Privacy Policy

    How we collect, use, and protect your personal data

    Privacy Policy

    Last Updated: May 21, 2026 | Effective Date: May 21, 2026 | Version: 2.3

    📋 CHANGES IN VERSION 2.3

    • Added Section 4.4 (Biometric Information) clarifying that facial verification is performed by Stripe Identity and that we receive only verification results, including BIPA and other U.S. biometric-law notice
    • Added Section 10.6 (Quebec residents, Law 25), Section 10.7 (other U.S. state privacy laws), and Section 10.8 (New Zealand residents, Privacy Act 2020)
    • Linked the new Messaging & Communications Consent policy for SMS/email consent and opt-out
    • Clarified that we never sell data and that our advertising/analytics tools are used only for our own marketing measurement, with a Global Privacy Control (GPC) opt-out (Sections 6.5 and 11)

    📋 CHANGES IN VERSION 2.2

    • Added explicit "We do not sell your data" commitment (preamble + Section 6.5)
    • Expanded Section 5.3 with AI training masking measures and opt-out
    • Updated CCPA table (Section 11) to reflect that we do not sell or share personal information for targeted advertising
    • See the standalone AI Usage and Data Commitment page for the full AI policy

    📋 CHANGES IN VERSION 2.1

    • Added Section 10.4 (Canadian Residents - PIPEDA rights)
    • Added Section 10.5 (Australian Residents - Privacy Act 1988 rights)
    • Added protection product data to Section 4.1

    OUR COMMITMENT: WE DO NOT SELL YOUR DATA

    RentalTide does not sell, rent, or trade your personal information to third parties for their own commercial purposes, and we never will. We do not share your data with advertisers, marketers, or data brokers. If our business model ever changes, this policy will be updated in advance and you will be notified directly. See Section 6.5 for the full commitment.

    PRIVACY NOTICE

    This Privacy Policy describes how RentalTide Inc. and its affiliates ("RentalTide," "we," "us," or "our") collect, use, share, and protect your personal information. By using our Services, you agree to the collection and use of information in accordance with this policy.

    1. Introduction

    RentalTide Inc. ("RentalTide," "we," "us," or "our"), a corporation incorporated in Delaware, United States, with additional registration in Canada, operates a SaaS booking and point-of-sale platform for asset rental businesses. Our corporate offices are located at 110 Didsbury Road, Ottawa, Ontario, K2J 4T4, Canada, and 1111B S Governors Ave STE 48363, Dover, DE 19904, United States.

    This Privacy Policy applies to all personal information collected through our website (www.rentaltide.com), our application (app.rentaltide.com), mobile applications, APIs, and all related services (collectively, the "Services").

    2. Scope and Application

    This Policy applies to:

    • Visitors to our website
    • Rental operators using our platform ("Operators")
    • Customers making bookings ("Renters")
    • Business partners and their representatives
    • Any individual whose personal information we process

    Important Distinction: When Operators process their customers' data through our platform, they act as independent data controllers. Operators are responsible for their own privacy compliance and must publish their own privacy policies.

    3. Data Controller

    RentalTide Inc. is the data controller for personal information processed under this Privacy Policy. For questions about data processing, contact our Data Protection Officer at privacy@rentaltide.com

    4. Information We Collect

    4.1 Information You Provide

    • Account Information: Name, email, phone number, business name, address
    • Verification Data: Government ID, business registration, tax information, licenses
    • Financial Information: Bank account details, credit card information, billing address, tax ID
    • Booking Data: Reservation details, rental history, customer preferences
    • Protection Product Data: Optional protection selections, waiver acknowledgments, claim information
    • Communications: Support tickets, emails, chat messages, phone recordings
    • User Content: Photos, reviews, feedback, waiver signatures

    4.2 Information We Collect Automatically

    • Device Information: IP address, browser type, operating system, device identifiers
    • Usage Data: Pages visited, features used, click paths, session duration
    • Location Data: GPS coordinates (mobile), IP-based location
    • Cookie Data: See our Cookie Policy for details
    • Log Data: Server logs, error reports, performance metrics

    4.3 Information from Third Parties

    • Payment Processors: Transaction details from Stripe
    • Identity Verification: ID verification results from Stripe Identity
    • Authentication Providers: Login information from Auth0
    • Business Information: Public records, credit bureaus, sanctions lists
    • Marketing Partners: Lead information, referral data

    4.4 Biometric Information

    Some identity-verification flows use Stripe Identity, which may capture a photo of your government ID and a selfie and perform a facial-similarity (biometric) check to confirm the document belongs to you.

