Privacy policy
Last updated: 2026-04-18
Who we are
CarRental (“we”, “the platform”) is a multi-tenant SaaS for car rental businesses. When you create a tenant, you act as the data controller for your tenant's customer records; we act as a data processor on your behalf.
What we collect
- Account data — email, full name, password hash (bcrypt), role, tenant.
- Business data — customers, guarantors, cars, bookings, rent agreements, payments, files you upload. Stored in PostgreSQL with tenant-scoped isolation.
- Operational telemetry — IP address, user-agent, request path and method, rate-limit counters. Retained 30 days.
- Audit log — every create / update / delete / payment / plan change — with user, tenant, timestamp. Retention by plan: 7 / 90 / unlimited days.
How we protect it
- TLS (Let's Encrypt) for every request; HSTS with includeSubDomains.
- Passwords hashed with bcrypt (work factor 12).
- JWT with per-token ID and revocation list.
- Optional two-factor authentication (TOTP).
- Row-level tenant isolation — cross-tenant reads are impossible by construction.
- Content-Security-Policy, X-Frame-Options: DENY, Permissions-Policy restrict sensors.
- Log redaction of Authorization / Cookie / password headers.
- Nightly off-host Postgres backups with 14-day retention.
- Image uploads stripped of EXIF metadata before storage.
Your rights (as an end-user of a tenant)
Contact your tenant admin to exercise access, correction, export, or deletion rights. They can fulfil those through the in-platform tools (CSV export, delete with audit trail).
Your rights (as a tenant owner)
- Portability — download a CSV per resource at any time.
- Deletion — contact support. We delete the tenant's row data within 30 days; backups purge on the normal rotation.
- Audit — the full audit log is viewable in-product.
Where data lives
EU-compliant Contabo infrastructure, region EU-Central. Your tenant row data never leaves this region.
Payment processing
We never store card numbers. Online payments are handled by the third-party provider you configure (Stripe, JazzCash, Easypaisa, HBL, Alfa, Meezan, PayPro, Safepay). Offline payments (cash / cheque / bank transfer) record a reference you choose — no card data involved.
Subprocessors
- Contabo (hosting).
- Let's Encrypt (TLS certificate issuance).
- Resend (transactional email, optional — log-only by default).
- Twilio (SMS, optional — log-only by default).
- Stripe / JazzCash / Easypaisa / HBL / Alfa / Meezan / PayPro / Safepay (payment processing — only when a tenant enables them).
Contact
Privacy questions: privacy@carrental.callnsms.com.
Security reports: security@carrental.callnsms.com — see also /security and /.well-known/security.txt.