Privacy policy


This English translation of the privacy notice is provided for convenience and for better understanding only.
In the event of any inconsistency or conflict between this English translation and the original German version, the German version shall prevail and shall be the legally binding version.
Only the German privacy notice (“Datenschutzerklärung”) is legally authoritative and governs the processing of personal data by rentcard in accordance with the GDPR.

Verification for Landlords

These privacy provisions apply when you use rentcard through a landlord or real estate partner. In this case, you come to rentcard with a specific purpose: you complete your application documents and decide which information you wish to share with the landlord.

Under data protection law, the landlord is the data controller responsible for processing your data in connection with the rental decision. In this case, rentcard acts as a data processor on behalf of the landlord. If you use rentcard independently of a landlord (e.g., to create an application folder on your own), the provisions in Part A (“Application Folder”) apply.

Note: If you already have a rentcard account from direct use (Part A) and now come to rentcard through a landlord, you can access your existing data and will not need to repeat verifications you have already completed.

1. Data Controller and Data Processor

In the context of verification for landlords, the respective landlord or real estate partner is the data controller within the meaning of Art. 4 No. 7 GDPR. The verification serves the landlord’s rental decision.

rentcard GmbH, Leopoldstraße 169 a, 80804 Munich, acts as data processor within the meaning of Art. 28 GDPR. A data processing agreement exists between rentcard and the landlord.

External Data Protection Officer pursuant to Art. 37 GDPR: IITR Datenschutz GmbH, Dr. Sebastian Kraska (Data Protection Officer, reachable at: email@iitr.de)

If you have questions about data protection, you may contact the Data Protection Officer at email@iitr.de, rentcard at privacy@rentcard.id, or the respective landlord directly as the data controller.

2. Retention Period of Personal Data

In principle, your personal data will be deleted as soon as it is no longer necessary for the purpose for which it was collected.

Data in your user account will be stored for as long as the account exists. At the latest six (6) months after termination of the contract, or after 24 months of inactivity, we will permanently delete your user account including all personal data.

Different, shorter retention periods apply to certain data categories: verification results (creditworthiness, income verification, rent payment verification) will be deleted no later than six (6) months after the expiry of the three-month validity period. Identity data (verified name and address) will be retained for the lifetime of the user account. Bank data (released transactions and average values) will be deleted no later than six (6) months after the expiry of the validity period. Transactions that have not been released are never stored at rentcard.

Data that has already been transmitted to the landlord is subject to the landlord’s own retention policy as the data controller. For questions about retention periods at the landlord’s end, please contact the landlord directly.

Statutory retention obligations (e.g. under the German Tax Code/Commercial Code) remain unaffected. Where data is required to assert or defend legal claims, its processing will be restricted to that purpose.

3. Processing of Personal Data and Purposes of Processing

a) Web Hosting
To provide this website, we use the web hosting service of Google Cloud EMEA Limited (70 Sir John Rogerson’s Quay, Dublin 2, Ireland) at the data center in 9909 TA Eemshaven. This is done pursuant to Art. 6(1)(f) GDPR. We have concluded a data processing agreement with Google.

b) When Visiting the Website
You may visit www.rentcard.app without disclosing your identity. Your browser automatically sends information to our server (e.g. date, URL, browser type, referrer URL). The IP address is temporarily stored and deleted after 12 weeks. Legal basis: Art. 6(1)(f) GDPR. We also use cookies and analytics services (see sections 5 and 6).

c) Registration and User Account
When you come to rentcard through a landlord, a user account will be created for you. For this we require:

  • First name, last name, phone number, and
  • a valid email address.

