"Your data belongs to you. We collect only what is needed to run the engine. We do not sell it, share it with advertisers, or use it for anything beyond making RenderCurve work for you. Your strategies, scripts, and channel data are yours."
Last updated: May 2026
RenderCurve is operated by Pranav Pravin Mandlik, based in India. For data protection purposes, we are the Data Fiduciary under India's Digital Personal Data Protection Act 2023 ("DPDP Act"). For any data-related requests, contact us at privacy@rendercurve.com.
When you create an account, we collect your name, email address, and subscription tier. This data is required to provide you access to the platform. We use Supabase (Supabase Inc., USA) to store this data securely with AES-256 encryption.
Our order process is conducted by our online reseller Paddle.com. Paddle.com is the Merchant of Record for all our orders. Paddle provides all customer service inquiries and handles returns. RenderCurve never sees or stores your full payment card details. Paddle receives your name, email, and billing address to process your subscription. Paddle's privacy policy is available at paddle.com/legal/privacy.
If you connect your YouTube channel via Google OAuth (or paste a YouTube URL during onboarding), RenderCurve accesses public channel metadata and, with your consent, your private channel analytics on your behalf, using the YouTube Data API v3 and the YouTube Analytics API (Google LLC). RenderCurve's use and transfer of information received from YouTube API Services and other Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. RenderCurve never uploads, modifies, or deletes videos on your behalf.
The full disclosure of what we access, how we use it, who it is shared with, how it is stored and protected, how long it is retained, and how to delete it is documented in Section 3 — How RenderCurve Uses Google User Data below, written in the structure required by the Google API Services User Data Policy. You can review Google's Privacy Policy at https://policies.google.com/privacy and revoke RenderCurve's access to your Google account at any time via https://myaccount.google.com/permissions or from your RenderCurve account settings.
If you connect your Instagram account via Meta OAuth, we access your account insights using the Instagram Graph API (Meta Platforms Inc.). This includes follower count, post reach, impressions, saves, and engagement rate for your own posts. This data is used exclusively to provide you with growth tracking and strategy recommendations within RenderCurve. We do not access your private messages, stories content beyond public metrics, or any data beyond what is necessary for analytics. Raw API response data is processed immediately and not stored beyond 30 days, in compliance with Meta's Platform Terms. You can revoke Instagram access at any time from your account settings.
Scripts, hooks, titles, and strategy documents generated through RenderCurve are stored in your account vault. These belong to you. We do not read, analyse, or use your generated content for any purpose other than displaying it back to you.
We collect basic usage logs including which tools were used, timestamps, and success or failure of operations, for debugging and service improvement purposes. These logs are anonymised after 30 days.
This section documents — in the structure required by the Google API Services User Data Policy and the YouTube API Services Terms of Service — exactly how RenderCurve accesses, uses, shares, stores, retains, and deletes data obtained from your Google account when you sign in with Google or connect your YouTube channel.
Limited Use affirmation: RenderCurve's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
When you authorise RenderCurve via Google OAuth, you grant the following read-only scopes. RenderCurve never requests any write, upload, modify, or delete scope.
| OAuth scope | What this lets RenderCurve read |
|---|---|
openid & email | Your Google account email address and a stable Google subject identifier (sub). Used solely to create and identify your RenderCurve account. |
https://www.googleapis.com/auth/youtube.readonly | Read-only access to your YouTube channel's public metadata via YouTube Data API v3: channel ID, channel title, channel description, subscriber count, total view count, video count, and per-video metadata (video ID, title, description, thumbnail URL, publication date, view count, like count, comment count). |
https://www.googleapis.com/auth/yt-analytics.readonly | Read-only access to your YouTube channel's private analytics via YouTube Analytics API v2: daily views, daily subscriber gains and losses, click-through rate (CTR) on impressions, average view duration (AVD), average percentage viewed, traffic source breakdown (YouTube search, suggested videos, browse features, external, direct/unknown), and aggregated audience retention curves. |
Scopes RenderCurve does NOT request: youtube.upload, youtube (write), youtube.force-ssl, youtubepartner, or any other scope that would permit RenderCurve to upload, edit, delete, or post on your channel. RenderCurve cannot and does not perform any write actions on your YouTube account.
