctly, optimize our service (e.g. to improve rendering times), and for support diagnostics if something goes wrong.

We do not use your personal data for any purposes other than those described in this policy. In particular, we do not sell your data to third parties or use it for automated decision-making or profiling beyond what is explained (there is no automated decision that affects your legal rights; any analysis we do is to provide the service or for analytics/marketing with your consent).

2.2 Legal Bases for Processing

Under the GDPR, we must have a valid legal basis for each use of your personal data. We rely on the following legal grounds:

Contract (Art. 6(1)(b) GDPR):

Most of the data processing we do is necessary for the performance of our contract with you – namely, to provide the RenderDay service that you requested. When you upload a file and request a render, a contract (even if not formal, it's a service agreement) is formed for us to process your data and deliver results. This legal basis covers: handling your Blender files, using your email to communicate and send results, processing payment, and all related operations that are necessary to render and deliver your project. If you decline to provide required information (like your email or payment), we cannot perform the service. Pre-contractual interactions (e.g. if you enter your email to get a quote) also fall under this basis as necessary steps at your request. In summary, we process your data to fulfill our obligations to you as a user/customer of RenderDay.

Consent (Art. 6(1)(a) GDPR):

We rely on your consent for certain types of processing that are not strictly necessary for the core service. This includes:

• Marketing Communications: We will only use your email to send newsletters, promotions, or updates about RenderDay's services if you have explicitly opted-in. You can choose to give or withhold this consent when you sign up (by checking the appropriate box), and you can withdraw consent at any time (e.g. via the "unsubscribe" link in emails or by contacting us). If you do not consent, we will not send you marketing emails.
• Analytics & Advertising Cookies: As described in Section 4, we ask for your consent before deploying any non-essential cookies or third-party tracking (such as Google Analytics or Google Ads remarketing cookies). Your consent, if given, is the legal basis for us and our analytics/advertising partners to collect data about your website use. If you do not consent, those tools remain inactive. You can also withdraw consent later by adjusting your cookie settings on our site.
• Other Optional Data Sharing: In some cases, we might ask your consent to use or share your data in a way that isn't covered by the other bases – for example, if we wanted to publish a testimonial or case study involving your render results, we would ask for your permission. If we ever process sensitive information (which we do not anticipate for a rendering service), we would also seek explicit consent.

Legitimate Interests (Art. 6(1)(f) GDPR):

We process certain data under the basis of legitimate interests, meaning the processing is necessary for purposes that are legitimate (lawful) interests of ours or a third party, and we have balanced these interests against your rights and freedoms. We only rely on this basis for data that has minimal impact on your privacy, and we always consider your rights. Examples:

• Security and Fraud Prevention: We collect and analyze IP addresses, log data, and usage patterns to protect our platform from attacks, detect fraud, and troubleshoot issues. It is in our legitimate interest to secure our service and ensure integrity. For instance, if we detect unusual activity (like many failed render attempts or possible misuse), we may investigate using log data.
• Error Logging and Performance Optimization: We use tools (like Sentry, see Section 3) to record software errors and performance metrics. This helps us fix bugs and improve the quality of our service. The data involved (e.g. an error stack trace, or high-level usage info) generally does not include personal user content beyond possibly an ID or technical info. We deem this a legitimate interest because maintaining a reliable service benefits both us and our users, and this processing has a limited impact on user privacy (it does not actively identify or profile individuals, and runs in the background for our internal purposes).
• Customer Support Records: When you contact support, we retain the communications and any related data. It's our legitimate interest to keep these records to effectively address your current issue and any future follow-ups, as well as to train our team and improve support. We limit what we keep and for how long, as described in retention (Section 6).
• Analytics with Pseudonymous Data (if any without consent): Generally, we will only run analytics with your consent. If we ever perform basic analytics in-house on anonymized or pseudonymized data (that doesn't require cookies), we might rely on legitimate interest to understand how our service is used and to improve it. This would only involve aggregate data that does not directly identify you (for example, compiling overall render job statistics).

We have assessed these legitimate interests against your privacy and concluded that our processing for these purposes is proportionate and does not override your rights, especially given the safeguards we have (such as minimizing data and honoring opt-outs). You have the right to object to processing based on legitimate interests at any time for reasons related to your situation (see Section 5 on your rights, including Art. 21 GDPR).

Legal Obligation (Art. 6(1)(c) GDPR):

In certain cases, we may need to process or retain personal data to comply with a legal obligation. For instance, financial laws in Germany require us to keep records of transactions (which may include personal data like your email or billing info) for a certain number of years. If we receive a lawful request from authorities (such as a court order or tax authority inquiry), we might process or disclose data as required by law. We will only do so when obligated, and we will inform you if permissible. Processing under this basis is not routine, but it is mentioned for completeness (e.g. invoice retention, compliance with audit requirements, or responding to data protection authorities).

Where we rely on your consent, you have the right to withdraw that consent at any time, as easily as it was given. Withdrawing consent will not affect the lawfulness of processing done before the withdrawal. If you withdraw or decline consent for optional processing, we will simply not process your data in that way (for example, you'll no longer receive marketing emails or we won't load analytics scripts).

3. Third-Party Services and Data Sharing

To provide the RenderDay service efficiently, we use several third-party services as processors or partners. This section lists each third-party service we use, the role they play in processing your data, and any relevant data transfer considerations (including transfers to countries outside the European Union, such as the United States). Whenever we share your data with service providers, we do so under strict contracts that bind them to protect your information (Data Processing Agreements under Art. 28 GDPR). If these providers are located in or have infrastructure in third countries (outside the EU/EEA), we ensure appropriate safeguards are in place, such as the European Commission's Standard Contractual Clauses (SCCs) for international data transfers, to maintain a high level of data protection. Below are the key third-party services we use:

Amazon Web Services (AWS) – Cloud Infrastructure

We use AWS (Amazon Web Services, operated by Amazon.com, Inc.) to host parts of our infrastructure (such as servers and storage buckets). This means that personal data you provide – including your uploaded Blender files, rendered outputs, and possibly database information – may be stored or processed on AWS servers. We choose AWS data centers in the EU (for example, in Frankfurt or other EU regions) whenever possible to store and process your data within Europe. However, AWS is a U.S.-based company, and it's possible that administrative access or backups might involve data transfer to the United States. We have a Data Processing Addendum with AWS that incorporates EU Standard Contractual Clauses to safeguard any transfers. AWS is obligated to handle personal data according to our instructions and the GDPR.

