Privacy Policy

Last updated: 2026-05-10

What we collect

• HubSpot data via OAuth — deals, companies, contacts (names and emails), line items, and owner IDs. Limited to the scopes our HubSpot app requests.
• Account session — a signed first-party cookie (rf_session) keeps you logged in.
• Product analytics — anonymous usage events via PostHog, identified by a random ID stored in your browser. No personal information is sent. We do not use third-party advertising or cross-site trackers.

How we use it

We act as a processor of your HubSpot data; your organization remains the data controller. We use the data solely to provide the renewal-tracking service to B2B customers; the service is not intended for individuals under 16. We do not sell, rent, or share data for marketing.

Where it is stored

PostgreSQL on Render (US-Oregon). HubSpot tokens are encrypted at rest with Fernet, and all traffic uses HTTPS. We will notify affected customers within 72 hours of confirming a security incident affecting their data.

Sub-processors

• Render — hosting and database.
• HubSpot — source-of-truth integration.
• PostHog — product analytics.

We will update this list when material changes ship.

Retention

While your HubSpot is connected, we retain the data needed to provide the service. To delete it, disconnect HubSpot or email privacy@renewalflow.io. We will publish a defined post-disconnect retention window once one is implemented.

Your rights

You can access, export, correct, or delete your data — email privacy@renewalflow.io. EU residents have rights under GDPR; California residents have rights under CCPA.

Changes

We will email you and update the date above if anything material changes.

Contact

privacy@renewalflow.io