Privacy Policy
This Privacy Policy explains how the peer-to-peer vehicle-rental marketplace operated by the company identified below (the "Platform", "we", "us") collects and uses personal data, and your rights under the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"). It forms part of our Terms of Service.
Data controller: Company: Vrmly LTD · Privacy contact: privacy@vrmly.com
Version: 1.0 · Effective date: 11 June 2026
1. Data we collect
- Account data — name, email, phone, date of birth, country, password (hashed), preferred language, profile photo.
- Identity & driving-licence verification — performed by our verification provider; we receive the verification result and status (e.g. verified, document type, name/date-of-birth match) rather than the underlying biometric template (see §4).
- Host & vehicle data — listings, vehicle details, photos, location, pricing, availability.
- Booking & payment data — bookings, dates, prices, payouts. Card details are processed directly by our payment provider; we do not store full card numbers.
- Communications — messages between Users, reviews, support correspondence, notifications.
- Technical & usage data — IP address, device/browser information, log data, and cookies/similar technologies (see §8).
2. Why we use it, and our legal bases (GDPR Art. 6)
| Purpose | Legal basis |
|---|---|
| Create your account and provide the Platform | Performance of a contract (6(1)(b)) |
| Process bookings, payments and host payouts | Performance of a contract (6(1)(b)) |
| Verify identity and driving licence; prevent fraud | Legal obligation & legitimate interest (6(1)(c), 6(1)(f)) |
| Keep records for tax, accounting and (future) insurance distribution | Legal obligation (6(1)(c)) |
| Security, abuse prevention, and improving the service | Legitimate interests (6(1)(f)) |
| Send transactional notifications (e.g. booking updates) | Performance of a contract (6(1)(b)) |
| Optional marketing and non-essential cookies | Consent (6(1)(a)), withdrawable any time |
Where we rely on legitimate interests, we balance them against your rights; you may object (see §6).
3. Who we share data with (processors and recipients)
We share data only as needed to run the Platform:
- Payments & identity verification — Stripe (payments, Connect payouts, and Stripe Identity for document/selfie verification).
- Hosting and infrastructure — our cloud hosting and database provider.
- Email delivery — our transactional email provider.
- Maps — map tiles are served by OpenStreetMap when you view the map.
- The other party to a booking — limited details necessary to complete a rental (e.g. first name, vehicle/booking info, messages).
- Authorities — where required by law, or to establish, exercise or defend legal claims.
We do not sell personal data.
4. Identity verification and biometric data
Identity and driving-licence checks are carried out by our verification provider, which may process a photo of your document and a selfie, including biometric processing to confirm they match. That processing is performed by the provider as described in its own terms; we receive the outcome of the check. Where any processing of biometric data for unique identification requires it, it is carried out on the basis of your explicit consent given at the start of the verification flow, which you may decline (in which case you will not be able to book or drive).
5. International transfers
Some providers (e.g. Stripe) may process data outside the EU/EEA. Where they do, transfers are protected by an adequacy decision or by appropriate safeguards such as the European Commission's Standard Contractual Clauses.
6. Your rights
Under the GDPR you have the right to: access your data; rectify inaccurate data; erase data ("right to be forgotten"); restrict or object to processing; data portability; and to withdraw consent at any time where processing is based on consent — without affecting prior processing.
To exercise these rights, contact privacy@………………. You also have the right to lodge a complaint with a supervisory authority — in Latvia the Data State Inspectorate (Datu valsts inspekcija), in Lithuania the State Data Protection Inspectorate (Valstybinė duomenų apsaugos inspekcija), in Estonia the Data Protection Inspectorate (Andmekaitse Inspektsioon).
7. Retention
We keep personal data only as long as necessary for the purposes above: for the life of your account and thereafter as required to meet legal obligations (e.g. accounting and tax records), resolve disputes, and enforce agreements. Booking, payment and verification records are retained for the periods required by applicable law; other data is deleted or anonymised when no longer needed.
8. Cookies and similar technologies
We use strictly necessary cookies to operate the Platform (e.g. authentication sessions). Any analytics or marketing cookies are used only with your consent, which you can manage at any time. Details are provided in our cookie notice.
9. Children
The Platform is not intended for anyone under 18, and we do not knowingly process their data.
10. Changes
We may update this Policy. Material changes will be notified in advance, and the effective date above will be updated.
Legal basis
- Data protection — Regulation (EU) 2016/679 (GDPR), in particular Articles 6 (lawfulness), 9 (special categories, incl. biometric data), 13–14 (information), 15–22 (data-subject rights), and 44–49 (international transfers).
- Supervisory authorities: Latvia — Datu valsts inspekcija (dvi.gov.lv); Lithuania — Valstybinė duomenų apsaugos inspekcija (vdai.lrv.lt); Estonia — Andmekaitse Inspektsioon (aki.ee).