Privacy policy


This English translation of the privacy notice is provided for convenience and for better understanding only.
In the event of any inconsistency or conflict between this English translation and the original German version, the German version shall prevail and shall be the legally binding version.
Only the German privacy notice (“Datenschutzerklärung”) is legally authoritative and governs the processing of personal data by rentcard in accordance with the GDPR.

Application Folder (Direct Use)

These privacy provisions apply to the direct use of the rentcard platform, where you independently create and manage a digital application folder. In this case, rentcard is the data controller.

If you use rentcard through a landlord or real estate partner, the provisions in Part B (“Verification for Landlords”) additionally apply.

1. Name and Contact Details of the Data Controller

This privacy policy applies to data processing on the website www.rentcard.app. The data controller is:

rentcard GmbH, Leopoldstraße 169a, 80804 Munich

External Data Protection Officer pursuant to Art. 37 GDPR: IITR Datenschutz GmbH, Dr. Sebastian Kraska (Data Protection Officer, reachable at: email@iitr.de)

Email: info[at]rentcard.id  Phone: +49 89 2154576

If you have questions about data protection law or your rights as a data subject, you may contact the Data Protection Officer directly at email@iitr.de or reach rentcard at privacy@rentcard.id at any time.

2. Retention Period of Personal Data

As a general rule, your personal data will be deleted once it is no longer necessary for the purpose for which it was collected.

Data in your user account will be stored for as long as the account exists. Where statutory retention periods apply, we will store data until they expire. Upon termination of the contractual relationship, your user account will be suspended.

No later than six (6) months after termination of the contract, or after 24 months of inactivity or since the last login, your user account and all associated personal data will be permanently deleted.

Different, shorter retention periods apply to certain data categories: verification results (creditworthiness, income verification, rent payment verification) will be deleted no later than six (6) months after the expiry of the three-month validity period of the application folder. Identity data (verified name and address) will be retained for the lifetime of the user account, as identity confirmation does not expire. Bank data (released transactions and averages) will be deleted no later than six (6) months after the application folder expires. Unreleased transactions are never stored by rentcard.

This does not apply where we still need the relevant data to enforce claims against you, or where we are legally or contractually obligated to retain the data. Where user data is not deleted in order to comply with contractual or legal obligations, its processing will be restricted. The data will be blocked accordingly and not processed for other purposes — for example, user data that must be retained for commercial or tax law reasons.

3. Processing of Personal Data and Purposes of Processing

a) Web Hosting

For the provision of this website, we use the web hosting service of Google Cloud EMEA Limited (70 Sir John Rogerson’s Quay, Dublin 2, Ireland) in the data center in 9909 TA Eemshaven (hereinafter: “Google”).

A web hosting service is required to operate a website. Google is engaged pursuant to Art. 6(1)(1)(f) GDPR based on our legitimate economic interest in providing our services on this website. In connection with hosting, Google processes personal data on our behalf that is collected during use of the website.

We have entered into a data processing agreement with Google, under which the service provider guarantees that it processes data in accordance with the GDPR and ensures protection of the rights of the data subject.

b) When Visiting the Website

You may visit www.rentcard.app without disclosing your identity. Your browser automatically sends information to our web server (e.g., date and time of access, name and URL of the retrieved file, browser type and version, referring website (referrer URL)).

This includes the IP address of your device, which is temporarily stored in a log file and automatically deleted after 12 weeks.

The IP address is processed for technical and administrative purposes related to establishing and maintaining the connection, and to ensure the security and functionality of our website and to trace any unlawful attacks. The legal basis is Art. 6(1)(1)(f) GDPR. Our legitimate interest lies in the aforementioned security interest and the need to provide our website without disruption.

Processing the IP address in the log file does not allow us to draw direct conclusions about your identity.

We also use cookies and analytics services when you visit our website. Further details can be found in sections 5 and 6 of this privacy policy.

c) When Creating an Application Folder

You may have a digital application folder created for you. To do so, we require the following information:

  • First name, last name, phone number, and
  • A valid email address

The processing of your data is based on Art. 6(1)(b) GDPR (performance of a contract — you have requested the service).

Your data will be automatically deleted once the purpose of storage no longer applies, unless we are obligated under Art. 6(1)(1)(c) GDPR to retain it longer due to tax and commercial retention and documentation obligations (under HGB, StGB, or AO), or you have consented to extended storage under Art. 6(1)(1)(a) GDPR.

d) Use of the Account Information Service

To create your application folder, we use an Account Information Service (“AIS”) that holds the appropriate PSD2 authorization from BaFin.