Processing is based on Art. 6(1)(f) GDPR (legitimate interest of the landlord in reviewing the rental application) and Art. 6(1)(b) GDPR (performance of contract — you are using the rentcard service).

d) Allocation of Roles
For verification for landlords, the following data protection roles apply:

  • The landlord is the data controller within the meaning of Art. 4 No. 7 GDPR. The verification serves their rental decision.
  • rentcard is the data processor within the meaning of Art. 28 GDPR and processes your data on behalf of the landlord.
  • As a prospective tenant, you are the “data subject” under data protection law. The fact that you technically initiate the verification process yourself (e.g., via the rentcard app) does not change this division of roles.

rentcard does not make decisions on rental applications. We provide information to you and the landlord as separate modules. The decision for or against a prospective tenant is made solely by the landlord.

e) Self-Disclosure
As part of the verification process, you may complete a self-disclosure form to supplement your rental application. Personal information such as the following may be processed:

  • Address
  • Number of rooms
  • Age
  • Gender
  • Nationality
  • Net household income
  • Smoking habits
  • Phone number

Self-disclosure data will be stored for up to 24 months after the last active use. Data from credit reports is handled separately and will be deleted no later than six (6) months after expiry of the three-month validity period.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest of the landlord in receiving a complete application) and Art. 6(1)(b) GDPR (performance of contract).

In addition to the self-disclosure, rentcard offers various optional verification modules that the landlord may request for their rental decision. You decide which modules you use and which results you share.

f) Document Review
You may upload documents (e.g. pay slips, employment contracts, tenancy agreements) to support your application. Uploaded documents are processed in two ways:

  • Data extraction (OCR): Predefined fields are extracted from uploaded documents (e.g. salary amount, employer, contract data). Extraction is carried out via Google Vertex AI Document AI and is limited to predefined fields — no content evaluation or full-text analysis takes place.
  • Authenticity check: For PDF documents, metadata (PDF header, creation date, software signature) is used to determine whether the document is original or has been subsequently altered. For documents with a QR code, this is verified against the issuer’s online original. This is a purely technical check — no content evaluation.

The extracted data is displayed to you for review. You decide which information is released. The legal basis is Art. 6(1)(f) GDPR (legitimate interest of the landlord in reviewing application documents). Processing by Vertex AI takes place on EU servers. Vertex AI does not store any documents or results.

g) Use of the Account Information Service
To verify your income and rent payment history, a bank account analysis may be carried out. To retrieve your bank data, you enter your login credentials directly in the iframe of the account information service (finAPI GmbH, Munich). Your banking credentials are transmitted exclusively to finAPI — rentcard never receives your banking credentials, account balance, IBAN, or other account metadata.

With your consent, finAPI retrieves account transactions from a maximum of the last six months from your bank. From these transactions, potential salary and rent transactions are suggested for you to select. You decide which transactions are released. Only transactions released by you are stored at rentcard.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest of the landlord in assessing financial capacity) and Art. 6(1)(b) GDPR (performance of contract).

h) Account Transactions and Average Calculation
From the transactions you have released, potential incoming salary payments and rent payments are pre-selected based on a defined keyword list. You see the pre-selection transparently and may adjust it freely. An average is calculated from the released transactions.

rentcard does not assess your financial capacity — the interpretation of the values is the landlord’s responsibility.

Retention period: Verification results are valid for 90 days. The data will be deleted no later than six (6) months after expiry of the validity period, unless statutory retention obligations apply.

i) Use of the Credit Check
To supplement your application documents, a credit check may be carried out. For this purpose, your name, address, and date of birth are processed in order to obtain a credit report from an affiliated credit agency.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest of the landlord in assessing financial capacity) and Art. 6(1)(b) GDPR (performance of contract for the requested service).

rentcard receives only a reduced credit result in the form of a traffic light color (Green = no known payment issues, Yellow = minor irregularities, Red = payment issues present, Grey = insufficient data). Detailed credit data is not stored by rentcard.

Alternatively, you may upload your own credit report (e.g. SCHUFA self-disclosure), the authenticity of which rentcard verifies via QR code.

The credit check is carried out by CRIF GmbH as an independent data controller. The relationship between rentcard and CRIF is not one of data processing, but a transfer of data between independent controllers.

