Privacy Policy

This English translation of the privacy notice is provided for convenience and for better understanding only.
In the event of any inconsistency or conflict between this English translation and the original German version, the German version shall prevail and shall be the legally binding version.
Only the German privacy notice (“Datenschutzerklärung”) is legally authoritative and governs the processing of personal data by rentcard in accordance with the GDPR.”

Privacy policy for the use of rentcard.app, rentcard.id and the web-based service of rentcard GmbH
When you use this website, we, as the data controller, process your personal data and store it for the period necessary to fulfil the specified purposes and legal obligations. Below, we provide information about what data is involved, how it is processed and what rights you have in this regard.
According to Art. 4 No. 1 of the General Data Protection Regulation (GDPR), personal data is any information relating to an identified or identifiable natural person (hereinafter referred to as ‘data subject’ or ‘user’).

1. Name and contact details of the person responsible for processing

rentcard GmbH
Leopoldstraße 169 a
80804 Munich
Germany

(hereinafter referred to as ‘rentcard’)
E-Mail: info[at]rentcard.id
Phone: +49 89 2154576

Managing Directors:
Dr. Hendrik Braun

Munich, Munich District Court
Commercial register number: HRB283986
USt-ID.: DE361929808

If you have any questions about data protection law or your rights as a data subject, you can contact privacy@rentcard.id directly at any time.

2. Storage period for personal data

In principle, your personal data will be deleted as soon as it is no longer required for the purpose for which it was collected.

The data in your user account will be stored as long as the user account is not deleted.

Insofar as we are subject to statutory retention periods, we will store the data until these expire. Upon termination of the contractual relationship, we will block your user account.

At the latest six (6) months after the end of the contract or 12 months after the last activity or login, we will permanently delete your user account, including all personal data.

This does not apply if we still need the data in question to enforce claims against you or if we are legally or contractually obliged to retain the data. If the user’s data is not deleted in order to comply with contractual or legal obligations, its processing will be restricted.
The data will be blocked accordingly and will not be processed for other purposes. This applies, for example, to user data that must be retained for commercial or tax law reasons.

3. Processing of personal data and purposes of processing

a) Web hosting

We use the web hosting service provided by Google Cloud EMEA Limited (70 Sir John Rogerson’s Quay, Dublin 2, Ireland) in the data centre in 9909 TA Eemshaven (hereinafter: ‘Google’) to provide this website.

The provision of a website requires the commissioning of a web hosting service. The use of Google is based on Art. 6 (1) (f) GDPR due to our legitimate economic interest in providing our services on this website. In connection with hosting, Google processes personal data on our behalf that is collected when using the website.

We have concluded a data processing agreement with Google. Through this agreement, the service provider assures that it will process the data in accordance with the General Data Protection Regulation and guarantee the protection of the rights of the data subject.

b) When visiting the website

You can visit the website www.rentcard.app without having to disclose any information about your identity. The browser used on your device automatically sends information to our website’s server (e.g. date and time of access, name and URL of the file accessed, browser type and version, website from which access is made (referrer URL)).

This also includes the IP address of your requesting device. This is temporarily stored in a so-called log file and automatically deleted after 12 weeks:

The IP address is processed for technical and administrative purposes of establishing and stabilising the connection in order to ensure the security and functionality of our website and to track any illegal attacks on it.

The legal basis for processing the IP address is Art. 6 (1) (f) GDPR. Our legitimate interest arises from the aforementioned security interest and from the need to ensure the smooth provision of our website.

We cannot draw any direct conclusions about your identity from the processing of the IP address in the log file.

In addition, we use cookies and analysis services when you visit our website. You can find more detailed explanations on this in sections 4 and 5 of this privacy policy.

c) When ordering a tenant pass

You can have us create a digital tenant pass for you.

We require the following information from you to process your order:

* First name, surname, telephone number and
* a valid email address.

We will only store your personal data if you have voluntarily given us your consent in accordance with Art. 6 (1) (a) GDPR.

Your data will be automatically deleted for further use as soon as the purpose of storage no longer applies. unless we are obliged to store it for a longer period in accordance with Article 6(1)(c) GDPR due to tax and commercial law storage and documentation obligations (from the German Commercial Code, Criminal Code or Fiscal Code) or you have consented to further storage in accordance with Article 6(1)(a) GDPR.

d) Use of the account information service

We use an account information service (‘AIS’) that has the relevant PSD2 authorisation from BaFin to create your tenant pass.