Role: Data Processor for hosting and storage.
Transferred data: Files, database content, and related data stored on AWS infrastructure.
International transfers: Possible (USA) – safeguarded by SCCs and Amazon's compliance commitments.

RunPod – Cloud GPU Compute Service

RunPod (RunPod, Inc.) is a service that provides on-demand GPU computing power. We utilize RunPod to run rendering jobs on powerful GPU instances in the cloud, which allows us to render your Blender projects quickly and efficiently. When a render job is executed on RunPod, your Blender file and necessary data are sent to a RunPod computing instance. We aim to select RunPod servers in the EU region for these tasks to keep data within Europe. However, RunPod is a global platform and the company is based in the US, so data may be transferred to or accessible from the US (especially if the best available GPU node is outside the EU). We have ensured through agreements that RunPod will process data in compliance with GDPR.

Role: Data Processor for rendering computation.
Transferred data: Blender project files and rendering output data needed to perform the computation.
International transfers: Possible (USA or other countries depending on server location) – protected by contractual safeguards (SCCs or similar measures).

Beam – Cloud Rendering/AI Service

Beam (Beam.cloud) is another cloud compute provider we use for rendering tasks or related heavy computations. Similar to RunPod, Beam provides scalable GPU resources. We might send your rendering job to Beam's infrastructure if we determine it is optimal for performance or load balancing. Beam's infrastructure may be globally distributed; while we try to utilize EU-based resources, Beam as a service might involve data transfer to non-EU countries. We will have a processing agreement in place with Beam as well.

Role: Data Processor for on-demand compute power.
Transferred data: Blender files and data required to render them on Beam's servers.
International transfers: Possible (including USA) – secured via standard data protection clauses.

Vercel – Web Hosting and Frontend Platform

Our website (including the user dashboard and upload interface) is hosted on Vercel. Vercel, Inc. is a U.S.-based company that provides a global content delivery network and serverless backend for our web application. When you interact with the RenderDay website, your requests are handled by Vercel's servers. This means any data you enter on the site (such as your email or project information) may pass through Vercel's systems. Vercel typically routes data to the nearest edge location to serve content quickly, which can be outside the EU (though Vercel has data centers worldwide, including Europe). We have a Data Processing Agreement with Vercel to ensure any personal data that flows through their platform is protected.

Role: Data Processor for hosting our web service and related backend functions (e.g., serverless functions that handle form submissions).
Transferred data: Any data submitted via our website (email, form inputs, etc.), which is transmitted and temporarily processed by Vercel's servers.
International transfers: Likely (Vercel is global, and headquartered in USA) – protected by SCCs. Vercel is committed to GDPR compliance and security.

Neon – Database Hosting (PostgreSQL-as-a-Service)

We use Neon (provided by Neon Tech, Inc.) as our managed PostgreSQL database service. Neon hosts the database that stores RenderDay's application data, such as user email addresses, job metadata (render settings, status, timestamps), and any other info needed for running the service (excluding large files which go to storage). The Neon service may physically store data in cloud servers; we configure it to use EU-based storage if available. Neon's company may be based in the US, so there is a possibility of data transfer or access from the US. We have a Data Processing Agreement with Neon and utilize SCCs to ensure that your database data remains protected and confidential.

Role: Data Processor for storing structured data (our primary database).
Data stored: Email address, job records, settings, logs of actions, and other account-related data.
International transfers: Possible (USA) – safeguarded via contractual clauses and Neon's compliance measures.

Cloudflare R2 and CDN – File Storage and Content Delivery

We use Cloudflare R2 for storing objects such as your uploaded Blender files and the rendered output files. Cloudflare, Inc. is a U.S.-based company that provides the R2 storage service and a Content Delivery Network (CDN). When you upload files to RenderDay, they may be stored in Cloudflare R2 buckets. Likewise, the results of your render (images, video, etc.) may be kept in R2 for retrieval. Cloudflare's infrastructure is global; R2 is designed to store data in a distributed way and serve it quickly to users via the CDN. We will prefer R2's European locations (if configurable) for data storage, but your data might be replicated in multiple regions for reliability. Cloudflare's network means that when you download your results or view our site, your data could be delivered from a server nearest to you (which could be outside the EU). Cloudflare is Privacy Shield certified (under the new EU-US Data Privacy Framework) and, importantly, we have SCCs and a data processing addendum in place with them.

Role: Data Processor for asset storage and delivery.
Transferred data: Files you upload, rendered outputs, and possibly derivative data (like thumbnails) stored on Cloudflare; also your IP address and technical data when served via CDN.
International transfers: Yes (Cloudflare's servers in US and worldwide) – mitigated by SCCs and Cloudflare's adherence to GDPR requirements.

Stripe – Payment Processing

We use Stripe to handle all credit card and payment transactions on RenderDay. Stripe Payments Europe, Ltd. (located in Ireland) is the Stripe entity that serves European customers, and Stripe, Inc. (USA) is the parent company. When you make a payment, the payment form is either embedded from Stripe or transmitted securely to Stripe's servers. Personal data related to payments (such as your credit card number, cardholder name, expiration date, CVC, and potentially your billing address or postal code) will be collected directly by Stripe. Stripe may also receive your IP address and device information for fraud detection. We (RenderDay) do not store your sensitive payment details on our own servers; we only receive from Stripe a confirmation of payment and basic details like the last four digits of your card, card type, and transaction ID. Stripe may process your payment data outside the EU (for example, in the US). However, Stripe is a global leader in payment security and is PCI-DSS compliant. We have a Data Processing Agreement with Stripe and, through Stripe's terms, the Standard Contractual Clauses are in place for any EU-US data transfers.

