Legal

Privacy policy

Last updated: 29 May 2026 · Version 2.0

This policy transparently explains who collects your personal data when you use idRent, what data we collect, what we use it for, who we share it with, how long we keep it and what rights you have over it. Drafted under the EU General Data Protection Regulation (2016/679 — GDPR), the Spanish Organic Law 3/2018 on Personal Data Protection and Digital Rights (LOPDGDD), Law 34/2002 on Information Society Services (LSSI-CE) and the ePrivacy Directive.

1. Data controllers

idRent is operated by two complementary entities, each with a well-defined role in processing your data:

Primary data controller

Legal name:Moverelocacion, S.L. (“Move”)
Spanish tax ID (NIF): B23856172
Registered office: Avenida de Manoteras 24, 2nd floor, 28050 Madrid, Spain
Privacy contact: hi@idrent.io
Role: collection and processing of all personal information related to the tenant profile, their documentation, contracted services and communications with landlords and guarantors.

Payment processor

Legal name: Racimo, LLC
US tax ID (EIN): 37-1826881
Address: 382 NE 191st St, PMB 813073, Miami, FL 33179-3899, USA
Role: intermediary for subscription billing and payment services, operated via Stripe. Only receives the data strictly necessary to process payments (name, email, amount, payment method). Has no access to your documents or your tenant profile.

Data Protection Officer (DPO)

Move's processing does not fall within the cases of mandatory DPO designation set out in Art. 37(1) GDPR (we are not a public authority, we do not carry out large-scale systematic monitoring, and we do not process Art. 9 GDPR special categories of data as a core activity). Nevertheless we have appointed an internal Privacy Officer you can contact for any query or rights request at hi@idrent.io.

2. Definitions

Personal data: any information about an identified or identifiable natural person (e.g. name, email, photograph, ID number, IP address).
Processing: any operation performed on personal data (collection, storage, modification, communication, deletion).
Data subject / User: the natural person the personal data belongs to (you, where applicable).
Processor: third party processing data on behalf of the Controller (e.g. Firebase Storage, Resend).
Recipient: independent third party we disclose data to so they can process it on their own account (e.g. a rent guarantor company assessing your application).
GDPR: EU Regulation 2016/679.
AEPD: Spanish Data Protection Agency, the Spanish supervisory authority.

3. Categories of personal data we collect

We collect only the data strictly necessary to provide the service (data minimisation principle, Art. 5(1)(c) GDPR). Categories:

3.1. Identification and contact data

First and last names
Email
Phone
Preferred language
Profile photo (optional)

3.2. Official identification data

National ID / Residence card / Passport (number and scan)
Tax ID (NIF / TIN)
Date of birth
Nationality / country of origin
Current country of residence

3.3. Economic and financial data

Employment type (employee, freelance, etc.)
Type of work contract
Payslips or income evidence
Net monthly income (amount and currency)
Available savings (amount and currency)
Bank statements (when provided)
Past rental history
Information on guarantors you designate (the guarantor's own data is collected directly from them with their consent)

3.4. Household data

Names and basic data of people who will live with you (only when you provide them; minors are registered by you in your capacity as legal representative)
Pets (species, number)

3.5. Search data

Target city
Estimated move-in date
Monthly budget (amount and currency)
Property type
Your active searches and saved properties

3.6. Communications and user-generated content

Messages you send to landlords or guarantors through the platform
Document comment threads
Your “story” — the intro paragraph you write
Communications with our support team

3.7. Technical data

IP address
Browser user agent (type and version)
Request timestamps
Session identifiers (in strictly necessary cookies)
App usage events (no advertising trackers)
Audit logs of access to your documents

3.8. Payment data (when you subscribe to a paid plan)

Stripe customer and subscription IDs (necessary to manage billing)
Invoice and payment history
Contracted plan (Basic, Premium or Maintenance) and billing modality (monthly, annual, or read-only maintenance). We need this to apply the relevant plan's limits and entitlements, and so any manual change between plans (e.g. activating Maintenance from /dashboard/billing) is reflected without delay.
We do NOT store your card data at any time. Stripe processes it directly under PCI-DSS Level 1 certification.

