Privacy Policy

Last updated: 13 July 2026

This Privacy Policy explains how Guardas de Productos, S.L. (“we”, “us”, “our”) collects, uses, stores and protects your personal data when you use the Rental Car Proof website (rentalcarproof.com) and the Rental Car Proof mobile app (together, the “Service”).

We are a Spanish-registered company, VAT registered in the UK. We are the data controller for the personal data described in this policy.

Data controller: Guardas de Productos, S.L.
Contact for privacy and data requests: Email us

This policy applies whether you’re browsing our website, downloading a free resource, or using the Rental Car Proof app. Where something applies only to the website or only to the app, it’s labelled accordingly.

1. Data We Collect

1.1 If you use our website

  • Email address — if you download a gated resource (such as the Inspection Checklist) or subscribe to updates, we collect your email address to deliver the resource and send you related content.
  • Contact form data — if you contact us, we collect whatever information you provide (name, email, message).
  • Analytics data — we use PostHog (EU-hosted) to understand how visitors use our website. This may include pages viewed, referral source, device/browser type, and approximate location derived from IP address. See “Cookies and Tracking” below.

1.2 If you use our app

Account data

  • Email address — collected at registration via magic link authentication
  • Display name — optional; either entered manually or provided via Google sign-in
  • Device hash — a one-way (SHA-256) hash of your device identifier, collected at registration. This cannot be reversed to identify you or your device. See “Fraud Prevention” below for why we collect this.

Rental data

  • Vehicle details you enter (licence plate, make, model)
  • Rental dates
  • Rental company name
  • Rental agreement reference number

Photo data

  • Photos you take during a vehicle walk-around inspection
  • Each photo includes metadata: timestamp, GPS coordinates, which inspection it belongs to, and which checklist step it documents
  • We store both the original photo and a stamped (annotated) version — this is a deliberate design choice, so the original file remains as independent, untouched evidence
  • GPS coordinates are captured from your device at the moment each photo is taken

Usage and entitlement data

  • Your entitlement status (e.g. whether you’ve used your free rental, or hold an active plan or credits)
  • Flags used to control one-time in-app messaging (e.g. whether you’ve seen the first-open guidance)
  • A fraud flag, described in “Fraud Prevention” below

2. How and Why We Use Your Data

We use your data to:

  • Provide the core service — let you create rental inspections, capture and store evidence photos, and generate evidence packs
  • Authenticate you and keep your account secure
  • Process purchases and manage your entitlements
  • Send transactional emails (e.g. magic link sign-in, evidence pack delivery)
  • Understand how our website and app are used, so we can improve them
  • Prevent abuse of our free-trial system (see “Fraud Prevention”)
  • Respond to support requests

We do not sell your personal data, and we do not use your rental or photo data for advertising.

3. Legal Basis for Processing

Under GDPR, we rely on the following legal bases:

  • Contract — processing your account, rental, and photo data is necessary to provide the service you’ve signed up for
  • Consent — where we send you marketing emails, or use non-essential website cookies/analytics
  • Legitimate interests — for fraud prevention (device hash retention, described below) and basic website analytics, where the impact on you is minimal and proportionate to our interest in protecting the service from abuse

4. Data Storage

Database and file storage: All account, rental, and photo metadata is stored with Supabase (PostgreSQL and Supabase Storage), hosted on AWS infrastructure in Frankfurt, Germany. Your data is stored within the European Union.

Evidence pack delivery: When you download an Evidence Pack, we generate a signed URL that expires after a limited time, so evidence links cannot be accessed indefinitely by anyone who obtains the link.

On your device: The app caches some configuration and app-state flags locally (e.g. whether you’ve completed onboarding). Photos are not retained permanently on your device after they’ve been uploaded — once safely stored, local copies are cleared.

5. Data Retention

Rentals: If you delete a rental, we don’t immediately erase it — it’s marked as deleted and hidden from your view, but the underlying record is retained. This prevents the free-trial entitlement system from being gamed by repeatedly creating and deleting rentals. This is a legitimate-interest basis for retention, not indefinite storage: the row is permanently deleted when you delete your account.

