GDPR Compliance

    Information about our GDPR compliance and your rights

    EUROPEAN DATA PROTECTION COMPLIANCE

    This document outlines RentalTide's compliance with the European Union General Data Protection Regulation (GDPR) and explains the rights and protections available to individuals whose personal data we process.

    1. Introduction to GDPR Compliance

    RentalTide Inc. ("RentalTide," "we," "us," or "our"), a corporation incorporated in Delaware, United States, with additional registration in Canada, is committed to protecting the privacy and personal data of all individuals, particularly those in the European Economic Area (EEA), United Kingdom, and Switzerland. This document explains our compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR").

    Data Protection Officer: RentalTide Inc. (Delaware)
    110 Didsbury Road, Ottawa, Ontario K2J 4T4, Canada
    1111B S Governors Ave STE 48363, Dover, DE 19904, United States
    Email: dpo@rentaltide.com
    Phone: 888-709-2650

    2. GDPR Scope and Applicability

    2.1 When GDPR Applies

    GDPR applies to our processing of personal data when:

    • Data subjects are in the EU/EEA: Regardless of where processing occurs
    • Offering services to EU residents: Through our platform or marketing
    • Monitoring EU resident behavior: Analytics, tracking, or profiling
    • Processing EU employee data: Staff or contractor information

    2.2 Our Role Under GDPR

    RentalTide acts in different capacities:

    • Data Controller: For our own business operations and direct customers
    • Data Processor: When processing data on behalf of rental operators
    • Joint Controller: For certain shared processing activities

    2.3 Legal Basis for Processing

    We process personal data based on:

    • Consent: Freely given, specific, informed, and unambiguous agreement
    • Contract: Necessary for performing our services
    • Legal Obligation: Compliance with laws and regulations
    • Legitimate Interests: Balanced against individual rights and freedoms
    • Vital Interests: Protection of life or health (rare circumstances)

    3. Data Subject Rights Under GDPR

    3.1 Right of Access (Article 15)

    You have the right to:

    • Confirm whether we process your personal data
    • Obtain a copy of your personal data
    • Receive information about how we process your data
    • Learn about data recipients and retention periods

    How to Exercise:

    • Submit request to gdpr@rentaltide.com
    • Include proof of identity for verification
    • Specify the data you want to access
    • Response time: Within 1 month (extendable to 3 months for complex requests)

    3.2 Right to Rectification (Article 16)

    You have the right to:

    • Correct inaccurate personal data
    • Complete incomplete personal data
    • Update outdated information

    How to Exercise:

    • Log into your account to make direct corrections
    • Email corrections to gdpr@rentaltide.com
    • Provide evidence supporting the corrections
    • Response time: Within 1 month

    3.3 Right to Erasure - "Right to be Forgotten" (Article 17)

    You have the right to have your personal data erased when:

    • Data no longer necessary for original purposes
    • You withdraw consent and no other legal basis exists
    • Data processed unlawfully
    • Erasure required for legal compliance
    • You object and no overriding legitimate grounds exist

    Limitations:

    • Legal obligations requiring retention
    • Freedom of expression and information
    • Public health or scientific research purposes
    • Legal claims establishment or defense

    3.4 Right to Restriction of Processing (Article 18)

    You can request restriction when:

    • Accuracy is contested (during verification period)
    • Processing is unlawful but you prefer restriction over erasure
    • We no longer need the data but you need it for legal claims
    • You object to processing (during legitimate interest assessment)

    Effect of Restriction:

    • Data stored but not processed further
    • Processing only with consent or for legal claims
    • You will be informed before restriction is lifted

    3.5 Right to Data Portability (Article 20)

    You have the right to:

    • Receive your data in structured, machine-readable format
    • Transmit data to another controller
    • Have data transmitted directly when technically feasible

    Conditions:

    • Processing based on consent or contract
    • Processing carried out by automated means
    • Does not adversely affect others' rights

    Available Formats:

    • JSON for structured data
    • CSV for tabular data
    • PDF for documents and reports