Role: Independent Data Controller for payment info (Stripe uses the data for fraud prevention and to process payments under their legal obligations), and Data Processor for us in terms of handling the transaction on our behalf.
Transferred data: Payment details, transaction amount, and your contact info as needed for payment (email, maybe name if provided for receipt).
International transfers: Yes (Stripe's infrastructure includes the US) – protected via Stripe's Binding Corporate Rules or SCCs. Note: Your use of Stripe is subject to Stripe's own privacy policy as well; we encourage you to read it on Stripe's website for more information on how they handle your data.

Google Tag Manager – Tag Management

We use Google Tag Manager (GTM) to manage various scripts on our website. GTM is provided by Google Ireland Limited (for EU region) and Google LLC in the USA. Important: Google Tag Manager itself is a tool that loads other services (like Google Analytics or Ads scripts); it does not collect personal information for its own purposes. However, when GTM loads, it may record generic information such as your IP address and browser details to fetch and run the tags. We ensure that any tags controlled via GTM (such as Analytics) are only executed if you have given consent via the cookie banner. GTM makes it easier for us to add and update code on our site without editing the site code directly.

Role: Data Processor (as part of our website's functionality).
Data handled: primarily configuration data and container scripts; GTM might incidentally process user identifiers or IP to trigger tags.
International transfers: Yes, possibly to the USA (Google LLC) – covered by Google's SCCs and data protection terms. Google Tag Manager will not deploy any non-essential cookies or trackers unless you've consented to those respective services.

Google Analytics – Web Analytics

With your consent, we use Google Analytics to collect data about how visitors use our website. Google Analytics 4 (the latest version) collects information such as what pages you visit, how long you stay, how you arrived at our site, your approximate geolocation (country/region based on IP), and technical information about your device and browser. This information helps us understand user behavior and improve our website and marketing. Data and privacy measures: We have configured Google Analytics to anonymize your IP address by truncating it within the EU (Google Analytics anonymization feature) so that Google should not store your full IP. The data Google Analytics collects is associated with a random identifier (cookies or device IDs); we do not know your name or exact identity from Analytics – just aggregated statistics (however, note that such data still counts as personal data under GDPR because Google may technically be able to link it). We only activate Google Analytics with your opt-in consent (banner choice).

Provider: Google Ireland Limited / Google LLC. The Analytics data is typically transmitted to Google's servers in the United States for processing. We have a Data Processing Agreement with Google for Analytics and use the EU's Standard Contractual Clauses to cover the transfer of data to the US, along with any additional measures Google offers. Google is certified under the EU-US Data Privacy Framework as of 2023, which indicates an adequacy for participating companies, but we still rely on SCCs as required.

Role: Google is a Data Processor for us when providing Analytics, but also to some extent a Controller for its own business purposes.
Data collected via Analytics: Online identifiers (cookie ID, device IDs), usage data (pages viewed, interactions, clicks), technical data (IP (anonymized), OS, browser, screen resolution, etc.), and referral data.
International transfers: Yes (to USA) – protected via SCCs and Google's compliance measures.
Opt-out: You can at any time withdraw consent for Google Analytics by adjusting our cookie settings or using tools like the Google Analytics opt-out browser add-on. Refusing or disabling Analytics will not affect the core functionality of our site.

Google Ads (Google Ads/AdWords Conversion Tracking & Remarketing) – Online Advertising

We may use Google Ads to promote our services. If we do, we also utilize Google Ads conversion tracking on our site to measure the effectiveness of our Google advertisements. For example, if you click a Google ad that leads you to RenderDay, Google Ads may place a cookie or pixel to track that you completed a certain action on our site (like signing up or starting a render). This helps us know which ads are successful. Additionally, we might use Google Ads Remarketing which means we could show you ads about RenderDay on other websites if you visited our site (this uses cookies to recognize that your browser visited RenderDay). These advertising features also rely on cookies or similar identifiers and will only be activated with your consent (through the cookie consent banner).

Data involved: a Google Ads cookie ID, your IP address, and event data (such as "user rendered a file on RenderDay" or "user visited pricing page") – all of which is pseudonymous. We do not see personally identifying info in this process, just aggregated ad reports.

Provider: Google Ireland/Google LLC. Data is processed by Google and may be stored in the USA. We have appropriate agreements in place, including SCCs, and Google as a processor for conversion data. For remarketing, Google and we might be considered joint controllers in some scenarios; nonetheless, your consent controls the usage.

International transfers: Yes (USA) under SCCs.
Opt-out: If you consented and later change your mind, you can disable marketing cookies on our site or adjust Google's ad settings to control personalized ads.

Google Fonts – Web Fonts Service

For a consistent and attractive appearance, our website uses Google Fonts to display certain fonts. These are font files provided by Google's servers. When your browser loads a page on our site that uses Google Fonts, it will attempt to download the font from Google (unless it's already cached on your device). In doing so, your browser connects to Google's font server, which may be located in the U.S. or elsewhere, and transmits your IP address and certain browser info (such as the font request, the browser type, language, and potentially a referer URL indicating our site). We do not see this data, but Google may log the requests. We understand that IP addresses are personal data, and external calls like this should be accounted for.

Legal basis: We have a legitimate interest (Art. 6(1)(f) GDPR) in presenting our website with a uniform look and feel; however, we are also mindful of recent German case law regarding Google Fonts. We are evaluating solutions to host these font files locally to avoid any data transfer to Google. Until then, we include Google Fonts in our cookie consent mechanism. This means, where feasible, we will not load Google Fonts from Google servers unless you have at least accepted functional/external media cookies or given equivalent consent.

Data shared with Google: IP address and device info as part of the font request.
International transfers: Yes, possible to Google in the USA – secured by Google's adherence to SCCs. If you prefer not to use Google Fonts, you can configure your browser to block them (the site should still work with a fallback font).

