Renaissance — Privacy Policy

Last Updated: June 1, 2026
Effective Date: January 1, 2026

This Privacy Policy explains how ExtraordinAi, the operator of the Renaissance application ("ExtraordinAi", "we", "us", "our"), collects, uses, shares, and protects information about you ("you" or "User") when you use Renaissance and related services (the "Service").

This Privacy Policy is incorporated into and forms part of our Terms of Service. By using the Service, you acknowledge that you have read this Privacy Policy.

1. Who We Are

ExtraordinAi operates Renaissance as a sole-developer project based in the State of New Jersey, United States. For the purposes of the EU General Data Protection Regulation ("GDPR"), the UK Data Protection Act 2018 ("UK GDPR"), and the California Consumer Privacy Act / California Privacy Rights Act ("CCPA/CPRA"), ExtraordinAi is the data controller of your personal information.

Contact for all privacy matters: [email protected]

2. Information We Collect

We collect only the information needed to provide the Service. We organize what we collect into categories that align with our App Store Privacy Nutrition Label.

2.1 Information You Provide

Category	Specific Data	Purpose
Contact Information	Email address	Account creation, sign-in, account-related communication
Account Information	Display name, profile preferences	Personalization and account identification
User Content	Journal entries (text), photos, audio recordings, tags, and any other content you upload to the Service	Core journaling functionality
Location (optional)	Approximate coordinates and place name attached to entries you create — only when you grant location permission	Auto-tagging entries with location
Communications	Content of any support messages you send us	Customer support

2.2 Information from Third-Party Sign-In Providers

If you sign in using Apple Sign-In or Google Sign-In, we receive your email address and a unique identifier from that provider. We do not receive your password. We do not access any other information from your Apple or Google account.

2.3 Information Automatically Collected

Category	Specific Data	Purpose
Device Identifiers	Device model, OS version, app version, advertising identifier (only if permitted via Apple's App Tracking Transparency framework)	Technical operation, security, fraud prevention
Diagnostics	Crash logs, performance data, error reports	Bug fixes, stability
Usage Data	Features used, screens viewed, interaction events (in aggregate / pseudonymized form)	Service improvement

We do not currently use any third-party tracking SDK that follows you across other apps or websites. If we ever add tracking analytics, we will update this Privacy Policy and request your permission via Apple's App Tracking Transparency dialog.

2.4 What We Do Not Collect

Your contacts, calendar, or other personal files outside the app
Your browser history or activity in other apps
Government identifiers (SSN, passport, etc.)
Financial account numbers or payment cards (Apple handles all subscription payments — we never see your card details)
Biometric data
Health information

3. How We Use Your Information

We use your information solely for the purposes listed below:

Purpose	Data Used	Legal Basis (GDPR / UK GDPR)
Provide the Service (store, display, sync your entries)	Account info, User Content, Device identifiers	Contract (Art. 6(1)(b))
Operate AI Features (semantic search, conversational chat)	User Content (text + image captions), embeddings derived from User Content	Consent (Art. 6(1)(a)) — revocable at any time in Settings → Privacy → AI Features (see Section 4.4)
Authentication and security	Email, device identifiers, login events	Legal obligation + Legitimate interest (Art. 6(1)(c), (f))
Customer support	Email, support messages, diagnostics	Legitimate interest (Art. 6(1)(f))
Maintain and improve the Service	Diagnostics, aggregate usage data	Legitimate interest (Art. 6(1)(f))
Comply with legal obligations	Account info, transaction records	Legal obligation (Art. 6(1)(c))
Send service-related emails (account verification, security alerts, terms updates)	Email	Contract (Art. 6(1)(b))
Optional marketing emails (only with separate opt-in)	Email	Consent (Art. 6(1)(a)) — revocable at any time

We will not use your information for any purpose materially different from those listed above without notifying you and, where required, obtaining your consent.

We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising.

4. AI Features — Specific Disclosures

Because AI processing is a core part of the Service, we want to be especially transparent about how it works.

4.1 What Happens When You Use AI Features

When you save an Entry, we send its text content and, for images, a caption automatically generated from the image to OpenAI for embedding generation. The resulting numerical embeddings (which are not human-readable) are stored in Qdrant Cloud, our managed vector database.
When you ask the AI a question, we send your question and relevant retrieved Entry text to Anthropic to generate a conversational answer.