To retrieve your banking data, you need the login credentials for your bank accounts, which you enter directly in the iFrame of the account information service (finAPI GmbH, Munich). Your banking credentials are transmitted exclusively to finAPI — rentcard never receives your banking credentials, account balance, IBAN, or other account metadata. With your consent, finAPI retrieves from your bank the account transactions of at most the past six months. From these transactions, potential salary and rent transactions are suggested for your selection. You decide which transactions are released. Only the transactions you release are stored by rentcard.

We process this data to provide the services you have requested as part of creating the application folder, for example:

  • To create the application folder you have ordered,
  • To make it available to you for your information,
  • To share it with third parties, provided you have expressly approved this.

Processing is carried out through data protection-compliant partner services. Further details on the service providers used can be found in Section 4 III) of these privacy provisions.

e) When Creating the Application Folder (Account Transactions)

The account data you provide, along with the account transactions read from it, are used to create the application folder.

This is done by pre-selecting potential salary credits and rent payments from the account transactions of at most the past six months using a defined keyword list. You can view the pre-selection transparently and adjust it freely (add, remove, or recategorize transactions). An average is calculated from the transactions you release. rentcard does not assess your creditworthiness — the interpretation of the values is the responsibility of the recipient of your application folder.

Retention period: The application folder is generally valid for 90 days after creation. After expiry, the associated content is automatically removed from the active profile. No later than six (6) months after the expiry of the validity period, we will delete the personal data, unless statutory retention periods apply.

This data processing is necessary for the creation of the application folder, pursuant to Art. 6(1)(1)(b) GDPR.

f) Use of the Self-Disclosure

Additional data is also processed as part of a self-disclosure to create the application folder, and rentcard uses the personal master data you provide.

To use the self-disclosure in full, we additionally require the following personal information (personal master data):

  • Address
  • Number of rooms
  • Age
  • Gender
  • Nationality
  • Net household income
  • Smoking behavior
  • Phone number

Users may create an applicant profile and store self-disclosure information in it for reuse across multiple rental applications. This data is stored in the user account for this purpose.

Self-disclosure data is stored for up to 24 months after the last active use of the user account. After this period, the data will be deleted unless statutory retention obligations apply.

Data from credit reports is handled separately. Such data will be deleted no later than six (6) months after the expiry of the three-month validity period of the respective credit report.

In addition to the basic application folder functions, rentcard offers various optional add-on features to extend or verify your rental application (e.g., identity verification, credit check, document verification, or rental deposit guarantee). These features are only activated upon your explicit selection.

g) Document Verification

As part of your application folder, you may upload documents (e.g., pay slips, employment contracts, tenancy agreements) to substantiate your details. Uploaded documents are processed in two ways:

  • Data extraction (OCR): Predefined fields are extracted from the uploaded documents (e.g., salary amount, employer, contract details). Extraction is performed via Google Vertex AI Document AI and is limited to predefined fields — no content assessment or full-text analysis takes place.
  • Authenticity check: For PDF documents, metadata (PDF header, creation date, software signature) is used to check whether the document is original or has been subsequently altered. For documents with a QR code, the code is verified against the issuer’s online original. This is a purely technical check — no content assessment.

The extracted data is displayed to you for review. You decide which information is included in your application folder. Original documents are not permanently stored after processing unless you expressly save them in your application folder.

The legal basis is Art. 6(1)(b) GDPR (performance of a contract). Processing by Vertex AI takes place on EU servers. Vertex AI does not store documents or results.

h) Sharing Application Folder Data

You may use your application folder as a reusable application profile and authorize rentcard to transmit selected content to landlords or real estate portals. This may include, depending on your selection, identity data, income details, rental payment history information, creditworthiness information, and supplementary application details and documents.

Data is only shared on the basis of your explicit consent (Art. 6(1)(a) GDPR). Before each release, you will be informed of which data categories are transmitted to which recipients and for what purpose. You may revoke consent granted at any time with effect for the future.

Alternatively, you may download your application folder as a PDF and share it yourself. In this case, the data does not leave the rentcard platform.

The principles of data sharing are described in the Shared Data Policy at https://www.rentcard.app/de/shared-data/.

i) Use of the Credit Check

You have the option to carry out a credit check through the platform in order to add a credit report to your application folder. For this purpose, personal data such as name, address, and date of birth is processed in order to obtain credit information from a connected credit agency.