To retrieve your bank details, you need the access data for your respective bank accounts (‘access data’), which you enter directly at your bank via a corresponding interface. This gives us access to your account data, i.e. data on incoming and outgoing payments from your bank, credit card and/or payment service accounts that you have activated on the platform by entering your bank details or access data. This data is provided to us on the basis of your consent to your account-holding institution.

We process this data, as well as any related information, in order to provide the services you have requested in connection with the creation of the tenant pass, e.g.

to create the tenant pass you have ordered
to provide it to you for your information
to make it available to our cooperation partners, if this is necessary to provide further services requested by you.

This is carried out via partner services that comply with data protection regulations. You can find more details about the service providers used in section 4 III) a) ff. of these data protection provisions.

e) When creating the tenant pass (account entries)

The creditworthiness and account data you provide during your use of the service, as well as the account transactions read from your account, are used to create the tenant pass.

This is done using an automatic algorithm that searches the account transactions for payment transactions such as salary payments and rent payments and their frequency over the past three to twelve months and uses them to calculate totals and/or average values.

Storage period for tenant pass content (account data evaluation): The tenant pass is generally valid for 90 days after creation. After expiry, the associated content is automatically removed from the active profile. No later than six (6) months after the last activity in the user account or no later than twelve (12) months after the last login, whichever occurs first, we will delete the personal data of the tenant pass, provided that there are no legal retention periods that prevent this or the data is still required in exceptional cases to assert, exercise or defend legal claims. Statutory retention obligations (e.g. from AO/HGB) and the general periods described in section 2 remain unaffected.

This data processing is necessary for the fulfilment of the creation of the tenant pass, Art. 6 para. 1 sentence 1 lit. B GDPR.

f) Use of self-disclosure in the tenant pass

To create the tenant pass, additional data is also processed as part of a tenant self-disclosure, and rentcard uses the personal master data you have provided.

In order to be able to make full use of the self-disclosure in the tenant pass, we also require additional personal information (personal master data) from you, such as:
* Address
* Number of rooms
* Age
* Gender
* Nationality
* Net household income
* Smoking habits
* Telephone number

Storage period for the self-disclosure: The information in the self-disclosure is used in accordance with the validity of the tenant pass and is removed from the active profile after expiry. No later than six (6) months after the last activity in the user account or no later than twelve (12) months after the last login – whichever occurs first – we will delete the personal data from the self-disclosure, provided that there are no legal retention obligations or, in exceptional cases, the data is still required for the assertion, exercise or defence of legal claims.

Statutory retention obligations (e.g. under the German Fiscal Code (AO) or the German Commercial Code (HGB)) and the general periods described in section 2 remain unaffected.

After the expiry of the period, your data will be automatically deleted for further use, unless we are obliged to store it for a longer period in accordance with Article 6(1)(c) GDPR due to tax and commercial law storage and documentation obligations (from HGB, StGB or AO) or you have consented to further storage in accordance with Art. 6 (1) (a) GDPR.

In addition to the basic functions of the tenant pass, rentcard offers various optional additional functions that users can use to expand or verify their rental application (e.g. through identity verification, credit checks or deposit guarantees).

These functions are only activated if the user expressly selects them and process personal data exclusively for the respective purpose described below.

This is carried out via partner services that comply with data protection regulations. For more information on the service providers used, please refer to section 4 III) a) ff. of these data protection provisions.

g) Use of credit checks

Users have the option of having a credit check carried out via the platform in order to supplement their rental application with credit information or to allow a landlord to access such information. For this purpose, personal data such as name, address and date of birth are processed in order to obtain credit information from an affiliated credit agency.

The processing is carried out

in the case of information requested by the user on the basis of Art. 6 (1) lit. b GDPR (performance of a contract) and
in the case of a query on behalf of a landlord on the basis of Art. 6 (1) lit. f GDPR (legitimate interest in checking solvency).

rentcard only receives the result of the credit check (e.g. score or existence of a negative characteristic) or a certificate from the credit agency and makes this available to the user in their profile. Data will only be passed on to third parties with the express consent of the user.

