Data Processing Agreement
(Data Processing Agreement - DPA)
entered into on the date on which the provision of the Services commences, between:
THE DATA CONTROLLER (hereinafter referred to as the "User" or the "Controller"):
[User's details - filled in automatically based on the registration data]
and
THE PROCESSOR (hereinafter referred to as "Rentymate" or the "Processor"):
Ksenia Krzyżanowska, conducting business activity under the business name Rentymate Ksenia Krzyżanowska
Address: ul. Miętowa 40, 42-680 Tarnowskie Góry
NIP: 6482745410
REGON: 243425599
E-mail: [email protected]
§ 1. DEFINITIONS AND INTERPRETATION
1.1. The terms used in this Agreement shall mean:
- GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;
- Personal Data – any information relating to an identified or identifiable natural person, processed by Rentymate on behalf of the User in connection with the provision of the Services;
- Processing – any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, making available, alignment, combination, restriction, erasure or destruction;
- Services – the services provided by Rentymate to the User under the Terms of Service of the Rentymate Application, consisting of granting access to the Application used for managing equipment rental;
- Application – the Rentymate web and mobile application for managing equipment rental;
- Personal Data Breach – a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to Personal Data;
- Subprocessor – another data processor engaged by Rentymate to carry out the Processing of Personal Data;
- Supervisory Authority – an independent public authority established by a Member State in accordance with Article 51 of the GDPR, in particular the President of the Personal Data Protection Office (UODO) (Poland).
1.2. This Agreement constitutes an integral part of the agreement for the provision of the Services concluded between the User and Rentymate (as set out in the Terms of Service of the Application).
§ 2. SUBJECT MATTER AND SCOPE OF THE AGREEMENT
2.1. Under this Agreement, the User entrusts Rentymate with the Processing of Personal Data, and Rentymate undertakes to Process such Personal Data solely in accordance with the User's documented instructions and the requirements of the GDPR and other applicable personal data protection laws.
2.2. Subject matter of the Processing:
Personal data of the User's end customers (natural persons renting equipment from the User)
2.3. Nature and purpose of the Processing:
- Storing and managing the data of the User's customers within the functionality of the Application
- Enabling the User to keep records of rentals, reservations and payments
- Sending notifications to the User's customers on the User's behalf (e-mail, SMS)
- Generating reports and documents (invoices, rental agreements)
2.4. Categories of Personal Data:
- Identification data: first name, surname
- Contact data: e-mail address, telephone number, postal address, city, postal code, country
- Transaction data: rental history, payments, reservations
- Other data voluntarily entered by the User
2.5. Categories of Data Subjects:
The User's end customers (natural persons renting equipment)
2.6. Duration of the Processing:
- For the duration of the agreement for the provision of the Services between the User and Rentymate
- Up to 90 days after the termination of the agreement (archiving period) - with the possibility of earlier deletion at the User's request
§ 3. OBLIGATIONS OF RENTYMATE AS PROCESSOR
3.1. Processing in accordance with instructions:
Rentymate undertakes to Process Personal Data solely:
- On the documented instructions of the User, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by Union or Member State law to which Rentymate is subject; in such a case, Rentymate shall inform the User of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest;
- To the extent necessary for the provision of the Services set out in the Terms of Service and this Agreement.
3.2. Confidentiality:
Rentymate ensures that persons authorized to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3.3. Security of Personal Data:
Rentymate implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk associated with the Processing of Personal Data, in particular in order to protect against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to Personal Data.
The security measures include, in particular:
- Encryption of data in transit (SSL/TLS - HTTPS)
- Encryption of sensitive data in the database
- Regular data backups
- Access control - restricting access to Personal Data solely to authorized persons
- Multi-factor authentication (MFA) for administrative accounts
- Firewall and network-level threat detection
- Security monitoring and logging of security events
- Regular security updates and security patches
- Protection against DDoS attacks (Cloudflare)
- Separation of production and non-production environments
- Security incident management procedures
3.4. Assistance in fulfilling data subjects' rights:
Taking into account the nature of the Processing, Rentymate shall, to the extent possible, assist the User in fulfilling its obligation to respond to requests by a data subject to exercise the rights laid down in Chapter III of the GDPR (in particular: the right of access, rectification, erasure, restriction of processing, data portability, and objection).
