Rentymate App Privacy Policy

Effective date: January 1, 2026

1. GENERAL INFORMATION

1.1. This Privacy Policy sets out the rules for processing the personal data of users of the Rentymate app (hereinafter: "the App") and explains what data we collect, for what purpose, and how we protect it.

1.2. The Controller of personal data is:

Ksenia Krzyżanowska, conducting business activity under the name Rentymate Ksenia Krzyżanowska

Address: ul. Miętowa 40, 42-680 Tarnowskie Góry

NIP: 6482745410

REGON: 243425599

E-mail: [email protected]

(hereinafter: "the Controller" or "we")

1.3. The Controller can be contacted:

  • by electronic mail: [email protected]
  • by postal mail: ul. Miętowa 40, 42-680 Tarnowskie Góry

1.4. The Controller processes personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR), as well as the Act of 10 May 2018 on the Protection of Personal Data.

2. CATEGORIES OF PERSONAL DATA PROCESSED

2.1. The Controller processes the following categories of personal data of App users:

  • Registration and contact data:
    • first name and surname
    • e-mail address
    • telephone number
    • company name (if applicable)
  • Payment and billing data:
    • data necessary to issue an invoice (first name and surname / company name, address, NIP)
    • transaction and payment history (excluding payment card data)
  • Technical data:
    • IP address
    • device data (device type, operating system, browser)
    • data on activity within the App (logs, click history, features used)
    • cookies and similar technologies
  • Communication data:
    • e-mail correspondence with the Controller
    • messages sent via the chat in the App (Intercom)
    • requests, complaints, reviews
  • Content entered by the user:
    • product descriptions
    • product photos
    • reservation and rental data
    • other content saved in the Account

2.2. IMPORTANT NOTICE - Data of users' customers:

The Controller informs that App users (e.g. companies renting out equipment) store in the App the personal data of their end customers (e.g. first name, surname, e-mail, telephone, address of customers renting equipment).

With respect to this data:

  • The App User is the controller of their customers' data
  • Rentymate is the Processor of this data
  • The User bears full responsibility for the compliance of the processing of their customers' data with the GDPR
  • The detailed rules of this processing are set out in the Data Processing Agreement (DPA), available in § 9 of this Policy and as a separate document

3. PURPOSES AND LEGAL BASES FOR DATA PROCESSING

3.1. The Controller processes personal data for the following purposes and on the following legal bases:

Purpose of processing Legal basis (GDPR) Categories of data
Registration and maintenance of the user Account Art. 6(1)(b) – performance of a contract Registration data, technical data
Provision of Services within the App Art. 6(1)(b) – performance of a contract All user data, content entered
Handling of payments and issuing invoices Art. 6(1)(b) – performance of a contract, Art. 6(1)(c) – legal obligation (tax regulations) Payment and billing data
Handling of complaints and inquiries Art. 6(1)(b) – performance of a contract, Art. 6(1)(f) – legitimate interest of the Controller Contact data, communication data
Sending system and transactional notifications Art. 6(1)(b) – performance of a contract E-mail address, telephone number
Direct marketing (newsletters, remarketing) Art. 6(1)(a) – consent (in the case of non-customers), Art. 6(1)(f) – legitimate interest (in the case of customers – soft opt-in) E-mail address, technical data
Analytics and statistics (Google Analytics, Hotjar) Art. 6(1)(a) – consent (if required by cookies) or Art. 6(1)(f) – legitimate interest Technical data, activity data
Remarketing (Google Ads, Facebook Pixel) Art. 6(1)(a) – consent Technical data, cookie identifiers
Ensuring security and detecting abuse Art. 6(1)(f) – legitimate interest of the Controller Technical data, logs, IP address
Technical support (Intercom) Art. 6(1)(b) – performance of a contract, Art. 6(1)(f) – legitimate interest Contact data, communication data
Server monitoring and error diagnostics (BetterStack) Art. 6(1)(f) – legitimate interest of the Controller Technical data, server logs
Pursuing claims and defending against claims Art. 6(1)(f) – legitimate interest of the Controller All data necessary for the matter
Archiving for evidentiary purposes Art. 6(1)(f) – legitimate interest of the Controller Data related to the performance of the contract
AI features (generating descriptions, editing photos) Art. 6(1)(b) – performance of a contract Product descriptions, product photos