    • Stripe performs the biometric matching. Stripe acts as the verification provider and processes the facial images and any biometric identifiers or templates under Stripe's privacy policy and its biometric notices.
    • What RentalTide receives: We receive the verification result (e.g., verified / not verified), the extracted identity data (such as name, date of birth, document type and number, and expiry), and a fraud signal. We do not receive, create, or store your facial-recognition template.
    • Purpose and limits: Where biometric data is involved, it is used only for identity verification, fraud prevention, and Know-Your-Customer (KYC) compliance. We do not use it for advertising, profiling, or any unrelated purpose, and we never sell it.
    • U.S. biometric laws: Where the Illinois Biometric Information Privacy Act (BIPA), the Texas Capture or Use of Biometric Identifier law (CUBI), or Washington's biometric law applies, biometric data captured in verification is collected with notice and consent, used only for the stated purpose, and retained no longer than needed and consistent with those laws' retention limits. You may decline biometric verification, though we may then be unable to complete identity verification required to use certain features.

    5. How We Use Your Information

    5.1 Service Provision (Contractual Necessity)

    • Process bookings and payments
    • Manage operator accounts and dashboards
    • Provide customer support
    • Execute rental agreements and waivers
    • Enable communication between operators and renters

    5.2 Legal Compliance

    • Anti-money laundering (AML) and Know Your Customer (KYC) checks
    • Tax reporting and withholding
    • Responding to legal requests and court orders
    • Enforcing our terms and policies
    • Protecting against fraud and illegal activities

    5.3 Legitimate Business Interests

    • Improving our Services through analytics
    • Developing new features and products
    • Sending service-related communications
    • Preventing fraud and ensuring security
    • Training our internal AI and machine learning models (see Section 5.3.1)
    • Business transfers and corporate transactions

    5.3.1 AI and Machine Learning Training

    We use limited, masked data to train and evaluate our own internal AI features (docs chatbot, pricing recommendations, fraud detection, support routing, and similar). When we do so:

    • Personally identifiable information is removed or redacted before data reaches any training pipeline. This includes names, email addresses, phone numbers, physical addresses, payment card numbers, bank account details, waiver signatures, government identifiers, and IP/device identifiers.
    • Free-text fields (notes, messages, support transcripts) are reviewed and redacted of identifying detail before use.
    • Financial figures are used in aggregate or scaled form and are never tied back to a specific customer.
    • We use the minimum data needed to accomplish a specific improvement. We do not perform bulk training dumps.
    • Your data is never sold, licensed, or shared with third-party AI providers for them to train their own models. When we use foundation-model APIs to power product features, we do so under enterprise agreements that prohibit those providers from using your data to train their own models.

    Opt-out: You can opt your business out of internal AI training at any time by emailing privacy@rentaltide.com with the subject "AI training opt-out." We will exclude your data from all future training and evaluation runs within thirty (30) days and confirm in writing. Opting out has no effect on the quality of service you receive.

    For the full policy see AI Usage and Data Commitment.

    5.4 With Your Consent

    • Marketing communications and newsletters
    • Promotional offers and campaigns
    • Participation in surveys and research
    • Measuring the performance of our own marketing campaigns

    How SMS, email, and voice consent works, and how to opt out at any time (reply STOP, unsubscribe, or update your preferences), is described in our Messaging & Communications Consent policy.

