Privacy policy & personal data (GDPR)

This privacy policy describes how Rentals (“we”, “us”, “the service”) processes personal data when you use our website and related services.

Under the EU General Data Protection Regulation (GDPR) and Finland’s Data Protection Act (Tietosuojalaki), we act as the data controller for the personal data we decide about for our own service.

Depending on how you use the service, we may process:

• Account and profile data e.g. name, email address, phone, identifiers you provide, and content you add to your profile.
• Usage and technical data e.g. IP address, device/browser type, approximate timestamps, security logs, and cookies where applicable (see our Cookie policy).
• Communications messages you send us (e.g. contact form), application-related messages, and notification preferences.
• Verification and compliance information required to operate safely and to meet legal obligations (e.g. fraud prevention, accounting where applicable).

We process personal data only for specific purposes, including:

• Providing the service registration, authentication, dashboards, matching applicants and organisations, messaging, and support. Legal bases: performance of a contract; legitimate interests in operating a secure platform.
• Communication service emails, security alerts, and responses you request. Legal bases: contract; legitimate interests.
• Legal obligations where we must retain or disclose information by applicable law. Legal basis: legal obligation.
• Improvement and analytics aggregated statistics and product improvement, where permitted. Legal bases: legitimate interests; where required, your consent (e.g. non-essential cookies).

We use trusted service providers (e.g. hosting, email delivery) who process data on our instructions (processors). We use written agreements and security measures as required by GDPR Article 28.

We aim to host and process personal data within the European Economic Area (EEA). If a transfer outside the EEA occurs, we use appropriate safeguards (e.g. Standard Contractual Clauses) where required.

We keep personal data only as long as needed for the purposes above, including legal, tax, and dispute resolution periods. When data is no longer needed, we delete or anonymise it in line with our internal retention practices.

Under GDPR you may have the right to:

• Access your personal data and receive a copy;
• Rectify inaccurate data;
• Erase data (“right to be forgotten”) where applicable;
• Restrict processing in certain cases;
• Data portability where processing is based on consent or contract and automated;
• Object to processing based on legitimate interests (including profiling in applicable cases);
• Withdraw consent at any time where processing is consent-based (without affecting prior lawful processing).

You may also lodge a complaint with a supervisory authority. In Finland, the Office of the Data Protection Ombudsman is tietosuoja.fi.

To exercise your rights, contact us using the details in the “Contact” section on this site or your account tools where available.

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction. No method of transmission over the Internet is 100% secure; we encourage strong passwords and safe device use.

The service is not directed at children below the age at which consent for information society services is valid in your country without parental authority. If you believe we have collected a child’s data in error, contact us and we will take appropriate steps.

We may update this policy to reflect product, legal, or regulatory changes. We will publish the new version on this page and adjust the “Last updated” date. Where required, we will notify you separately (e.g. by email or in-app notice).