Privacy Policy

For the purposes of the GDPR, DeviceRent acts as the data controller for the personal data described in this Policy. Questions, requests, or complaints can be sent to info@devicerent.net.

We collect the following categories of personal data:

• Account data: email address, display name, and any optional profile information you provide.
• Authentication data: hashed passwords, multi-factor authentication factors and recovery codes (TOTP), and session tokens. Plaintext passwords are never stored.
• Billing data: subscription status, plan, billing cycle, and a reference to your customer record at our payment processor (Stripe). Your full payment card number is collected and stored by Stripe; DeviceRent does not have access to it.
• Usage data: session start and end times, device selections, credit balance changes, and similar product telemetry needed to operate the Service.
• Technical data: IP address, browser type, operating system, referrer, and similar information collected automatically through server logs and analytics, used in aggregated form for security and product improvement.
• Communications: the content of any messages you send us through email or in-app channels.

We rely on the following legal bases under Article 6 of the GDPR:

• Contractual necessity (Art. 6(1)(b)): to create your account, deliver the Service, process your subscription, and provide support.
• Legitimate interests (Art. 6(1)(f)): to keep the Service secure, prevent fraud and abuse, debug problems, and improve the product. We balance these interests against your rights and freedoms.
• Consent (Art. 6(1)(a)): for non-essential cookies and any optional marketing communications. You may withdraw consent at any time.
• Legal obligation (Art. 6(1)(c)): to retain billing records and respond to lawful requests by public authorities.

We process personal data to:

• create and authenticate your account;
• operate device sessions and bill the corresponding fees;
• send transactional emails (e.g., receipts, security alerts);
• provide customer support;
• monitor and protect the Service against abuse;
• comply with applicable legal and tax obligations;
• improve and develop our products in aggregated form.

We do not sell personal data. We share it only with sub-processors that help us operate the Service, under written agreements requiring confidentiality and GDPR-compliant safeguards:

• Supabase — authentication and database hosting.
• Stripe — payment processing and subscription billing.
• Vercel — application and edge hosting.
• Resend — transactional email delivery.
• Google Analytics — aggregated usage analytics with IP anonymization where supported.

We may also disclose personal data when required by law, regulation, court order, or to enforce our Terms or protect the rights, property, or safety of DeviceRent, our users, or others.

Some of our sub-processors operate outside the European Economic Area. Where personal data is transferred to a country that has not received an adequacy decision from the European Commission, we rely on Standard Contractual Clauses or another lawful transfer mechanism, and we apply additional safeguards as appropriate.

We retain personal data for as long as your account is active and for a reasonable wind-down period after deletion to handle backups, dispute resolution, and security investigations. Billing and tax records are retained for the period required by applicable law (typically several years). When personal data is no longer needed, we delete or anonymize it.

If you are in the EEA, the UK, or a comparable jurisdiction, you have the right to:

• access the personal data we hold about you;
• request rectification of inaccurate or incomplete data;
• request erasure of your personal data ("right to be forgotten"), subject to legal retention obligations;
• request restriction of processing in certain situations;
• receive a portable copy of the data you provided to us in a structured, commonly used, machine-readable format;
• object to processing based on legitimate interests;
• withdraw consent at any time without affecting the lawfulness of prior processing;
• lodge a complaint with the data protection supervisory authority of your country.

To exercise any of these rights, email info@devicerent.net. We will respond within the time limits set by applicable law. We may need to verify your identity before fulfilling certain requests.

We do not use personal data for automated decision-making that produces legal or similarly significant effects on you, and we do not engage in profiling for that purpose.

We apply reasonable technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, and loss. These include encryption in transit (TLS), hashed credential storage, optional multi-factor authentication for users, row-level security at the database layer, and least-privilege access for our team. No system is perfectly secure; if you believe your account has been compromised, contact us immediately at info@devicerent.net.

The Service is not directed at children under the age of 16, and we do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us so that we can delete it.

We use cookies and similar technologies as described in our Cookie Policy.

We may update this Privacy Policy from time to time. If we make material changes, we will give reasonable notice before they take effect (for example, by email or in-app notice). The "Effective" date at the top of this page reflects the most recent revision.

For privacy questions or to exercise your rights, email info@devicerent.net.