Privacy Policy

For the provision of this website, we use the web hosting service of Google Cloud EMEA Limited (70 Sir John Rogerson's Quay, Dublin 2, Ireland) in the data centre at 9909 TA Eemshaven. Google is engaged pursuant to Art. 6(1)(f) GDPR. We have concluded a data processing agreement with Google.

You can visit www.rentcard.app without disclosing your identity. Your browser automatically sends information to our server (e.g. date, URL, browser type, referrer URL). The IP address is temporarily stored and deleted after 12 weeks. Legal basis: Art. 6(1)(f) GDPR. We also use cookies and analytics services (see sections 5 and 6).

When you come to rentcard via a landlord, a user account is created for you. For this we require:

• First name, last name, phone number
• a valid email address

Legal basis: Art. 6(1)(f) GDPR (legitimate interest of the landlord in reviewing the rental application) and Art. 6(1)(b) GDPR (performance of a contract).

The following data protection classification applies to verification for landlords:

• The landlord is the controller within the meaning of Art. 4(7) GDPR. The verification serves their rental decision.
• rentcard is a processor within the meaning of Art. 28 GDPR and processes your data on behalf of the landlord.
• You as the prospective tenant are the "data subject" under data protection law. The fact that you technically initiate the verifications yourself (e.g. via the rentcard app) does not change this role allocation.

rentcard does not make decisions about rental applications. We provide information to you and the landlord as separate modules. The decision for or against a prospective tenant is made solely by the landlord.

As part of the verification, you can complete a self-disclosure. Personal information is processed, such as:

• Address
• Number of rooms
• Age
• Gender
• Nationality
• Net household income
• Smoking behaviour
• Phone number

Self-disclosure data is stored for up to 24 months after the last active use. Credit check data is handled separately and deleted at the latest six (6) months after the three-month validity period expires.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest of the landlord) and Art. 6(1)(b) GDPR (performance of a contract).

You can upload documents (e.g. pay slips, employment contracts, tenancy agreements) to substantiate your details. Uploaded documents are processed in two ways:

• Data Extraction (OCR): Predefined fields are extracted via Google Vertex AI Document AI. No content assessment or full-text analysis takes place.
• Authenticity Check: For PDF documents, metadata is used to verify whether the document is original or has been subsequently altered. For documents with a QR code, the code is verified against the issuer's online original.

The extracted data is displayed to you for review. You decide which information is released. Legal basis: Art. 6(1)(f) GDPR (legitimate interest of the landlord in reviewing the application documents). Vertex AI does not store documents or results.

To verify your income and rent payment history, a bank account analysis may be carried out. Your banking credentials are transmitted exclusively to finAPI GmbH, Munich. rentcard never receives your banking credentials, account balance, IBAN or other account metadata.

With your consent, finAPI retrieves account transactions for the last six months. From these, potential salary and rent transactions are suggested for your selection. Only the transactions you release are stored at rentcard.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest of the landlord in assessing ability to pay) and Art. 6(1)(b) GDPR (performance of a contract).

From the transactions you have released, potential salary receipts and rent payments are pre-selected based on a defined keyword list. You can see the pre-selection transparently and adjust it freely. rentcard does not assess your ability to pay. Interpretation of the values is the responsibility of the landlord.

Retention period: The verification results are valid for 90 days. Data is deleted at the latest six (6) months after the validity period expires.

To supplement your application documents, a credit check may be carried out. Name, address and date of birth are processed for this purpose. Legal basis: Art. 6(1)(f) GDPR (legitimate interest of the landlord) and Art. 6(1)(b) GDPR.

rentcard receives only a reduced credit result in the form of a traffic-light colour (Green = no payment issues known, Yellow = minor irregularities, Red = payment issues present, Grey = insufficient data). Detailed credit data is not stored by rentcard.

The credit check is conducted by CRIF GmbH as an independent controller. The credit result is shared with the landlord only with your explicit consent.

You can carry out a digital identity verification. Personal data such as name, date of birth, ID document data and photo or video sequences (e.g. liveness check) are processed. Biometric data within the meaning of Art. 9(1) GDPR is processed (matching the selfie with the ID photo). This biometric processing is carried out exclusively by Veriff OÜ. rentcard does not store any images, ID data or biometric data.