This is carried out via partner services that comply with data protection regulations. For more information on the service providers used, please refer to Section 4 III) a) ff. of these data protection provisions.

h) Roles and responsibilities in credit assessment

The technical processing of the credit check is carried out by third-party providers in compliance with data protection regulations. rentcard transmits personal data exclusively within the scope of the selected function and only to the extent necessary to carry out the check.

In the case of a credit check commissioned by the prospective tenant, rentcard acts as a technical intermediary for the credit check request. The prospective tenant remains the controller within the meaning of Art. 4 No. 7 GDPR. The processing of personal data is carried out in accordance with the data protection information of the respective credit agency commissioned (see Section 4 III) a) ff).

In the case of a credit check commissioned by the landlord, rentcard acts as a processor within the meaning of Art. 28 GDPR. In this case, rentcard processes the data exclusively on behalf of the landlord, who in turn confirms the existence of a legitimate interest.

There is no joint responsibility under Art. 26 GDPR. Legal responsibility lies with the party that commissioned the check.

The credit check is an optional service. Processing only takes place if the user actively selects this function. It is carried out by partner services that comply with data protection regulations. For more information on the service providers used, please refer to Section 4 III) a) ff. of these data protection provisions.

i) Use of digital identity verification

Users can perform a digital identity check within the scope of certain functions in order to confirm their details and verify their profile. This involves the processing of personal data such as name, date of birth, ID details (e.g. document type, validity, issuing country) and photo or video sequences (e.g. liveness check).

The purpose of the processing is to identify the user, prevent misuse and ensure the authenticity of the application documents. The legal basis is Art. 6(1)(b) GDPR (performance of a contract); if the user expressly consents, Art. 6(1)(a) GDPR (consent) also applies.

The technical implementation of the identity check is carried out by an identification service commissioned by rentcard that complies with data protection regulations. rentcard transmits personal data only to the extent necessary to carry out the check and receives only the check result (e.g. ‘verified’ or ‘not verified’). rentcard does not store any ID data, image or video material.

Identity verification is an optional service. Processing only takes place if the user actively selects this function. It is carried out by partner services that comply with data protection regulations. For more information on the service providers used, please refer to section 4 III) a) ff. of these data protection provisions.

j) Roles and responsibilities in identity verification

The technical processing of the identity check is carried out by third-party providers in compliance with data protection regulations. rentcard transmits personal data exclusively within the scope of the selected function and only to the extent necessary to carry out the check.

When performing the identity check, rentcard acts as a technical intermediary between the user and the identification service. The identification service acts as an independent controller within the meaning of Art. 4 No. 7 GDPR. There is no joint responsibility under Art. 26 GDPR.

Legal responsibility for data processing in the context of identification therefore lies with the service provider used. rentcard only receives the verification result and stores it in the user profile.

This is carried out via partner services that comply with data protection regulations. Further details on the service providers used can be found in Section 4 III) a) ff. of these data protection provisions.

k) Use of sanctions list screening

To ensure the integrity of the platform and prevent fraud, rentcard may compare personal data with publicly available international sanctions, embargo and politically exposed persons (PEP) lists.

This usually involves processing the name, date of birth and nationality. The processing serves to comply with legal requirements, prevent fraud and protect contractual partners from economic risks.

The legal basis for the processing is Art. 6(1)(c) GDPR (fulfilment of legal obligations, in particular to prevent money laundering and terrorist financing) and Art. 6(1)(f) GDPR (legitimate interest in verifying the identity and reliability of users).

The comparison is carried out automatically using verified, GDPR-compliant data sources. rentcard itself does not carry out its own evaluation or storage of these lists, but only processes the technical test result (e.g. ‘hit’ or ‘no hit’).

l) Use of the rent deposit guarantee

Users have the option of applying for a rental deposit guarantee via rentcard or first carrying out a eligibility check (opportunity check) to find out whether a guarantee is possible in principle.

Personal data (e.g. name, address, date of birth, contact and rental agreement details, guarantee amount and creditworthiness information) is processed for the eligibility check. This data is used exclusively for the preliminary check by the insurance partner to determine whether the requirements for a guarantee are met. The processing is carried out on the basis of Art. 6 (1) lit. b GDPR (pre-contractual measures at the request of the user) and – insofar as a credit check is necessary – Art. 6 (1) lit. f GDPR (legitimate interest of the insurer in risk assessment) .

