Introduction
This Privacy Policy explains how rendrOS Ltd ("rendrOS", "we", "our", "us") collects, uses, stores, and protects personal information when you use our website (getrendros.com), product, or communicate with our team. We comply with the UK GDPR, the EU GDPR (where applicable), the UAE Personal Data Protection Law (PDPL), and the UK Data Protection Act 2018.
By using rendrOS, you agree to the practices described here. We last updated this policy on 1 May 2026.
Who we are
rendrOS is a software platform built for CGI and 3D rendering studios. We are the data controller for personal information collected through our marketing site and the data processor for content uploaded by studios into the rendrOS application.
- Legal entity: rendrOS Ltd
- Registered offices: United Kingdom and United Arab Emirates
- Contact email: hello@getrendros.com
Data we collect
We collect only the data we genuinely need to operate the service, communicate with prospects, and improve the product.
| Category | Examples | Source |
|---|---|---|
| Account data | Name, work email, studio name, phone (optional) | You provide it |
| Usage data | Pages visited, features used, IP address, device type | Automatic |
| Studio content | Project files, render references, comments, version history | Uploaded by you |
| Billing data | Card last 4, billing address, VAT/TRN | You provide it (processed by Stripe) |
| Support data | Email threads, screenshots, call recordings if consented | You provide it |
We do not collect special-category data (health, religion, biometrics) and we never buy data from third-party brokers.
How we use it
- To provide and operate the rendrOS application
- To send transactional emails (login credentials, invoices, account notices)
- To respond to your questions and provide support
- To send product updates if you opted in (you can unsubscribe at any time)
- To detect, prevent, and respond to fraud, abuse, or security incidents
- To comply with legal obligations (tax, accounting, lawful requests)
Legal basis for processing
Under UK/EU GDPR we rely on the following lawful bases:
- Contract — to deliver the service you signed up for
- Legitimate interests — to improve the product, prevent abuse, and run our business
- Consent — for marketing emails and non-essential cookies; you can withdraw consent at any time
- Legal obligation — for tax, accounting, and lawful requests
Who we share data with
We do not sell your data. We share it only with vetted sub-processors who help us run the service:
| Provider | Purpose | Region |
|---|---|---|
| Amazon Web Services | Hosting, storage, backups | UK (eu-west-2), UAE (me-central-1) |
| Stripe | Payment processing | UK / EU / UAE |
| Postmark | Transactional email | EU |
| Plausible Analytics | Cookie-less analytics | EU |
| Sentry | Error monitoring | EU |
A current list of sub-processors is available in our Data Processing Addendum.
Data retention
We retain account data for as long as your account is active, plus a 90-day grace window for recovery. After that, we delete or fully anonymise it. Billing records are retained for 7 years to meet UK and UAE tax requirements. You can request earlier deletion at any time.
Your rights
You have the right to:
- Access the personal data we hold about you
- Correct inaccurate or incomplete data
- Delete your data ("right to be forgotten")
- Restrict or object to processing
- Receive your data in a portable format
- Withdraw consent at any time
- Lodge a complaint with the UK ICO or your local supervisory authority
To exercise any right, email hello@getrendros.com. We respond within 30 days.
Security
We use TLS 1.3 in transit and AES-256 at rest. Studio files are stored in encrypted, region-locked S3 buckets. Access to production systems is restricted, audited, and protected by hardware MFA. We run an annual third-party penetration test and publish summary reports to enterprise customers on request.
International transfers
Data is hosted in the region your studio is registered in (UK or UAE). We do not transfer personal data outside these regions except for limited operational use of EU-based sub-processors, covered by Standard Contractual Clauses and the UK International Data Transfer Addendum.