Privacy Policy

For the provision of this website, we use the web hosting service of Google Cloud EMEA Limited (70 Sir John Rogerson's Quay, Dublin 2, Ireland) in the data centre at 9909 TA Eemshaven.

Google is engaged pursuant to Art. 6(1)(f) GDPR on the basis of our legitimate economic interest. We have concluded a data processing agreement with Google.

You can visit the website without disclosing your identity. The browser automatically sends information to the server (e.g. date and time of access, browser type, referrer URL). This includes the IP address of your device, which is temporarily stored in a log file and automatically deleted after 12 weeks.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the security and functionality of the website).

To create the folder, we require the following information from you:

• First name, last name, phone number
• a valid email address

Legal basis: Art. 6(1)(b) GDPR (performance of a contract).

To create your application folder, we use an account information service (BaFin-licensed under PSD2). Your banking credentials are transmitted exclusively to finAPI GmbH, Munich. rentcard never receives your banking credentials, account balance, IBAN or other account metadata.

With your consent, finAPI retrieves account transactions for the last six months. From these, potential salary and rent transactions are suggested for your selection. You decide which transactions are released. Only those are stored at rentcard.

Based on a defined keyword list, potential salary receipts and rent payments in your account transactions are pre-selected. You can see the pre-selection transparently and adjust it freely. rentcard does not assess your ability to pay. Interpretation of the values is the responsibility of the recipient of your application folder.

Retention period: The application folder is generally valid for 90 days. We delete the personal data no later than six (6) months after the validity period expires.

Legal basis: Art. 6(1)(b) GDPR.

To use the self-disclosure in full, we additionally require personal information (master data) from you, such as:

• Address
• Number of rooms
• Age
• Gender
• Nationality
• Net household income
• Smoking behaviour
• Phone number

Self-disclosure data is stored for up to 24 months after the last active use. Credit check data is handled separately and deleted at the latest six (6) months after the three-month validity period expires.

You can upload documents (e.g. pay slips, employment contracts, tenancy agreements). Uploaded documents are processed in two ways:

• Data Extraction (OCR): Predefined fields are extracted via Google Vertex AI Document AI. No content assessment or full-text analysis takes place.
• Authenticity Check: For PDF documents, metadata is used to verify whether the document is original or has been subsequently altered. For documents with a QR code, the code is verified against the issuer's online original.

The extracted data is displayed to you for review. Original documents are not permanently stored after processing unless you explicitly save them. Vertex AI does not store documents or results.

Legal basis: Art. 6(1)(b) GDPR.

You can instruct rentcard to transmit selected content to landlords or property portals. Disclosure takes place exclusively on the basis of your explicit consent (Art. 6(1)(a) GDPR). You may revoke consent at any time with effect for the future.

Alternatively, you can download your application folder as a PDF and share it yourself. In this case, the data does not leave the rentcard platform via our servers.

Personal data such as name, address and date of birth is processed to obtain credit information from a connected credit reference agency. Legal basis: Art. 6(1)(b) GDPR.

rentcard receives only a reduced credit result in the form of a traffic-light colour (Green = no payment issues known, Yellow = minor irregularities, Red = payment issues present, Grey = insufficient data). Detailed credit data is not stored by rentcard.

The credit check is conducted by CRIF GmbH as an independent controller. The credit result is shared with third parties only with your explicit consent.

When using the application folder directly, rentcard is the controller for the processing of your data. CRIF GmbH is independently responsible for conducting the credit check. The relationship between rentcard and CRIF is a data transfer between controllers, not data processing on behalf.

rentcard does not make decisions about rental applications. The decision to rent is made solely by the landlord.

Personal data such as name, date of birth, ID document data and photo or video sequences (e.g. liveness check) are processed. Biometric data within the meaning of Art. 9(1) GDPR is processed (matching the selfie with the ID photo). This biometric processing is carried out exclusively by Veriff OÜ. rentcard does not store any images, ID data or biometric data.

