diff --git a/.github/renovate.json5 b/.github/renovate.json5
new file mode 100644
index 000000000..6ffe37c8d
--- /dev/null
+++ b/.github/renovate.json5
@@ -0,0 +1,64 @@
+// SPDX-FileCopyrightText: (C) 2026 Intel Corporation
+// # SPDX-License-Identifier: Apache-2.0
+
+{
+ $schema: "https://docs.renovatebot.com/renovate-schema.json",
+ extends: ["config:base"],
+ description: "Renovate configuration for Tracker Service Conan C++ dependencies",
+ enabledManagers: ["conan"],
+ labels: ["dependencies", "renovate", "tracker"],
+ schedule: ["before 10am on the first day of the month"],
+ timezone: "UTC",
+ reviewers: ["saratpoluri", "dmytroye", "tdorauintc", "ltalarcz"],
+ packageRules: [
+ {
+ description: "Conan dependencies - group patch updates (including security fixes)",
+ matchManagers: ["conan"],
+ matchUpdateTypes: ["patch"],
+ groupName: "tracker conan patch updates",
+ schedule: ["at any time"],
+ prPriority: 15,
+ automerge: false,
+ },
+ {
+ description: "Conan dependencies - group minor updates",
+ matchManagers: ["conan"],
+ matchUpdateTypes: ["minor"],
+ groupName: "tracker conan minor updates",
+ },
+ {
+ description: "Conan dependencies - handle major updates individually",
+ matchManagers: ["conan"],
+ matchUpdateTypes: ["major"],
+ groupName: null,
+ labels: ["dependencies", "major-update", "tracker"],
+ },
+ {
+ description: "OpenCV updates - needs careful testing",
+ matchPackageNames: ["opencv"],
+ matchManagers: ["conan"],
+ labels: ["dependencies", "opencv", "needs-testing", "tracker"],
+ prPriority: 10,
+ commitMessagePrefix: "Tracker:",
+ commitMessageTopic: "OpenCV",
+ },
+ ],
+ conan: {
+ enabled: true,
+ fileMatch: ["tracker/conanfile.txt$"],
+ },
+ prConcurrentLimit: 5,
+ prHourlyLimit: 2,
+ commitMessagePrefix: "Tracker Conan:",
+ semanticCommits: "enabled",
+ platformAutomerge: false,
+ rebaseWhen: "behind-base-branch",
+ separateMajorMinor: true,
+ separateMinorPatch: false,
+ rangeStrategy: "pin",
+ vulnerabilityAlerts: {
+ enabled: true,
+ labels: ["security", "tracker"],
+ },
+ osvVulnerabilityAlerts: true,
+}
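Review bot: `extends: ["config:base"]` is the legacy preset name; current Renovate reports it as deprecated in favour of `config:recommended`, so `extends: ["config:recommended"]` keeps the validator output clean and picks up the maintained default rule set. The first package rule's description claims to cover security fixes, but only `patch` updates get `schedule: ["at any time"]`; a vulnerability fixed solely in a minor or major release falls under the monthly top-level `schedule`, and whether the `vulnerabilityAlerts` block bypasses that depends on the GitHub App behind the run having read access to Dependabot alerts, which this config cannot guarantee on its own — worth confirming and noting in the description. Minor: the second header line `// # SPDX-License-Identifier: Apache-2.0` carries a stray `#` inside a `//` comment; `// SPDX-License-Identifier: Apache-2.0` matches the first line and the form SPDX scanners expect.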
diff --git a/.github/workflows/renovate-config-validator.yml b/.github/workflows/renovate-config-validator.yml
new file mode 100644
index 000000000..eb9ab7fd4
--- /dev/null
+++ b/.github/workflows/renovate-config-validator.yml
@@ -0,0 +1,35 @@
+---
+# SPDX-FileCopyrightText: (C) 2026 Intel Corporation
+# SPDX-License-Identifier: Apache-2.0
+
+name: "[Updates] Validate Renovate configuration"
+
+on:
+ pull_request:
+ paths:
+ - ".github/renovate.json5"
+
+permissions: {} # No permissions by default
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ validate:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ steps:
+ - name: "Checkout configuration"
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+ with:
+ persist-credentials: false
+
+ - name: "Validate configuration"
+ run: |
+ # renovate: datasource=docker
+ export RENOVATE_IMAGE=renovate/renovate:43.24
+ docker run --rm --entrypoint "renovate-config-validator" \
+ -v "${{ github.workspace }}/.github/renovate.json5":"/renovate.json5" \
+ ${RENOVATE_IMAGE} "/renovate.json5"
diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml
new file mode 100644
index 000000000..f8a69460f
--- /dev/null
+++ b/.github/workflows/renovate.yml
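Review bot: The validator image is pulled by mutable tag in `export RENOVATE_IMAGE=renovate/renovate:43.24`, so the job executes whatever that tag resolves to on the day it runs, while the `actions/checkout` step two lines above is pinned to a commit digest; pin the image the same way, `export RENOVATE_IMAGE=renovate/renovate:43.24@sha256:<IMAGE_DIGEST>` (placeholder — take the digest from the registry), so the config-validation step has the same supply-chain guarantee as the rest of the workflow. The `# renovate: datasource=docker` marker above it will not keep that pin fresh either: the companion `renovate.json5` in this PR sets `enabledManagers: ["conan"]`, so no custom manager scans this workflow, and the marker as written also lacks the `depName=` part Renovate's regex convention keys on. Either enable a manager that covers the workflow or replace the marker with a plain comment such as `# Image tag and digest are bumped by hand; Renovate only manages Conan here.` so the next maintainer does not assume it is automated.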
@@ -0,0 +1,51 @@
+---
+# SPDX-FileCopyrightText: (C) 2026 Intel Corporation
+# SPDX-License-Identifier: Apache-2.0
+
+name: "[Updates] Renovate (Tracker Service)"
+on:
+ schedule:
+ # daily
+ - cron: "0 2 * * *"
+
+ # allow to manually trigger this workflow
+ workflow_dispatch:
+ inputs:
+ dry-run:
+ description: "Run Renovate in dry-run mode (no PR)"
+ required: false
+ default: false
+ type: boolean
+
+permissions: {}
+
+jobs:
+ renovate:
+ permissions:
+ contents: read
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: "Checkout code"
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+ with:
+ persist-credentials: false
+
+ - name: "Get token"
+ id: get-github-app-token
+ uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
+ with:
+ app-id: ${{ secrets.RENOVATE_APP_ID }}
+ private-key: ${{ secrets.RENOVATE_APP_PEM }}
+
+ - name: "Self-hosted Renovate"
+ uses: renovatebot/github-action@8b7941943a108b2cc2150730963164aa8baeab8c # v44.2.2
+ with:
+ configurationFile: .github/renovate.json5
+ token: "${{ steps.get-github-app-token.outputs.token }}"
+ env:
+ LOG_LEVEL: ${{ github.event_name == 'workflow_dispatch' && 'debug' || 'info' }}
+ # Dry run if the event is workflow_dispatch AND the dry-run input is true
+ RENOVATE_DRY_RUN: ${{ (github.event_name == 'workflow_dispatch' && github.event.inputs.dry-run == 'true') && 'full' || null }}
+ RENOVATE_PLATFORM: github
+ RENOVATE_REPOSITORIES: ${{ github.repository }}
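Review bot: This workflow has no `concurrency` block, unlike the validator workflow in the same PR, so a `workflow_dispatch` run started while the nightly `schedule` run is still active puts two Renovate processes on the same repository with the same App token, racing on branch creation and rebases; add at workflow level `concurrency:` / `  group: ${{ github.workflow }}` / `  cancel-in-progress: false` (false rather than true so an in-flight run is not killed part-way through a rebase). The `RENOVATE_DRY_RUN` expression compares `github.event.inputs.dry-run == 'true'` against the string form, which is correct for `github.event.inputs` even with `type: boolean`, but it is a common trip-up; extending the comment above it to `# github.event.inputs values are strings, hence the comparison with 'true'` saves the next reader a lookup. The job itself holds only `contents: read` and every write goes through the token from the `create-github-app-token` step, which is the right shape — the App's installed permissions, not this file, are now the effective privilege boundary, so keep them to what Renovate needs (contents, pull requests, and Dependabot-alerts read if the `vulnerabilityAlerts` block in `renovate.json5` is to work).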