Google Workspace (Gmail) – Email and Productivity Platform

RenderDay's business communications (including the support@renderday.com email) are operated through Google Workspace, which is Google's suite of cloud services (Gmail, Google Drive, etc.). When you send us an email, it is processed and stored on Google's email servers. This means your email address, the content of your message, and any attachments will pass through and reside in Google's systems. Google Workspace for European customers is provided by Google Ireland Limited, but as a global service, data may be replicated to or accessible by Google LLC in the USA for maintenance or support. We have a Data Processing Agreement with Google for Workspace, and Google Workspace is generally GDPR-compliant (it offers SCCs and has committed to the EU's cloud code of conduct). We use Google Workspace to efficiently manage our communications and documents.

Role: Data Processor for us when holding emails or files containing personal data.
Data processed: Email communications (contact info and message content), documents or files we might store that include user data (e.g. an internal spreadsheet of active jobs associated with emails, stored in Google Drive).
International transfers: Possible (Google global infrastructure, including USA) – protected by SCCs. Rest assured, we treat any data in emails with confidentiality; we will only use your support emails to assist you and for internal reference.

Sentry – Error Monitoring

We use Sentry (provided by Functional Software, Inc.) to monitor and log application errors in our website and rendering pipeline. When an error or exception occurs in our system (for example, a webpage fails to load a component, or a rendering task throws an error), Sentry captures information about the error and the environment in which it happened. This typically includes: the error message, stack trace (the code that was running), and device information like browser type, OS, and possibly your user ID or IP address at the time of error. We do not intentionally send personal user content to Sentry, but it's possible that something like your email or file name could appear in a debug log or error context (we strive to scrub personal data from error reports). Sentry helps us diagnose and fix issues faster, improving the stability of RenderDay.

Provider location: Sentry is a U.S.-based company, and error data is sent to Sentry's servers (we believe they have EU servers available, but our current setup may send data to the U.S.). We rely on legitimate interest for this processing (maintaining a bug-free service is in everyone's interest), but we ensure it's done in a privacy-conscious way.

Role: Data Processor for error analysis.
Data transferred: Technical data about errors, which may include pseudonymous identifiers or incidental personal data like an IP or user agent.
International transfers: Yes (likely USA) – protected via a Data Processing Agreement and SCCs with Sentry. If you would like more information or have concerns about error logging, please contact us – but note that without such monitoring, we might not be able to promptly fix issues you encounter.

Freshdesk – Customer Support Platform

We use Freshdesk (by Freshworks, Inc.) as our support ticketing system. When you send an email to support@renderday.com or use a contact form on our site, your inquiry is funneled into Freshdesk for us to manage responses. Freshdesk will store your email address, the content of your message, and our subsequent correspondence. It helps us keep track of support requests and respond in an organized manner.

Data in Freshdesk: typically your name (if provided in the email or via signature), email, and the conversation contents. If you attach files or screenshots, those are stored too. Freshdesk is a service that might store data on servers in the United States or other locations. Freshworks (the parent company) is headquartered in the US and has significant operations in India as well. We have a Data Processing Agreement with Freshdesk, and they have committed to GDPR compliance (including SCCs for international data movement).

Role: Data Processor for handling support data on our behalf.
Transferred data: Contact info and support case details that you provide.
International transfers: Yes (USA/India) – covered by SCCs and Freshworks' corporate safeguards. We will only use information in Freshdesk to resolve your queries and for internal support analytics (e.g. how quickly we respond, common issues to fix). If you prefer not to use email, you can call us, but we may still log the call details in Freshdesk manually for tracking.

Aside from the above list, we will not share your personal data with third parties unless one of the following applies: (a) it is necessary to fulfill our contract (as with the services above), (b) you have given consent, (c) we are legally required to (e.g., a court order), or (d) it is necessary to protect your vital interests or those of another person. We do not engage in selling personal data to advertisers or unrelated third parties.

Whenever we do share data, we ensure the third party only gets the minimum information necessary for their role (data minimization) and that they are contractually bound to use it only for our specified purpose and keep it secure.

4. Cookies and Consent Management

Cookies are small text files that our website (or third-party services) store on your device (computer, smartphone, etc.) through your web browser. We use cookies and similar tracking technologies to provide and optimize our service. In compliance with GDPR and the German TTDSG, we differentiate between essential cookies and non-essential cookies, and we seek your consent for the latter category.

Essential Cookies (Required):

These cookies are necessary for the website and service to function properly. For example, when you log in or start a rendering session, we might use a session cookie to keep you logged in as you navigate between pages, or to remember the items in your upload queue. Other essential cookies might be used to remember your privacy preferences (so that the cookie banner knows you already made a choice) or to provide basic security and networking functions. Without these cookies, the service you have requested (rendering your files, keeping your session secure) cannot be provided properly. Legal basis: The use of essential cookies is based on our legitimate interest (Art. 6(1)(f) GDPR) in providing a functional service and on §25 (2) TTDSG (the German law which permits storing data on user devices without consent if it's strictly necessary for the service requested by the user). These cookies do not require prior consent. You cannot opt out of essential cookies via the cookie banner, because they are needed – however, you can configure your browser to block all cookies (or alert you), but note that some parts of the site may then not work.

Non-Essential Cookies (Analytics & Marketing):

These are cookies that we only set if you give permission. They are used to analyze your behavior on our site or to advertise to you. For instance, Google Analytics cookies track which pages you view and for how long, helping us improve the site. Google Ads/remarketing cookies help us show you relevant ads on other platforms and measure ad conversions. These cookies are not strictly needed for the core rendering service – they are helpful to us (and potentially to you for a better experience or relevant content), but we respect that they involve your personal data and preferences. Therefore, we ask for your consent before using these cookies. When you first visit our site (and periodically thereafter, e.g., if cookies are cleared or the policy changes), you will see a cookie consent banner. This banner lets you choose which categories of cookies to accept: e.g., "Analytics", "Marketing", etc. We use a consent management tool to record and honor your choices. If you opt "Accept All," you are consenting to all cookie categories we use. If you click "Reject" or decline certain categories, we will not load those cookies or the services associated with them. This granular consent approach ensures compliance with GDPR and TTDSG, which require that non-essential cookies be only set with active, explicit consent.

