Privacy Policy
Last updated: March 30, 2026
This Privacy Policy explains how RentalPass ("we", "us", "our") collects, uses, shares, and protects your personal information when you use our platform. This policy applies to all users of rentalpass.com and related services, regardless of location. We comply with the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA/CPRA), and French data protection law enforced by the CNIL.
1. Company Identity
RentalPass SAS (Simplified Joint-Stock Company registered in France)
Registration: RCS Paris — SIRET pending
Registered office: 75 rue de Rivoli, 75001 Paris, France
EU VAT: FR pending
RentalPass LLC (Delaware, USA)
Registered agent: 1209 Orange Street, Wilmington, DE 19801
2. Data Controller & Data Protection Officer
The data controller is RentalPass SAS for users located in the European Economic Area (EEA), United Kingdom, and Switzerland. For users located in the United States, the data controller is RentalPass LLC.
Data Protection Officer (DPO)
Name: DPO — RentalPass
Email: dpo@rentalpass.com
Postal: 75 rue de Rivoli, 75001 Paris, France
You may contact our DPO at any time for questions about this policy or to exercise your data protection rights.
3. Data We Collect
3.1 Personal Data You Provide
- Identity information: full name, date of birth, nationality, government-issued ID
- Contact information: email address, phone number, postal address
- Professional information: employer name, job title, employment contract details, income
- Housing preferences: desired location, budget, move-in date, property type
3.2 Financial Data
- Bank account details (collected via Stripe Connect for landlord payouts)
- Payment card information (processed directly by Stripe — never stored on our servers)
- Income verification data: payslips, tax notices, bank statements
- Billing history and subscription details
3.3 Uploaded Documents
- Government-issued identification (passport, national ID card, driver's license)
- Proof of income (payslips, employment contracts, tax returns)
- Proof of address (utility bills, bank statements)
- Guarantor documents (where applicable)
- Lease agreements and rental history
3.4 Usage & Technical Data
- IP address, browser type and version, operating system
- Device identifiers and screen resolution
- Pages visited, features used, click patterns, session duration
- Referring URL and search terms
- Error logs and performance data
4. Legal Basis for Processing (GDPR Article 6)
| Processing Activity | Legal Basis |
|---|---|
| Account creation & authentication | Contract performance (Art. 6(1)(b)) |
| Rental application processing | Contract performance (Art. 6(1)(b)) |
| Identity & document verification | Contract performance (Art. 6(1)(b)) & Legal obligation (Art. 6(1)(c)) |
| Payment processing & rent collection | Contract performance (Art. 6(1)(b)) |
| AI-powered tenant scoring & analysis | Legitimate interest (Art. 6(1)(f)) & Consent (Art. 6(1)(a)) |
| Email & SMS notifications | Contract performance (Art. 6(1)(b)) & Consent (Art. 6(1)(a)) |
| Marketing communications | Consent (Art. 6(1)(a)) |
| Analytics & service improvement | Legitimate interest (Art. 6(1)(f)) |
| Fraud detection & security monitoring | Legitimate interest (Art. 6(1)(f)) |
| Tax reporting & accounting records | Legal obligation (Art. 6(1)(c)) |
| Cookie & tracking technologies | Consent (Art. 6(1)(a)) — via cookie banner |
5. How We Use Your Data
- Service delivery: operate the platform, match tenants with landlords, manage rental applications and lease workflows
- Identity verification: verify user identity and uploaded documents to prevent fraud and comply with anti-money laundering regulations
- Payment processing: process rent payments, landlord payouts, subscription billing, and refunds via Stripe
- AI-powered analysis: use machine learning to analyze rental files, generate tenant scores, and provide landlords with objective risk assessments
- Communications: send transactional emails (application updates, payment receipts) and SMS notifications (viewing reminders, lease alerts)
- Customer support: respond to inquiries, troubleshoot issues, and manage support tickets
- Analytics & improvement: analyze usage patterns to improve features, fix bugs, and optimize performance
- Security & fraud prevention: detect and prevent unauthorized access, abuse, and fraudulent activity
- Legal compliance: meet tax, accounting, anti-fraud, and regulatory requirements across operating jurisdictions
- Marketing: send promotional content about new features and services (only with explicit consent; unsubscribe at any time)
6. Data Sharing & Subprocessors
We do not sell your personal data. We share data only with the categories of recipients described below, and only to the extent necessary for the stated purposes. All subprocessors are bound by Data Processing Agreements (DPAs) that impose GDPR-equivalent obligations.
