Overview
rendrOS is built for CGI studios that work with European, UK, and UAE clients — many of whom must demonstrate GDPR compliance up the chain. This page summarises how we meet our GDPR obligations as a data controller for our marketing site and as a data processor for studio content.
Our role
- Controller — for visitors to getrendros.com, prospects, and our own employees
- Processor — for content that studios upload into rendrOS (your shots, your comments, your client data are yours)
Data subject rights
Under Articles 15–22 of the GDPR, individuals can exercise the following rights:
| Right | What it means | How to exercise |
|---|---|---|
| Access (Art. 15) | Get a copy of your data | Email us — 30-day SLA |
| Rectification (Art. 16) | Correct inaccurate data | In-app or by email |
| Erasure (Art. 17) | Delete your account & data | Settings → Delete account |
| Restriction (Art. 18) | Pause processing | Email us |
| Portability (Art. 20) | Export your data in JSON/CSV | In-app export |
| Object (Art. 21) | Stop marketing or profiling | Unsubscribe link or email |
Lawful bases we rely on
- Contract — providing the rendrOS service to paying customers
- Legitimate interests — running our business, securing the platform, improving the product
- Consent — marketing emails and non-essential cookies (opt-in)
- Legal obligation — tax, accounting, regulatory requests
International data transfers
Studio data is region-locked. UK studios are hosted in eu-west-2 (London). UAE studios are hosted in me-central-1 (Dubai). Where data must leave these regions for limited operational reasons, we rely on:
- EU Standard Contractual Clauses (2021/914)
- UK International Data Transfer Addendum
- Adequacy decisions where applicable
Breach notification
In the unlikely event of a personal data breach, we will notify the relevant supervisory authority within 72 hours as required by Article 33, and notify affected customers without undue delay where the breach is likely to result in a high risk to their rights.
Data Protection Impact Assessments
We conduct DPIAs for any new feature that involves systematic profiling, large-scale processing, or new categories of personal data. Summaries are available to enterprise customers under NDA.
Data Protection Officer
While we are not formally required to appoint a DPO under Article 37, we have nominated a Privacy Lead who is the single point of contact for all data protection matters. Reach them at hello@getrendros.com.
Certifications & commitments
- SOC 2 Type II — in progress, expected Q3 2026
- ISO 27001 — roadmap, target Q1 2027
- Cyber Essentials Plus (UK)
- Annual third-party penetration testing