Cookie Consent (TTDSG & GDPR Compliance):

Under the TTDSG (Telekommunikation-Telemedien-Datenschutz-Gesetz) – the German law governing cookies – and the ePrivacy Directive, we must obtain your prior consent for any cookies or similar tech that are not strictly necessary for providing the service you requested. Additionally, if those cookies involve processing of personal data, the GDPR's consent requirements also apply (consent must be freely given, specific, informed, and unambiguous). Our cookie banner is designed to meet these requirements by giving you clear choices. We also provide an opportunity to read more in this Privacy Policy about what each type of cookie does (hence this section). You can choose to consent or not without being unduly pressured – for example, if you decline analytics cookies, you will still be able to use RenderDay's core features without any loss of functionality.

Changing Your Preferences:

If you have given consent to certain cookies, you can always change your mind later. We provide a way (usually via a "Cookie Settings" link on our website, often in the footer or in your account settings) for you to withdraw consent or adjust preferences. By clicking that link, you can reopen the consent manager and modify which cookies you allow. Alternatively, you can clear cookies in your browser – when you revisit our site, the cookie banner will appear again because we won't have a record of your prior consent. For email marketing, as mentioned, you can unsubscribe at any time. For analytics/ads, you can also use tools like browser extensions or the Do Not Track browser setting (though our site's handling of DNT signals will align with regulatory guidance).

Cookies Used on RenderDay:

To be transparent, here are examples of cookies or similar technologies we may use:

• Session Cookie (first-party, essential): keeps you logged in or stores job information temporarily.
• CSRF Token Cookie (first-party, essential): security cookie to prevent cross-site request forgery attacks.
• Cookie Consent Cookie (first-party, essential): remembers your choice regarding cookies so we don't ask every time.
• Google Analytics Cookies (third-party, non-essential): e.g., _ga, _gid, which identify your browser uniquely for analytics, and _gat which throttles request rate. These help count visits and understand site usage.
• Google Ads Cookies (third-party, non-essential): e.g., _gcl_aw (Google conversion linker) to help attribute conversions to ads, or cookies like IDE and ANID used by Google's DoubleClick/AdSense for displaying personalized ads (only if you consent to marketing).
• Freshdesk Cookie (third-party, could be essential if using support widget): If our site has a support chat or widget from Freshdesk, it might set a cookie to manage your session with support.
• Sentry (if any cookie, but likely not; Sentry usually uses local storage for error correlation, but not a tracking cookie on user side).

Additionally, we might use local storage or session storage in your browser for certain functionalities (for example, saving your last used render settings on your device for convenience). Those storage mechanisms are similar to cookies in concept. We treat them the same way regarding consent (if they are not essential, we'd ask first).

Third-Party Tracking Pixels:

Apart from cookies, we may use tracking pixels or scripts from third parties (like the Google Ads conversion pixel) which operate similarly by dropping a cookie or reading one. Our policy regarding consent covers these as well. No tracking pixel will be activated without your consent if it's not essential. If you give consent for marketing, that covers things like the Google Ads pixel or similar tools (Facebook Pixel, etc., if we ever use them in future – we will update this policy accordingly).

Do Not Track:

Some browsers offer a "Do Not Track" (DNT) feature that can send a signal to websites that you do not want to be tracked. Currently, there is no universal standard for how to interpret DNT signals. However, our practice is to honor your explicit choices in our consent banner. If you have already opted out of analytics and marketing via our banner, that is the preference we follow. If you have DNT enabled but still accept cookies on our banner, we will assume you consent to those selected cookies (since you could decline them in our interface). We will continue to monitor the industry standards for DNT and adjust if a clear standard emerges.

In summary, we aim to be fully transparent and compliant with how we use cookies. We only use non-essential cookies with your permission. We also provide you information about these cookies (via this policy and possibly via a "cookie details" section in the banner) so you know what you are agreeing to. Our goal is to balance useful functionality and analytics with respect for your privacy choices.

If you ever have questions about specific cookies or find any cookies on our site that you didn't expect, please contact us at support@renderday.com. We will assist and, if needed, adjust our practices.

5. Your Rights as a Data Subject

As a user of RenderDay and as a data subject under the GDPR, you have a number of important privacy rights. We respect your rights and have processes in place to help you exercise them. Below we outline these rights and what they mean:

Right of Access (Art. 15 GDPR):

You have the right to obtain confirmation from us as to whether or not we are processing personal data about you. If we are, you have the right to access that data and be provided with information such as the purposes of processing, the categories of data, the recipients (or categories of recipients) to whom the data has been disclosed, the envisaged storage period, and the source of the data (if not collected directly from you). In practice, this means you can ask us, "What information do you have about me?" and we will provide you with a copy of the personal data we hold on you, along with relevant details. The first copy is free of charge; for any additional copies, we may charge a reasonable fee based on administrative costs. (We will not charge for electronic copies delivered via email, for example.)

Right to Rectification (Art. 16 GDPR):

You have the right to ask us to correct or update any personal data we hold about you that is inaccurate or incomplete. For instance, if you believe we have an incorrect email address or you've changed your contact info, you can request a correction. We will promptly make the corrections upon verification. Many changes you can also do yourself (if we provide an account area to edit your profile or email), but in any case, we will assist to rectify errors.

Right to Erasure (Art. 17 GDPR):

Also known as the "Right to be Forgotten," this right allows you to request the deletion of your personal data in certain circumstances. You can ask us to erase your data, and we will do so without undue delay if: the data is no longer necessary for the purposes we collected it for; you withdraw consent (and we have no other legal basis to keep it); you object to processing based on legitimate interests and we have no overriding grounds to continue; we processed your data unlawfully; or erasure is required to comply with a legal obligation. Please note there are some exceptions where we may refuse deletion – for example, if we must keep certain data to comply with a legal obligation (such as tax records), or if the data is needed to establish, exercise, or defend legal claims. If we cannot delete data you requested, we will inform you of the reason.