The credit result will only be shared with the landlord with your explicit consent.

j) Use of Digital Identity Verification
You may undergo digital identity verification to confirm your details. Personal data such as your name, date of birth, ID document data, and photo or video sequences (e.g. liveness check) are processed. Identity verification involves the processing of biometric data within the meaning of Art. 9(1) GDPR (comparison of the selfie with the ID photo). This biometric processing is carried out exclusively by Veriff OÜ — rentcard does not store any images, ID document data, or biometric data.

Legal basis: Art. 6(1)(b) GDPR (performance of contract). For the processing of biometric data, separate explicit consent is obtained pursuant to Art. 9(2)(a) GDPR. Without this consent, biometric verification will not be carried out. Identity verification via Veriff is optional — as a non-biometric alternative, identity confirmation via bank account (finAPI) is available.

The identity verification service (Veriff OÜ) acts as a data processor (Art. 28 GDPR). Images (front/back of ID, selfie) are transmitted directly from the end device to Veriff — they do not pass through rentcard servers. rentcard receives only: first name, last name, address, and verification status (verified / not verified).

k) Use of Sanctions List Screening
To ensure the integrity of the platform, rentcard may compare personal data against publicly available international sanctions, embargo, and PEP lists. Legal basis: Art. 6(1)(c) GDPR (legal obligations) and Art. 6(1)(f) GDPR. rentcard processes only the screening result and does not make any automated individual decisions.

l) Use of the Rental Deposit Guarantee
You have the option of applying for a rental deposit guarantee through rentcard or carrying out an eligibility check (Chancen-Check). Legal basis: Art. 6(1)(b) GDPR. The insurance partner (R+V Versicherung AG) is an independent data controller. rentcard does not store any risk assessment data.

m) Disclosure of Your Data to the Landlord
Verification results and application documents are only transmitted to the landlord with your explicit consent. Before each release, you will be informed of which data categories will be transmitted to the landlord. You may exclude individual modules or results from the release.

The legal basis for the transmission is Art. 6(1)(f) GDPR (legitimate interest of the landlord in reviewing the rental application). Your consent is additionally obtained.

The principles of data sharing are described in the Shared Data Policy at https://www.rentcard.app/de/shared-data/

n) Note: No Automated Assessment of Your Person
rentcard does not evaluate you and does not make any decision on your rental application. Our platform compiles and verifies information — the decision on the tenancy is made solely by the landlord.

Specifically, this means:

  • We extract salary data from your documents but do not assess whether your income is sufficient.
  • We suggest salary and rent transactions from your bank account and calculate an average — without weighting or evaluation.
  • The credit check is carried out by CRIF GmbH, not by rentcard. We merely pass on the result.
  • The results of the various modules (identity, creditworthiness, income, documents) are displayed to the landlord individually and independently — we do not combine them into an overall profile.

No automated individual decision within the meaning of Art. 22 GDPR takes place. The landlord makes their rental decision manually.

o) Service and Marketing Communications
Transactional messages are sent for the purpose of contract performance (Art. 6(1)(b) GDPR). Marketing emails are sent only with consent (double opt-in). Withdrawal is possible at any time via the unsubscribe link. Legal bases: Art. 6(1)(a) GDPR and § 25(1) TTDSG.

p) When Using the Contact Form
We collect: name, email address, subject, and your message. Legal basis: Art. 6(1)(f) GDPR. Deletion upon completion of the response.

4. Disclosure of Data

Data will not be transferred for purposes other than those listed above.

I) Transmission to the Landlord
Verification results are transmitted to the landlord exclusively with your consent. Legal basis: Art. 6(1)(f) GDPR (legitimate interest of the landlord).

II) For Other Purposes
Beyond this, we only share your data with third parties if:

  • You have given your explicit consent (Art. 6(1)(a) GDPR); or
  • a legal obligation exists (Art. 6(1)(c) GDPR).

