RENTCARS PRIVACY AND PERSONAL DATA PROTECTION POLICY

UPDATED ON SEPTEMBER 10, 2025.

Rentcars is committed to ensuring the Privacy and Protection of Personal Data processed in the course of its business activities, as well as complying with the requirements of the General Data Protection Law - Law No. 13.709/18 (“LGPD”), the European Union General Data Protection Regulation 2016/679 (“GDPR”), and other regulations applicable to Data Processing.

This Policy will be reviewed annually or whenever there are changes in applicable legislation, ensuring its update and compliance. Rentcars reserves the right to amend this Privacy and Personal Data Protection Policy (“Privacy Policy”) at any time, without prior notice.

1. Definitions

The terms and expressions used in this Privacy Policy have the meanings defined below:

“National Data Protection Authority or ANPD”: government agency responsible for overseeing, implementing, and monitoring compliance with the LGPD throughout the national territory.

“Rentcars Employees”: exclusively for the purposes of this Policy (not directly related to an employment relationship), all Rentcars collaborators, including partners, administrators, directors, employees, managers, interns, apprentices, internal service providers, and any other person directly affiliated with Rentcars.

“Consent”: a free, informed, and unequivocal expression by which the data subject agrees to the processing of their Personal Data for a specific purpose.

“Data Controller”: a natural or legal person, public or private, responsible for decisions regarding the processing of Personal Data.

“Data”: Personal Data and Sensitive Personal Data, as defined in this Policy, in accordance with the LGPD.

“Anonymized Data”: data relating to a data subject that cannot be identified using reasonable and available technical means at the time of its processing.

“Personal Data”: information relating to an identified or identifiable natural person.

“Sensitive Personal Data”: Personal Data concerning racial or ethnic origin, religious belief, political opinion, union membership or membership in a religious, philosophical, or political organization, data concerning health or sexual life, genetic or biometric data.

“Data Protection Officer (DPO)”: the person appointed by the Data Controller and the Data Processor to act as the communication channel with Data Subjects and with the National Data Protection Authority (ANPD).

“LGPD”: General Data Protection Law (Law No. 13.709/18).

“Data Processor(s)”: a natural or legal person, public or private, who processes Personal Data on behalf of the Controller.

“Rentcars”: Rentcars Ltda, a private legal entity registered with CNPJ No. 10.998.234/0001-23, headquartered at Rua Doutor Pedrosa, 151, suite 1201, 12th floor, Centro, Curitiba/PR, ZIP Code 80.420-120, and Rentcars BV, a Dutch company registered under Tax ID No. 859404900, located at Herengracht 420, 1017BZ, Amsterdam, Netherlands.

“GDPR”: General Data Protection Regulation 2016/679 of the European Union.

“Data Subject”: a natural person to whom the personal data being processed refers.

“Data Processing” or “Processing”: any operation performed with Personal Data, including Sensitive Personal Data, such as collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, deletion, evaluation or control of information, modification, communication, transfer, dissemination, or extraction of Personal Data.

2. Purpose

2.1. The purpose of this Privacy Policy is to define the main rules and principles for the Processing of Data collected, including but not limited to personal data from clients, suppliers and/or their representatives and collaborators, service providers, partners, rental companies, as well as any other parties involved in the execution of Rentcars’ activities, ensuring an adequate level of security through protective measures in alignment with the LGPD and other applicable regulations.

2.2. Accordingly, we collect personal information you provide directly, information about how you use our services, and information from third-party sources, as described in this document. We use such information to provide you with services, to understand how you use our services so that we can improve and personalize your experience, and to develop applications, technologies, and content more relevant to our customers. We also use personal information to deliver personalized ads tailored to your interests.

2.3. This Privacy Policy must be observed by all Rentcars Employees, clients, suppliers, service providers, partners, rental companies, or any natural or legal person who may act as a Data Subject and/or Data Processor where Rentcars serves as the Data Controller.

3. Points of Collection of Personal Data

Personal Data collection by Rentcars may occur in various ways, directly or indirectly, for example, but not limited to:

1. Receipt of emails, including via the Rentcars website;
2. In person, directly from the Data Subject;
3. Electronic résumés submitted by the Data Subject to Rentcars through the website and corporate social networks;
4. Internal and third-party management systems, including those used by Data Processors;

5. Registration and navigation by the Data Subject on the Rentcars website or app;

6. When you communicate with our Customer Service team or other Service teams, your communications are transmitted through our systems, including chatbot, WhatsApp, email, and app, whether for support or sales;
7. Corporate social networks and communication apps;
8. Meetings and events, phone calls, photos, and security camera images; and,
9. Contracts, public sources, scanned documents, and documents from clients and partners.