3.2. The legitimate interest of the Controller includes, in particular:

  • ensuring the security of IT systems
  • detecting and preventing abuse, spam, and fraud
  • improving the quality of services and the functionality of the App
  • conducting marketing activities towards existing customers
  • pursuing claims and defending against claims
  • ensuring compliance with legal requirements

4. RECIPIENTS OF PERSONAL DATA

4.1. Personal data may be transferred to the following categories of recipients:

  • Payment service providers:
    • Stripe, Inc. (USA) - payment processing
    • Data transfer: USA (EU-US Data Privacy Framework)
  • AI service providers:
    • OpenAI, LP (USA) - AI content generation
    • Google LLC (USA) - AI content generation (Gemini)
    • Data transfer: USA (EU-US Data Privacy Framework)
    • NOTE: Data is not used to train AI models
  • IT infrastructure providers:
    • Hetzner Online GmbH (Germany) - server hosting
    • Cloudflare, Inc. (USA) - CDN and security
    • BetterStack, Inc. (USA) - server monitoring and logs
  • Marketing and analytics tools:
    • Google Ireland Limited (Ireland) - Google Analytics, Google Ads
    • Meta Platforms Ireland Limited (Ireland) - Facebook Pixel
    • Hotjar Ltd (Malta) - user behavior analytics
    • Mailtrap (Railsware Products Studio LLC) (USA) - sending transactional e-mails
  • Communication tools:
    • Intercom, Inc. (USA) - chat and customer support
  • Other entities:
    • Providers of legal, accounting, and audit services
    • State authorities (upon lawful request)

4.2. All recipients are obliged to ensure appropriate safeguards for personal data. With entities that process data on our behalf, we conclude data processing agreements (DPAs) in accordance with Art. 28 of the GDPR.

4.3. In the case of a transfer of data outside the European Economic Area (EEA), we apply appropriate safeguards, such as:

  • Standard Contractual Clauses approved by the European Commission (SCC)
  • Certification under the EU-US Data Privacy Framework
  • Other mechanisms compliant with Chapter V of the GDPR

5. DATA RETENTION PERIOD

5.1. Personal data is retained for the following periods:

  • Data related to the performance of the contract:
    • For the duration of the contract
    • Subsequently, for an archiving period: up to 90 days after the termination of the contract (with the option of earlier deletion upon request)
  • Data for accounting and tax purposes:
    • 5 years from the end of the year in which the tax obligation arose (in accordance with tax regulations)
  • Marketing data (consent):
    • Until consent is withdrawn or for a maximum of 3 years from the last activity
    • After withdrawal of consent: deleted without delay
  • Data for the purpose of pursuing claims:
    • For the period of limitation of claims resulting from legal provisions (up to 6 years)
  • Server logs and technical data:
    • A maximum of 12 months (for security and diagnostic purposes)
  • Data in analytics cookies:
    • In accordance with the retention periods of the tools: Google Analytics (14 months), Hotjar (12 months)

5.2. After the expiry of the above periods, data is permanently deleted or anonymized in a manner that prevents the identification of the individual.

