Renovo
Trust & safety

Security & disclosure

How Renovo protects service data and how researchers can report a potential vulnerability responsibly.

Effective July 16, 2026

01

Security program

Renovo uses administrative, technical, and organizational safeguards proportionate to the service and data. Measures include authenticated access, account-scoped authorization, transport encryption, protected cloud storage, expiring and single-decision quote links, payment-provider tokenization, restricted operational access, dependency review, and security logging. No system can guarantee absolute security.

02

Account-owner responsibilities

Use unique credentials and available device security, remove lost or former-worker devices, review recipients before sending private links, keep applications current, protect exported documents, and report suspected compromise promptly. Do not share individual credentials or publish private quote links.

03

What to report

Reports may cover a reproducible weakness in a Renovo-controlled website, application, API, authentication flow, authorization boundary, private-link control, or data-exposure path. Availability issues, support disputes, spam, and vulnerabilities solely in an unrelated third-party service are not security research reports.

04

Research rules

Use only accounts and data you own or have written authorization to test. Avoid social engineering, phishing, denial of service, destructive testing, persistence, malware, high-volume automation, physical attacks, privacy violations, or accessing another person's data. Stop immediately if private data is encountered and report only the minimum evidence needed to reproduce the issue.

05

Submitting a report

Use the public Support page and identify the message as a security report; authenticated in-app support is preferred for account-specific issues. Include the affected product and route, impact, reproducible steps, relevant time, and a safe proof of concept. Do not attach secrets, raw customer records, or exploit data beyond what is essential.

06

Our response

Renovo will triage good-faith reports, seek clarification when needed, validate impact, prioritize remediation, and communicate material status when practical. Renovo does not promise a bounty, a particular resolution, or a fixed response time. Public disclosure should be coordinated until users have had a reasonable opportunity to receive a fix.

07

Good-faith research

To the extent within Renovo's control, Renovo does not intend to pursue legal claims against research conducted in good faith and in full compliance with this policy. This statement does not authorize violations of law or third-party rights and cannot bind another organization, regulator, or law-enforcement agency.

08

Urgent account incidents

For suspected account takeover, exposed private links, lost devices, or unauthorized billing, stop using the affected session, secure the relevant email and device accounts, preserve non-sensitive timestamps, and contact authenticated support. Contact the payment provider or financial institution directly for payment-card emergencies.