The legal basis is Art. 6(1)(b) GDPR (performance of a contract — you have requested the service).

rentcard receives only a reduced credit result in the form of a traffic light color (Green = no known payment disruptions, Yellow = minor irregularities, Red = payment disruption present, Grey = insufficient data available). Detailed credit data is not stored by rentcard. Alternatively, a personal credit report (e.g., SCHUFA self-disclosure) may be uploaded, the authenticity of which rentcard verifies via QR code.

The credit check is carried out by CRIF GmbH as an independent controller. rentcard forwards your data to CRIF and receives the result. There is no data processing agreement between rentcard and CRIF.

The credit result is only shared with third parties with your explicit consent.

j) Roles and Responsibilities in the Credit Check

When directly using the application folder, rentcard is the data controller for processing your data. You commission rentcard to create your application folder and carry out the necessary verifications.

CRIF GmbH is independently responsible for conducting the credit check. There is no data processing arrangement between rentcard and CRIF — this is a data transfer between independent controllers.

rentcard does not make decisions about rental applications. We provide information to you as separate modules. The decision on whether to rent is made solely by the landlord.

k) Use of the Digital Identity Verification

As part of your application folder, you may undergo digital identity verification to confirm your details and verify your profile. Personal data such as name, date of birth, ID document data (e.g., document type, validity, issuing country), and photo or video sequences (e.g., liveness check) are processed. Identity verification involves the processing of biometric data within the meaning of Art. 9(1) GDPR (matching of the selfie with the ID photo). This biometric processing is carried out exclusively by Veriff OÜ — rentcard does not store any images, ID document data, or biometric data.

The legal basis is Art. 6(1)(b) GDPR (performance of a contract). For the processing of biometric data, a separate, explicit consent pursuant to Art. 9(2)(a) GDPR is obtained. Without this consent, biometric verification will not be performed. Identity verification via Veriff is optional — as a non-biometric alternative, identity confirmation via bank account (finAPI) is available.

rentcard receives only the verification result (e.g., “verified” or “not verified”). rentcard does not store ID document data, images, or video material.

l) Roles and Responsibilities in Identity Verification

The identity verification service (Veriff OÜ) acts as a data processor within the meaning of Art. 28 GDPR. rentcard has entered into a data processing agreement with Veriff. Images (front/back of ID, selfie) are transmitted directly from the user’s device to Veriff — they do not pass through rentcard’s servers. rentcard receives only: first name, last name, address, and verification status (verified / not verified).

m) Use of Sanctions List Screening

To ensure the integrity of the platform, rentcard may compare personal data against publicly available international sanctions, embargo, and PEP (Politically Exposed Persons) lists. In general, name, date of birth, and nationality are processed.

The legal basis is Art. 6(1)(c) GDPR (legal obligations) and Art. 6(1)(f) GDPR (legitimate interest). rentcard processes only the screening result (“match” or “no match”) and does not make automated individual decisions on this basis.

n) Use of the Rental Deposit Guarantee

You have the option to apply for a rental deposit guarantee through rentcard or to first carry out a preliminary eligibility check.

For the eligibility check, personal data (e.g., name, address, date of birth, tenancy agreement data, guarantee amount) is processed. The legal basis is Art. 6(1)(b) GDPR (pre-contractual measures).

After transmission, the insurance partner (R+V Versicherung AG) independently decides on acceptance or rejection and is an independent controller in this regard. rentcard does not store any credit or risk assessment data from the insurer.

o) Service and Marketing Communications

Transactional messages (e.g., registration, order, status, and security emails) are sent for the purpose of contract performance. Legal basis: Art. 6(1)(b) GDPR.

Marketing emails are only sent with your consent (double opt-in). We use email tracking for personalization. Consent may be revoked at any time (unsubscribe link in every email). Legal basis: Art. 6(1)(a) GDPR and § 25(1) TTDSG.

Retention period: Sending and interaction data is stored until revocation, for a maximum of 24 months after the last interaction, or until the user account is deleted.

p) Use of the Contact Form

We offer you the option to submit inquiries via the contact form. We collect: name, email address, subject, and your message. Legal basis: Art. 6(1)(f) GDPR. Data is deleted once your inquiry has been fully answered.

q) Use of the User Account

To use our services, you may register at www.rentcard.app (email address and password). Use is for the purpose of setting up your account and checking for plausibility. Your profile information is stored for the duration specified in section 2.

r) Note: No Automated Assessment of Your Person

rentcard does not assess you and does not make decisions about your rental application. Our platform compiles and verifies information — the decision on whether to rent is made solely by the landlord. Specifically:

  • We extract salary data from your documents, but do not assess whether your income is sufficient.
  • We suggest salary and rent transactions from your bank account and calculate an average — without weighting or assessment.
  • The credit check is carried out by CRIF GmbH, not by rentcard. We only forward the result.
  • The results of the various modules (identity, creditworthiness, income, documents) are displayed individually and independently — we do not combine them into an overall profile.