III) Use of External Service Providers and Partners

To provide verification services, rentcard works with selected service providers:

a) Mailjet (email communication) — Mailjet SAS, Paris. Data processor. Privacy notice: https://www.mailjet.com/de/rechtliches/sicherheit-datenschutz/

b) Brevo (email marketing) — Sendinblue GmbH, Berlin. Data processor. Privacy notice: https://www.brevo.com/de/legal/privacypolicy/

c) Customer.io (marketing & upselling) — Peaberry Software, Inc. EU data processing. DPA in place. Privacy notice: https://customer.io/legal/privacy-policy

d) HERE Global B.V. (mapping services) — Address validation. Privacy notice: https://legal.here.com/de-de/privacy

e) Stripe (payment processing) — Stripe Payments Europe Ltd., Dublin. Independent data controller. Legal basis: Art. 6(1)(b) GDPR (performance of contract), where payment is made by you as the user. In cases where the landlord bears the costs, no payment data from you is processed. Privacy notice: https://stripe.com/de/privacy

f) OpenSanctions.org (sanctions list screening) — OpenSanctions Project gGmbH, Berlin. Privacy notice: https://www.opensanctions.org/docs/privacy/

g) R+V Versicherung AG (deposit guarantee) — Independent data controller. Privacy notice: https://www.ruv.de/datenschutz

h) Veriff OÜ (identity verification) — Data processor (Art. 28 GDPR). Images transmitted directly from end device to Veriff. Privacy notice: https://www.veriff.com/privacy-notice

i) finAPI GmbH (account information service) — BaFin-regulated (PSD2). Independent data controller. Only released transactions stored at rentcard. Banking credentials/account balance/IBAN never stored. Privacy notice: https://www.finapi.io/privacy-policy/

j) CRIF GmbH (credit check) — Independent data controller. rentcard stores only the traffic light result (Green/Yellow/Red/Grey). Art. 14 GDPR information: https://www.crif.de/datenschutz/

k) Lexoffice and Envoix GmbH (accounting) — Data processors. Privacy notices: https://www.lexoffice.de/datenschutz/ | https://envoix.de/datenschutz

l) Freshdesk (support communication) — Freshworks Inc. Data processor. Privacy notice: https://www.freshworks.com/privacy/

5. Cookies and Pixel Tags

We use cookies on our website. These are small files that your browser automatically creates and stores on your device (laptop, tablet, smartphone, etc.) when you visit our site. Cookies do not cause harm to your device and do not contain viruses, trojans, or other malware.

Cookies store information relating to the device you are using. This does not, however, mean that we immediately become aware of your identity.

We also use pixel tags (also called tracking pixels or web beacons) in our online offering. Pixels are small graphics embedded in the HTML code of our website. The pixel tag itself does not store or modify any information on your device, and pixels similarly cause no harm and contain no malware.

Pixels transmit your IP address, the referrer URL of the visited webpage, the time the pixel was viewed, the browser used, and previously set cookie information to a web server. This enables us to carry out reach measurements and further statistical analyses to optimize our offering.

Cookies serve, on one hand, to make using our offering more convenient. We use session cookies, for example, to recognize that you have previously visited individual pages of our website.

We also use temporary cookies to optimize user-friendliness; these are stored on your device for a defined period. When you visit our site again to use our services, it is automatically recognized that you have been with us before and what inputs and settings you made, so you do not need to enter them again.

We also use cookies to statistically record the use of our website and evaluate it for the purpose of optimizing our offering. These cookies allow us to automatically recognize, upon a return visit, that you have been on our site before. They are automatically deleted after a defined period.

The data processed by cookies is necessary for the stated purposes to protect our legitimate interests and those of third parties, pursuant to Art. 6(1)(1)(f) GDPR.

Most browsers accept cookies automatically. However, you can configure your browser to prevent cookies from being stored on your computer or to display a notice before a new cookie is created. Completely disabling cookies may mean you cannot use all functions of our website. You can also use appropriate tools or browser add-ons that block the use of pixels on our pages (e.g., the “AdBlock” add-on for Firefox). Further opt-out options can be found in the information below about the tools we use.