4. Purposes of Data Processing

4.1. All Rentcars Data Processing activities are carried out using only the Data strictly necessary to achieve specific purposes, including but not limited to:

1. Fulfillment of contractual and legal obligations with clients, including after-sales support, for which Personal Data such as, but not limited to: name, ID numbers, booking code, driver’s license, proof of income, vehicle rental details, passport, banking data, marital status, physical address, nationality, occupation, phone, email, IP, geolocation are processed.
2. User behavior analysis on the website and app and vehicle recommendation generation, for which Personal Data such as, but not limited to: booking code, geolocation, client ID, browsing context, browsing behavior, vehicle pick-up and drop-off location, number of rental days, browsing and purchase history are processed.
3. Lead acquisition and reactivation via website, email, and WhatsApp, for which Personal Data such as, but not limited to: name, gender, email, phone, address, ID numbers, geolocation, booking code are processed.
4. Customer satisfaction surveys, for which Personal Data such as, but not limited to: name, booking code, email, and phone are processed.
5. Analysis of customer testimonials and opinions on consumer support websites and social media, for which Personal Data such as, but not limited to: name, gender, place of residence, social media profile, testimonial content are processed.
6. Calculation of booking cancellation probability, for which Personal Data such as, but not limited to: name, gender, age, email, phone, address, booking code, booking details, booking location, promotion usage, new or returning customer status, cancellation history, country of residence are processed.
7. Customer segmentation for marketing, for which Personal Data such as, but not limited to: name, gender, age, email, phone, address, booking code, booking details, segment are processed.
8. Contract management and fulfillment of contractual obligations with rental companies, suppliers, partners, and service providers, for which Personal Data such as, but not limited to: name, date of birth, marital status, ID numbers, physical address, email, phone, nationality, occupation, signature, and position are processed.
9. Prospecting and negotiation with new business partners and rental companies, for which Personal Data such as, but not limited to: name, email, phone, ID numbers, driver’s license, social media profile, position, occupation are processed.
10. Payment management for rental companies, partners, suppliers, service providers, and other third parties, for which Personal Data such as, but not limited to: name, ID numbers, email, and banking data are processed.
11. Evaluation and handling of booking fraud cases, for which Personal Data such as, but not limited to: name, date of birth, ID numbers, email, physical address, phone, banking data, booking details, and IP are processed.
12. Physical and property security at headquarters, for which Personal Data such as, but not limited to: name, photo, and ID, and Sensitive Personal Data such as biometrics, are processed.

4.2. The above-mentioned Data is processed by Rentcars and by contracted companies, as well as securely stored under appropriate technical and organizational measures, for the period necessary to fulfill the purposes.

4.3. Rentcars uses global tools and assets, therefore performs international transfers of Personal Data, in compliance with LGPD and Resolution CD/ANPD No. 19/2024.

5. Legal Bases for Data Processing

5.1. The legal bases for Rentcars’ Processing of Personal Data, according to art. 7 of the LGPD, are:

1. Consent of the Data Subject;
2. Compliance with legal or regulatory obligation by Rentcars;
3. Execution of a contract or preliminary procedures related to a contract of which the Data Subject is a party, at the request of the Data Subject;
4. Protection of the life or physical safety of the Data Subject or a third party;
5. Legitimate interest of Rentcars.

5.2. The legal bases for Rentcars’ Processing of Sensitive Personal Data, according to art. 11 of the LGPD, are:

1. Consent of the Data Subject;
2. Compliance with legal or regulatory obligation by Rentcars; and
3. Protection of the life or physical safety of the Data Subject or a third party.

6. Storage and Disposal of Personal Data

6.1. Any Data provided by the Data Subject is collected and stored securely under appropriate technical and organizational measures. To this end, Rentcars adopts various precautions, in compliance with security standards established in applicable legislation.

6.2. In addition to technical efforts, Rentcars also adopts organizational measures, such as the use of an Information Security Policy for the proper Processing of Data.