4.2 AI Providers and Training

OpenAI, L.L.C. — Under OpenAI's API privacy terms, data sent to the OpenAI API is not used to train OpenAI's models by default. We do not opt in to data sharing.
Anthropic, PBC — Under Anthropic's Commercial Terms of Service, inputs and outputs sent through the Anthropic API are not used to train Anthropic's models.
Qdrant Solutions GmbH (Qdrant Cloud) — Qdrant stores numerical embeddings only. Qdrant does not have access to your original entry text or images. Qdrant does not use customer data for any purpose other than providing the storage service.

4.3 Limitations of AI Output

AI Output is generated by probabilistic models and may be inaccurate, incomplete, or fabricated. AI Output is not professional advice (medical, legal, financial, or otherwise). See Section 7 of our Terms of Service for the full disclaimer.

4.4 Your Consent for AI Features

Because AI Features require transmitting your User Content to third-party providers (OpenAI and Anthropic), we ask for your explicit, separate permission before any AI feature is activated. This permission is in addition to — and independent of — your acceptance of our Terms of Service.

First-use consent prompt. The first time you open Renaissance after creating or restoring an account, the app displays an AI Features Consent screen that discloses, in plain language: (a) what data is sent (your entry text, image-derived captions, and your chat messages); (b) who it is sent to (OpenAI, L.L.C. and Anthropic, PBC, as listed in Section 5); and (c) how those providers handle it (API processing only; no model training; see Section 4.2). The screen offers two choices: Enable AI Features or Not Now.
What happens if you decline or choose "Not Now". No User Content is sent to OpenAI or Anthropic. Core journaling — writing, browsing, editing, attachments, keyword search, and sync — remains fully available. AI-powered semantic search, conversational chat, and automatic image captioning are disabled until you enable them.
Reviewing and revoking consent. You may review or change your decision at any time in Settings → Privacy → AI Features. Revoking consent stops all new transmission of User Content to OpenAI and Anthropic immediately, and AI Features are disabled in the app.
Deletion of existing embeddings. Vector embeddings already stored in Qdrant Cloud (see Section 4.1) are deleted automatically when you delete the source Entry or your account (see Section 8). If you revoke AI Features consent and also want all existing embeddings deleted at that moment, you can request this via the in-Settings "Delete my AI search index" option or by emailing [email protected].
Re-enabling consent. If you later turn AI Features back on, new Entries you create or edit will be processed by AI Features going forward. Previously created Entries are not automatically re-indexed; the Settings screen provides a one-tap option to re-index past Entries should you want full coverage.

Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal (GDPR Art. 7(3)).

5. Third-Party Services and Sub-Processors

We use the following sub-processors to operate the Service. Each is bound by contractual data-processing terms requiring them to use your information only as needed to provide their service to us.

Sub-Processor	Function	Location of Processing	Privacy Policy
Supabase, Inc.	Authentication, primary database storage (entries, attachments), file storage	United States (AWS infrastructure)	supabase.com/privacy
Qdrant Solutions GmbH (Qdrant Cloud)	Vector database (embeddings for semantic search)	United States or European Union (varies by cluster)	qdrant.tech/legal/privacy-policy
OpenAI, L.L.C.	Text embedding generation and image caption generation	United States	openai.com/policies/privacy-policy
Anthropic, PBC	Conversational AI chat (Claude)	United States	anthropic.com/legal/privacy
Apple Inc.	Apple Sign-In, payments, push notifications, app distribution	United States	apple.com/legal/privacy
Google LLC	Google Sign-In (only if you choose Google to sign in)	United States	policies.google.com/privacy

We will update this list when sub-processors change. Material changes will be notified through the Service.

6. How We Share Your Information

We share your information only in these limited circumstances:

With sub-processors listed in Section 5, strictly for the purposes of providing the Service to you.
With legal authorities when required by valid legal process (subpoena, court order, regulatory request) or when we believe in good faith that disclosure is necessary to protect rights, safety, or property.
In a business transition — if ExtraordinAi is involved in a merger, acquisition, asset sale, or change of operator, your information may be transferred as part of that transaction. We will notify you and provide a meaningful choice if required by applicable law.
With your explicit consent for any other purpose.

We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. We do not provide your data to advertisers, data brokers, or marketing platforms.

7. International Data Transfers

We are based in the United States, and your information is processed in the United States. Some of our sub-processors may process data in the European Union (for example, Qdrant clusters in the EU).

If you are located outside the United States — including in the European Economic Area, the United Kingdom, Switzerland, Canada, or Australia — your information will be transferred to and processed in the United States, which may have different data protection laws than your country.

For transfers of personal data from the EEA, UK, or Switzerland to the United States, we rely on the following legal mechanisms:

Standard Contractual Clauses (SCCs) approved by the European Commission, included in our agreements with sub-processors that handle such transfers; and
Where applicable, our sub-processors' certifications under the EU-U.S. Data Privacy Framework, the UK Extension, and the Swiss-U.S. Data Privacy Framework.