6.1 Between Platform Users
When a tenant submits a rental application, selected profile information and documents are shared with the landlord for evaluation purposes. Landlords cannot access data beyond what the tenant has explicitly authorized for that application.
6.2 Subprocessors
| Provider | Purpose | Location | DPA Status |
|---|---|---|---|
| Convex | Real-time database & backend infrastructure | United States | Signed |
| Clerk | Authentication & identity management | United States | Signed |
| Stripe | Payment processing & billing | United States / Ireland | Signed |
| Vercel | Application hosting & edge delivery | United States / Global Edge | Signed |
| Amazon Web Services (AWS Bedrock) | AI-powered document analysis & applicant scoring (Claude via Bedrock) | Ireland (EU) — eu-west-1 | Signed |
| Amazon Web Services (AWS SES) | Transactional email delivery | Ireland (EU) — eu-west-1 | Signed |
| Amazon Web Services (AWS SNS) | SMS notifications | Ireland (EU) — eu-west-1 | Signed |
6.3 Other Disclosures
- Legal requirements: we may disclose data to comply with a court order, legal process, or government request
- Business transfers: in the event of a merger, acquisition, or sale of assets, user data may be transferred as part of the transaction; you will be notified of any change in controller
- Professional advisors: lawyers, auditors, and insurers where necessary for professional advice or claims
7. International Data Transfers
Your data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States. We ensure adequate safeguards through the following mechanisms:
- EU-U.S. Data Privacy Framework (DPF): where our subprocessors are certified under the EU-U.S. DPF, transfers rely on this adequacy decision
- Standard Contractual Clauses (SCCs): for all other transfers, we use the European Commission's Standard Contractual Clauses (2021/914) as the transfer mechanism, supplemented by Transfer Impact Assessments where required
- Supplementary measures: encryption in transit (TLS 1.3) and at rest (AES-256), pseudonymization, and access controls
You may request a copy of the relevant safeguards by contacting our DPO at dpo@rentalpass.com.
8. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes described in this policy, unless a longer retention period is required by law.
| Data Category | Retention Period |
|---|---|
| Account & profile data | Duration of account + 3 years after deletion |
| Financial & payment data | 7 years (legal obligation — tax & accounting) |
| Uploaded identity documents | 6 months after verification, then deleted |
| Rental application files | Duration of tenancy + 3 years |
| Usage & analytics data | 26 months (rolling) |
| Server logs | 90 days |
| Cookie consent records | 13 months |
| Support tickets & correspondence | 5 years after resolution |
When retention periods expire, data is securely deleted or anonymized. Anonymized data may be retained indefinitely for statistical purposes.
9. Your Rights Under the GDPR
If you are located in the EEA, United Kingdom, or Switzerland, you have the following rights under the GDPR:
- Right of access (Art. 15): obtain confirmation of whether we process your data and request a copy
- Right to rectification (Art. 16): correct inaccurate or incomplete personal data
- Right to erasure (Art. 17): request deletion of your personal data ("right to be forgotten") where no legal obligation requires its retention
- Right to restriction (Art. 18): restrict processing while a complaint or dispute is resolved
- Right to data portability (Art. 20): receive your data in a structured, commonly used, machine-readable format (JSON/CSV) and transmit it to another controller
- Right to object (Art. 21): object to processing based on legitimate interests, including profiling; we will cease processing unless we demonstrate compelling legitimate grounds
- Rights related to automated decision-making (Art. 22): you have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects; you may request human intervention, express your point of view, and contest the decision
- Right to withdraw consent: where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing
To exercise any of these rights, email dpo@rentalpass.com or use the "My Data" section in your account settings. We respond within 30 days (extendable by 60 days for complex requests). If unsatisfied, you may lodge a complaint with your supervisory authority (see Section 16 for CNIL details).