To this end, Rentymate:
- Provides the User with data export functions in the Application panel (JSON, CSV, XML)
- Enables the User to modify and delete Personal Data independently
- In the event of receiving a request directly from a data subject, promptly forwards that request to the User
- Cooperates with the User in fulfilling data subjects' requests within a timeframe enabling the User to meet the deadlines prescribed by the GDPR
3.5. Assistance in ensuring compliance:
Taking into account the nature of the Processing and the information available to Rentymate, Rentymate assists the User in fulfilling the obligations set out in Articles 32-36 of the GDPR, concerning:
- Security of Processing (Article 32 of the GDPR)
- Notification of a Personal Data Breach (Articles 33-34 of the GDPR)
- Data protection impact assessment (Article 35 of the GDPR)
- Prior consultation (Article 36 of the GDPR)
3.6. Personal Data Breaches:
In the event of a Personal Data Breach, Rentymate shall, without undue delay and, where feasible, no later than within 72 hours of becoming aware of the Breach:
- Notify the User of the Breach
- Provide the User with the following information (insofar as it is available):
- a description of the nature of the Breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned by the Breach
- a description of the likely consequences of the Breach
- a description of the measures taken or proposed by Rentymate to address the Breach, including, where appropriate, measures to mitigate its possible adverse effects
- Cooperate with the User in investigating the Breach and taking remedial action
- Document the Breach in accordance with the requirements of Article 33(5) of the GDPR
3.7. Audit and inspection:
Rentymate makes available to the User all information necessary to demonstrate compliance with the obligations set out in Article 28 of the GDPR. In the first instance, Rentymate satisfies the User's audit rights by providing relevant documentation, descriptions of its technical and organizational measures and any available third-party certifications or audit reports of its infrastructure providers.
An on-site inspection conducted by the User or an independent auditor mandated by the User (and bound by confidentiality) may be carried out only where the documentation made available is not sufficient to demonstrate compliance, or following a Personal Data Breach affecting the User's data, or where required by a Supervisory Authority.
Audit conditions:
- An on-site inspection may take place at most once per calendar year (unless a Personal Data Breach or a requirement of the Supervisory Authority justifies otherwise)
- The User shall notify Rentymate of its intention to conduct an audit at least 30 days in advance
- The audit shall be conducted during business hours and in a manner that minimizes disruption to Rentymate's operations, and shall not grant access to the data of other Rentymate customers or to information that would compromise the security of other customers
- The User or the auditor undertake to maintain the confidentiality of information obtained during the audit
- The costs of the audit shall be borne by the User
3.8. Deletion or return of Personal Data:
After the provision of the Services relating to the Processing has ended, Rentymate shall, at the User's choice:
- Delete all Personal Data, or
- Return to the User all Personal Data in a machine-readable format (JSON, CSV, XML) and subsequently delete the existing copies
Exception: Rentymate may retain Personal Data to the extent that its storage is required by Union or Member State law to which Rentymate is subject.
Procedure:
- After the termination of the agreement, Rentymate retains the Personal Data for 90 days (archiving period)
- During this period, the User may export all data using the export function
- After the expiry of the 90 days (or earlier, at the User's request), Rentymate permanently deletes all Personal Data
- Rentymate confirms the deletion of the data upon the User's written request
§ 4. SUBPROCESSORS
4.1. Consent to the use of Subprocessors:
The User grants Rentymate general authorization to engage Subprocessors for the Processing of Personal Data.
4.2. Current list of Subprocessors:
Rentymate uses the following Subprocessors:
| Subprocessor Name | Location | Service | Transfer safeguards |
|---|---|---|---|
| Hetzner Online GmbH | Germany (EU) | Server hosting | Location within the EU |
| Cloudflare, Inc. | USA | CDN, security | EU-US DPF, SCC |
| BetterStack, Inc. | USA | Monitoring, logs | SCC |
| Mailtrap (Railsware Products Studio LLC) | USA | E-mail delivery | SCC |
| Stripe, Inc. | USA | Payments (transaction data, no end-customer data) | EU-US DPF, SCC |
| Intercom, Inc. | USA | In-app customer support chat (only data the User voluntarily includes in messages) | SCC |
NOTE: AI providers (Google Gemini, OpenAI) do NOT process the Personal Data of the User's end customers under this DPA.
4.3. Obligations regarding Subprocessors:
Rentymate ensures that:
- A written agreement is concluded with each Subprocessor, imposing on the Subprocessor essentially the same data protection obligations as those set out in this Agreement
- The Subprocessor provides sufficient guarantees to implement appropriate technical and organizational measures
- Where a Subprocessor fails to fulfil its data protection obligations, Rentymate remains fully liable to the User for the performance of that Subprocessor's obligations
4.4. Notification of changes:
Rentymate informs the User of any intended changes concerning the addition or replacement of Subprocessors by means of:
- Updating the list of Subprocessors set out in § 4.2 of this Agreement, available at: www.rentymate.com/dpa
- An e-mail notification sent at least 30 days before the new Subprocessor begins Processing
4.5. Right to object:
The User has the right to object to the engagement of a new Subprocessor within 14 days of receiving the notification referred to in § 4.4(b).
In the event of a justified objection:
- Rentymate will take reasonable steps to provide an alternative solution enabling the provision of the Services without involving that Subprocessor, or
- The User has the right to terminate the agreement for the provision of the Services with immediate effect and without any contractual penalties
§ 5. TRANSFERS OF DATA OUTSIDE THE EEA
5.1. General principles:
The Processing of Personal Data takes place primarily within the European Economic Area (EEA). However, some Subprocessors may process Personal Data outside the EEA (in particular in the USA).