Google user data obtained through the scopes above is used only for the following purposes, all of which are user-facing features of RenderCurve:
Prohibited uses (matching Google's Limited Use requirements). RenderCurve does not:
Google user data is processed by the limited set of sub-processors listed below. We do not share Google user data with any other third party.
| Recipient | What they receive | Purpose | Their policy |
|---|---|---|---|
| Supabase, Inc. (USA) | OAuth tokens as AES-256-GCM ciphertext only (plaintext never leaves the application server); your Google email; derived Channel Intelligence Profile; monitoring snapshots. | Hosted Postgres database (Singapore region). | supabase.com/privacy |
| Render Services, Inc. (USA) | Application runtime; transient Google API responses held in process memory only during the request that fetched them. | Application hosting. | render.com/privacy |
| Anthropic, PBC (USA) — Claude API | Derived strategic context only: niche label, topic prompts, anonymised performance summary, and goals you have authored. Raw YouTube identifiers (channel ID, video IDs), raw analytics metrics, video titles, video descriptions, and OAuth tokens are never sent to Anthropic. | Generating user-facing strategy and content text. | anthropic.com/privacy |
RenderCurve does not share, sell, rent, or transfer Google user data to advertising networks, data brokers, analytics vendors, marketing platforms, model-training datasets, or any party outside the three sub-processors listed above. The full list of sub-processors is also published in our Data Processing Agreement.
Note on the Google Gemini API. RenderCurve uses Google's Gemini API for image generation and topical research. Gemini receives only topic and niche text that you have authored; it does not receive any data fetched from your Google or YouTube account (no channel metadata, no analytics, no OAuth tokens).
Note on payment processing. Paddle.com (our Merchant of Record for subscriptions) is not listed in the table above because Paddle does not receive any Google user data. Paddle only processes the billing information you enter at checkout (name, billing address, payment instrument); it has no access to your YouTube channel, your YouTube analytics, your OAuth tokens, or any data fetched from Google APIs. Paddle is described in Section 2.2 and listed in our broader third-party services table in Section 4.
Google user data is protected by the following technical and organisational measures:
TOKEN_ENCRYPTION_KEY) that is never present in client code, browser bundles, or version control. A unique 96-bit IV is generated per token and a 128-bit GCM authentication tag protects every record against tampering.ap-southeast-1).state parameter stored server-side with a 10-minute expiry; the state is validated and consumed exactly once.Retention schedule for Google user data:
| Google data category | Retention | Notes |
|---|---|---|
| Raw YouTube Data API v3 responses | Held in process memory only; not persisted beyond the request that fetched them, and never longer than 30 days even when transiently cached. | Per YouTube API Terms of Service. |
| Raw YouTube Analytics API v2 responses | Same as above. | Per YouTube API Terms of Service. |
| OAuth access token (encrypted) | Until automatic expiry (~1 hour) or user-initiated disconnect, whichever is first. | Refreshed silently using the refresh token. |
| OAuth refresh token (encrypted) | Until you click Disconnect YouTube or Delete Account, OR you revoke RenderCurve at myaccount.google.com/permissions. | We call Google's /revoke endpoint on disconnect. |
| Derived Channel Intelligence Profile | Duration of account; refreshed monthly. | Synthesised insight, not raw API data. |
| Strategy Blueprint | Duration of account; refreshed every 90 days. | Synthesised insight. |
| Monitoring snapshots (Layer 8/9 96h check-in) | Duration of account. | Stores compliance-risk summaries, not raw video data. |
Google email and account identifier (sub) | Duration of account. | Used only to identify your RenderCurve account. |
How to request deletion of your Google user data. Any of the four paths below is sufficient — choose whichever you prefer:
https://oauth2.googleapis.com/revoke to revoke RenderCurve's access to your Google account, (b) marks your connected-account record as disconnected, (c) deletes your user record (which cascades and removes all derived engine data — diagnostics, goal maps, topic runs, monitoring snapshots, and rescue analyses), and (d) removes your authentication identity. You are redirected to a deletion-status page with a confirmation code.After deletion, the only thing retained is payment records (name, email, billing address, transaction reference), kept for 7 years as required by Indian tax and accounting law. These records contain no Google user data — no channel data, no analytics, no tokens.