Right to Restriction of Processing (Art. 18 GDPR):

You have the right to request that we limit the processing of your personal data in certain situations. This means we would store your data but not actively use it until the restriction is lifted. You can request restriction if: you contest the accuracy of your data (we'll restrict processing while we verify accuracy); or if the processing is unlawful but you prefer restriction instead of deletion; or if we no longer need the data but you need it retained for legal claims; or if you have objected to processing (see below) and we are considering whether our interests override yours. When processing is restricted, we will not do anything with your data except store it (and only process it as necessary for legal claims or if you consent or to protect another's rights). We will let you know before a restriction is lifted.

Right to Data Portability (Art. 20 GDPR):

You have the right to receive the personal data that you have provided to us in a structured, commonly used, machine-readable format, and you have the right to transmit that data to another controller without hindrance from us, where the processing is based on your consent or a contract and is carried out by automated means. In simpler terms, for data that we process electronically and that you gave us (for example, your account information, or the list of your render jobs), you can ask for a copy in a format like CSV or JSON so that you can import it into another service. If technically feasible, you can also ask us to directly transfer that data to another service provider on your behalf. Data portability applies to data you actively provided and also data generated by your activities (e.g. your usage history), but not to data we derived or inferred internally. We will comply with portability requests as far as it covers data we have about you in the relevant scope.

Right to Object (Art. 21 GDPR):

• Objection to processing based on legitimate interests: When we process data on the legal basis of legitimate interests (Art. 6(1)(f) GDPR), you have the right to object to that processing at any time, on grounds relating to your particular situation. This means if you have reasons to believe that our legitimate interest processing is impacting you negatively or you simply do not want it, you can object. If you do object, we will review your request and stop processing the data in that way unless we have compelling legitimate grounds that override your interests, rights, and freedoms, or unless we need to continue processing for the establishment, exercise, or defense of legal claims. For example, you can object to our use of your data for service improvement analytics under legitimate interest – and unless we have a strong justification to override, we would cease that processing for your data.
• Objection to direct marketing: Separately, if we process your data for direct marketing purposes, you can object at any time and we must stop. This is an absolute right and does not require any justification. If, for instance, you had consented to marketing emails and later you object (or simply unsubscribe), we will stop using your email for that purpose immediately and no questions asked. Even if you somehow receive marketing without explicit consent (which shouldn't happen in our case), you can always opt-out. We will treat any objection to marketing as a high-priority request. You can inform us of your objection to marketing through any channel – clicking "unsubscribe" in an email, or emailing us a request, etc., and we will promptly remove you from marketing lists.

Right to Withdraw Consent (Art. 7(3) GDPR):

Where we are processing your personal data based on your consent, you have the right to withdraw that consent at any time. This is similar to the above but specifically for consent. For example, if you consented to analytics cookies, you can later withdraw that consent by changing your cookie settings (then we will stop analytics for your visits). If you consented to receive newsletters, you can withdraw by unsubscribing. Withdrawal of consent does not affect the lawfulness of any processing we did before you withdrew. Once consent is withdrawn, we will stop the processing that relied on it. There are no formal requirements for a withdrawal – you can contact us and simply say "I withdraw my consent for X." We may ask you to verify your identity for security (so someone else can't withdraw your consent), but we make the process as simple as possible.

Right to Complain to a Supervisory Authority (Art. 77 GDPR):

In addition to the above rights that you exercise with us, you also have the right to lodge a complaint with a data protection supervisory authority if you believe our processing of your personal data violates data protection laws. You can do this in the EU member state where you live, where you work, or where the alleged infringement took place. For example, if you reside in Germany, you could complain to the authority in Germany. RenderDay is based in North Rhine-Westphalia, Germany, so our lead supervisory authority is the one in that state. We provide their contact details in Section 9 of this policy. We would, however, appreciate the chance to address your concerns directly before you approach a regulator – so please feel free to contact us and we will do our best to resolve any issue.

We will do our best to respond to your requests without undue delay and within one month at most, as required by GDPR. If the request is complex or we have received many requests, we can extend the deadline by two further months, but we would inform you about that extension.

Exercising Your Rights:

You can exercise any of these rights by contacting us at support@renderday.com or by mail/phone using the contact information in Section 1. There is no fee for making a request concerning your rights, except in rare cases of excessive or unfounded requests (then we might charge a reasonable fee or refuse, as permitted by law). When you contact us with a request, we may need to verify your identity to ensure we don't disclose data to the wrong person. This might involve asking you to reply from the email address we have on file, or asking for other identification if necessary. We will only use such identification data for verifying your identity and will delete it afterward.

Your rights are very important to us. We want you to feel in control of your information. If you need any assistance understanding or exercising your rights, just let us know – we are here to help.

6. Data Storage and Deletion

We keep your personal data only for as long as necessary to fulfill the purposes for which it was collected, or to comply with legal obligations. Different types of data may have different retention periods based on the context and legal requirements. Here is an overview of our data retention and deletion practices:

User Files and Rendered Outputs:

The Blender files you upload to RenderDay, as well as the resulting rendered output files (images, videos, etc.), are stored on our systems for a limited time. By default, we retain uploaded project files and renders for up to 3 months after your last edit or interaction with them. This retention allows you to re-download results or resume work on a project without having to re-upload files repeatedly. The 3-month period resets each time you actively use the file (for instance, if you re-render or make an edit, the clock starts again). If a file has not been accessed or updated in 3 months, it is considered inactive, and we will delete it from our storage. We will also delete the associated outputs. In some cases, we might send you a reminder before deletion or allow you to opt in to keep it longer, but the general rule is 3 months of inactivity = removal. You can also proactively delete your files from the platform at any time (and we will then remove them from our storage promptly, typically within a few days from all backups as well).

