Privacy Policy
1. Who We Are (Data Controller)
The data controller responsible for your personal data is:
Company name | RENNscout s.r.o. |
Registration number (IČO) | 56 372 744 |
Tax ID (DIČ) | 2122289411 |
Registered address | Gorkého 4, Bratislava, Slovak Republic |
Country of registration | Slovak Republic |
Contact email |
2. Personal Data We Collect
We collect and process the following categories of personal data:
Identity data: Your first name and surname.
Contact data: Your email address and telephone number.
Vehicle search data: Vehicle preferences you provide (make, model, year, budget, geographic scope, and similar criteria you share when briefing us on your search or sale). Where you ask us to perform a VIN history check, we submit the VIN number to a third-party provider; the VIN number is a vehicle identifier, not a personal identifier, and does not by itself constitute personal data.
Communications: Emails, messages, and other correspondence between you and RENNscout during your engagement.
Payment data: Payments are processed by Stripe, Inc. We do not store or process your card number, bank account details, or full payment credentials. We retain only the transaction reference, amount, date, and payment status provided by Stripe.
Consent records: Where required (e.g., consent to begin work before the 14-day withdrawal period expires, or consent to receive marketing), we record the timestamp, channel, and content of your consent.
Marketing preferences: If you subscribe to our newsletter or opt in to marketing communications, we record your email address and the date and channel of your subscription.
Website usage data: We use a cookie-free, privacy-first analytics tool to understand how visitors use our website. This tool collects only anonymised, aggregated data — such as page views, approximate country of origin, and referral source. It does not set any cookies, does not store IP addresses, and does not collect or process any personal data. No cookie consent notice is required for this analytics tool.
3. Legal Bases for Processing
We process your personal data on the following legal bases under Article 6 of the GDPR:
3.1 Article 6(1)(b) — Performance of a contract
We process your identity, contact, vehicle search, and communications data in order to provide the service you have requested (Verify, Scout, Scout Pro, or Sale Advisory). Processing is necessary to perform the contract between us.
3.2 Article 6(1)(c) — Legal obligation
We retain invoice and accounting records as required by Act No. 431/2002 Coll. (Slovak Accounting Act) and related tax legislation.
3.3 Article 6(1)(f) — Legitimate interests
We may send you a follow-up message after delivery of your report to ask whether you found a vehicle, to request a review, or to inform you of relevant updates. Our legitimate interest is to maintain client relationships and improve our service quality. This interest does not override your rights; you may object at any time (see Section 8). Our use of cookie-free, anonymised website analytics is also based on our legitimate interest in understanding how visitors interact with our website; because no personal data is collected, this does not affect your rights as a data subject.
3.4 Article 6(1)(a) — Consent
Where you subscribe to our newsletter or opt in to marketing communications, we process your data on the basis of that consent. You may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
4. How We Use Your Personal Data
We use your personal data only for the following purposes:
• To provide, manage, and deliver the vehicle sourcing, sale advisory, and consultancy service you purchased.
• To communicate with you about the progress of your engagement.
• To issue invoices and comply with our accounting and tax obligations.
• To record and preserve consent for audit purposes (e.g., early-performance consent under the Consumer Rights Act).
• To send post-delivery follow-up messages (on the basis of legitimate interest — see Section 3.3).
• To send you newsletters, market updates, or promotional content where you have given consent (see Section 10).
• To understand how visitors use our website using anonymised, cookie-free analytics (no personal data is involved in this process).
• To prevent fraud and maintain the security of our systems.
• To comply with any applicable law, court order, or regulatory requirement.
We do not sell, rent, or otherwise commercialise your personal data. We do not use your data for automated decision-making or profiling that produces legal or similarly significant effects.