6. RIGHTS OF DATA SUBJECTS

6.1. The data subject is entitled to the following rights:

  • Right of access to data (Art. 15 GDPR):
    • The right to obtain information on whether the Controller processes personal data
    • The right to obtain a copy of the data
  • Right to rectification of data (Art. 16 GDPR):
    • The right to request the correction of inaccurate data
    • The right to have incomplete data completed
  • Right to erasure of data - "right to be forgotten" (Art. 17 GDPR):
    • The right to request the erasure of data in specified cases
    • This right does not apply if the processing is necessary, e.g. to pursue claims or to fulfill a legal obligation
  • Right to restriction of processing (Art. 18 GDPR):
    • The right to request the restriction of data processing in specified situations
  • Right to data portability (Art. 20 GDPR):
    • The right to receive data in a structured, commonly used, machine-readable format (JSON, CSV, XML)
    • The right to transmit this data to another controller
    • The data export function is available in the user panel
  • Right to object (Art. 21 GDPR):
    • The right to object to the processing of data on the basis of the legitimate interest of the Controller
    • The right to object to the processing of data for marketing purposes (at any time)
  • Right to withdraw consent (Art. 7(3) GDPR):
    • In the case of processing based on consent: the right to withdraw consent at any time
    • The withdrawal of consent does not affect the lawfulness of processing carried out before its withdrawal
  • Right to lodge a complaint with a supervisory authority (Art. 77 GDPR):
    • The right to lodge a complaint with the President of the Personal Data Protection Office (UODO) (ul. Stawki 2, 00-193 Warszawa, www.uodo.gov.pl)

6.2. To exercise the above rights, please contact the Controller via:

6.3. The Controller responds to requests concerning GDPR rights without undue delay, and no later than within one month of receiving the request. Where necessary, this period may be extended by a further two months on account of the complex nature of the request or the number of requests.

7. COOKIES AND SIMILAR TECHNOLOGIES

7.1. What are cookies?

Cookies are small text files saved on the user's device (computer, phone, tablet) while browsing websites. Cookies allow a website to recognize the user's device on subsequent visits.

7.2. What types of cookies do we use?

  • Strictly necessary cookies:
    • Purpose: to enable the basic operation of the App (login, user session, cart)
    • Legal basis: Art. 6(1)(b) and (f) GDPR - performance of a contract and legitimate interest
    • Retention period: session or up to 1 year
    • Do not require consent
  • Functional cookies:
    • Purpose: to remember the user's preferences (language, settings)
    • Legal basis: Art. 6(1)(f) GDPR - legitimate interest
    • Retention period: up to 1 year
    • Require consent
  • Analytics cookies:
    • Providers: Google Analytics, Hotjar
    • Purpose: analysis of website traffic, statistics, UX optimization
    • Legal basis: Art. 6(1)(a) GDPR - consent
    • Retention period: up to 14 months (Google Analytics), up to 12 months (Hotjar)
    • Require consent
  • Marketing and advertising cookies:
    • Providers: Google Ads, Facebook Pixel
    • Purpose: remarketing, ad personalization, conversion tracking
    • Legal basis: Art. 6(1)(a) GDPR - consent
    • Retention period: up to 13 months
    • Require consent

7.3. Managing cookies:

The User may at any time:

  • Manage their cookie preferences via the cookie banner on the website
  • Delete cookies saved in the browser
  • Block cookies in the browser settings

Instructions for managing cookies in popular browsers:

  • Chrome: chrome://settings/cookies
  • Firefox: about:preferences#privacy
  • Safari: Preferences > Privacy
  • Edge: edge://settings/privacy

7.4. Consequences of rejecting cookies:

Rejecting strictly necessary cookies may make it impossible to use certain features of the App (e.g. login, session retention). Rejecting analytics and marketing cookies does not affect the functionality of the App.