You may request a copy of the relevant transfer safeguards by emailing [email protected].

8. Data Retention

We retain your information only for as long as needed to provide the Service or to meet legal obligations.

Data Type	Retention Period
Account information (email, profile)	For the lifetime of your account; deleted within 30 days of account deletion
User Content (entries, images, audio)	For the lifetime of your account; deleted within 30 days of account deletion
Vector embeddings in Qdrant	Same as User Content — deleted alongside the source entry
Authentication logs and security events	12 months, then deleted or anonymized
Diagnostic data and crash logs	90 days, then deleted or anonymized
Support correspondence	24 months from last interaction, then deleted
Tax, billing, and legal-compliance records	As required by U.S. and applicable tax law (typically 7 years)
Backups	Backup copies are cycled out within 90 days of deletion

When you delete your account through the in-app Settings → Account → Delete Account function, we begin the deletion process immediately and complete it within the timelines above.

9. Data Security

We protect your information with industry-standard technical and organizational measures, including:

TLS 1.2+ encryption for all data in transit
AES-256 encryption for data at rest (managed by AWS infrastructure underlying Supabase)
JWT-based authentication with short-lived access tokens
Role-based access controls that limit who can access production systems
Logging of all administrative access to user data
Regular dependency updates and security review of third-party SDKs

Important honesty disclosure:

Your data is not end-to-end encrypted. This means that, when technically necessary for support, debugging, or system maintenance, our technical staff may access your stored content. We access user content only when required, log such access, and treat user content as confidential.

No system can guarantee perfect security. If you suspect unauthorized access to your account, contact us immediately at [email protected].

10. Data Breach Notification

If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33;
Notify affected users without undue delay, by email and / or in-app notification, where the breach is likely to result in a high risk to those users (GDPR Article 34, and equivalent obligations under U.S. state breach-notification laws).

11. Your Privacy Rights

11.1 Rights Available to All Users

Regardless of where you live, you may:

Access the information we have about you
Correct information that is inaccurate or incomplete
Delete your account and associated data through the in-app Settings → Account → Delete Account feature
Export your data through the in-app data export feature, which provides your data in a structured, commonly used, machine-readable format (typically a ZIP archive containing HTML, JSON, and your original attachments)
Manage your AI Features consent — review or revoke at any time in Settings → Privacy → AI Features (see Section 4.4)

11.2 Additional Rights for Residents of the EEA, UK, and Switzerland (GDPR / UK GDPR)

You have the following rights under GDPR Articles 12–22 and equivalent UK/Swiss law:

Right of access (Art. 15) — confirm whether we process your data and obtain a copy
Right to rectification (Art. 16) — correct inaccurate or incomplete data
Right to erasure / "right to be forgotten" (Art. 17) — request deletion of your data
Right to restriction of processing (Art. 18) — limit how we use your data
Right to data portability (Art. 20) — receive your data in a portable format and transmit it to another controller
Right to object (Art. 21) — object to processing based on legitimate interests or direct marketing
Right to withdraw consent (Art. 7(3)) — for any processing based on consent, withdraw consent at any time
Right not to be subject to automated decision-making (Art. 22) — we do not make automated decisions producing legal or similarly significant effects about you
Right to lodge a complaint with your local supervisory authority (e.g., the UK Information Commissioner's Office at ico.org.uk, the Irish Data Protection Commission at dataprotection.ie, or your country's equivalent)

We will respond to verifiable requests within one month, extendable by two further months for complex requests (Art. 12(3)).

11.3 Additional Rights for California Residents (CCPA / CPRA)

If you are a California resident, you have the following rights:

Right to know what categories and specific pieces of personal information we have collected about you, the categories of sources, the purposes of collection, and the categories of third parties with whom we share it
Right to delete your personal information, subject to certain exceptions
Right to correct inaccurate personal information
Right to opt out of sale or sharing of personal information — we do not sell or share personal information for cross-context behavioral advertising, so there is no sale to opt out of, but this right is preserved
Right to limit the use of Sensitive Personal Information — your journal content may constitute Sensitive Personal Information; we use it solely to provide the Service and do not use it for inferring characteristics
Right to non-discrimination — we will not discriminate against you for exercising any CCPA right (e.g., we will not deny you the Service or charge a different price)

Categories of personal information collected in the past 12 months (per CCPA § 1798.130):

