PRIVACY POLICY AND PERSONAL DATA PROTECTION - CarRentEasy

UPDATED ON APRIL 1, 2025.

1. Definitions

National Data Protection Authority or ANPD: The public administration body responsible for overseeing, implementing, and enforcing compliance with the LGPD throughout the national territory.

CarRentEasy Collaborators: Individuals working with CarRentEasy, including partners, administrators, directors, employees, managers, interns, apprentices, internal service providers, and any other person who has a direct relationship with CarRentEasy.

Consent: A free, informed, and unequivocal expression by which the data subject agrees to the processing of their personal data for a specific purpose.

Data Controller: A natural or legal person, whether public or private, responsible for making decisions regarding the processing of personal data.

Data: Personal Data and Sensitive Personal Data, as defined in this Policy, in accordance with the provisions of the LGPD.

Anonymized Data: Data related to the data subject that does not allow their identification using reasonable and available technical means at the time of processing.

Personal Data: Information related to a natural person that allows them to be identified in any way.

Sensitive Personal Data: Personal data concerning racial or ethnic origin, religious belief, political opinion, membership in a union or an organization of a religious, philosophical, or political nature, data related to health or sexual life, genetic data, or biometric data.

Data Protection Officer: The person designated by the Data Controller and the Data Processor to act as a communication channel with the data subjects and the National Data Protection Authority (ANPD).

LGPD: General Data Protection Law (Law No. 13.709/18).

Data Processor: A natural or legal person, whether public or private, who processes personal data on behalf of the Data Controller.

CarRentEasy: CarRentEasy Ltda, a private legal entity registered under CNPJ No. 10.998.234/0001-23, headquartered at Rua Doutor Pedrosa, 151, suite 1201, 12th floor, Centro, Curitiba/PR, ZIP Code 80.420-120, and CarRentEasy BV, a Dutch company registered with Tax ID No. 859404900, with an address at Herengracht 420, 1017BZ, Amsterdam, Netherlands.

GDPR: General Data Protection Regulation 2016/679 of the European Union.

Data Subject: The natural person to whom the personal data being processed relates.

Data Processing: Any operation or set of operations performed on personal data, including sensitive personal data, such as collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, deletion, evaluation or control of the information, modification, communication, transfer, dissemination, or extraction of personal data.

2. Purpose

2.1. The purpose of this Privacy Policy is to define the main rules and principles for the processing of data collected, including but not limited to the personal data of customers, suppliers and/or their representatives and collaborators, service providers, partners, rental agencies, as well as any other parties involved in the execution of CarRentEasy’ activities, ensuring an adequate level of security through protective measures in line with the LGPD and other applicable regulations.

2.2. In this way, we collect personal information that you provide directly, information about how you use our services, and information from third-party sources, as described in this document. We use such information to provide you with our services, understand how you use our services so that we can enhance and personalize your experience, and develop more relevant applications, technologies, and content for our customers. We also use personal information to provide personalized advertisements tailored specifically to your interests.

2.3. This Privacy Policy must be observed by all CarRentEasy collaborators, customers, suppliers, service providers, partners, rental agencies, or any individual or legal entity that assumes the role of Data Subject and/or Data Processor, in cases where CarRentEasy acts as the Data Controller.

3. Points of Collection of Personal Data

The collection of personal data by CarRentEasy can occur in various ways, directly or indirectly, for example, but not exclusively, through:

4. Purposes of Data Processing

4.1. The entire data processing procedure at CarRentEasy is carried out using only the data strictly necessary to achieve the specific purposes, such as:

4.2. The data mentioned above is processed by CarRentEasy and by companies contracted by it, and is stored securely under appropriate technical and organizational measures, for the period necessary to fulfill the purposes.

4.3. CarRentEasy uses tools and assets with global reach; therefore, it conducts international transfers of personal data, in accordance with the terms of the LGPD and Resolution CD/ANPD No. 19/2024.