When applying for a rental deposit guarantee, the necessary contract data is also processed and transmitted to the insurance partner in order to review the guarantee application and decide on the conclusion of a corresponding contract. Processing is carried out on the basis of Art. 6 (1) (b) GDPR (implementation of pre-contractual measures and contract fulfilment).

rentcard transmits the data only to the extent necessary to process the enquiry or application. After transmission, the insurance partner decides independently on the acceptance or rejection of the entitlement or guarantee and is in this respect the independent controller within the meaning of Art. 4 No. 7 GDPR.

There is no joint responsibility between rentcard and the insurance partner. rentcard acts as a technical intermediary and does not store any creditworthiness or risk assessment data from the insurer.

m) Service and marketing communications

Transactional messages (e.g. registration, order, status and security emails) are sent for the purpose of fulfilling contracts or implementing pre-contractual measures. For this purpose, we process your email address, name and technical delivery information, among other things. Tracking functions (opens/clicks) are not used in transactional messages unless they are absolutely necessary for the provision of the service.

Legal basis: Art. 6(1)(b) GDPR.

We only send marketing, information and upselling emails with your consent (double opt-in). For content personalisation and to control follow-up sequences, we use email tracking (e.g. tracking pixels/link tracking) to record whether messages have been delivered, opened and links clicked. This data is only used for marketing communications. Consent can be revoked at any time with future effect (unsubscribe link in every email or in the user account). Legal basis: Art. 6(1)(a) GDPR (consent) and Section 25(1) TTDSG (access to terminal device information).

Storage period: Shipping and interaction data from marketing emails are stored until consent is revoked, otherwise for a maximum of 24 months after the last interaction or until the user account is deleted (whichever occurs first), provided that there are no legal retention obligations to the contrary. For more information on recipients, see Section 4 III) a) ff.

n) When using the contact form

We offer you the opportunity to send us general enquiries using the online contact form. We collect the following mandatory information:
* Name
* Email address
* Subject
* Your personal message

We need your name to know who the enquiry is from. We need your email address to be able to respond to your enquiry.

This data processing is carried out in the context of responding to the contact enquiry on the basis of our legitimate interest pursuant to Art. 6 (1) lit. f GDPR.

The personal data collected by us for the use of the contact form will be deleted once your enquiry has been answered and there are no legal retention obligations preventing deletion.

o) When using the user account (“Account”)

To enable you to use our services to their full extent, you have the option of registering with us on the platform (website: www.rentcard.app). To do so, you must open an account and enter your email address and a password.

We use this data

to set up your user account and
to check the plausibility of the data entered.

You can add to or change the profile information in your account by providing further personal details. We store your profile information for the period described in section 2.

4. Data sharing

Your personal data will not be transferred for purposes other than those listed below.

I) Purpose of service provision and billing

We process and use the data you provide to us when placing an order via www.rentcard.app to the extent necessary for the provision and billing of the respective services.

II) For other purposes

Furthermore, we will only pass on your personal data to third parties if:
* you have given your express consent in accordance with Art. 6 (1) (a) GDPR;
* there is a legal obligation to pass on the data in accordance with Art. 6 (1) (c) GDPR.

III) Use of external service providers and partners

rentcard works with selected service providers to provide certain services and additional modules. These partners process personal data either on behalf of rentcard or as independent controllers within the meaning of the GDPR.

We only work with providers who have certified their systems in accordance with applicable data protection law (in particular the GDPR, ISO 27001 or equivalent standards). Below, we provide information about the most important providers we use:

a) Mailjet (email communication)

We use the provider Mailjet SAS, 13-13 bis, Rue de l’Aubrac, 75012 Paris, France, to send system and service emails.
Mailjet processes personal data (email address, name, sending and opening statistics) exclusively on behalf of rentcard.
The legal basis is Art. 6 (1) lit. f GDPR (legitimate interest in a functioning communication infrastructure).
Data protection information:https://www.mailjet.com/de/rechtliches/sicherheit-datenschutz/

b) Brevo (Sendinblue GmbH – email marketing)

We use Brevo (Sendinblue GmbH), Köpenicker Straße 126, 10179 Berlin, Germany, to send marketing and information emails.
Brevo acts as a processor within the meaning of Art. 28 GDPR. No data is transferred to third countries.
Data protection information: https://www.brevo.com/de/legal/privacypolicy/

c) Customer.io (Marketing & Upselling)