6. Web Analytics

The tracking and targeting measures listed below that we use are carried out on the basis of Art. 6(1)(1)(f) GDPR.

We use tracking measures to ensure our website is designed to meet user needs and is continuously optimized. We also use tracking to statistically record the use of our website and to optimize our offering for you.

Through targeting measures, we aim to ensure that only advertising aligned with your actual or presumed interests is displayed on your devices.

These interests are considered legitimate within the meaning of the aforementioned provision.

The respective data processing purposes and categories are detailed in the corresponding tracking and targeting tools.

a) Google Analytics

We use Google Analytics on our website, a web analytics service of Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; hereinafter “Google”). Pseudonymized usage profiles are created and cookies are used in this context (see section 5). The information generated by the cookie about your use of this website — including browser type/version, operating system, referrer URL (previously visited page), hostname of the accessing computer (IP address), and time of the server request — is transmitted to a Google server in the USA and stored there.

Data transfer to the USA is based on the EU-US Data Privacy Framework (DPF), which has ensured an adequate level of data protection within the meaning of Art. 45 GDPR since July 2023. We have additionally entered into a data processing agreement with Google for the use of Google Analytics.

The information is used to evaluate use of the website, compile reports on website activity, and provide further services relating to website and internet usage for market research and demand-oriented design of these web pages.

This information may also be transferred to third parties where required by law or where third parties process this data on our behalf. Your IP address will never be merged with other data held by Google. IP addresses are anonymized so that attribution is no longer possible (IP masking).

You can prevent cookies from being installed by adjusting your browser settings accordingly. You can also prevent data collection by Google Analytics by downloading and installing a browser add-on. Alternatively, particularly on mobile devices, you can prevent collection by Google Analytics by setting an opt-out cookie.

b) Google AdWords Conversion Tracking

We use Google Conversion Tracking by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereinafter: “Google”) to statistically record the use of our website and evaluate it for the purpose of optimizing our offering. Google AdWords stores a cookie on your computer if you arrived at our website via a Google ad. These cookies expire after 30 days.

The information generated by the cookie is transmitted to a Google server in the USA and stored there. Data transfer to the USA is based on the EU-US Data Privacy Framework (DPF). We have additionally entered into a data processing agreement with Google for the use of Google AdWords.

If you do not wish to participate in the tracking process, you can refuse the setting of a cookie — for example, via a browser setting that generally deactivates the automatic setting of cookies. You can also disable conversion tracking cookies by setting your browser to block cookies from the domain “www.googleadservices.com”. The Google privacy policy for conversion tracking can be found here: https://policies.google.com/privacy

c) Google DoubleClick

On our website, cookies are used to collect and analyze information for the optimization of advertising. For this purpose, we use targeting technologies of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (DoubleClick, DoubleClick Exchange Buyer, DoubleClick Bid Manager). These technologies enable us to target you with individually interest-based advertising. The collection and analysis of your user behavior is carried out exclusively on a pseudonymous basis. The cookie is automatically deleted after 30 days. You can adjust interest-based advertising settings via Google’s Ad Settings Manager.

d) Google Tag Manager

Our website uses Google Tag Manager by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Google Tag Manager is used to manage the tools about which we inform you in this privacy policy. The Tag Manager tool itself (which implements the tags) is a cookie-free domain. The tool triggers further tags, which may in turn collect data. Google Tag Manager does not access this data. If a deactivation has been made at the domain or cookie level, this remains in effect for all tracking tags implemented with Google Tag Manager.

e) Google Dynamic Remarketing

We use the features of Google Dynamic Remarketing in conjunction with the cross-device features of Google AdWords and Google DoubleClick. This feature allows interest-based, personalized advertising messages to be displayed on other devices you use as well. If you have given Google the appropriate consent, Google links your web and app browsing history to your Google account for this purpose.