Legal basis: Art. 6(1)(b) GDPR. For the processing of biometric data, separate explicit consent is obtained pursuant to Art. 9(2)(a) GDPR. Identity verification via Veriff is optional. As an alternative, identity confirmation via bank account (finAPI) is available.

Veriff OÜ acts as a processor (Art. 28 GDPR). Images are transmitted directly from the device to Veriff. They do not pass through rentcard servers. rentcard receives only: first name, last name, address and verification status (verified / not verified).

To ensure the integrity of the platform, rentcard may match personal data against publicly available international sanctions, embargo and PEP lists. Legal basis: Art. 6(1)(c) GDPR and Art. 6(1)(f) GDPR. rentcard processes only the screening result and does not make automated individual decisions.

You have the option of applying for a rental deposit guarantee via rentcard or carrying out an eligibility check (opportunity check). Legal basis: Art. 6(1)(b) GDPR. The insurance partner (R+V Versicherung AG) is an independent controller. rentcard does not store risk assessment data.

Verification results and application documents are transmitted to the landlord only with your explicit consent. Before each release, you are informed which categories of data will be transmitted to the landlord. You can exclude individual modules or results from the release.

Legal basis for transmission: Art. 6(1)(f) GDPR (legitimate interest of the landlord in reviewing the rental application). Your consent is additionally obtained.

The principles of data sharing are described in the Shared Data Policy .

rentcard does not assess you and does not make decisions about your rental application. Specifically, this means:

• We extract salary data from your documents but do not assess whether your income is sufficient.
• We suggest transactions and calculate an average, without weighting or assessment.
• The credit check is carried out by CRIF GmbH, not rentcard. We merely forward the result.
• The results of the various modules are displayed to the landlord individually and independently of each other. We do not combine them into an overall profile.
• No automated individual decision within the meaning of Art. 22 GDPR takes place. The landlord makes their rental decision manually.

Transactional messages are sent for the performance of a contract (Art. 6(1)(b) GDPR). Marketing emails only with consent (double opt-in). Revocation at any time via unsubscribe link. Legal basis: Art. 6(1)(a) GDPR and § 25(1) TTDSG.

We collect: name, email address, subject, your message. Legal basis: Art. 6(1)(f) GDPR. The data is deleted once your enquiry has been conclusively answered.

Verification results are transmitted to the landlord only with your consent. Legal basis: Art. 6(1)(f) GDPR (legitimate interest of the landlord).

We only disclose your data to third parties if:

• you have given your explicit consent (Art. 6(1)(a) GDPR);
• there is a legal obligation (Art. 6(1)(c) GDPR).

To provide verification services, rentcard works with selected service providers:

We use Google Analytics (Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA). Pseudonymised usage profiles are created. Data transfer to the USA is based on the EU-US Data Privacy Framework (DPF). We have concluded a data processing agreement with Google. IP addresses are anonymised (IP masking).

Google Ads places a cookie on your computer if you reached our website via a Google ad. These cookies expire after 30 days. Data transfer to the USA is based on the EU-US Data Privacy Framework (DPF).

Privacy policy: policies.google.com/privacy

On our website, cookies are used to collect and evaluate information for the optimisation of advertisements (Google LLC, DoubleClick). The cookie is automatically deleted after 30 days. You can manage interest-based advertising settings via Google's ad settings manager.

The Google Tag Manager tool (Google LLC) manages the tools described in this privacy policy. The tool itself is a cookieless domain. If deactivation has been set at the domain or cookie level, it remains in effect for all implemented tracking tags.

This feature allows interest-based, personalised advertising messages to be displayed on other devices. If you have given Google the corresponding consent, Google links your web and app browsing history to your Google account.

Opt-out: google.com/settings/ads/onweb

We use "Mouseflow" (Mouseflow ApS, Denmark) to record randomly selected visits with anonymised IP addresses. The collected data is not personal and is not passed on to third parties. Storage takes place within the EU.

Opt-out: mouseflow.com/opt-out