No automated individual decision-making within the meaning of Art. 22 GDPR takes place.

4. Disclosure of Data

Your data will not be transferred for purposes other than those listed below.

I) Purpose of Service Provision and Billing

The data you transmit to us via www.rentcard.app is processed for the provision and billing of the respective services.

II) For Further Purposes

Beyond this, we only share your data with third parties if:

  • You have given your explicit consent (Art. 6(1)(a) GDPR);
  • A legal obligation exists (Art. 6(1)(c) GDPR).

III) Use of External Service Providers and Partners

To provide certain services, rentcard works with selected service providers. These process personal data either on behalf of rentcard or as independent controllers.

a) Mailjet (Email Communication) — Mailjet SAS, Paris. Data processor. Legal basis: Art. 6(1)(f) GDPR. Privacy notice: https://www.mailjet.com/de/rechtliches/sicherheit-datenschutz/

b) Brevo (Email Marketing) — Sendinblue GmbH, Berlin. Data processor. No third-country transfer. Privacy notice: https://www.brevo.com/de/legal/privacypolicy/

c) Customer.io (Marketing & Upselling) — Peaberry Software, Inc. Data processing in the EU. DPA in place. Privacy notice: https://customer.io/legal/privacy-policy

d) HERE Global B.V. (Mapping Services) — Address validation. Legal basis: Art. 6(1)(f) GDPR. Privacy notice: https://legal.here.com/de-de/privacy

e) Stripe (Payment Processing) — Stripe Payments Europe Ltd., Dublin. Independent controller. Legal basis: Art. 6(1)(b) GDPR. Privacy notice: https://stripe.com/de/privacy

f) OpenSanctions.org (Sanctions List Screening) — OpenSanctions Project gGmbH, Berlin. Data matching with official sources (EU, UN, OFAC). Privacy notice: https://www.opensanctions.org/docs/privacy/

g) R+V Versicherung AG (Rental Deposit Guarantee) — Independent controller. Privacy notice: https://www.ruv.de/datenschutz

h) Veriff OÜ (Identity Verification) — Data processor (Art. 28 GDPR). Images are transmitted directly from the user’s device to Veriff. Privacy notice: https://www.veriff.com/privacy-notice

i) FinAPI GmbH (Account Information Service) — BaFin-regulated provider (PSD2). Independent controller. Login credentials are entered exclusively with finAPI. Only released transactions are stored by rentcard. Banking credentials, account balance, and IBAN are never stored. Privacy notice: https://www.finapi.io/privacy-policy/

j) CRIF GmbH (Credit Check) — Independent controller. rentcard stores only a traffic light color (Green/Yellow/Red/Grey). Detailed credit data is not stored. Art. 14 GDPR information: https://www.crif.de/datenschutz/

k) Lexoffice and Envoix GmbH (Accounting) — Haufe Lexware GmbH & Co. KG, Freiburg, and Envoix GmbH, Frankfurt. Data processors. Privacy notices: https://www.lexoffice.de/datenschutz/ | https://envoix.de/datenschutz

l) Freshdesk (Support Communication) — Freshworks Inc. Data processor. Legal basis: Art. 6(1)(b) and (f) GDPR. Privacy notice: https://www.freshworks.com/privacy/

5. Cookies and Pixel Tags

We use cookies on our website. These are small files that your browser automatically creates and stores on your device (laptop, tablet, smartphone, etc.) when you visit our site. Cookies do not cause harm to your device and do not contain viruses, trojans, or other malware.

Cookies store information relating to the device you are using. This does not, however, mean that we immediately become aware of your identity.

We also use pixel tags (also called tracking pixels or web beacons) in our online offering. Pixels are small graphics embedded in the HTML code of our website. The pixel tag itself does not store or modify any information on your device, and pixels similarly cause no harm and contain no malware.

Pixels transmit your IP address, the referrer URL of the visited webpage, the time the pixel was viewed, the browser used, and previously set cookie information to a web server. This enables us to carry out reach measurements and further statistical analyses to optimize our offering.