3.9. Sensitive data (Art. 9 GDPR special categories)

We do not request special category data (racial or ethnic origin, political opinions, religious beliefs, trade-union membership, health, sex life or sexual orientation, genetic data, biometric data for unique identification). If you inadvertently provide any (e.g. health information in a recommendation letter), we recommend you redact it before uploading.

4. Sources of data

We collect the data described above through the following channels:

Directly from you: when you create your account, complete your profile, upload documents or use the platform.
From third parties with your consent:
- Firebase Authentication (Google LLC): when you sign up or log in with email/password or Google. We receive the Firebase-signed ID and verified email.
- Stripe, Inc.: on payment processing we receive webhook confirmations without card data.
From public sources (at your request): when you request a landlord verification for €30, we consult public registers (Property Registry, Cadastre, Commercial Registry) on the landlord data you provide us.
Automatically: the technical data listed in section 3.7 is collected automatically when interacting with the platform.

5. Purposes and legal bases

We process your data only for specific, explicit and legitimate purposes (Art. 5(1)(b) GDPR). The following table details each purpose with the corresponding legal basis under Art. 6 GDPR:

5.1. Providing the idRent service

Creating your verified profile, managing your documentation, generating share links with landlords, translating your documents into local format, storing your searches and properties. Legal basis: performance of the contract to which the data subject is party (Art. 6(1)(b) GDPR).

5.2. Identity and solvency verification

Manual review by our team of documents you upload to issue verification badges that landlords consult. Legal basis: contract performance (Art. 6(1)(b) GDPR).

5.3. Landlord verification

When you request a landlord verification for €30, we consult public sources to check ownership, identity and background. Legal basis: contract performance + legitimate interest in protecting the tenant from real-estate fraud (Arts. 6(1)(b) and 6(1)(f) GDPR).

5.4. Intermediation with guarantor companies

When you request that a guarantor company assess your profile, we share the strictly necessary data with the guarantor you choose. Legal basis: contract performance + explicit consent at the time of the request (Arts. 6(1)(b) and 6(1)(a) GDPR).

5.5. Payment and billing

Subscription and add-on charges and invoice issuance via Stripe / Racimo LLC. Legal basis: contract performance + legal obligation to keep accounting records (Arts. 6(1)(b) and 6(1)(c) GDPR; Art. 30 of the Spanish Commercial Code).

5.6. Transactional emails

Notification emails when something changes in your account: new landlord request, completed verification, rental reminders, etc. Legal basis: contract performance (Art. 6(1)(b) GDPR). These are necessary to provide the service — they do not require consent and you cannot fully disable them without closing your account. You can disable non-essential notifications from Settings.

5.7. Marketing communications

If you subscribe to our newsletter or opt in to receive information about new features or PLUS services, you will get emails for this purpose. Legal basis: consent (Art. 6(1)(a) GDPR). You can withdraw it at any time through the unsubscribe link in any email or by writing to hi@idrent.io.

5.8. Security, fraud prevention and incident handling

Audit logs, detection of suspicious access, blocking of compromised accounts, incident investigation. Legal basis: legitimate interest in ensuring the security of the platform and other users (Art. 6(1)(f) GDPR). We have conducted the corresponding balancing test between our interest and your rights and consider this basis proportionate.

5.9. Compliance with legal obligations

Invoice retention for tax purposes, response to judicial or administrative requirements, cooperation with fraud investigations. Legal basis: legal obligation (Art. 6(1)(c) GDPR).

5.10. Product improvement and aggregate statistics

Internal usage analysis with always anonymised or aggregated data that does not permit re-identification. Legal basis: legitimate interest (Art. 6(1)(f) GDPR). We do not sell these analyses or use them for targeted advertising.

6. Recipients and processors

We share your data only when necessary to provide the service or where required by law. Recipient categories:

6.1. Landlords and real-estate agencies

When you generate a private link, the landlords or agencies you choose see the profile information you explicitly marked as shareable. You control which sections are exposed and can revoke access at any time from “My links”. Legal basis: consent at link generation + contract performance.

6.2. Rent guarantee companies

When you request a guarantee, we share with the chosen company the profile they need to assess issuing the guarantee. Guarantors act as independent controllers for their own purposes; you will receive their own privacy policy on starting the flow.