6.3. Access to collected Data is restricted to Rentcars Employees and persons authorized by Rentcars and will be hosted on servers and systems located in Brazil and other countries in compliance with LGPD and Resolution CD/ANPD No. 19/2024.

6.4. After fulfilling the purposes for which they were collected, Data is disposed of within the scope and technical limits of activities, with retention allowed for the following purposes:

1. Compliance with legal or regulatory obligation by Rentcars;
2. Transfer to a third party, provided that the Data Processing requirements set forth in the LGPD are respected; and
3. Exclusive use by Rentcars, with access by third parties prohibited, provided the data is anonymized.

7. Geographic Scope

This Privacy Policy applies to cases where Data Processing occurs or where Data is collected within Brazilian territory.

8. Rights of Data Subjects

8.1. The Data Subject, whenever possible, receives information about the Processing of their Personal Data at the time of its collection.

8.2. The Data Subject may exercise rights regarding the Processing of their Data, such as: access to information; objection to processing, automated decision-making, and profiling; restriction of processing; data portability; rectification and deletion of data; and revocation of Consent, as applicable in each case, via the email address provided in item 13.2 of this Privacy Policy.

8.3. Rentcars has implemented procedures to ensure responses to Data Subjects within legally established deadlines and reserves, under the LGPD, the right to evaluate requests from Data Subjects and comply with them when technically feasible and legally required. In any case, the result of the evaluation will be communicated to the Data Subject.

8.4. The Data Subject acknowledges that exercising some of their rights may prevent the continuation of their relationship with Rentcars.

9. Obligations of Data Subjects

9.1. The Data Subject is responsible for the truthfulness, accuracy, and confirmation of the Data they provide, whether on the Rentcars website or by other means.

9.2. The Data Subject is prohibited from sharing with other individuals or third-party companies, including coworkers, family, and friends, logins, passwords, or any type of credential. The Data Subject must use strong and unique passwords for Rentcars’ assets and tools. Rentcars is not responsible for any breaches of the Data Subject’s Privacy and Personal Data Protection caused by the Data Subject’s actions or omissions.

9.3. The Data Subject is responsible for adopting all necessary security measures on their devices used to access Rentcars’ assets and tools, so that Rentcars is not held liable for any breaches of the Data Subject’s Privacy and Data Protection resulting from such lack of diligence.

10. Obligations of Rentcars Data Processors

10.1. Rentcars seeks to engage with Data Processors committed to privacy and data protection.

10.2. Rentcars Data Processors must strictly comply with this Privacy Policy, as well as with applicable legislation. In case of non-compliance, Rentcars reserves the right to immediate contract termination, without cost to Rentcars, and to apply the relevant legal and contractual penalties.

10.3. Rentcars reserves the right to verify whether Data Processors follow the processes, operational instructions, and procedures defined by Rentcars, through ordinary or extraordinary audits.

11. Cooperation with the ANPD and Other Authorities

11.1. Rentcars, in its capacity as Data Controller, will cooperate with the ANPD and other data protection authorities on matters related to the protection and privacy of Personal Data under its Processing, within the limits of the LGPD and GDPR, and without waiving any right of defense or appeal granted to it.

11.2. Rentcars Employees, as well as service providers and/or suppliers potentially involved in the Processing or challenged procedure, will provide support on matters related to the protection and privacy of Personal Data.

12. Data Sharing

We may share your information internally within our company, as well as with the following entities, for the purposes described above:

1. Affiliates and subsidiaries: other Rentcars companies we control or own.
2. Business Partners: partners with whom we work to provide you with requested or purchased services. For example, we may work with car rental companies to enable bookings. These partners are responsible for managing your personal information.
3. Other parties when required by law or for the protection of Rentcars, our services, employees, and our Clients: we may disclose your information when required by law, legal process, or court order. In addition, government authorities may request your data for law enforcement, national security, counterterrorism, and other public safety matters.
4. Other parties with your consent or upon your request: in addition to the situations set out in this Privacy Policy, we may share your information with third parties if you expressly authorize or request it.

13. Communication Channel

13.1. Rentcars provides Data Subjects, Data Processors, and any other person (natural or legal) with a free, exclusive communication and service channel for matters related to privacy and data protection.

13.2. All matters related to privacy and data protection should be directed to Rentcars’ Data Protection Officer, Marcelo Veiga, at: [email protected].