For marketing, information and upselling emails (including journeys/sequences), we use Peaberry Software, Inc. d/b/a Customer.io, data processing in the EU region. There is no transfer to third countries. Email addresses, names, segment/event data and email interaction data (delivery/opening/clicks) are processed exclusively for the purpose of controlling and measuring the success of marketing communications on the basis of your consent. An AVV in accordance with Art. 28 GDPR is in place; consent can be revoked or adjusted at any time via an unsubscribe link at the end of every email sent via customer.io.
Data protection information: https://customer.io/legal/gdpr | https://customer.io/legal/privacy-policy

d) HERE Global B.V. (Kartendienste)

The service HERE Global B.V., Kennedyplein 222-226, 5611 ZG Eindhoven, Netherlands, may be used for location and address validation in forms.
The IP address and address data entered are transmitted to HERE in order to validate geographical data.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in user-friendliness and data validity).
Data protection information: https://legal.here.com/de-de/privacy

e) Stripe (payment processing)

For payment processing, rentcard uses Stripe Payments Europe Ltd., The One Building, 1 Grand Canal Street Lower, Dublin 2, Ireland.
Stripe processes payment data (name, billing address, email address, credit card information) as an independent controller for the purpose of executing payments.
Legal basis: Art. 6(1)(b) GDPR (performance of a contract).
Privacy policy: https://stripe.com/de/privacy

f) OpenSanctions.org (sanctions list check)

For automated sanctions list checks, data (name, date of birth, nationality) is compared with publicly available sanctions lists aggregated by OpenSanctions.org (data source: OpenSanctions Project gGmbH, Berlin).
OpenSanctions does not collect or maintain its own data, but obtains it from official sources (EU, UN, OFAC, UK OFSI).
Data protection information: https://www.opensanctions.org/docs/privacy/

g) R+V Versicherung AG (deposit guarantee/entitlement)

When applying for a rent deposit guarantee or a eligibility check (opportunity check), personal data (name, address, date of birth, guarantee amount, contract information) is transmitted to R+V Versicherung AG, Raiffeisenplatz 1, 65189 Wiesbaden.
The data is processed in order to review the insurance application, assess creditworthiness and, if necessary, grant a guarantee.
R+V is an independent controller within the meaning of the GDPR.
Data protection information: https://www.ruv.de/datenschutz

h) Veriff OÜ (identity verification)

Veriff OÜ, Niine 11, 10414 Tallinn, Estonia, is used for digital identity verification.
This involves the processing of personal data (name, date of birth, ID details, photo/video liveness check).
Veriff acts as an independent controller.
Data protection information: https://www.veriff.com/privacy-notice

i) FinAPI GmbH (account information service / open banking)

FinAPI GmbH (account information service, open banking interfaces) – independent controller / regulated third-party provider
To perform the optional account analysis to determine income, regular rent payments or other relevant household information, rentcard uses the regulated account information service finAPI GmbH, Ganghoferstraße 39, 80339 Munich. finAPI is a provider regulated by BaFin in accordance with the Payment Services Directive (PSD2) (§ 1 ZAG, § 16 ZAG) and acts as an independent controller within the meaning of the GDPR when querying accounts.

During use, access data is never transmitted to rentcard; it is entered exclusively to finAPI.
With the express consent of the user, finAPI retrieves account information directly from the bank and provides rentcard exclusively with the verified analysis results derived from this (e.g. regular rent payments, income, payment history).
The legal basis is Art. 6 (1) (b) GDPR (contract performance by user request) and Art. 6 (1) (a) GDPR (consent to account evaluation).
Processing takes place exclusively in the EU.
Further information on data processing by finAPI can be found at: https://www.finapi.io/privacy-policy/

j) CRIF GmbH (credit assessment)

We use CRIF GmbH, Leopoldstraße 244, 80807 Munich, Germany, for credit checks.
Your name, address and date of birth will be transmitted to CRIF.
CRIF is an independent controller within the meaning of the GDPR.
Art. 14 GDPR information: https://www.crif.de/datenschutz/

k) SCHUFA Holding AG (additional credit rating source)

A credit check may also be carried out via SCHUFA Holding AG, Kormoranweg 5, 65201 Wiesbaden, Germany.
Data will only be processed with the user’s consent or on the basis of a legitimate interest.
Data protection information: https://www.schufa.de/datenschutz/

l) Lexoffice (accounting) and Envoix GmbH (data transfer from Stripe)