6.3. Processors (subprocessors)

The following providers process your data on our behalf under GDPR-compliant contract (Data Processing Agreement / Standard Contractual Clauses where applicable):

Provider	Purpose	Data processed	Location
Google LLC (Firebase Authentication)	Credential management	Email, password hash, user ID	USA (with SCCs)
Google LLC (Firebase Cloud Storage)	Document storage	Your documents at-rest encrypted, associated metadata	European Union (europe-west1 region)
Stripe, Inc.	Payment processing and billing	Name, email, amount, payment method (token), billing history	USA (with SCCs) + Ireland
Resend, Inc.	Transactional email delivery	Recipient email, subject, body	USA (with SCCs)
Amazon Web Services EMEA SARL (“AWS”)	Backend infrastructure, database and backup hosting	Logs, encrypted database (RDS / Aurora), backups, application files	European Union (eu-west-1 Ireland or eu-south-2 Madrid regions)

We maintain an up-to-date subprocessor register. If we add or change any material subprocessor, we will notify you at least 30 days in advance so you can object and, if applicable, terminate the contractual relationship at no cost.

6.4. Public authorities and courts

We will share your data where required by a court order, a reasoned administrative request or applicable law.

6.5. Corporate transactions

In the event of a merger, acquisition or sale of Move's assets, your data may be transferred to the acquiring party. We will inform you before the transfer occurs so you can object if you wish.

6.6. What we do NOT do with your data

We do not sell your personal data to third parties.
We do not train AI models on your documentation.
We do not share your data with advertisers or advertising networks.
We do not use your data for commercial profiling on third-party platforms.

7. International data transfers

Your data is mainly stored on European Union servers (Firebase Storage europe-west1 region; backups in the same jurisdiction). However, some of our processors have their main office in the USA (Google, Stripe, Resend, Racimo LLC) and may access data from there for maintenance, support or administrative management.

These transfers are covered by Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914) or, where applicable, other adequacy mechanisms set out in Chapter V of the GDPR (adequacy decisions, approved certifications, binding corporate rules).

To request a copy of the SCCs applicable to your case, write to hi@idrent.io.

8. Retention periods

We keep each category of data only for the time needed for the processing purposes, except where a legal obligation requires longer. Detail:

Data type	Retention period	Basis
Active account data	While the account is active	Contract performance
Verification documents	While the account is active + 30 days after cancellation	Contract performance + recovery window
Landlord communications	While the associated link is active, max 1 year after last activity	Legitimate interest (dispute resolution)
Invoices and tax data	10 years	Legal obligation (Art. 30 Commercial Code; Art. 66 LGT)
Security audit logs	12 months	Legitimate interest + legal obligation
Strictly necessary cookies	Session lifetime + 7 days (refresh token)	Contract performance
Deleted account data	30-day grace period, then permanent deletion (except billing)	GDPR Art. 17 (right to be forgotten)

After the indicated periods, data is irreversibly deleted or fully anonymised for aggregate statistical purposes.

9. Security measures

We apply appropriate technical and organisational measures under Art. 32 GDPR to ensure a level of security appropriate to the risk. Among them:

Encryption in transit: TLS 1.2+ enforced on all connections to the platform.
Encryption at rest: your documents and data are stored encrypted in Firebase Cloud Storage and in the database.
Authentication: JWT with refresh-token rotation and immediate revocation on account block. Passwords are hashed; never stored in clear.
Access control: only authorised Move personnel access your data within their duties, under contractual confidentiality and specific data-protection training.
File verification: uploaded documents are analysed by byte signature to block malicious files.
Audit logs: every access to your documents by our team or by landlords is logged.
Backups: encrypted with limited retention and in the same jurisdiction as the primary data.
Rate limiting and DDoS protection on sensitive endpoints.
Periodic internal audits and documented incident response plan.

Despite these measures, no Internet transmission or storage system is 100 % secure. If you suspect your account has been compromised, contact us immediately.