Metadata and Rendering Records:

We may retain metadata about your rendering jobs for longer periods, even after the files themselves are deleted. Metadata includes information like: job ID, user email, render settings, duration of render, resource usage statistics, and error logs. We keep this data to analyze service usage, troubleshoot issues, gather aggregate performance metrics, and improve our rendering algorithms. Whenever possible, we anonymize or pseudonymize this metadata over time so that it's not readily linked to your identity. For example, we might disassociate your email from historical job records after a certain period, keeping the job details but not who ran it. We might keep metadata (in identifiable form) for a period like 1-2 years for analytical purposes, and possibly aggregated data (with no personal identifiers) indefinitely for business intelligence. If any metadata is directly tied to your personal data and we have no ongoing need, we will delete or anonymize it according to the principles of data minimization.

Account Information and Contact Data:

If you have an "account" with RenderDay (for instance, if we implement user accounts tied to your email and a password), we will retain your account data as long as your account is active. If you request account deletion or if you haven't used our service for a very long time, we may deactivate and eventually delete your account data. Specifically, if you withdraw consent or ask to be forgotten, we will erase your email and any other personal identifiers, effectively deleting your account. If you simply stop using the service, we might retain your email and account info for a certain period (e.g., 1-2 years) in case you return, but this is subject to reevaluation. We don't want to hold onto data unnecessarily. We will periodically purge accounts that have been completely inactive for an extended duration. Prior to deletion, we may reach out to the email on file to confirm if the account can be removed, to avoid accidental loss.

Payment and Transaction Data:

Records of transactions (payments) are kept as long as necessary for accounting and tax purposes. In Germany, commercial and tax laws (e.g., AO and HGB) often require retention of financial records for 6 to 10 years. This means that even if you delete your account or files, we may need to retain certain information about payments you made to us (such as invoices, amount, date, and associated email or customer name) for the legally mandated period. Such data will be restricted to archive/storage for compliance only. We will not use it for other purposes after your relationship with us has ended, except as needed for audits or legal obligations. Once those retention periods expire, we will delete the data.

Communication Records:

If you contacted us via support or email, we may retain those communications for a period of time to have context for any follow-up issues and to improve our support process. Typically, support tickets and emails are kept for a few years (often 2-3 years) before being purged, unless you request earlier deletion. If you want us to delete a specific email thread or support ticket that contains personal data, and we have no ongoing need or legal obligation to keep it, we will certainly delete it upon request.

Server Logs:

Our server logs (which contain IP addresses and site visit information) are generally kept for a short duration, typically 90 days. We use this period to analyze any security incidents or debug issues. After 90 days, logs are either deleted or anonymized (e.g., we might retain aggregated statistics of site usage but not the raw logs). In cases of serious security events, we might retain relevant log excerpts for longer to support investigations or to cooperate with law enforcement, but those would be specific and isolated. Normal logs rotate out and are overwritten regularly.

Backups:

We perform regular backups of our systems to prevent data loss. These backups may contain snapshots of your data (files, database, etc.). If we delete data from our main systems (for example, you delete a file or request erasure of your personal data), that data will also be removed from active use. It's possible, however, that the data could remain in our encrypted backups for a short period until those backups expire and are overwritten. Our backup retention is typically up to 30-60 days. We do not use backup data for any active purpose except if needed for disaster recovery. We have processes to purge or securely destroy backups after their retention period. In the event we need to restore a backup (e.g., after a system crash), we will re-delete any data that had already been deleted (to honor your request) as soon as possible after restoration.

Legal Holds:

If we are in a situation where data must be retained due to a legal dispute, investigation, or similar situation (often called a "legal hold"), we will retain the data until it is safe to delete. This is an exception to normal schedules – for example, if we receive a preservation order or if data is needed as evidence, deletion might be paused for that data. We would ensure it's only used for that legal purpose during this time.

Once the retention period for any personal data expires, or if you validly request erasure, we will ensure the data is deleted or irreversibly anonymized. Deletion means removing the data from our active databases and deleting associated files. Anonymization means altering the data so that it can no longer be associated with you (for example, hashing an email, or stripping identifying components from a dataset).

If for technical or operational reasons complete deletion is not immediately possible (for example, data stored in a legacy archive or very large distributed systems), we will secure and isolate the data from any further processing until deletion is feasible.

In summary, we do not keep your personal data indefinitely. We have defined retention policies to ensure data is purged when no longer needed. If you have specific questions about how long a certain type of data is kept, feel free to contact us. We can provide tailored answers or make accommodations if necessary and lawful.

7. Security Measures

We take the security of your personal data very seriously at RenderDay. We implement a variety of technical and organizational measures (TOMs) to protect your data from unauthorized access, loss, alteration, or disclosure. While no system can be 100% secure, we follow industry best practices and continually improve our safeguards. Here's an overview of our security measures:

Encryption:

All communication between your browser and our website is encrypted using HTTPS (TLS encryption). This means that the data you transmit (like uploading a file or entering your email) is encrypted in transit and cannot easily be intercepted by third parties. For data at rest, we use encryption where supported by our infrastructure providers. For example, our databases and cloud storage buckets employ encryption at rest (often provided by AWS, Cloudflare, etc., with strong encryption algorithms like AES-256). Any backups we store are also encrypted. Additionally, sensitive data such as passwords (if any accounts) are hashed with secure algorithms (we do not store plaintext passwords).

Access Controls:

We limit access to personal data strictly to those who need it to perform their job. As a small team (sole proprietorship), this essentially means the owner/operators of RenderDay and select contractors if any (like a system admin or developer under strict confidentiality) have access. Every person with access is bound by confidentiality obligations. We implement access control mechanisms such as strong authentication for our administrative interfaces, and use principles of least privilege (each service or person only gets the minimum access needed). For example, our rendering servers can access the files to render them, but they may not have access to billing info; our support platform can see your email and support tickets but not your stored Blender files unless you send them.