CCPA Category	Collected?	Sources	Disclosed to	Business Purpose
A. Identifiers (email, device ID)	Yes	You, automatically	Sub-processors in Section 5	Provide the Service
B. Customer records (account info)	Yes	You	Sub-processors in Section 5	Provide the Service
F. Internet activity (usage data)	Yes	Automatically	Sub-processors in Section 5	Improve the Service
G. Geolocation (approximate, optional)	Yes (if granted)	You	Sub-processors in Section 5	Tag entries with location
K. Inferences	No	—	—	—
Sensitive PI: Journal content	Yes	You	Sub-processors in Section 5	Provide AI Features
All other categories (biometric, health, financial, government IDs, professional, education, etc.)	No	—	—	—

To exercise any CCPA right, email [email protected] with the subject line "CCPA Request". We may need to verify your identity by confirming control of the email address associated with your account.

Pursuant to California Civil Code § 1789.3, if you have a complaint about the Service, you may contact the Complaint Assistance Unit of the Division of Consumer Services of the California Department of Consumer Affairs at 1625 N. Market Blvd., Suite N-112, Sacramento, CA 95834, or by telephone at (800) 952-5210.

11.4 Rights for Other Jurisdictions

Canada (PIPEDA): rights to access and correction; you may also complain to the Office of the Privacy Commissioner of Canada at priv.gc.ca
Australia (Privacy Act 1988): rights under the Australian Privacy Principles; complaints to the Office of the Australian Information Commissioner at oaic.gov.au
Other U.S. states (Colorado, Connecticut, Virginia, Utah, Texas, and others with comprehensive privacy laws): rights substantially similar to those in Section 11.2 and 11.3, including access, deletion, correction, portability, and opt-out of targeted advertising / sale

We honor all such rights to the extent applicable to you. Contact [email protected] to exercise them.

12. How to Exercise Your Rights

To exercise any privacy right described above:

In-app — for account deletion and data export, use Settings → Account in the Renaissance app (fastest)
By email — for any other rights request, contact [email protected]

To protect your information, we will verify your identity before fulfilling a request. We typically do this by sending a verification email to the address associated with your account.

If we deny your request, we will explain why and inform you of your right to appeal or to lodge a complaint with a supervisory authority.

13. Children's Privacy

The Service is not directed to children under 13. We do not knowingly collect personal information from children under 13.

If you are a parent or guardian and believe your child under 13 has provided us personal information without your consent:

Email us at [email protected] with your child's account email and your relationship to the child;
We will verify your relationship and delete the child's information and account within 30 days of verification.

This complies with the U.S. Children's Online Privacy Protection Act ("COPPA") and parallel obligations under GDPR (Article 8) and applicable state laws.

14. Marketing Communications

We may send you service-related emails (account verification, security alerts, important changes to these terms or to the Service). You cannot opt out of these emails while you have an active account.

We will send marketing or promotional emails only with your separate, explicit opt-in consent. You may withdraw that consent at any time by clicking the "unsubscribe" link in any marketing email or by emailing [email protected].

15. Cookies and Tracking Technologies

The Renaissance mobile application does not use cookies (cookies are a web-browser technology).

Our website (https://extraordinai.com) may use essential cookies for site functionality and, where you grant consent, analytics cookies. The website will display a cookie consent banner to EEA, UK, and California visitors as required by applicable law.

The Renaissance mobile application does not currently use any third-party tracking SDK that allows tracking you across other companies' apps or websites. If we add such tracking in the future, we will request permission via Apple's App Tracking Transparency dialog and update this Privacy Policy.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes affecting your rights or how we process your data, we will:

Update the "Last Updated" date at the top;
Notify you in-app and / or by email at least 14 days before the change takes effect;
Where required by law, obtain your renewed consent.

Your continued use of the Service after a Privacy Policy update constitutes acceptance of the updated terms. If you do not agree to the updates, you may delete your account before they take effect.

17. Contact Us

For any privacy question, complaint, or to exercise any of your rights:

ExtraordinAi
Email: [email protected]
Website: https://extraordinai.com

We aim to respond to all privacy inquiries within 5 business days and to fulfill formal rights requests within the legal timelines described in Section 11.

18. Apple Privacy Nutrition Label Summary

For convenience, here is how the data we collect maps to Apple's App Store privacy categories. This summary mirrors the disclosures in our App Store listing.

Data Linked to You:

Contact Info: Email Address
User Content: Journal text, photos, audio
Identifiers: User ID
Diagnostics: Crash data, performance data
Location (if granted): Coarse location

Data Not Linked to You:

Usage Data (aggregate, pseudonymized)

Data Used to Track You:

None