Photos: Retained for as long as the associated rental exists. Permanently deleted when your account is deleted.

Account deletion: When you delete your account, we permanently delete:

  • Your authentication record
  • All rental records, including previously “deleted” ones
  • All photo files and photo metadata
  • Your profile record, including the device hash

The only thing retained after account deletion is your device hash, which is moved to a separate table used solely for fraud prevention (see below). This hash cannot be linked back to your identity, email, or any other personal data once your profile is deleted.

6. Fraud Prevention

To protect the free-trial system from abuse, we generate a one-way cryptographic hash of your device identifier when you register. This hash cannot be reversed to reveal your actual device ID or identify you personally.

If you delete your account, this device hash is copied into a separate table before the rest of your data is erased. If someone later registers a new account from the same device, we check the incoming device hash against this table. If it matches, the new account is flagged and is not granted a further free trial.

We rely on legitimate interests as the legal basis for this narrow, anonymous retention — it exists solely to prevent systematic abuse of our billing model, and the data retained cannot identify you.

If you object to this processing, contact us at Email us. Please note that honouring an objection means removing your device hash from the fraud-prevention list, which would make the device eligible for another free trial.

7. Cookies and Tracking (Website)

Our website uses PostHog, an EU-hosted analytics platform, to understand visitor behaviour. This may involve cookies or similar technologies to distinguish visitors and measure usage.

Full cookie policy — categories of cookies used, consent mechanism, and opt-out instructions — to be added as a separate Cookie Policy document, referenced here.

8. Third-Party Services

We share data with the following service providers, each acting as a data processor on our behalf:

ProviderPurposeData sharedPrivacy policy
SupabaseAuthentication, database, file storageAll account, rental, and photo datasupabase.com/privacy
RevenueCatPurchase validation and entitlement managementUser ID, purchase receiptsrevenuecat.com/privacy
Resend / BrevoTransactional email (magic link sign-in, evidence pack delivery)Email addressresend.com/legal/privacy-policy / brevo.com/legal/privacypolicy
Google Play BillingPayment processing (Android in-app purchases)Handled entirely by Google — we never receive or store your payment card detailspolicies.google.com/privacy
PostHogWebsite and app analytics (EU-hosted)Usage data, approximate location, device/browser typeposthog.com/privacy

We require all third-party processors to handle your data securely and only for the purposes we’ve instructed.

Note: we do not currently use crash-reporting tools (e.g. Sentry) or over-the-air update services at runtime. Expo/EAS is used only as build tooling and does not receive data from end users’ devices. If either of these changes, this table will be updated accordingly.

9. International Data Transfers

Your core account, rental, and photo data is stored within the EU (Frankfurt, Germany). Some of our third-party service providers — such as email delivery and payment processing — may process data outside the European Economic Area as part of providing their service. Where this happens, we rely on appropriate safeguards such as Standard Contractual Clauses, as required under GDPR.

10. Your Rights (GDPR)

If you’re in the EU/UK, you have the right to:

  • Access — request a copy of the personal data we hold about you
  • Rectification — ask us to correct inaccurate data
  • Erasure — delete your account at any time directly within the app; this permanently erases your personal data, with the sole exception of the anonymous device hash described in “Fraud Prevention”
  • Data portability — request your data in a portable format. Our Evidence Pack export (a ZIP of your photos and inspection manifest) already provides this for your rental data
  • Object — object to processing based on legitimate interests, including the device hash retention described above

To exercise any of these rights, contact us at Email us.

11. Children’s Privacy

Rental Car Proof is not directed at children under 16 (or under 13 in the United States). We do not knowingly collect data from children. We do not currently have a mechanism to verify user age; if you believe a child has provided us with personal data, please contact us so we can remove it.

12. Changes to This Policy

We may update this policy from time to time — for example, if we add a new third-party service or change how we handle data. We’ll update the “Last updated” date at the top of this page, and where changes are material, we’ll notify you via email or an in-app notice.

13. Contact Us

If you have questions about this policy or how we handle your data:

Guardas de Productos, S.L.
Email us