7.5. Third-party cookies:

Some cookies are set by third parties (Google, Facebook, Hotjar, Intercom). The Controller has no direct control over these cookies. We recommend reviewing the privacy policies of these entities:

  • Google: https://policies.google.com/privacy
  • Facebook: https://www.facebook.com/privacy/explanation
  • Hotjar: https://www.hotjar.com/legal/policies/privacy
  • Intercom: https://www.intercom.com/legal/privacy

8. DATA SECURITY

8.1. The Controller applies appropriate technical and organizational measures to ensure the security of the personal data processed, including:

  • Technical measures:
    • SSL/TLS connection encryption (HTTPS)
    • Encryption of data at rest
    • Regular backups
    • Firewall and network-level threat detection
    • Security updates and security patches
    • Continuous automated monitoring (BetterStack)
    • Protection against DDoS attacks (Cloudflare)
  • Organizational measures:
    • Information security policies
    • Restricted access to personal data (need-to-know basis)
    • Employee training in the field of data protection
    • Confidentiality agreements
    • Security incident response procedures

8.2. In the event of a personal data breach, the Controller will take action in accordance with Art. 33-34 of the GDPR, including:

  • Notification of the supervisory authority (UODO) within 72 hours (if the breach poses a risk to the rights of individuals)
  • Notification of the data subjects (if the breach poses a high risk)

9. PROCESSING OF USERS' CUSTOMERS' DATA - CONTROLLER-PROCESSOR RELATIONSHIP

9.1. As indicated in § 2.2, App users store in the Rentymate system the personal data of their end customers.

9.2. In this relationship:

  • The User (e.g. a company renting out equipment) = the DATA CONTROLLER of their customers
  • Rentymate = the PROCESSOR of this data

9.3. Rentymate processes the data of users' customers solely:

  • On the documented instructions of the user (Controller)
  • To the extent necessary to provide the Services
  • In accordance with the Data Processing Agreement (DPA)

9.4. Obligations of the user as data controller:

The User bears full responsibility for:

  • The compliance of the processing of their customers' data with the GDPR
  • Obtaining the appropriate consents or establishing another legal basis for processing
  • Ensuring that their customers are informed about the processing of their data
  • Exercising the rights of their customers (access, rectification, erasure, etc.)
  • Ensuring that the data entered into the App is accurate and up to date

9.5. Obligations of Rentymate as Processor:

Rentymate undertakes to:

  • Process data solely in accordance with the user's instructions
  • Ensure appropriate security measures
  • Maintain the confidentiality of the data
  • Cooperate with the user in exercising the rights of data subjects
  • Notify the user without delay of any personal data breach
  • Delete or return the data after the provision of the Services has ended

9.6. Data Processing Agreement (DPA):

The detailed terms for processing the data of users' customers are set out in the Data Processing Agreement (DPA), which forms an integral part of the agreement for the provision of Services. The DPA is available:

9.7. Notifications sent by Rentymate:

Rentymate sends e-mail and SMS notifications to users' customers (e.g. about an upcoming reservation, the issuance of an invoice) solely:

  • On behalf of the user (Controller)
  • On their instructions
  • To the extent necessary to provide the Services

The User (Controller) bears responsibility for obtaining the appropriate consents or establishing another legal basis for sending such notifications to their customers.

10. AI FEATURES AND DATA PROCESSING

10.1. The App uses artificial intelligence (AI) for the following features:

  • Generating product descriptions
  • Generating descriptions of product photos
  • Product photo editor

10.2. AI model providers:

  • Google Gemini (Google LLC, USA)
  • OpenAI GPT (OpenAI, LP, USA)

10.3. Data transferred to AI providers:

For the purpose of generating content, only the following is transferred to AI providers:

  • Product descriptions entered by the user
  • Product photos uploaded by the user
  • Other data necessary for context (e.g. product category)

We do NOT transfer:

  • Users' personal data (first name, surname, e-mail, telephone)
  • The data of users' customers
  • Payment and billing data

Product photos are processed by the AI providers as uploaded. The User should not upload to the AI features photographs containing identifiable individuals or other personal data, as such content is not necessary for generating product descriptions.