For invoicing and accounting, rentcard uses Haufe Lexware GmbH & Co. KG, Munzinger Straße 9, 79111 Freiburg, Germany, and Envoix GmbH, Hanauer Landstraße 204, 60314 Frankfurt am Main, Germany, for automated document dispatch.
Both companies act as processors.
Data protection information:
– Lexoffice: https://www.lexoffice.de/datenschutz/
– Envoix: https://envoix.de/datenschutz

5. Cookies and Pixel-tags

We use cookies on our website. These are small files that your browser automatically creates and that are stored on your device (laptop, tablet, smartphone, etc.) when you visit our website. Cookies do not cause any damage to your device and do not contain viruses, Trojans or other malware.

Information relating to the device used is stored in the cookie. However, this does not mean that we immediately become aware of your identity.

We use pixel tags (also known as tracking pixels) as part of our online offering. Pixels are small graphics that are integrated into the HTML code of our website. The pixel tag itself does not store or change any information on your device, so pixels do not cause any damage to your device and do not contain any viruses, Trojans or other malware.

The pixels send your IP address, the referrer URL of the website you visited, the time at which the pixel was viewed, the browser used and previously set cookie information to a web server. This enables us to carry out reach measurements and other statistical evaluations that serve to optimise our offering.

The use of cookies serves, on the one hand, to make the use of our offering more pleasant for you. For example, we use so-called session cookies to recognise that you have already visited individual pages on our website.

In addition, we also use temporary cookies to optimise user-friendliness, which are stored on your device for a specific period of time. Visit our site again to use our services. It automatically recognises that you have already been with us and what entries and settings you have made so that you do not have to enter them again.

On the other hand, we use cookies to statistically record the use of our website and to evaluate it for the purpose of optimising our offer for you (see section 5). These cookies enable us to automatically recognise that you have already visited our site when you visit it again. These cookies are automatically deleted after a defined period of time.

The data processed by cookies is necessary for the purposes mentioned above in order to protect our legitimate interests and those of third parties in accordance with Art. 6 (1) (f) GDPR.

Most browsers automatically accept cookies. However, you can configure your browser so that no cookies are stored on your computer or so that a message always appears before a new cookie is created. However, completely deactivating cookies may mean that you cannot use all the functions of our website. You can use appropriate tools or browser add-ons that prevent the use of pixels on our pages (e.g. the ‘AdBlock’ add-on for the Firefox browser).

You can find further opt-out options in the following information on the tools we use.

6. Web Analytics

The tracking and targeting measures listed below and used by us are carried out on the basis of Art. 6 para. 1 sentence 1 lit. f GDPR.

We use tracking measures to ensure that our website is designed to meet your needs and to continuously optimise it. We also use tracking measures to statistically record the use of our website and to optimise our offering for you.

We use the targeting measures to ensure that only advertising that is relevant to your actual or presumed interests is displayed on your end devices.

These interests are to be regarded as legitimate within the meaning of the aforementioned provision.

The respective data processing purposes and categories can be found in the corresponding tracking and targeting tools.

a) Google Analytics

We use Google Analytics, a web analytics service provided by Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; hereinafter “Google”), on our website. In this context, pseudonymized user profiles are created and cookies are used (see section 4). The information generated by the cookie about your use of this website, such as:
* browser type/version,
* operating system used,
* referrer URL (the previously visited page),
* hostname of the accessing computer (IP address),
* time of the server request,

is transmitted to and stored on a Google server in the USA. Google complies with the data protection regulations of the “US Privacy Shield” and is registered with the “US Privacy Shield” program of the US Department of Commerce. We have also concluded a data processing agreement [HR27] with Google for the use of Google Analytics. Through this agreement, Google assures us that it will process the data in accordance with the General Data Protection Regulation (GDPR) and guarantee the protection of the rights of the data subject.

This information is transmitted to and stored on a Google server in the USA. The information is used to evaluate website usage, compile reports on website activity, and provide other services related to website and internet usage for market research and to tailor these web pages to user needs.

This information may also be transferred to third parties if required by law or if third parties process this data on our behalf. Under no circumstances will your IP address be combined with other Google data. IP addresses are anonymized so that they can no longer be associated with a specific individual (IP masking).

You can prevent the installation of cookies by adjusting your browser settings. However, please note that in this case, you may not be able to fully utilize all the functions of this website.