Cookies serve, on one hand, to make using our offering more convenient. We use session cookies, for example, to recognize that you have previously visited individual pages of our website.

We also use temporary cookies to optimize user-friendliness; these are stored on your device for a defined period. When you visit our site again to use our services, it is automatically recognized that you have been with us before and what inputs and settings you made, so you do not need to enter them again.

We also use cookies to statistically record the use of our website and evaluate it for the purpose of optimizing our offering. These cookies allow us to automatically recognize, upon a return visit, that you have been on our site before. They are automatically deleted after a defined period.

The data processed by cookies is necessary for the stated purposes to protect our legitimate interests and those of third parties, pursuant to Art. 6(1)(1)(f) GDPR.

Most browsers accept cookies automatically. However, you can configure your browser to prevent cookies from being stored on your computer or to display a notice before a new cookie is created. Completely disabling cookies may mean you cannot use all functions of our website. You can also use appropriate tools or browser add-ons that block the use of pixels on our pages (e.g., the “AdBlock” add-on for Firefox). Further opt-out options can be found in the information below about the tools we use.

6. Web Analytics

The tracking and targeting measures listed below that we use are carried out on the basis of Art. 6(1)(1)(f) GDPR.

We use tracking measures to ensure our website is designed to meet user needs and is continuously optimized. We also use tracking to statistically record the use of our website and to optimize our offering for you.

Through targeting measures, we aim to ensure that only advertising aligned with your actual or presumed interests is displayed on your devices.

These interests are considered legitimate within the meaning of the aforementioned provision.

The respective data processing purposes and categories are detailed in the corresponding tracking and targeting tools.

a) Google Analytics

We use Google Analytics on our website, a web analytics service of Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; hereinafter “Google”). Pseudonymized usage profiles are created and cookies are used in this context (see section 5). The information generated by the cookie about your use of this website — including browser type/version, operating system, referrer URL (previously visited page), hostname of the accessing computer (IP address), and time of the server request — is transmitted to a Google server in the USA and stored there.

Data transfer to the USA is based on the EU-US Data Privacy Framework (DPF), which has ensured an adequate level of data protection within the meaning of Art. 45 GDPR since July 2023. We have additionally entered into a data processing agreement with Google for the use of Google Analytics.

The information is used to evaluate use of the website, compile reports on website activity, and provide further services relating to website and internet usage for market research and demand-oriented design of these web pages.

This information may also be transferred to third parties where required by law or where third parties process this data on our behalf. Your IP address will never be merged with other data held by Google. IP addresses are anonymized so that attribution is no longer possible (IP masking).

You can prevent cookies from being installed by adjusting your browser settings accordingly. You can also prevent data collection by Google Analytics by downloading and installing a browser add-on. Alternatively, particularly on mobile devices, you can prevent collection by Google Analytics by setting an opt-out cookie.

b) Google AdWords Conversion Tracking

We use Google Conversion Tracking by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereinafter: “Google”) to statistically record the use of our website and evaluate it for the purpose of optimizing our offering. Google AdWords stores a cookie on your computer if you arrived at our website via a Google ad. These cookies expire after 30 days.

The information generated by the cookie is transmitted to a Google server in the USA and stored there. Data transfer to the USA is based on the EU-US Data Privacy Framework (DPF). We have additionally entered into a data processing agreement with Google for the use of Google AdWords.

If you do not wish to participate in the tracking process, you can refuse the setting of a cookie — for example, via a browser setting that generally deactivates the automatic setting of cookies. You can also disable conversion tracking cookies by setting your browser to block cookies from the domain “www.googleadservices.com”. The Google privacy policy for conversion tracking can be found here: https://policies.google.com/privacy

c) Google DoubleClick

On our website, cookies are used to collect and analyze information for the optimization of advertising. For this purpose, we use targeting technologies of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (DoubleClick, DoubleClick Exchange Buyer, DoubleClick Bid Manager). These technologies enable us to target you with individually interest-based advertising. The collection and analysis of your user behavior is carried out exclusively on a pseudonymous basis. The cookie is automatically deleted after 30 days. You can adjust interest-based advertising settings via Google’s Ad Settings Manager.

d) Google Tag Manager

Our website uses Google Tag Manager by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Google Tag Manager is used to manage the tools about which we inform you in this privacy policy. The Tag Manager tool itself (which implements the tags) is a cookie-free domain. The tool triggers further tags, which may in turn collect data. Google Tag Manager does not access this data. If a deactivation has been made at the domain or cookie level, this remains in effect for all tracking tags implemented with Google Tag Manager.

e) Google Dynamic Remarketing

We use the features of Google Dynamic Remarketing in conjunction with the cross-device features of Google AdWords and Google DoubleClick. This feature allows interest-based, personalized advertising messages to be displayed on other devices you use as well. If you have given Google the appropriate consent, Google links your web and app browsing history to your Google account for this purpose.