5. Who We Share Your Data With
We share your personal data only where necessary and only with the following categories of recipients:
5.1 Data processors acting on our behalf
| Processor | Purpose | Basis / DPA |
|---|---|---|
Stripe, Inc. (United States) | Payment processing | Standard Contractual Clauses (SCCs). Stripe is additionally certified under the EU–US Data Privacy Framework. DPA accepted via Stripe Dashboard. |
Google LLC (Google Workspace) (United States) | Business email hosted under the custom @rennscout.com domain; document storage; internal team communications. Google Workspace is also used as an email sending channel for transactional messages (order confirmations, engagement updates, invoices) and marketing communications where email is sent directly via the @rennscout.com domain. | Standard Contractual Clauses (SCCs). Google Workspace is additionally certified under the EU–US Data Privacy Framework. DPA accepted via Google Admin Console. |
DigitalOcean, LLC (United States) | Website and application hosting; hosting of Payload CMS used for client record management and website content | Standard Contractual Clauses (SCCs). DPA available at digitalocean.com/legal/data-processing-agreement. |
Resend, Inc. (United States) | Transactional email delivery (order confirmations, engagement updates, invoices) and newsletter distribution, where Resend is used as the email delivery channel. Resend processes email addresses and email content solely for the purpose of delivery. | Standard Contractual Clauses (SCCs). DPA accepted via Resend platform. |
SuperFaktura, s.r.o. (Slovak Republic) | Invoice generation, management, and delivery. Used in conjunction with Stripe to issue invoices to clients. Processes client name, email address, billing address where provided, and invoice details (service description, amount, date, invoice number) solely for invoicing purposes. | SuperFaktura, s.r.o. explicitly acknowledges its role as data processor (sprostredkovateľ) for invoicing data in its Privacy Policy and Terms of Service (superfaktura.sk/ochrana-sukromia). Legal basis: Art 6(1)(b) GDPR — contract performance. SuperFaktura, s.r.o. is registered in the Slovak Republic (EEA); no international transfer occurs. |
VIN history check provider (e.g., CarVertical) | Vehicle history checks — VIN numbers only submitted; no personal data transmitted | VINs are vehicle identifiers, not personal data under Art 4(1) GDPR. No personal data is shared with this provider. |
Plausible Analytics OÜ (Estonia, European Union) | Anonymised, aggregated website usage statistics — page views, referral sources, approximate country, device type. No personal data is collected or processed. | No personal data is collected, stored, or transferred. No cookies are set. No DPA is required. Plausible is EU-hosted (Estonia); no cross-border transfer occurs. |
5.2 Other disclosures
We may also disclose personal data to:
• Our legal advisors and accountant, solely in connection with their professional services to us, subject to their own professional secrecy obligations.
• Public authorities or law enforcement where required by applicable law or a binding court order.
We do not share your data with vehicle sellers, dealers, or any other commercial third party for their own marketing or sales purposes.
6. International Transfers
The following processors are based in the United States and transfers to them are protected by the safeguards described:
| Processor | Transfer mechanism | Additional safeguard |
|---|---|---|
Stripe, Inc. | Standard Contractual Clauses (Art 46(2)(c) GDPR) | EU–US Data Privacy Framework certification |
Google LLC | Standard Contractual Clauses (Art 46(2)(c) GDPR) | EU–US Data Privacy Framework certification |
DigitalOcean, LLC | Standard Contractual Clauses (Art 46(2)(c) GDPR) | DPA with appropriate technical and organisational measures |
Resend, Inc. | Standard Contractual Clauses (Art 46(2)(c) GDPR) | DPA accepted via Resend platform |
We do not knowingly transfer your personal data to any country outside the European Economic Area (EEA) other than through the processors listed above under the safeguards described. The EU–US Data Privacy Framework adequacy decision is relied upon as an additional safeguard where applicable; our contracts also include Standard Contractual Clauses as a fallback in the event that the adequacy decision is suspended or invalidated.
Our website analytics provider (Plausible Analytics OÜ) is EU-hosted in Estonia, meaning no cross-border transfer of data occurs in connection with analytics. Our invoicing provider (SuperFaktúra) is registered in the Slovak Republic and also falls within the EEA; no international transfer occurs in connection with invoice processing.
7. How Long We Keep Your Data
| Data category | Retention period | Reason |
|---|---|---|
Active engagement file (name, contact, search brief, communications) | Duration of engagement | Necessary for service performance |
Completed client file (all engagement data after delivery) | 3 years from date of final delivery | Potential disputes; legal claims limitation period under Slovak Civil Code §101 |
Invoices and payment records | 10 years from date of invoice | Act No. 431/2002 Coll. (Accounting Act) and related tax legislation |
Consent records (timestamps, consent text, early-performance consent) | 3 years from date of consent, or until the related engagement file is deleted, whichever is later | Evidence of lawful processing; potential regulatory enquiry |
Marketing email list (email address and subscription date) | Until you withdraw consent or request deletion | Processing ceases upon withdrawal of consent |
Post-delivery follow-up (one or two messages after delivery) | Not retained separately — covered by completed client file retention above | Legitimate interest basis; follow-up is a single event, not ongoing storage |
Website analytics data | Not applicable — no personal data is collected | Cookie-free analytics collects only anonymised aggregates; no personal data retention applies |
After the applicable retention period expires, personal data is securely deleted or irreversibly anonymised.
8. Your Rights Under the GDPR
Under the GDPR and Act No. 18/2018 Coll., you have the following rights in relation to your personal data:
Right of access (Art 15): You may request a copy of the personal data we hold about you.