    3.6 Right to Object (Article 21)

    You can object to processing based on:

    • Legitimate interests (including profiling)
    • Direct marketing (absolute right)
    • Scientific/historical research (unless public interest)

    Direct Marketing:

    • Unconditional right to opt-out
    • Includes profiling for marketing purposes
    • Must be clearly offered and easy to exercise

    3.7 Rights Related to Automated Decision-Making (Article 22)

    You have the right to:

    • Not be subject to solely automated decisions with significant effects
    • Request human intervention in automated processes
    • Express your point of view about automated decisions
    • Contest automated decisions

    Our Automated Processing:

    • Fraud detection and prevention
    • Risk assessment for transactions
    • Personalized recommendations
    • Customer support routing

    4. Lawful Basis for Processing

    4.1 Consent (Article 6(1)(a))

    When we rely on consent:

    • Marketing communications and newsletters
    • Optional data collection for enhanced features
    • Cookies for non-essential purposes
    • Special category data processing

    Consent Requirements:

    • Freely given: Real choice without detriment
    • Specific: Clear purpose for processing
    • Informed: Clear information about processing
    • Unambiguous: Clear affirmative action required

    Consent Management:

    • Easy withdrawal mechanism provided
    • Withdrawal as easy as giving consent
    • Records maintained of consent given
    • Separate consent for different purposes

    4.2 Contract (Article 6(1)(b))

    Processing necessary for contract performance:

    • Account creation and management
    • Booking processing and fulfillment
    • Payment processing and billing
    • Customer support and communications
    • Service delivery and maintenance

    4.3 Legal Obligation (Article 6(1)(c))

    Processing required by law:

    • Tax reporting and record keeping
    • Anti-money laundering (AML) compliance
    • Know Your Customer (KYC) verification
    • Data breach notification requirements
    • Court orders and legal process compliance

    4.4 Legitimate Interests (Article 6(1)(f))

    Our legitimate interests (balanced against your rights):

    • Fraud prevention and security: Protecting platform and users
    • Business operations: Analytics, reporting, and optimization
    • Customer service: Improving support and user experience
    • Marketing to existing customers: Relevant service information
    • Legal compliance: Meeting regulatory requirements

    Balancing Test Factors:

    • Purpose and necessity of processing
    • Impact on data subjects
    • Reasonable expectations of data subjects
    • Nature and sensitivity of data
    • Safeguards and mitigation measures

    5. Special Category Data

    5.1 Definition and Examples

    Special category data includes:

    • Health information: Medical conditions, disabilities, accessibility needs
    • Biometric data: Facial recognition, fingerprints (if used)
    • Religious beliefs: Relevant to rental restrictions or preferences
    • Sexual orientation: If relevant to accommodation needs

    5.2 Additional Protections

    Special category data requires:

    • Explicit consent or other specific lawful basis
    • Enhanced security measures and access controls
    • Data minimization - only collect what's necessary
    • Purpose limitation - specific, explicit purposes only
    • Regular review and deletion when no longer needed

    5.3 Processing Conditions

    We may process special category data when:

    • Explicit consent given for specific purposes
    • Necessary for legal claims establishment or defense
    • Substantial public interest with appropriate safeguards
    • Vital interests protection when consent cannot be given

    6. Data Transfers Outside the EEA

    6.1 Transfer Mechanisms

    Primary Transfer Safeguards:

    • Adequacy Decisions: EU-Canada adequacy decision for transfers to Canada
    • Standard Contractual Clauses (SCCs): EU Commission approved clauses
    • Binding Corporate Rules: For intra-group transfers (if applicable)
    • Certification Schemes: Approved data protection certifications

    6.2 Countries We Transfer To

    • Canada: Primary processing location (adequacy decision)
    • United States: Cloud services and sub-processors (SCCs)
    • Other jurisdictions: Only with appropriate safeguards

    6.3 Additional Safeguards

    Beyond legal mechanisms, we implement:

    • Technical measures: Encryption, access controls, monitoring
    • Organizational measures: Staff training, incident response procedures
    • Contractual protections: Enhanced data protection obligations
    • Regular monitoring: Compliance audits and reviews

    6.4 Your Rights Regarding Transfers

    You have the right to:

    • Information about transfers and safeguards in place
    • Object to transfers in certain circumstances
    • Request copies of relevant adequacy decisions or SCCs
    • Lodge complaints with supervisory authorities

    7. Data Retention Under GDPR

    7.1 Retention Principles

    • Purpose limitation: Retain only as long as necessary for original purpose
    • Storage limitation: Regular review and deletion of unnecessary data
    • Legal compliance: Meet legal retention requirements
    • Legitimate interests: Balance retention needs against individual rights

    7.2 Specific Retention Periods

    Data Category          | Retention Period                    | Legal Basis
    Account data           | Duration of relationship + 2 years  | Contract + Legal obligation
    Transaction records    | 7 years                             | Legal obligation (tax/audit)
    Marketing data         | Until consent withdrawn             | Consent
    Support communications | 3 years                             | Legitimate interests
    Security logs          | 2 years                             | Legitimate interests
    Legal documents        | 10 years                            | Legal obligation

    7.3 Automated Deletion

    We implement automated systems to:

    • Flag data for review when retention periods approach
    • Delete data automatically when legally permissible
    • Archive data that must be retained but not actively used
    • Notify data subjects of upcoming deletions when required

    8. Data Breach Procedures

    8.1 Breach Definition

    A personal data breach means:

    • Confidentiality breach: Unauthorized disclosure
    • Integrity breach: Unauthorized alteration
    • Availability breach: Accidental or unlawful destruction

    8.2 Notification Timeline

    To Supervisory Authority:

    • 72 hours from becoming aware of breach
    • Detailed information including impact assessment
    • Remedial measures taken and planned

    To Data Subjects:

    • Without undue delay when high risk to rights and freedoms
    • Clear and plain language explanation
    • Recommended protective measures for individuals

    8.3 Breach Response Process

    1. Detection and Assessment: Immediate breach evaluation
    2. Containment: Stop ongoing breach and secure systems
    3. Investigation: Determine scope, cause, and impact
    4. Notification: Authorities and affected individuals as required
    5. Remediation: Fix vulnerabilities and prevent recurrence
    6. Documentation: Comprehensive breach records maintained

    9. Privacy by Design and Default

    9.1 Privacy by Design Principles

    • Data minimization: Collect only necessary data
    • Purpose limitation: Use data only for stated purposes
    • Accuracy: Maintain accurate and up-to-date data
    • Storage limitation: Delete data when no longer needed
    • Security: Implement appropriate technical and organizational measures

    9.2 Privacy by Default

    Default settings ensure:

    • Minimum data processing necessary for each purpose
    • Shortest retention periods permissible
    • Least invasive options for data subjects
    • Opt-in rather than opt-out for non-essential processing

    9.3 Technical Implementation

    • Access controls: Role-based permissions and authentication
    • Encryption: Data protection in transit and at rest
    • Pseudonymization: Where possible, replace identifying information
    • Automated deletion: Systematic removal of expired data
    • Audit trails: Comprehensive logging of data processing activities

    10. Data Protection Impact Assessments (DPIAs)

    10.1 When DPIAs are Required

    We conduct DPIAs for processing that is likely to result in high risk, including:

    • Systematic monitoring of publicly accessible areas
    • Large-scale processing of special category data
    • Innovative technologies with unclear privacy implications
    • Automated decision-making with significant effects

    10.2 DPIA Process

    1. Systematic description of processing operations
    2. Assessment of necessity and proportionality
    3. Risk assessment to data subject rights and freedoms
    4. Mitigation measures to address identified risks
    5. Consultation with DPO and potentially supervisory authority

    10.3 Risk Mitigation

    Common mitigation measures include:

    • Enhanced security controls for high-risk processing
    • Additional consent mechanisms for sensitive data
    • Regular audits and reviews of processing activities
    • Staff training on data protection requirements
    • Technical measures like encryption and pseudonymization