Furthermore, you can prevent Google from collecting and processing data generated by the cookie and related to your use of the website (including your IP address) by downloading and installing a browser add-on.

As an alternative to the browser add-on, especially on mobile devices, you can also prevent data collection by Google Analytics by clicking this link. This will set an opt-out cookie that prevents the future collection of your data when you visit this website. The opt-out cookie is only valid in this browser and only for our website and is stored on your device. If you delete the cookies in this browser, you will need to set the opt-out cookie again.

Further information on data protection in connection with Google Analytics can be found, for example, in the Google Analytics Help Center.

b) Google AdWords Conversion Tracking

We use Google Conversion Tracking from Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereinafter: “Google”) on our website to statistically record the use of our website and to evaluate it for the purpose of optimizing our services for you. Google AdWords places a cookie on your computer if you have reached our website via a Google ad.

These cookies expire after 30 days. If the user visits certain pages of the AdWords customer’s website and the cookie has not yet expired, Google and the customer can recognize that the user clicked on the ad and was redirected to this page.

The information generated by the cookie about your use of this website is transmitted to and stored on a Google server in the USA. Google complies with the data protection regulations of the “US Privacy Shield” and is registered under the “US Privacy Shield” program of the US Department of Commerce. In addition, we have concluded a data processing agreement with Google for the use of Google AdWords. Through this agreement, Google assures us that it will process the data in accordance with the General Data Protection Regulation (GDPR) and guarantee the protection of the data subject’s rights.

Each AdWords customer receives its own unique cookie. Therefore, cookies cannot be tracked across the websites of different AdWords customers. The information collected using the conversion cookie is used to generate conversion statistics for AdWords customers who have opted for conversion tracking. We learn the total number of users who clicked on their ad and were redirected to a page with a conversion tracking tag. However, we do not receive any information that can personally identify users.

If you do not wish to participate in the tracking process, you can also refuse the necessary placement of a cookie – for example, via a browser setting that generally disables the automatic placement of cookies. You can also disable conversion tracking cookies by configuring your browser to block cookies from the domain “www.googleadservices.com”.

Google’s privacy policy regarding conversion tracking can be found here:
https://policies.google.com/privacy

c) Google DoubleClick

Our website uses cookies to collect and analyze information to optimize ad placements. For this purpose, we use targeting technologies from Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (DoubleClick, DoubleClick Exchange Buyer, DoubleClick Bid Manager).

These technologies allow us to target you with personalized, interest-based advertising. The cookies used record, for example, which of our content you have viewed. Based on this information, we can also show you offers on third-party websites that are specifically tailored to your interests, as determined by your previous browsing behavior. The collection and analysis of your browsing behavior is carried out exclusively using pseudonyms and does not allow us to identify you.

The cookie is automatically deleted after 30 days.

You can also adjust your settings for interest-based advertising via Google’s Ads Settings Manager.

Further information on data protection in connection with Google can be found in Google’s Privacy Policy.

d) Google Tag Manager

Our website uses Google Tag Manager, a tool provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereinafter referred to as “Google”). We use Google Tag Manager to manage the tools described in this privacy policy. Details about these tools can be found in their respective information.

The Tag Manager tool itself (which implements the tags) is a cookieless domain. The tool triggers other tags, which may in turn collect data. Google Tag Manager does not access this data. If you have deactivated tracking at the domain or cookie level, this deactivation will remain in effect for all tracking tags implemented with Google Tag Manager.

Further information about Google Tag Manager can be found in the product’s terms of service.

e) Google Dynamic Remarketing

We use the features of Google Dynamic Remarketing in conjunction with the cross-device capabilities of Google AdWords and Google DoubleClick.

This feature allows us to link advertising audiences created with Google Dynamic Remarketing to the cross-device capabilities of Google AdWords and Google DoubleClick. This way, interest-based, personalized advertising messages, tailored to you based on your previous usage and browsing behavior on one device (e.g., mobile phone), can also be displayed on another of your devices (e.g., tablet or PC).

If you have given Google your consent, Google will link your web and app browsing history to your Google account for this purpose. This allows the same personalized advertising messages to be activated on any device where you sign in with your Google account.

To support this feature, Google Analytics collects Google-authenticated user IDs, which are temporarily linked to our Google Analytics data to define and create audiences for cross-device advertising.