Legal basis: Art. 6(1)(b) GDPR. For the processing of biometric data, separate explicit consent is obtained pursuant to Art. 9(2)(a) GDPR. Identity verification via Veriff is optional. As an alternative, identity confirmation via bank account (finAPI) is available.

rentcard receives only the verification result (e.g. "verified" or "not verified").

Veriff OÜ acts as a processor within the meaning of Art. 28 GDPR. Images are transmitted directly from the user's device to Veriff. They do not pass through rentcard servers.

rentcard receives only: first name, last name, address and verification status (verified / not verified).

To ensure the integrity of the platform, rentcard may match personal data against publicly available international sanctions, embargo and PEP lists. Name, date of birth and nationality are generally processed for this purpose.

Legal basis: Art. 6(1)(c) GDPR and Art. 6(1)(f) GDPR. rentcard processes only the screening result and does not make automated individual decisions.

For the eligibility check, personal data (e.g. name, address, date of birth, tenancy contract data, guarantee amount) is processed. Legal basis: Art. 6(1)(b) GDPR (pre-contractual measures).

After submission, the insurance partner (R+V Versicherung AG) decides independently on acceptance or rejection and is the independent controller in this regard. rentcard does not store any credit or risk assessment data from the insurer.

Transactional messages are sent for the performance of a contract. Legal basis: Art. 6(1)(b) GDPR.

Marketing emails are sent only with your consent (double opt-in). Consent can be withdrawn at any time (unsubscribe link in every email). Legal basis: Art. 6(1)(a) GDPR and § 25(1) TTDSG.

Retention period: Sending and interaction data is stored until revocation, for a maximum of 24 months after the last interaction, or until the user account is deleted.

We collect: name, email address, subject, your message. Legal basis: Art. 6(1)(f) GDPR. The data is deleted once your enquiry has been conclusively answered.

To use our services, you can register at www.rentcard.app Your profile information is stored for the period set out in section 2.

rentcard does not assess you and does not make decisions about your rental application. Specifically, this means:

• We extract salary data from your documents but do not assess whether your income is sufficient.
• We suggest transactions and calculate an average, without weighting or assessment.
• The credit check is carried out by CRIF GmbH, not rentcard. We merely forward the result.
• The results of the various modules are displayed individually and independently of each other. We do not combine them into an overall profile.
• No automated individual decision within the meaning of Art. 22 GDPR takes place.

The data you transmit to us via www.rentcard.app are processed by us for the provision and billing of the respective services.

We only disclose your data to third parties if:

• you have given your explicit consent (Art. 6(1)(a) GDPR);
• there is a legal obligation (Art. 6(1)(c) GDPR).

To provide certain services, rentcard works with selected service providers. These process personal data either on behalf of rentcard or as independent controllers.

We use Google Analytics (Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA). Pseudonymised usage profiles are created. Data transfer to the USA is based on the EU-US Data Privacy Framework (DPF). We have concluded a data processing agreement with Google. IP addresses are anonymised (IP masking).

Google Ads places a cookie on your computer if you reached our website via a Google ad. These cookies expire after 30 days. Data transfer to the USA is based on the EU-US Data Privacy Framework (DPF).

Privacy policy: policies.google.com/privacy

On our website, cookies are used to collect and evaluate information for the optimisation of advertisements (Google LLC, DoubleClick). The cookie is automatically deleted after 30 days. You can manage interest-based advertising settings via Google's ad settings manager.

The Google Tag Manager tool manages the tools described in this privacy policy. The tool itself is a cookieless domain and does not access any collected data. If deactivation has been set at the domain or cookie level, it remains in effect for all implemented tracking tags.

This feature allows interest-based, personalised advertising messages to be displayed on other devices. If you have given Google the corresponding consent, Google links your web and app browsing history to your Google account for this purpose.

Opt-out: google.com/settings/ads/onweb

We use "Mouseflow" (Mouseflow ApS, Denmark) to record randomly selected visits with anonymised IP addresses. The collected data is not personal and is not passed on to third parties. Storage takes place within the EU.

Opt-out: mouseflow.com/opt-out