Network Security:

Our servers are protected by firewalls and network security groups that restrict connections. We keep our software and dependencies up-to-date with security patches to protect against vulnerabilities. We utilize cloud security features (like AWS Security Groups, Cloudflare firewall rules) to mitigate threats such as DDoS attacks, SQL injection, XSS, and other web exploits. Our website is also behind Cloudflare's content delivery network and protection services, which adds an additional layer of defense against malicious traffic.

Monitoring and Logging:

We continuously monitor our systems for suspicious activity or anomalies. Our use of Sentry (error logging) and other monitoring means we get alerts if something is going wrong. We also monitor access logs for unusual patterns that could indicate security issues. If we detect any potential breach or issue, we have an incident response plan to address it promptly, including steps to mitigate harm and notify users or authorities as required by law.

Organizational Practices:

We ensure that data protection is considered in all aspects of our operations. This includes training any staff or helpers on privacy and security, using strong passwords and two-factor authentication for accounts, and avoiding any unnecessary printing or local storage of personal data. We also perform data protection impact assessments for high-risk processing (if applicable) to systematically analyze and improve our security posture.

Secure Development:

When developing the RenderDay platform, we follow secure coding practices. We also perform testing (including possibly security testing or code reviews) to catch vulnerabilities. We try to use well-vetted frameworks and libraries, and avoid deprecated or insecure components. Before deploying changes, we often test in staging environments to ensure stability and security.

Third-Party Security:

We choose reputable third-party providers (as listed in Section 3) that have strong security measures and certifications. Many of our providers (AWS, Cloudflare, Stripe, etc.) have industry-standard certifications like ISO 27001, SOC 2, etc. We review their security documentation and stay updated on any incidents or changes. Our Data Processing Agreements with them also require them to maintain appropriate security for the personal data they handle.

Physical Security:

Since we use cloud services, we do not maintain physical servers ourselves. The data centers used by our providers are physically secured (with measures like guards, access badges, biometric controls, CCTV, etc. as per their standards). Our own devices (like development computers) are encrypted and secured with passwords, and we ensure any local data is minimal and synced to secure cloud storage.

Payment Security:

As mentioned, we outsource payment processing to Stripe, which is PCI-DSS Level 1 certified. This is to ensure that any financial information is handled in the most secure manner by experts in payment security.

Penetration Testing:

From time to time, we may conduct or hire experts to conduct security audits and penetration tests of our systems to identify and fix any weaknesses. If we discover any vulnerability, we address it as a top priority.

Despite all these measures, it's important to note that no electronic storage or transmission is ever 100% secure. However, we strive to use commercially acceptable means to protect your personal information. We also encourage you to play a part in security: use a strong, unique password if you create an account with us, do not share your account details with others, and be cautious with suspicious emails or links (phishing attempts) that purport to be from us. We will never ask you for your password via email, for example.

In the unlikely event of a data breach that poses a risk to your rights and freedoms (e.g., if personal data is accidentally or unlawfully accessed by unauthorized parties), we will follow GDPR's breach notification requirements. This means we will notify the competent supervisory authority (Section 9 contact) within 72 hours of becoming aware, and if the risk is high, we will also inform you without undue delay (via email or prominent notice) with information on what happened and any steps you should take to protect yourself.

Our commitment is to continuously monitor and improve security to keep your data safe. If you have any specific concerns about the security of your data or if you suspect any vulnerability in our service, please let us know immediately through our contact channels.

8. Updates to this Privacy Policy

We may update or revise this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. When we make changes, we will post the updated policy on this page and update the "Last Updated" date at the top.

If the changes are significant, we will provide a more prominent notice of the update. For example, we might notify you via email (if you have provided one) or display a notification on our website when you log in or visit after the policy has been updated. This is to ensure you are informed of any material changes. Significant changes could include, for instance, adding new purposes for processing, introducing new third-party services that handle your data, or changing how your data is stored.

We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your data. It's important to us that you are aware of the current policy that applies to your use of RenderDay.

If you do not agree with any updates to the Privacy Policy, you may consider discontinuing use of our service. However, we hope our updates will always be in the direction of improved transparency and enhanced privacy protections. In any case, if you have an active account, and we have your email, we will do our best to notify you of major changes in advance.

For minor changes (clarifications, typos, or changes that do not impact your rights or our obligations), we may update the policy by posting the new version and changing the date, without a specific notification. This policy is always accessible on our website, so you can check the effective date and review any differences.

By continuing to use RenderDay after a new version of the Privacy Policy takes effect, you will be deemed to have accepted the updated terms (to the extent permitted by law). We will always note the effective date and possibly keep previous versions archived for reference. If you wish to see a prior version, you can contact us.

9. Supervisory Authority and Contact

If you have concerns about your data or wish to lodge a complaint, you have the right to contact the relevant data protection supervisory authority. RenderDay's lead supervisory authority in terms of GDPR compliance is the one in our jurisdiction of North Rhine-Westphalia, Germany. You can reach out to them using the following contact details:

Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen
(State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia)
Address: Kavalleriestraße 2-4, 40213 Düsseldorf, Germany
Phone: +49 211 38424 0
Email: poststelle@ldi.nrw.de
Website: https://www.ldi.nrw.de

This is the official authority overseeing data protection compliance for private companies in our region. You can contact them in German or English. They can provide guidance or take up your complaint if you believe your rights under the GDPR have been infringed by our company.

Of course, we sincerely hope we can address any issues by communicating with you directly. Your satisfaction and trust are extremely important to us. So please, if you have any issue, question, or complaint regarding your personal data or this privacy policy, do not hesitate to contact us first (at support@renderday.com or the mailing address in Section 1). We will do our utmost to resolve your concern to your satisfaction.

Thank you for reading our Privacy Policy. We aim to be transparent and straightforward in how we handle your personal data. Using RenderDay implies trust on your part, and we value that greatly. We are continuously working to keep that trust by safeguarding your data and respecting your privacy rights.

If you have any further questions about this Privacy Policy or any other privacy matter, feel free to reach out to us. We appreciate your interest in RenderDay and your understanding of our privacy practices. Happy rendering!