You can permanently opt out of cross-device remarketing/targeting by deactivating personalized advertising in your Google account: https://www.google.com/settings/ads/onweb/

Further information and the privacy policy can be found in Google’s privacy statement at: https://www.google.com/policies/technologies/ads/

f) Mouseflow

We use the analytics tool “Mouseflow” by Mouseflow ApS, Denmark (www.mouseflow.com) on our website and in our applications to record randomly selected visits (only with anonymized IP addresses). This creates a log of mouse movements, mouse clicks, scroll movements, and keyboard interactions, with the aim of replaying individual visits as so-called session replays and evaluating them in the form of heatmaps, in order to derive potential improvements for our website.

Data collected by Mouseflow is not personal and is not shared with third parties. Storage and processing of the collected data takes place within the EU. If you do not wish to be recorded by Mouseflow, you can opt out on all websites that use Mouseflow at the following link: https://mouseflow.com/opt-out/

7. Rights of Data Subjects

You have the right to:

  • Pursuant to Art. 7(3) GDPR, withdraw any consent you have given us at any time. This means we may no longer continue the data processing based on that consent going forward.
  • Pursuant to Art. 15 GDPR, request information about your personal data processed by us, including the purposes of processing, the categories of personal data, the categories of recipients to whom your data has been or will be disclosed, the planned retention period, the existence of a right to rectification, erasure, restriction of processing or objection, the right to lodge a complaint, the origin of your data if not collected directly from you, and the existence of automated decision-making including profiling and, where applicable, meaningful information about the details thereof.
  • Pursuant to Art. 16 GDPR, request the immediate correction of inaccurate or completion of incomplete personal data stored by us.
  • Pursuant to Art. 17 GDPR, request the erasure of your personal data stored by us, unless processing is necessary for the exercise of freedom of expression and information, for compliance with a legal obligation, for reasons of public interest, or for the establishment, exercise, or defense of legal claims.
  • Pursuant to Art. 18 GDPR, request restriction of the processing of your personal data where the accuracy of the data is contested by you, the processing is unlawful but you oppose erasure, we no longer need the data but you require it for the establishment, exercise, or defense of legal claims, or you have objected to processing pursuant to Art. 21 GDPR.
  • Pursuant to Art. 20 GDPR, receive your personal data that you have provided to us in a structured, commonly used, and machine-readable format, or request its transmission to another controller.
  • Pursuant to Art. 77 GDPR, lodge a complaint with a supervisory authority. As a rule, you may contact the supervisory authority of your habitual residence, place of work, or our place of business.

8. Information about Your Right to Object under Art. 21 GDPR

You have the right, on grounds relating to your particular situation, to object at any time to the processing of personal data concerning you that is carried out on the basis of Art. 6(1)(e) GDPR (processing in the public interest) or Art. 6(1)(f) GDPR (processing based on balancing of interests); this also applies to profiling based on these provisions within the meaning of Art. 4(4) GDPR.

If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or the processing serves the establishment, exercise, or defense of legal claims.

If your objection is directed against the processing of your data for direct marketing purposes, we will cease processing immediately. In this case, there is no need to state a particular situation. This also applies to profiling insofar as it is related to such direct marketing.

If you wish to exercise your right to object, simply send an email to email@iitr.de or privacy@rentcard.id.

9. Data Security

All personal data you transmit to us is encrypted using the generally accepted and secure TLS (Transport Layer Security) standard. TLS is a secure and proven standard also used, for example, in online banking. You can recognize a secure TLS connection by the “s” appended to “http” (i.e., “https://”) in your browser’s address bar, or by the padlock symbol in the lower area of your browser.

We also use appropriate technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction, or unauthorized access by third parties. Our security measures are continuously improved in line with technological developments.

10. Currency and Changes to This Privacy Policy

This privacy policy is currently valid and is dated April 2026.

Due to the ongoing development of our website and the services offered on it, or due to changes in legal or regulatory requirements, it may become necessary to amend this privacy policy. The current version of the privacy policy can be accessed and printed at any time on the website at www.rentcard.app/privacy.