10. Your rights

As a data subject you have the following rights over your personal data under Arts. 15 to 22 GDPR:

Access (Art. 15): obtain confirmation of whether we process your data and, if so, a copy. Download a full JSON dump from Settings → My account or via GET /api/users/me/export.
Rectification (Art. 16): correct inaccurate data. Edit your profile fields directly from Settings; for non-editable data (e.g. email), write to us.
Erasure / right to be forgotten (Art. 17): delete your data when no longer needed for the purposes collected, you withdraw consent, you object, or where unlawfully processed. Delete your account from Settings or via DELETE /api/users/me with { confirm: "DELETE" } in the body.
Restriction (Art. 18): request that we stop processing your data while keeping it for claims.
Portability (Art. 20): receive your data in a structured, commonly used, machine-readable format (we give it as JSON; complies).
Objection (Art. 21): object to processing based on legitimate interest or to direct marketing at any time.
Not to be subject to automated individual decisions with legal effects (Art. 22): idRent does not make fully automated decisions with significant legal effects on you. Important verifications (identity, landlord) are made by a human reviewer.
Consent withdrawal (Art. 7(3)): when a purpose is based on consent (e.g. marketing), you can withdraw it at any time without affecting the lawfulness of prior processing.

11. How to exercise your rights

You can exercise any of the rights above:

By email: hi@idrent.io identifying yourself and describing your request. If we have doubts about your identity we may ask for additional verification.
By post: Moverelocacion, S.L., Avenida de Manoteras 24, 2nd floor, 28050 Madrid, Spain.
Through the platform's own endpoints: export and deletion are directly accessible for faster turnaround.

Response time: we will respond within one month of receipt. This period can be extended by two further months where complexity or volume of requests requires (we will notify you within the first month). Exercising rights is free, except for manifestly unfounded or excessive requests (especially repetitive ones).

Right to lodge a complaint: if you believe the processing of your data does not comply with the law, you can lodge a complaint with the Spanish Data Protection Agency (AEPD):

C/ Jorge Juan, 6, 28001 Madrid
Phone: +34 901 100 099 / 912 663 517
Web: www.aepd.es (electronic office for online complaints)

Before going to the AEPD, please contact us directly — most issues are resolved within days.

12. Children's data

idRent is NOT directed to children under 18. We do not collect data from people we know to be under 18. If you are a parent or legal guardian and believe your child has provided us personal data without authorisation, contact us at hi@idrent.io for immediate deletion.

If you add data of minors as part of your household (section 3.4), you do so in your capacity as legal representative and under your responsibility. We only collect the minimum necessary data (name, date of birth, family relationship).

13. Automated decisions and profiling

idRent does not make fully automated decisions with legal effects or that significantly affect you. Identity, income and landlord verifications are made by a human reviewer on our team.

We use basic algorithms only for internal operational tasks with no effect on your rights (e.g. listing ordering, city suggestions). These processes do not constitute profiling under Art. 22 GDPR.

14. Data breach notification

In the event of a personal data security breach posing high risk to your rights and freedoms, we will notify you without undue delay and, in any case, within the 72-hour period set by Art. 33 GDPR for notification to the AEPD.

The communication will include the nature of the breach, affected data, measures taken to mitigate its effects and the Move contact person for further information (Art. 34 GDPR).

15. Marketing communications

We will only send marketing communications (newsletter, new features, offers) if you have expressly accepted them when creating your account or later. Each marketing email includes a one-click unsubscribe link, and you can also disable them from Settings → Notifications.

Transactional communications (payment confirmations, account changes, operational reminders) are necessary for the service and require no additional consent. To stop receiving them entirely you must close your account.

16. Cookies and similar technologies

We only use strictly necessary cookies for the platform to work (session, language preference). If we add analytics or advertising cookies in the future, they will only activate with your express consent via the cookie banner. See our Cookie policy for more detail.

17. Changes to this policy

We may update this policy to reflect changes in our practices, legal requirements or new services. When changes materially affect your data processing (e.g. new purposes, new recipients, new retention periods):

We will notify you by email at least 30 calendar days in advance.
If the legal basis of the new processing is consent, we will request it explicitly before starting.
If you disagree with the changes, you can close your account at no cost before they take effect.

For minor changes (clarifications, typo fixes) we will publish the updated version with the revision date. Review this policy periodically.

18. Contact

For any privacy or policy query:

Email: hi@idrent.io
Post: Moverelocacion, S.L., Avenida de Manoteras 24, 2nd floor, 28050 Madrid, Spain

This policy is governed by Spanish law and applicable EU law.