10.4. Use of data by AI providers:

In accordance with the agreements with AI providers:

  • Data is NOT used to train AI models
  • Data is processed solely for the purpose of generating specific content for the user
  • Data is retained by the providers only transiently and in accordance with their API data-retention policies (which may include short-term retention, typically up to 30 days, for abuse monitoring), after which it is deleted

10.5. Legal basis:

Art. 6(1)(b) GDPR - processing necessary for the performance of a contract

10.6. Data transfer:

  • Data is transferred to the USA
  • Safeguards: EU-US Data Privacy Framework, Standard Contractual Clauses (SCC)

10.7. User rights:

The User has the right to:

  • Not use the AI features (the features are optional)
  • Delete content generated by AI
  • Request information about the processing of data by AI providers

11. MARKETING AND COMMUNICATION

11.1. Transactional and system notifications:

We send notifications concerning:

  • Confirmation of registration and account activation
  • Payment and invoice confirmations
  • Changes to the Terms of Service or the Privacy Policy
  • Technical issues and planned interruptions in the operation of the App
  • Responses to inquiries and complaints

Legal basis: Art. 6(1)(b) GDPR - performance of a contract

The User cannot opt out of these notifications, as they are necessary to provide the Services.

11.2. Marketing newsletter:

We send newsletters containing:

  • Information about new features of the App
  • Tips and advice on using the App
  • Promotions and special offers
  • Invitations to webinars and events

Legal basis:

  • Art. 6(1)(a) GDPR - consent (for non-customers)
  • Art. 6(1)(f) GDPR - legitimate interest (for existing customers - soft opt-in)

The User may at any time:

  • Unsubscribe from the newsletter by clicking the "unsubscribe" link in the e-mail footer
  • Manage communication preferences in the user panel
  • Contact us: [email protected]

11.3. Remarketing:

We use remarketing to display personalized advertisements for the App to individuals who have visited our website or used the App.

Remarketing tools:

  • Google Ads (Google LLC)
  • Facebook Pixel (Meta Platforms Ireland Limited)

Legal basis: Art. 6(1)(a) GDPR - consent (expressed through the acceptance of marketing cookies)

The User may at any time:

  • Withdraw consent to remarketing by managing cookies
  • Disable ad personalization in Google settings: https://adssettings.google.com
  • Disable ad personalization in Facebook settings: https://www.facebook.com/settings?tab=ads

12. PROFILING AND AUTOMATED DECISION-MAKING

12.1. The Controller does not make decisions that are based solely on automated processing, including profiling, and that produce legal effects concerning the user or similarly significantly affect them (Art. 22 GDPR). Where the Controller uses cookie-based profiling for analytics and remarketing purposes (e.g. Google Ads, Facebook Pixel), this takes place only on the basis of the user's consent and does not lead to such decisions.

12.2. Analytics and statistics (Google Analytics, Hotjar) are used solely to:

  • Understand how users use the App
  • Optimize functionality and the interface
  • Improve the quality of the Services

These activities do not result in automated decisions being made concerning specific users.

13. CHANGES TO THE PRIVACY POLICY

13.1. The Controller reserves the right to make changes to this Privacy Policy in the following cases:

  • Changes to legal provisions concerning the protection of personal data
  • Changes to the functionality of the App
  • Changes to the manner of processing personal data
  • The addition of new external tools or services

13.2. Users will be informed of any changes through:

  • Publication of the updated Privacy Policy at www.rentymate.com/privacy-policy
  • E-mail notification (in the case of significant changes)
  • A notice in the user panel upon the next login

13.3. The date of the last update of the Privacy Policy is provided at the beginning of the document.

13.4. The current version of the Privacy Policy is always available at: www.rentymate.com/privacy-policy

14. CONTACT REGARDING DATA PROTECTION

If you have any questions regarding the processing of personal data or wish to exercise your rights, please contact us:

  • E-mail: [email protected]
  • Postal address: Rentymate Ksenia Krzyżanowska, ul. Miętowa 40, 42-680 Tarnowskie Góry

We will respond to all inquiries without undue delay, and no later than within one month of receiving the message.