5. Legal Bases for Data Processing

5.1. The legal bases for the processing of personal data by CarRentEasy, according to Article 7 of the LGPD, are:

5.2. The legal bases for the processing of sensitive personal data by CarRentEasy, according to Article 11 of the LGPD, are:

6. Storage and Disposal of Personal Data

6.1. Any data provided by the Data Subject is collected and stored securely under appropriate technical and organizational measures. To that end, CarRentEasy adopts various precautions in accordance with the security standards established by the applicable legislation.

6.2. In addition to technical measures, CarRentEasy also adopts organizational measures, such as the implementation of an Information Security Policy for the proper processing of the data.

6.3. Access to the collected data is restricted to CarRentEasy collaborators and persons authorized by CarRentEasy, and it is hosted on servers and systems located in Brazil and in other countries in accordance with the LGPD and Resolution CD/ANPD No. 19/2024.

6.4. After fulfilling the purposes for which the data was collected, the data is disposed of within the scope and technical limits of the activities, with retention permitted for the following purposes:

7. Geographical Scope

This Privacy Policy applies to cases in which data processing occurs or the data is collected within the Brazilian territory.

8. Rights of Data Subjects

8.1. The Data Subject, whenever possible, receives information about the processing of their personal data at the time of collection.

8.2. The Data Subject may exercise rights regarding the processing of their data, such as:

8.3. CarRentEasy has implemented procedures to ensure responses to data subjects within the legally established deadlines and reserves, under the terms of the LGPD, the right to evaluate data subjects’ requests and to fulfill them when technically feasible and legally required. In any case, the outcome of the evaluation will be communicated to the data subject.

8.4. The Data Subject is aware that exercising some of their rights may prevent the continuation of their relationship with CarRentEasy.

9. Obligations of the Data Subjects

9.1. The Data Subject is responsible for the truthfulness, accuracy, and confirmation of the data they provide, whether on the CarRentEasy website or by any other means.

9.2. The Data Subject is prohibited from sharing logins, passwords, or any type of credentials with other people or third-party companies, including coworkers, family, and friends. The Data Subject must use strong and unique passwords for CarRentEasy assets and tools. CarRentEasy is not responsible for any breaches of privacy or personal data protection resulting from the actions or omissions of the Data Subject.

9.3. The Data Subject is responsible for implementing all necessary security measures on their devices used to access CarRentEasy assets and tools, so that CarRentEasy is not liable for any breaches of privacy or data protection resulting from this lack of diligence.

10. Obligations of CarRentEasy’ Data Processors

10.1. CarRentEasy seeks to engage with data processors committed to privacy and data protection.

10.2. CarRentEasy’ data processors must comply with this Privacy Policy as well as the relevant legislation. In case of non-compliance with either, CarRentEasy reserves the right to immediate contractual cancellation, without any liability to CarRentEasy, as well as to apply the appropriate legal and contractual sanctions.

10.3. CarRentEasy reserves the right to verify that its data processors follow the processes, operational instructions, and procedures defined by CarRentEasy, through routine or extraordinary audits.

11. Cooperation with the ANPD and Other Authorities

11.1. CarRentEasy, in its capacity as Data Controller, will cooperate with the ANPD and other data protection authorities on matters related to the protection and privacy of personal data under its processing, within the limits of the LGPD and GDPR, without waiving any rights to defense and appeals as guaranteed to it.

11.2. CarRentEasy collaborators, as well as service providers and/or suppliers potentially involved in the questioned processing or procedure, will provide support on matters related to the protection and privacy of personal data.

12. Data Sharing

We may share your information internally within our company, as well as with the following entities, for the purposes described above:

13. Communication Channel

13.1. CarRentEasy provides the Data Subject, Data Processors, and any other individual or legal entity with a free communication channel and exclusive service for matters related to privacy and data protection.

13.2. All matters related to privacy and data protection should be directed to CarRentEasy’ Data Protection Officer, Débora Jabur, at the email: dpo@CarRentEasy.com.

2025© CarRentEasy. All rights reserved.