    11. Supervisory Authority Cooperation

    11.1 Lead Supervisory Authority

    For cross-border processing, our lead supervisory authority is: Office of the Privacy Commissioner of Canada
    30 Victoria Street
    Gatineau, Quebec K1A 1H3, Canada
    Phone: 1-800-282-1376
    Website: priv.gc.ca

    11.2 EU Supervisory Authorities

    Data subjects may also contact their local supervisory authority:

    • Complete list: Available at edpb.europa.eu
    • Direct contact: Through local authority websites
    • Complaint filing: Online forms available in most jurisdictions

    11.3 Our Cooperation

    We commit to:

    • Respond promptly to supervisory authority inquiries
    • Provide requested information and documentation
    • Implement corrective measures as directed
    • Maintain ongoing dialogue on compliance matters

    12. Exercising Your GDPR Rights

    12.1 How to Contact Us

    Primary Contact:

    • Email: gdpr@rentaltide.com
    • Subject Line: "GDPR Request - [Type of Request]"
    • Include: Specific details about your request and identity verification

    Alternative Contacts:

    • Data Protection Officer: dpo@rentaltide.com
    • General Privacy: privacy@rentaltide.com
    • Mail:
      • GDPR Rights, 110 Didsbury Road, Ottawa, Ontario K2J 4T4, Canada
      • GDPR Rights, 1111B S Governors Ave STE 48363, Dover, DE 19904, United States

    12.2 Identity Verification

    To protect your privacy, we require:

    • Account information: Username, email, or account number
    • Identity verification: Government ID or other proof of identity
    • Specific request details: Clear description of what you're requesting
    • Authorization: If acting on behalf of someone else

    12.3 Response Timeline

    • Standard requests: Within 1 month of receipt
    • Complex requests: Up to 3 months (with explanation)
    • Incomplete requests: Clarification sought within 1 month
    • Urgent requests: Expedited processing when possible

    12.4 Request Processing

    1. Receipt confirmation within 2 business days
    2. Identity verification if additional proof needed
    3. Request assessment and information gathering
    4. Response preparation and quality review
    5. Final response with requested information or action taken

    13. Children's Data Protection

    13.1 Age Restrictions

    • Service eligibility: 16 years or older for most services
    • Parental consent: Required for children under 16 in EU
    • Age verification: Reasonable efforts to verify age
    • Special protections: Enhanced safeguards for any child data

    13.2 Parental Rights

    Parents/guardians of children under 16 can:

    • Access their child's data
    • Request rectification or erasure
    • Object to processing
    • Withdraw consent given on child's behalf

    13.3 Child Data Minimization

    For any child data we process:

    • Strict necessity standard applied
    • Enhanced security measures implemented
    • Regular review and deletion procedures
    • No marketing or profiling activities

    14. GDPR Compliance Monitoring

    14.1 Internal Monitoring

    • Regular compliance audits by internal teams
    • Data protection impact assessments for new processing
    • Staff training on GDPR requirements
    • Incident tracking and response improvement
    • Policy updates to reflect legal changes

    14.2 External Validation

    • Third-party audits of data protection practices
    • Certification schemes participation where available
    • Legal reviews of processing activities
    • Supervisory authority guidance implementation

    14.3 Continuous Improvement

    We continuously enhance our GDPR compliance through:

    • Technology updates for better privacy protection
    • Process improvements based on experience and feedback
    • Training programs for staff and customers
    • Industry best practices adoption
    • Regulatory guidance implementation

    Last Updated: November 14, 2025
    Effective Date: February 1, 2025
    Version: 1.0

    Important: This GDPR compliance document supplements our Privacy Policy and Data Processing Agreement. For specific questions about your GDPR rights or our compliance practices, contact our Data Protection Officer at dpo@rentaltide.com.

    This document is regularly updated to reflect changes in GDPR guidance and our compliance practices. Check back regularly for the latest information.