5.2. Transfer safeguards:
In the event of a transfer of Personal Data outside the EEA, Rentymate ensures that such transfer takes place solely by means of one of the following mechanisms set out in Chapter V of the GDPR:
- A European Commission decision establishing an adequate level of protection (Article 45 of the GDPR), including the EU-US Data Privacy Framework
- Standard Contractual Clauses (SCC) approved by the European Commission (Article 46(2)(c) of the GDPR)
- Binding corporate rules (Article 47 of the GDPR)
- Other mechanisms compliant with Articles 46-49 of the GDPR
5.3. Additional security measures:
In the event of a data transfer to the USA, Rentymate additionally:
- Verifies that the Subprocessor is certified under the EU-US Data Privacy Framework (where applicable)
- Carries out a Transfer Impact Assessment
- Implements additional technical measures (e.g. end-to-end encryption) where possible
5.4. Information for the User:
The current list of Subprocessors processing data outside the EEA, together with the safeguards applied, is set out in § 4.2 of this Agreement, available at: www.rentymate.com/dpa
§ 6. LIABILITY
6.1. Rentymate's liability:
Rentymate is liable for damage caused by the Processing on the terms set out in Article 82 of the GDPR and in the agreement for the provision of the Services.
6.2. Exclusions and limitations of liability:
Rentymate is not liable for:
- Damage resulting from the User's acts or omissions that are inconsistent with the GDPR or this Agreement
- Damage resulting from the User's instructions that are contrary to the GDPR or other provisions of law
- Damage resulting from force majeure
- Damage caused by Subprocessors, to the extent that Rentymate has demonstrated that it exercised due diligence in their selection and supervision
6.3. Duty to cooperate:
The Parties undertake to cooperate with each other in:
- Minimizing damage in the event of a Personal Data Breach
- Cooperation with Supervisory Authorities
- Fulfilling data subjects' rights
§ 7. OBLIGATIONS OF THE USER AS CONTROLLER
7.1. The User represents and warrants that:
- It is the controller of the Personal Data within the meaning of the GDPR
- It Processes the Personal Data in accordance with the GDPR and other data protection provisions
- It has an appropriate legal basis for the Processing of the Personal Data (e.g. consent, contract, legitimate interest)
- It has provided the data subjects with the information required by Articles 13-14 of the GDPR
- The Personal Data provided to Rentymate is accurate and up to date
7.2. The User bears sole responsibility for:
- The compliance of the Processing of Personal Data with the GDPR
- Obtaining appropriate consents or establishing another legal basis for the Processing
- Informing its customers of the entrustment of the Processing of their data to Rentymate
- Fulfilling the rights of its customers (access, rectification, erasure, restriction, portability, objection)
- Carrying out a data protection impact assessment (DPIA) - where required
- Reporting a Personal Data Breach to the Supervisory Authority and to data subjects (based on the information provided by Rentymate)
7.3. The User undertakes to provide Rentymate only with such Personal Data the Processing of which is necessary for the provision of the Services.
§ 8. DURATION AND TERMINATION OF THE AGREEMENT
8.1. This Agreement enters into force on the date on which Rentymate begins providing the Services to the User and remains in effect for the entire duration of the agreement for the provision of the Services.
8.2. The Agreement terminates automatically upon the termination of the agreement for the provision of the Services.
8.3. Upon termination of the Agreement, Rentymate acts in accordance with § 3.8 (deletion or return of Personal Data).
§ 9. FINAL PROVISIONS
9.1. Order of precedence:
In the event of a conflict between the provisions of this Agreement and the agreement for the provision of the Services (the Terms of Service), the provisions of this Agreement shall prevail with respect to the Processing of Personal Data.
9.2. Amendments to the Agreement:
Rentymate reserves the right to introduce amendments to this Agreement in the following cases:
- Changes in the laws relating to the protection of personal data
- Guidelines or recommendations of Supervisory Authorities
- Changes in the functionality of the Services
- Changes of Subprocessors
The User will be notified of any amendments 30 days in advance. The absence of an objection within 14 days of the notification shall be deemed acceptance of the amendments. In the event of an objection, the User has the right to terminate the agreement for the provision of the Services.
9.3. Governing law and jurisdiction:
This Agreement is governed by Polish law. Any disputes shall be settled by the common courts having jurisdiction over Rentymate's registered seat.
9.4. Severability clause:
In the event that any provision of this Agreement is found to be invalid or ineffective, the remaining provisions shall remain in full force. The invalid or ineffective provision shall be replaced by a valid and effective provision that achieves, to the fullest extent possible, the purpose of the invalid or ineffective provision.
9.5. Availability of the Agreement:
The current version of this Agreement is available:
- In the user panel of the Application (downloadable in PDF format)
- At: www.rentymate.com/dpa
- Upon request: [email protected]
Effective date: January 1, 2026
ACKNOWLEDGMENT OF ACCEPTANCE:
The User's commencement of use of the Services constitutes acceptance of this Data Processing Agreement.