We are required to be transparent about every service that receives your data:
| Service | Purpose | Data shared | Their privacy policy |
|---|---|---|---|
| Supabase | Database & auth | Account data, channel profiles, generated content | supabase.com/privacy |
| Paddle | Payment processing | Name, email, billing address | paddle.com/legal/privacy |
| YouTube Data API v3 (Google) | Channel intelligence | Channel URL, public video metadata, statistics | policies.google.com/privacy |
| YouTube Analytics API (Google) | Private channel metrics | CTR, AVD, traffic sources — your channel only | policies.google.com/privacy |
| Instagram Graph API (Meta) | Instagram analytics | Follower count, post reach, engagement — your account only | privacycenter.instagram.com |
| Anthropic API | AI content generation | Topic inputs, niche, strategic context | anthropic.com/privacy |
| Google Gemini API | Image generation & research | Topic and niche context for image generation | policies.google.com/privacy |
We do not use any advertising networks, tracking pixels, or behavioural analytics services. RenderCurve is an ad-free platform.
We may use anonymised, aggregated data — for example, average engagement rates across creators in the same niche — to improve the accuracy of our strategy recommendations and niche benchmarks. This aggregated data contains no personally identifiable information, no channel names, no usernames, and no content. It is never sold or shared externally. To opt out of anonymised benchmarking, email privacy@rendercurve.com.
| Data Type | Retention Period |
|---|---|
| Raw platform API responses (YouTube, Instagram) | Processed immediately. Not stored beyond 30 days. |
| Channel Intelligence Profile | Duration of your account. Refreshed monthly. |
| Generated scripts, hooks, titles, strategies | Duration of your account. Auto-archived after 90 days of inactivity. |
| Strategy Blueprint | Duration of your account. Refreshed every 90 days. |
| OAuth tokens (AES-256 encrypted) | Until you disconnect the platform or delete your account. |
| Payment records | 7 years (legal requirement for financial records). |
| Usage logs | 30 days, then permanently anonymised. |
| Account data after deletion request | Deleted within 30 days of request. Payment records retained for legal compliance. |
Under India's DPDP Act 2023 and applicable international law, you have the following rights:
Access: Request a full export of all personal data we hold about you. Email privacy@rendercurve.com and we will provide a complete export within 7 days.
Correction: Update your name and email directly in account settings. For other corrections, contact us.
Deletion: Delete your account and all associated data from account settings, or email privacy@rendercurve.com. All data is deleted within 30 days, except payment records retained for legal compliance.
Restriction: Request that we stop processing your data in specific ways, subject to our legal obligations.
Portability: Request your generated content in a downloadable format.
Platform disconnection: Disconnect any connected platform account at any time from account settings, immediately revoking our access.
In compliance with Meta's Platform Terms, if you delete your Facebook account, Meta will send a data deletion request to our callback URL at https://www.rendercurve.com/facebook-data-deletion. Upon receiving this request, we will delete all associated data within 30 days. You can check the status of your deletion request at https://www.rendercurve.com/data-deletion-status.
We use three categories of cookies:
Essential cookies: Required for the platform to function. Login session cookies, CSRF protection tokens, and calibration flow progress. These cannot be disabled while using the platform.
Analytics cookies: Basic, privacy-respecting analytics to understand platform usage (which tools are most used, where users encounter problems). No cross-site tracking. No fingerprinting. You can opt out in account settings.
No advertising cookies: We do not use advertising cookies, retargeting pixels, or any third-party tracking. RenderCurve is an ad-free product.
We implement industry-standard security measures including AES-256 encryption for sensitive data at rest, HTTPS/TLS encryption for all data in transit, OAuth 2.0 for all platform integrations, server-side API proxy architecture ensuring API keys are never exposed client-side, and Row Level Security in our database ensuring users can only access their own data.
Your data may be processed by our service providers in the United States (Supabase, Anthropic, Google) and the United Kingdom (Paddle). These transfers are subject to appropriate safeguards including Standard Contractual Clauses where required. By using RenderCurve, you consent to these international transfers as described in this policy.
We may update this Privacy Policy from time to time. We will notify you of material changes by email to your registered address at least 14 days before changes take effect. The date of the last update is shown at the top of this page.
For privacy requests, data deletion, or questions about this policy:
Privacy: privacy@rendercurve.com
Support: support@rendercurve.com
Legal: legal@rendercurve.com
Operator: Pranav Pravin Mandlik, India