Privacy policy

Who we are (data controller)

rentaro is operated by Valguse Kodu OÜ (operating as Rentaro), a private limited company registered in Estonia, which is the controller responsible for your personal data. Registered address: Narva mnt 128-4, Tallinn 10127, Estonia. Registration code: 14621591.

For any privacy question, or to exercise your rights, contact us at info@rentaro.ee. We have not appointed a statutory Data Protection Officer where one is not legally required; if that changes, this contact will be updated.

The data we collect

Booking and contact details: your first and last name, email address, phone number, city and preferred start date, and any notes you send us.

Identity and contract details: to enter into the rental agreement we collect identity-document information and your personal identification code or date of birth. These are collected and handled securely, are used only for verification and the contract, and are not stored in our website front-end.

Rental, payment and deposit details: the plan and accessories you choose, the bike assigned to you, billing and deposit records, and payment confirmations. Card details are entered with and held by our payment provider; we do not store full card numbers.

Signing and communications: records of the rental agreement and its signing, and the emails and messages we exchange with you about your booking and rental.

Technical and usage data: device, browser and similar information, and — only where you have consented — analytics about how you use the website. See the cookie policy below.

Why we use your data and our legal bases

To take and manage your booking, verify your identity, prepare and sign the rental agreement, hand over and operate your rental, and provide service and maintenance support — legal basis: performance of a contract with you (and steps at your request before entering it).

To take payments and the deposit, manage renewals, and recover amounts owed for damage, missing equipment or late or non-return — legal basis: performance of a contract, and our legitimate interest in being paid and protecting our property.

To meet legal obligations, such as accounting, tax and consumer-law record-keeping, and to respond to lawful requests — legal basis: compliance with a legal obligation.

To keep our service and website secure, prevent fraud and misuse, handle complaints and defend legal claims — legal basis: our legitimate interests in running and protecting the service. Where we rely on legitimate interests, we balance them against your rights.

To understand and improve how the website and booking flow are used through analytics — legal basis: your consent, which you can withdraw at any time without affecting your rental.

Who we share your data with (processors)

We use trusted service providers who process personal data on our behalf as processors, under data processing agreements and only on our instructions. We do not sell your personal data.

Resend — sends transactional and service emails about your booking and rental.

Montonio — processes payments and the security deposit.

Dokobit — handles identity-supported electronic signing of the rental agreement.

Vercel — hosts and serves the rentaro website.

Railway — hosts our application backend and database, in the EU.

Google Analytics and PostHog — provide website and product analytics, and run only where you have consented; PostHog is hosted in the EU.

We may also disclose data where the law requires it, to protect our rights or safety, or in connection with a business sale or reorganisation, in which case it remains protected under this policy.

International transfers

We aim to keep personal data within the European Economic Area (EEA). Our hosting (Vercel, Railway) and EU-hosted analytics (PostHog) are configured to keep data in the EU/EEA where possible.

Some providers, such as Google Analytics, may process limited data outside the EEA. Where that happens, we rely on appropriate safeguards — such as the European Commission's standard contractual clauses or an adequacy decision — so your data stays protected to EU standards.

How long we keep your data

We keep personal data only for as long as needed for the purposes above, then delete or anonymise it.

Booking and rental records, and accounting and tax records, are kept for the periods required by Estonian law (accounting records are generally retained for seven years).

Identity-verification documents and your personal identification code are kept only as long as needed to enter and support the rental contract and to meet legal obligations, and are then deleted. Analytics data is retained for a limited period in line with the tools' settings, and consent records are kept for as long as needed to evidence your choice. Marketing or optional-message consents are kept until you withdraw them.

Your rights

Under the GDPR you have the right to access your personal data; to have inaccurate data corrected; to have data erased; to restrict or object to certain processing; to data portability; and, where we rely on consent, to withdraw it at any time without affecting processing already carried out.

To exercise any of these rights, contact us using the details above. We will respond within the time limits set by law. You also have the right to lodge a complaint with a supervisory authority — in Estonia, the Data Protection Inspectorate (Andmekaitse Inspektsioon) — or with the authority in the EU country where you live or work.

Automated decision-making

We do not make decisions about you based solely on automated processing that produce legal or similarly significant effects. Identity verification and rental approval involve human review.

How we use cookies

A cookie is a small text file stored on your device by your browser. We use a small number of cookies to make the site work, to remember your choices, and — only with your consent — to understand how the site is used so we can improve it.

We group cookies as strictly necessary or functional cookies, which are always on because the site needs them, and analytics cookies, which load only after you accept them. We do not use advertising or cross-site tracking cookies.

Functional cookies

NEXT_LOCALE — remembers the language you selected so the site shows in your chosen language on your next visit. Functional; stored for up to 12 months.

rentaro_consent — records your cookie choice ("granted" or "denied") so we do not ask again on every visit and so analytics stays off unless you have agreed. Strictly necessary for consent management; stored for up to 12 months.

Analytics cookies (consent-based)

Google Analytics — helps us understand aggregate, anonymised website usage such as which pages are visited and how visitors move through the booking flow. Set by Google only after you accept analytics; cookies typically last from the end of your session up to about 24 months.

PostHog — provides privacy-conscious product analytics about how the site and booking flow are used, hosted in the EU. Set only after you accept analytics; cookies typically last up to about 12 months.

If you decline or choose necessary-only, these analytics tools are not loaded and their cookies are not set.

Managing your choices

When you first visit, the consent banner lets you accept analytics, decline, or allow necessary cookies only. Your choice is saved in the rentaro_consent cookie, and analytics only loads if you accept.

You can change your mind at any time by clearing the rentaro_consent cookie in your browser, which makes the banner appear again, and by adjusting cookie settings in your browser. Blocking strictly necessary or functional cookies may affect how the site works, such as remembering your language.