01Who we are
Renviq is operated as a sole proprietorship by an individual established in the European Union. For the purposes of the GDPR we are the data controller for the personal data described in this policy. Because the operator is established in the EU, no separate representative under GDPR Article 27 is appointed. You can reach our privacy team at support@renviq.io.
If you are a customer of one of our rental operators (you booked a car, motorbike, or boat through them), the operator is the data controller for your booking data and Renviq is a data processor acting on their instructions. This policy describes the data we hold directly — the rental operator's own privacy notice describes the data they hold about you.
Paid Renviq subscriptions are sold through Polar Software Inc. (USA), which acts as the Merchant of Record. Polar is the seller of record on customer invoices and collects all applicable EU VAT and sales taxes. Detailed legal entity information about the operator is provided on invoices issued by Polar.
02What we collect
From visitors to this website: pages you view, the language you chose, approximate region inferred from your IP for the OG image and currency display, and — only if you accept the analytics banner — anonymous product analytics and session heatmaps.
From signed-up users of the Renviq application: your name, email, hashed password, the workspace you belong to, the actions you take in the app, and metadata about your sessions. We do not collect payment card numbers — those are handled directly by our billing provider and never touch our servers.
We do not buy, rent, or otherwise acquire personal data about you from third parties.
03Lawful basis
We rely on three GDPR lawful bases depending on the activity. Contract: processing necessary to provide the service you signed up for — your account, your data in the app, your invoices. Legitimate interest: keeping the service secure, preventing abuse, and improving the product (analytics rely on your prior opt-in, not legitimate interest). Consent: explicit opt-in for analytics cookies and for marketing emails.
You can withdraw consent for analytics at any time by clicking 'Manage cookies' at the bottom of any page. Withdrawing consent does not affect processing that already happened.
04How we use your data
To run your account: authentication, sending you transactional email (sign-up confirmation, password reset, invoice receipts), keeping your data safe, and providing customer support when you contact us.
To improve the product: aggregated, anonymous analytics about which features get used, where users get stuck, and which pages load slowly. This relies on the analytics consent you give on the banner — opt out and this stops for you.
We do not sell your data. We do not share your data with advertisers. We do not build a profile of you to sell to anyone.
05How long we keep it
Account data: kept while your account is active and for 12 months after you close it, so we can restore the account if you change your mind and so we can respond to any disputes or chargebacks that arrive after closure.
Invoicing and financial records: kept for as long as the law of your country of establishment requires us to keep them — typically 7 to 10 years for tax records.
Web analytics: anonymous events expire after 12 months. Server access logs are kept for 30 days for security and abuse investigation, then deleted.
06Subprocessors
We use the following third-party processors to deliver the service. We have a data processing agreement (DPA) with each one. We do not add a new subprocessor without updating this list.
If your organization needs a signed standalone DPA with us, see /legal/dpa for how to request one.
- Polar Software Inc.
Merchant of Record for paid plans — billing, invoicing, EU VAT collection, refunds.
USA (Delaware) — transfers covered by SCCs in Polar's DPA
- netcup GmbH
Application server hosting (web, API, background workers).
EU (Germany)
- Neon Inc.
Managed PostgreSQL database — stores application data (fleet, bookings, customer records, invoices).
Data in EU (AWS Frankfurt); Neon Inc. is US-incorporated — SCCs in Neon's DPA
- Cloudflare, Inc.
CDN, DDoS protection, edge proxying, and R2 object storage of customer files (KYC documents, agreements, invoices, vehicle photos).
USA (Delaware), global edge; file storage in EU — SCCs in Cloudflare's DPA
- PostHog
Product analytics, loaded only after consent.
EU Cloud (eu.posthog.com)
- Plerdy
Session heatmaps and recordings, loaded only after consent.
Ukraine
- Resend
Transactional email (sign-up confirmations, password resets, invitations).
USA (Delaware) — transfers covered by SCCs in Resend's DPA
- Functional Software, Inc. (Sentry)
Application error and performance monitoring; reports may incidentally contain personal data.
USA — transfers covered by SCCs in Sentry's DPA
- Groq, Inc.
AI-assisted OCR of uploaded documents (vehicle registration, identity documents) to auto-fill data entry.
USA — transfers covered by SCCs in Groq's DPA
07Your rights under GDPR
You have the right to access the data we hold about you, to correct it if it's wrong, to ask us to delete it (subject to legal retention obligations), to restrict our processing, to receive a copy in a portable format, and to object to processing based on legitimate interest. You can also lodge a complaint with your national data protection authority.
To exercise any of these rights, email support@renviq.io from the address attached to your account. We respond within 30 days, free of charge.
08International transfers
Our application servers run in the EU (netcup, Germany) and our database runs on Neon (AWS, Frankfurt). Customer data is stored within the EU.
Several subprocessors are US-incorporated: Polar (billing), Cloudflare (CDN/edge and file storage), Resend (email), Sentry (error monitoring), and Groq (document OCR). For all transfers outside the EU we rely on the standard contractual clauses (SCCs) included in those subprocessors' data processing agreements. One analytics subprocessor, Plerdy, is located in Ukraine (outside the EU); it loads only after you accept analytics cookies, and this transfer relies on your consent.
09Security
We use industry-standard measures to protect your data: TLS in transit, encryption at rest for the database, strict tenant isolation enforced in the application layer on every data query, hashed passwords with a modern algorithm, and regular dependency audits. No system is perfectly secure, but we treat security as a continuous operational priority rather than a one-time audit.
If we discover a personal data breach that's likely to result in a risk to your rights, we will notify the relevant data protection authority within 72 hours and notify affected users without undue delay.
10Children
Renviq is a B2B product. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, contact support@renviq.io and we will delete it.
11Changes to this policy
We will update this page when the policy changes — the 'Last updated' date at the top reflects the most recent revision. Material changes (new subprocessors, new categories of data, new purposes) will also be notified to active users by email.
12Contact
Privacy questions, data subject requests, and breach reports: support@renviq.io. General enquiries: support@renviq.io.