10. Your Rights Under the CCPA / CPRA (California Residents)
If you are a California resident, the California Consumer Privacy Act (as amended by the CPRA) provides you with the following additional rights:
- Right to know / notice at collection: you have the right to know what personal information we collect, the sources, the business purposes, and the categories of third parties with whom we share it — this policy serves as our notice at collection
- Right to delete: you may request that we delete personal information we collected from you, subject to certain exceptions (e.g., legal obligations, ongoing transactions)
- Right to correct: you may request that we correct inaccurate personal information
- Right to opt-out of sale/sharing: RentalPass does not sell personal information and does not share personal information for cross-context behavioral advertising; therefore, there is no need to opt out — however, if this changes, we will provide a "Do Not Sell or Share My Personal Information" link
- Right to limit use of sensitive personal information: you may request that we limit use of sensitive personal information to what is necessary to provide the services
- Right to non-discrimination: we will not discriminate against you for exercising any CCPA rights; you will not receive a different level of service or pricing
To submit a CCPA request, email privacy@rentalpass.com with the subject line "CCPA Request". We will verify your identity before processing the request and respond within 45 days.
Categories of personal information collected in the preceding 12 months: identifiers; personal information under Cal. Civ. Code § 1798.80; financial information; commercial information; internet/electronic activity; geolocation data; professional information; inferences drawn from the above.
11. Cookies & Tracking Technologies
We use cookies and similar technologies (local storage, pixels) for the following purposes:
- Strictly necessary cookies: authentication, security, session management — no consent required
- Functional cookies: language preferences, UI settings — consent required
- Analytics cookies: understanding usage patterns, page performance — consent required
- Marketing cookies: measuring campaign effectiveness — consent required
You can manage your cookie preferences at any time via the cookie banner or your browser settings. For full details, see our Cookie Policy.
12. Children's Privacy
RentalPass is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal data, contact us at dpo@rentalpass.com and we will promptly delete such information.
13. Security Measures
We implement technical and organizational measures designed to protect your personal data, including:
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- Role-based access control (RBAC) with principle of least privilege
- Multi-factor authentication for all internal systems
- Regular penetration testing and vulnerability assessments
- Automated security monitoring and intrusion detection
- Incident response plan with 72-hour breach notification (per GDPR Art. 33)
- Annual security audits and SOC 2 Type II compliance roadmap
- Employee security training and confidentiality agreements
No method of transmission or storage is 100% secure. If you discover a vulnerability, please report it responsibly to security@rentalpass.com.
14. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "Last updated" date at the top of this page
- Notify you by email and/or a prominent notice on our platform at least 30 days before changes take effect
- Where required by law, obtain your consent before applying changes that affect your rights
We encourage you to review this page periodically. Continued use of the platform after the effective date constitutes acceptance of the updated policy.
15. Contact Information
General inquiries
Data protection & privacy rights
CCPA requests
Security reports
Postal address
RentalPass SAS — 75 rue de Rivoli, 75001 Paris, France
16. CNIL — French Supervisory Authority
RentalPass SAS is subject to French data protection law (Loi Informatique et Libertés, as amended). Our lead supervisory authority is the Commission Nationale de l'Informatique et des Libertés (CNIL).
If you believe that your data protection rights have not been adequately addressed, you have the right to lodge a complaint directly with the CNIL:
- Website: www.cnil.fr
- Online complaint form: cnil.fr/fr/plaintes
- Postal: CNIL — 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France
- Phone: +33 1 53 73 22 22
Under French law, we are also required to inform you that the processing of personal data for the purpose of AI-assisted tenant scoring is subject to a Legitimate Interest Assessment (LIA) and, where the scoring produces legal effects or similarly significant impacts, you have the right to obtain human intervention per GDPR Article 22.
17. Governing Law
This Privacy Policy is governed by the laws of France and the European Union. Disputes arising under this policy shall be subject to the exclusive jurisdiction of the courts of Paris, France, without prejudice to your right to lodge a complaint with your local supervisory authority.
© 2026 RentalPass SAS. All rights reserved. This policy is effective as of March 30, 2026.