You can permanently opt out of cross-device remarketing/targeting by deactivating personalized advertising in your Google account: https://www.google.com/settings/ads/onweb/

Further information and the privacy policy can be found in Google’s privacy statement at: https://www.google.com/policies/technologies/ads/

f) Mouseflow

We use the analytics tool “Mouseflow” by Mouseflow ApS, Denmark (www.mouseflow.com) on our website and in our applications to record randomly selected visits (only with anonymized IP addresses). This creates a log of mouse movements, mouse clicks, scroll movements, and keyboard interactions, with the aim of replaying individual visits as so-called session replays and evaluating them in the form of heatmaps, in order to derive potential improvements for our website.

Data collected by Mouseflow is not personal and is not shared with third parties. Storage and processing of the collected data takes place within the EU. If you do not wish to be recorded by Mouseflow, you can opt out on all websites that use Mouseflow at the following link: https://mouseflow.com/opt-out/

7. Rights of Data Subjects

You have the right to:

  • Pursuant to Art. 7(3) GDPR, withdraw any consent you have given us at any time. This means we may no longer continue the data processing based on that consent going forward.
  • Pursuant to Art. 15 GDPR, request information about your personal data processed by us, including the purposes of processing, the categories of personal data, the categories of recipients to whom your data has been or will be disclosed, the planned retention period, the existence of a right to rectification, erasure, restriction of processing or objection, the right to lodge a complaint, the origin of your data if not collected directly from you, and the existence of automated decision-making including profiling and, where applicable, meaningful information about the details thereof.
  • Pursuant to Art. 16 GDPR, request the immediate correction of inaccurate or completion of incomplete personal data stored by us.
  • Pursuant to Art. 17 GDPR, request the erasure of your personal data stored by us, unless processing is necessary for the exercise of freedom of expression and information, for compliance with a legal obligation, for reasons of public interest, or for the establishment, exercise, or defense of legal claims.
  • Pursuant to Art. 18 GDPR, request restriction of the processing of your personal data where the accuracy of the data is contested by you, the processing is unlawful but you oppose erasure, we no longer need the data but you require it for the establishment, exercise, or defense of legal claims, or you have objected to processing pursuant to Art. 21 GDPR.
  • Pursuant to Art. 20 GDPR, receive your personal data that you have provided to us in a structured, commonly used, and machine-readable format, or request its transmission to another controller.
  • Pursuant to Art. 77 GDPR, lodge a complaint with a supervisory authority. As a rule, you may contact the supervisory authority of your habitual residence, place of work, or our place of business.

8. Information about Your Right to Object under Art. 21 GDPR

You have the right, on grounds relating to your particular situation, to object at any time to the processing of personal data concerning you that is carried out on the basis of Art. 6(1)(e) GDPR (processing in the public interest) or Art. 6(1)(f) GDPR (processing based on balancing of interests); this also applies to profiling based on these provisions within the meaning of Art. 4(4) GDPR.

If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or the processing serves the establishment, exercise, or defense of legal claims.

If your objection is directed against the processing of your data for direct marketing purposes, we will cease processing immediately. In this case, there is no need to state a particular situation. This also applies to profiling insofar as it is related to such direct marketing.

If you wish to exercise your right to object, simply send an email to email@iitr.de or privacy@rentcard.id.

9. Data Security

All personal data you transmit to us is encrypted using the generally accepted and secure TLS (Transport Layer Security) standard. TLS is a secure and proven standard also used, for example, in online banking. You can recognize a secure TLS connection by the “s” appended to “http” (i.e., “https://”) in your browser’s address bar, or by the padlock symbol in the lower area of your browser.

We also use appropriate technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction, or unauthorized access by third parties. Our security measures are continuously improved in line with technological developments.

10. Currency and Changes to This Privacy Policy

This privacy policy is currently valid and is dated April 2026.

Due to the ongoing development of our website and the services offered on it, or due to changes in legal or regulatory requirements, it may become necessary to amend this privacy policy. The current version of the privacy policy can be accessed and printed at any time on the website at www.rentcard.app/privacy.