You can permanently opt out of cross-device remarketing/targeting by disabling personalized advertising in your Google account. Follow this link: https://www.google.com/settings/ads/onweb/.

Further information and the privacy policy can be found in Google’s Privacy Policy at: https://www.google.com/policies/technologies/ads/.

f) Mouseflow

We use the analytics tool “Mouseflow” from Mouseflow ApS, Denmark (www.mouseflow.com) on our website and in our applications to record randomly selected visits (using only anonymized IP addresses). This creates a log of mouse movements, mouse clicks, scrolling, and keyboard interactions, with the intention of reproducing individual visits to this website as session replays and evaluating them in the form of heatmaps to identify potential improvements for our website.

The data collected by Mouseflow is not personally identifiable and is not shared with third parties. The collected data is stored and processed within the EU. If you do not wish to be tracked by Mouseflow, you can opt out on all websites that use Mouseflow by clicking the following link: https://mouseflow.com/opt-out/. This will set an opt-out cookie that prevents the future tracking of your visits to websites that use Mouseflow. The opt-out cookie is only valid in this browser and is stored on your device. If you delete the cookies in this browser or use a different device, you will need to set the opt-out cookie again. Further information about data protection at Mouseflow can be found at https://mouseflow.com/privacy/.

7. Data subject rights

You have the right:

* to withdraw your consent at any time in accordance with Article 7(3) GDPR. This means that we will no longer be permitted to process data based on this consent in the future.

* to request information about your personal data processed by us in accordance with Article 15 GDPR. In particular, you can request information about the purposes of the processing, the categories of personal data, the categories of recipients to whom your data have been or will be disclosed, the planned storage period, the existence of a right to rectification, erasure, restriction of processing or objection, the existence of a right to lodge a complaint, the origin of your data if they were not collected by us, and the existence of automated decision-making, including profiling, and, where applicable, meaningful information about the logic involved;

* to request the immediate rectification of inaccurate personal data or the completion of incomplete personal data stored by us in accordance with Article 16 GDPR;

* to request the erasure of your personal data stored by us pursuant to Article 17 GDPR, unless processing is necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation, for reasons of public interest, or for the establishment, exercise, or defense of legal claims;

* to request the restriction of processing of your personal data pursuant to Article 18 GDPR, where the accuracy of the data is contested by you, the processing is unlawful but you oppose its erasure, we no longer need the data but you require it for the establishment, exercise, or defense of legal claims, or you have objected to processing pursuant to Article 21 GDPR;

* to receive your personal data, which you have provided to us, in a structured, commonly used, and machine-readable format or to request its transmission to another controller pursuant to Article 20 GDPR; and

* to lodge a complaint with a supervisory authority pursuant to Article 77 GDPR. As a rule, you can contact the supervisory authority at your usual place of residence, your workplace or our company headquarters for this purpose.

8. Information about your right to object according to Art. 21 DSGVO

You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you which is based on point (e) of Article 6(1) GDPR (processing necessary for the performance of a task carried out in the public interest) and point (f) of Article 6(1) GDPR (processing necessary for the purposes of the legitimate interests pursued by the controller or by a third party), including profiling based on those provisions as defined in Article 4(4) GDPR.

If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is for the establishment, exercise or defence of legal claims.

If your objection is directed against the processing of your data for direct marketing purposes, we will cease processing immediately. In this case, it is not necessary to specify a particular situation. This also applies to profiling insofar as it is related to such direct marketing.

If you wish to exercise your right to object, simply send an email to privacy@rentcard.id.

9. Data security

All personal data you transmit to us is encrypted using the widely accepted and secure TLS (Transport Layer Security) standard. TLS is a secure and proven standard also used, for example, in online banking. You can recognize a secure TLS connection by the “s” appended to “http” (i.e., “https://”) in your browser’s address bar or by the padlock icon in the lower part of your browser window.

Furthermore, we employ appropriate technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction, and unauthorized access by third parties. Our security measures are continuously improved in line with technological advancements.

10. Actuality and change of this privacy policy

This privacy policy is currently valid and was last updated in November 2025.

Due to the ongoing development of our website and the services offered through it, or due to changes in legal or regulatory requirements, it may become necessary to amend this privacy policy. The current privacy policy can be accessed and printed at any time on the website at www.rentcard.app/privacy.

Privacy policy