    6. How We Share Information

    We may share your information with:

    6.1 Service Providers:

    • Stripe (payment processing, identity verification)
    • Auth0 (authentication)
    • AWS (cloud hosting)
    • Intercom (customer support)
    • Google Analytics (analytics)
    • SendGrid (email delivery)

    6.2 Business Partners:

    • Operators (for bookings on their assets)
    • Integration partners (with your consent)
    • Insurance providers (for coverage claims)
    • Marketing affiliates (referral programs)

    6.3 Legal and Compliance:

    • Law enforcement agencies
    • Courts and tribunals
    • Tax authorities
    • Regulatory bodies
    • Legal advisors

    6.4 Corporate Transactions:

    In case of merger, acquisition, bankruptcy, or sale of assets, your information may be transferred to the acquiring entity. In such an event, this Privacy Policy will continue to govern the use of that information, or you will be notified of any new policy that materially differs.

    6.5 What we will never do: No sale of personal information

    We do not sell, rent, lease, or trade your personal information to third parties for their own commercial purposes, and we never will.

    Specifically, we do not:

    • Sell customer lists, booking histories, payment data, or any other personal information to data brokers, marketers, or advertisers.
    • Hand your personal information to a third party so that the third party can run its own advertising or build profiles to sell.
    • Allow third parties to use your data to train their own AI or machine-learning models.
    • Receive any compensation from third parties in exchange for access to your personal information.

    We do use Google Analytics and our own advertising pixels (Google Ads, Meta) to measure and improve our own marketing. Under the CPRA's broad definition this can count as "sharing," so we provide an opt-out and honor Global Privacy Control (GPC) signals (see Section 11). We never share your data for any third party's own advertising.

    This commitment is in addition to, and stronger than, the minimum required by CCPA/CPRA, GDPR, and other applicable privacy laws. If our business model ever changes, we will update this Policy at least thirty (30) days before any change takes effect and notify you directly by email.

    7. International Data Transfers

    Your information may be transferred to and processed in countries other than your country of residence, including Canada, the United States, and other countries where our service providers operate.

    We ensure appropriate safeguards through:

    • Standard Contractual Clauses approved by the European Commission
    • Adequacy decisions where applicable
    • Binding Corporate Rules for intra-group transfers
    • Your explicit consent where required

    8. Data Security

    We implement industry-standard security measures including:

    • 256-bit SSL/TLS encryption for data in transit
    • AES-256 encryption for data at rest
    • PCI DSS compliance for payment data
    • Regular security audits and penetration testing
    • Access controls and authentication requirements
    • Employee training and confidentiality agreements

    Security Disclaimer: No method of transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security. You use our Services at your own risk.

    9. Data Retention

    We retain personal information for as long as necessary to:

    • Provide our Services
    • Comply with legal obligations (typically 7 years for financial records)
    • Resolve disputes and enforce agreements
    • Maintain security and prevent fraud

    Specific retention periods:

    • Account data: Duration of account plus 2 years
    • Transaction records: 7 years
    • Marketing data: Until consent withdrawn
    • Cookie data: See Cookie Policy
    • Support communications: 3 years

    10. Your Privacy Rights

    10.1 Rights for All Users

    • Access your personal information
    • Correct inaccurate data
    • Delete your account and data (subject to legal requirements)
    • Opt-out of marketing communications
    • Request information about our data practices

    10.2 Additional Rights for EEA/UK Residents (GDPR)

    • Data portability (receive your data in a structured format)
    • Restrict processing of your data
    • Object to processing based on legitimate interests
    • Withdraw consent at any time
    • Lodge a complaint with supervisory authorities

    10.3 Additional Rights for California Residents (CCPA/CPRA)

    • Know what personal information we collect and how it's used
    • Request deletion of personal information
    • Opt-out of "sale" or "sharing" of personal information
    • Non-discrimination for exercising rights
    • Correct inaccurate personal information
    • Limit use of sensitive personal information

    10.4 Additional Rights for Canadian Residents (PIPEDA)

    • Access your personal information held by us
    • Challenge the accuracy and completeness of your data
    • Withdraw consent (subject to legal or contractual restrictions)
    • File a complaint with the Office of the Privacy Commissioner of Canada

    10.5 Additional Rights for Australian Residents (Privacy Act 1988)

    • Access your personal information
    • Request correction of inaccurate data
    • Complain about privacy breaches to the Office of the Australian Information Commissioner (OAIC)
    • Opt-out of direct marketing at any time
    • Request information about overseas disclosure of your data