Right to rectification (Art 16): You may ask us to correct any inaccurate or incomplete personal data.
Right to erasure (Art 17): You may ask us to delete your personal data where there is no compelling reason for continued processing. This right may be limited where we are required to retain data by law (e.g., accounting records).
Right to restriction (Art 18): You may ask us to restrict processing in certain circumstances (e.g., while you contest the accuracy of data, or while an objection is being considered).
Right to data portability (Art 20): Where processing is based on consent or contract and carried out by automated means, you may ask us to provide your data in a structured, commonly used, machine-readable format.
Right to object (Art 21): You may object at any time to processing based on legitimate interests (including post-delivery follow-up). We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
Right to withdraw consent (Art 7): Where processing is based on consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
To exercise any of the above rights, please contact us at: [email protected]
We will respond within 30 days of receiving a valid request. We may ask you to verify your identity before processing a request. There is no charge for exercising your rights unless a request is manifestly unfounded or excessive.
9. Cookies and Tracking Technologies
We do not use cookies on our website. No cookie consent notice or banner is required.
To understand how visitors use our website, we use Plausible Analytics (Plausible Analytics OÜ, Estonia) — a cookie-free, privacy-first analytics tool. This tool:
• sets no cookies of any kind;
• does not store or process your IP address;
• does not track you across sessions, devices, or websites;
• collects only anonymised, aggregated data — such as page view counts, approximate country (not city or address), referral source, device type, and time spent on pages;
• does not transfer any personal data to third parties.
Because no personal data is collected through our analytics setup, you have no cookie-related consent choices to make and we have no cookie preferences to manage on your behalf. If our analytics setup changes in a way that involves the collection of personal data or the setting of cookies, we will update this section and present an appropriate consent mechanism before deploying any such technology.
If you use our website's contact or enquiry form, the form may use a session-level technical measure to prevent spam submissions. This is strictly necessary for the form to function and does not involve tracking or profiling.
10. Newsletter and Marketing Communications
We send newsletters and marketing communications only to individuals who have explicitly opted in. You may subscribe:
• Via a subscription form on our website.
• Via a lead-generation resource (e.g., a guide or checklist we offer in exchange for your email address), provided a clear consent statement is displayed at the point of sign-up.
• By providing express consent during or after your engagement with us.
Our email communications — including transactional emails (order confirmations, engagement updates, invoices) and newsletter distributions — are delivered either through Google Workspace (via the @rennscout.com domain) or through Resend, Inc., a third-party email delivery platform, depending on the channel used. In either case, your email address and the content of emails sent to you are processed solely for the purpose of delivering those communications. Both providers are listed in Section 5.1.
Each marketing email will contain a clear and functional unsubscribe link. You may also unsubscribe at any time by emailing [email protected]. Unsubscribing from marketing emails does not affect the delivery of transactional emails necessary for any active engagement.
Past clients: if you were a client before we implemented this Privacy Policy, we will contact you separately to request your consent before adding you to any marketing list. We do not rely on the previous service relationship as a basis for marketing without a fresh, GDPR-compliant opt-in.
11. How We Protect Your Data
We implement appropriate technical and organisational measures to protect your personal data against accidental loss, unauthorised access, disclosure, alteration, or destruction. These include:
• Storage of client files within Google Workspace, which provides encryption in transit (TLS) and at rest.
• Website and application hosting on DigitalOcean infrastructure with standard data-centre security controls.
• Email delivery via Google Workspace or Resend, both of which use TLS for email transmission.
• Invoice generation and delivery through SuperFaktúra. Client data shared with SuperFaktúra is limited to invoice-relevant details only.
• Access to client data restricted to authorised personnel only.
• Payments processed exclusively through Stripe, a PCI DSS-compliant provider. We do not store payment card data.
• Periodic review of access rights and data held.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the supervisory authority within 72 hours of becoming aware of the breach and, where required, notify you directly.
12. Supervisory Authority and Right to Lodge a Complaint
If you believe that our processing of your personal data infringes the GDPR or Act No. 18/2018 Coll., you have the right to lodge a complaint with the supervisory authority:
Authority | Úrad na ochranu osobných údajov Slovenskej republiky (Office for Personal Data Protection of the Slovak Republic) |
Address | Hraničná 12, 820 07 Bratislava 27, Slovak Republic |
Website | www.dataprotection.gov.sk |
Telephone | +421 2 3231 3214 |
You also have the right to bring a claim before a competent court if you consider that your rights have been infringed.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, or legal requirements. The current version will always be available on our website at www.rennscout.com/en/privacy/v1.2. Where changes are material, we will notify active clients by email.
This policy was last reviewed and updated in June 2026.