Privacy Notice

RentCloud provides cloud-based operational software for car-rental companies. This policy explains what personal data we collect, why, and your rights under the GDPR and applicable laws in the markets we serve.

This Privacy Notice is issued by RentCloud ("RentCloud", "we", "us"), the controller of personal data processed via the RentCloud platform (the dashboard at app.rentcloud.ai, the partner portal, and the customer-facing kiosk and signing surfaces).

You can contact our data team at privacy@rentcloud.ai for any question about how your data is handled, or to exercise the rights described in section 7.

When you book a vehicle through a partner using RentCloud, the rental partner is the controller of your booking, contract, payment, and identification data. RentCloud acts as a processor on their instructions, under a data processing agreement aligned with Article 28 GDPR.

When you sign up as a RentCloud user (partner staff, super-admin, ops user), RentCloud is the controller of your account, sign-in, and audit-log data.

• Account data — name, email, hashed password, role, language preference, two-factor configuration, audit timestamps.
• Booking & contract data — names, addresses, booking references, vehicle and pricing details, contract PDFs.
• Identification data — driver's license number, ID document number, expiry dates, scan images. Stored encrypted at rest; access logged.
• Payment data — Stripe customer + payment-method references. RentCloud never sees or stores raw card numbers; they remain inside Stripe's PCI-DSS Level 1 environment.
• Vehicle handover data — handover/return photos, signatures (drawn or remote-link), odometer + fuel readings, damage notes.
• Technical data — IP address, user-agent, session token hash, audit-log entries describing actions you took inside the dashboard.

• Contract performance (Art. 6(1)(b)) — for the rental contract you sign with a partner and the platform subscription contract partners hold with RentCloud.
• Legal obligation (Art. 6(1)(c)) — invoice retention (10 years), accident reporting, KYC on payment instruments.
• Legitimate interest (Art. 6(1)(f)) — fraud detection, deposit-free rental risk scoring, security monitoring, and aggregate product analytics. Balanced against the "reasonable expectations of the renter" test.
• Consent (Art. 6(1)(a)) — marketing email and optional AI-assist features. You can withdraw consent at any time from Settings → Notifications.

• Contracts & invoices — 10 years after rental completion (Belgian commercial-code minimum).
• ID and licence scans — 5 years after rental completion or until you exercise your erasure right, whichever comes first.
• Audit logs — 2 years rolling.
• Closed user accounts — anonymised (PII fields cleared) within 30 days of closure, then retained in anonymous form for product analytics.

We share the data above with the following categories of recipients:

• Sub-processors — AWS (eu-central-1 hosting), Resend (transactional email), Stripe (payments), Supabase (file storage), Vercel (frontend delivery), Anthropic + Google AI (Cloud / advisory features, anonymised prompts only).
• Rental partner staff — for bookings you make with them, restricted to the bookings on their tenant.
• Authorities — when ordered by a Belgian or EU judicial authority.

A current sub-processor list is available on request. None of the recipients above are based outside the EEA, with the exception of Anthropic and Stripe (US) — those transfers happen under Standard Contractual Clauses.

Under GDPR Articles 15–22 you can request:

• access to your personal data,
• rectification of inaccurate data,
• erasure (subject to retention obligations above),
• restriction or objection to processing based on legitimate interest,
• portability of the data you provided to us,
• to lodge a complaint with the Belgian Data Protection Authority (gegevensbeschermingsautoriteit.be).

Email privacy@rentcloud.ai to exercise any of these. We answer within 30 days.

Data is encrypted in transit (TLS 1.2+) and at rest (AES-256 on S3 + RDS). Passwords are hashed with bcrypt (cost 10). Access to production data is restricted to a small set of named operators via SSO + MFA + an SSM-only bastion. Every action against the dashboard is recorded in the audit log.

Material changes are announced by email at least 14 days before they take effect, and the new version is published here with an updated date at the top. Continued use after the effective date constitutes acceptance.