    10.6 Additional Rights for Quebec Residents (Law 25)

    Under Quebec's Act respecting the protection of personal information in the private sector, as amended by Law 25, you have the right to:

    • Be informed when we collect your personal information and the purposes for it
    • Access and request correction of your personal information
    • Request de-indexing or deletion of personal information in certain circumstances
    • Data portability, receive computerized personal information in a structured, commonly used format
    • Be informed of, and request a review of, decisions based exclusively on automated processing (see our AI Usage and Data Commitment)
    • Withdraw consent, subject to legal or contractual restrictions
    • Lodge a complaint with the Commission d'accès à l'information du Québec (CAI) at cai.gouv.qc.ca

    Our Privacy Officer is responsible for our compliance and can be reached at privacy@rentaltide.com.

    10.7 Additional Rights for Other U.S. State Residents

    If you reside in a U.S. state with a comprehensive privacy law, including Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon, Montana, and others as they take effect, you have rights comparable to those in Section 10.3, which we extend to you, including the right to:

    • Confirm whether we process your personal data and access it
    • Correct inaccuracies and request deletion
    • Obtain a portable copy of your data
    • Opt out of targeted advertising, the "sale" of personal data, and certain profiling (we do not sell personal information or use it for targeted advertising, see Section 6.5)
    • Appeal a denial of a rights request, and contact your state Attorney General

    To exercise these rights, email privacy@rentaltide.com.

    10.8 Additional Rights for New Zealand Residents (Privacy Act 2020)

    • Access and request correction of your personal information
    • Receive notice of a privacy breach likely to cause serious harm
    • Request information about overseas disclosure of your data
    • Complain to the Office of the Privacy Commissioner (privacy.org.nz)

    See our dedicated New Zealand Privacy Compliance page for full details.

    11. California Privacy Rights (CCPA/CPRA)

    This section applies only to California residents. We have collected the following categories of personal information in the last 12 months:

    CategoryExamplesSoldShared for advertising*
    IdentifiersName, email, phone, IP addressNoLimited*
    Commercial InformationBooking history, preferencesNoNo
    Financial InformationPayment methods, billing addressNoNo
    Internet ActivityBrowsing history, search queriesNoLimited*
    GeolocationCoarse location from IPNoLimited*
    InferencesPreferences, characteristicsNoLimited*

    *We never sell your personal information. "Limited" reflects that we use Google Analytics and our own advertising pixels (Google Ads, Meta) to measure our own marketing, which can count as "sharing" for cross-context behavioral advertising under the CPRA. We do not share your data for any third party's own advertising.

    Do Not Sell or Share My Personal Information

    RentalTide does not sell your personal information. We use Google Analytics and our own advertising pixels (Google Ads, Meta) to measure and improve our own marketing. To the extent this is "sharing" for cross-context behavioral advertising under the CPRA, you can opt out at any time by:

    • Adjusting your cookie settings or using the provider opt-out links in our Cookie Policy,
    • Sending a Global Privacy Control (GPC) signal, which we honor, or
    • Emailing privacy@rentaltide.com.

    We never share your data with any third party for that third party's own advertising. If you have any concern that we may have sold or shared your information contrary to this commitment, email privacy@rentaltide.com and we will investigate within thirty (30) days.

    12. Children's Privacy

    Our Services are not intended for children under 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16, we will promptly delete such information.

    13. Contact Us

    For privacy-related inquiries:

    Data Protection Officer:
    Email: privacy@rentaltide.com

    General Privacy Inquiries:
    Email: legal@rentaltide.com

    Mailing Addresses:

    Canada: RentalTide Inc. Attn: Privacy Department 110 Didsbury Road Ottawa, Ontario K2J 4T4 Canada

    United States: RentalTide Inc. Attn: Privacy Department 1111B S Governors Ave STE 48363 Dover, DE 19904 United States

    Phone: 888-709-2650

    14. Changes to This Policy

    We may update this Privacy Policy from time to time. We will notify you of material changes by:

    • Posting the new Privacy Policy on this page
    • Updating the "Last Updated" date
    • Sending email notification for material changes
    • Obtaining consent where required by law