Privacy Policy
Last updated: 2026-05-25
What we collect
- HubSpot data via OAuth — deals, companies, contacts (names and emails), line items, and owner IDs. Limited to the scopes our HubSpot app requests.
- Account session — a signed first-party cookie (
rf_session) keeps you logged in. - Product analytics and error reports — anonymous usage events and unhandled errors (exception message, stack trace, file path, line number) via PostHog, identified by a random ID stored in your browser. We do not capture request bodies, cookies, authorization headers, or OAuth tokens. We do not use third-party advertising or cross-site trackers.
How we use it
We act as a processor of your HubSpot data; your organization remains the data controller. We use the data solely to provide the renewal-tracking service to B2B customers; the service is not intended for individuals under 16. We do not sell, rent, or share data for marketing.
Where it is stored
PostgreSQL on Render (US-Oregon). HubSpot tokens are encrypted at rest with Fernet, and all traffic uses HTTPS. We will notify affected customers within 72 hours of confirming a security incident affecting their data.
Sub-processors
- Render — hosting and database.
- HubSpot — source-of-truth integration.
- PostHog — product analytics.
We will update this list when material changes ship.
Retention
We retain your data while your HubSpot remains connected. You can request deletion at any time by emailing privacy@renewalflow.io. We also delete data for accounts that have neither synced HubSpot nor maintained an active subscription for more than 12 months.
Your rights
You can access, export, correct, or delete your data — email privacy@renewalflow.io. EU residents have rights under GDPR; California residents have rights under CCPA.
Changes
We will email you and update the date above if anything material changes.