Sign in Start free

Privacy Policy

Effective date: June 17, 2026

This Privacy Policy explains how Anderson Solutions Group LLC (d/b/a RentalPilot) (“RentalPilot,” “we,” “us,” or “our”) collects, uses, shares, and protects personal data in connection with the RentalPilot platform (the “Service”). RentalPilot is a car-rental management platform for independent rental operators. We are committed to handling personal data responsibly and in accordance with applicable data protection laws, including the EU and UK General Data Protection Regulation (“GDPR”) and the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA/CPRA”).

1. Introduction and scope

This policy applies to personal data we process through our websites, the operator administration application, the public booking sites we host on behalf of operators, and related services. It describes our practices for two distinct groups of people:

  • Operators — the businesses and individuals who subscribe to RentalPilot to manage their vehicle fleets, bookings, and customers.
  • Renters — the end customers who book vehicles through an operator’s public booking site. Renters do not hold RentalPilot accounts; they are the operator’s customers.

Because these groups have different relationships with us, our role under data protection law differs depending on whose data is involved, as described in the next section.

2. Our role: controller vs. processor

Data protection laws distinguish between a “controller” (who decides why and how personal data is processed) and a “processor” (who processes data on a controller’s behalf and under its instructions). Our role depends on the data in question:

  • Operator account data and platform analytics — RentalPilot is the controller. We decide how to operate, secure, and improve the Service, and we are responsible for the personal data of operators and for usage and analytics data generated across the platform.
  • Renter personal data — the operator is the controller and RentalPilot is the processor. When an operator uses RentalPilot to collect and manage information about its renters, the operator decides why and how that data is used. We process renter data only to provide the Service to that operator and in accordance with our agreement with them. Renters with questions about how their data is used should generally contact the operator they booked with.

This Privacy Policy describes our own practices. An operator’s collection and use of renter data is governed by that operator’s own privacy notice and policies.

3. Categories of personal data we collect and our sources

We collect the following categories of personal data, either directly from the individual, from the operator, or automatically through use of the Service:

Operator account data

  • Name and email address;
  • Account password (stored only in hashed form — we never store passwords in plain text);
  • Business details, such as company name, address, locations, and tax identifiers;
  • Subscription and billing information, including plan tier and payment identifiers.

Renter data (processed on behalf of operators)

  • Name, email address, and phone number;
  • Date of birth (used to verify legal driving age and to apply any young-driver charges set by the operator);
  • Driver’s license number and uploaded images of driver’s licenses;
  • Signatures captured at pickup or on rental agreements;
  • Booking history and pickup/return details;
  • Vehicle condition photos taken at check-out and check-in.

Payment data

  • Payment card transactions are handled by Stripe using Stripe Elements. Full card numbers are never stored on RentalPilot’s servers. We store only Stripe tokens and identifiers (such as a customer or payment-method reference) that allow a charge to be processed without exposing card details to us.
  • Card data is handled in a manner intended to support PCI-DSS compliance, with the cardholder data environment managed by Stripe as a certified payment processor.

Usage, device, and analytics data

  • Information about how the Service is used, such as pages viewed, features used, approximate location derived from IP address, device and browser type, and similar technical data;
  • Cookies and similar technologies, as described in Section 5.

4. How and why we use personal data, and our legal bases

We use personal data for the purposes below. Where the GDPR applies, the legal basis for each purpose is indicated.

  • To provide and operate the Service — creating and managing operator accounts, hosting booking sites, processing bookings, and enabling the features operators rely on. Legal basis: performance of a contract; for renter data, processing on behalf of the operator.
  • To process payments and manage subscriptions — billing operators for their plans and enabling renter payments through Stripe. Legal basis: performance of a contract; legitimate interests in being paid for the Service.
  • To communicate with users — sending transactional messages such as booking confirmations, cancellations, account notices, and service updates. Legal basis: performance of a contract; legitimate interests.
  • To secure, maintain, and improve the Service — monitoring for errors and abuse, debugging, and developing new features. Legal basis: legitimate interests in keeping the Service safe, reliable, and improving.
  • To understand product usage through analytics — measuring engagement and improving the user experience. Legal basis: consent where required (for example, optional analytics cookies); otherwise legitimate interests.
  • To comply with legal obligations and protect rights — responding to lawful requests, enforcing our terms, and protecting against fraud. Legal basis: legal obligation; legitimate interests.

Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.

5. Cookies and similar technologies

We and our analytics providers use cookies and similar technologies. We distinguish between two categories:

  • Strictly necessary cookies — including the session and authentication cookies that keep operators signed in and that make the booking flow function. These are essential to deliver the Service and cannot be switched off through the consent banner.
  • Optional analytics cookies — used for product analytics and, on the public booking flow, session replay. These are set only where you consent to them. Where required, we present a cookie banner that lets you accept or decline non-essential cookies, and you can change your choice at any time.

For more detail on the providers behind these technologies, see Section 6.

6. Sub-processors and third parties

We rely on a small number of trusted service providers (sub-processors) to operate the Service. Hosting is primarily in the United States. Each is bound by contractual obligations to protect personal data and to process it only as needed to provide their service. Current sub-processors include:

  • Stripe — payment processing for operator subscriptions and renter transactions.
  • Render — application and database hosting (United States).
  • Vercel — front-end and content-delivery-network hosting.
  • Cloudflare R2 — file and object storage, including driver’s license images, signatures, and vehicle photos.
  • PostHog — product analytics and session replay on the public booking flow. Recordings are configured so that form inputs are masked and payment fields are excluded from capture.
  • Sentry — error and performance monitoring, configured not to send personal data by default.
  • Resend — transactional email delivery, such as booking confirmations.

We do not sell personal data. We may also disclose data where required by law, to enforce our agreements, in connection with a corporate transaction such as a merger or acquisition, or with your consent.

7. International data transfers

Because our hosting and several sub-processors are located in the United States, personal data may be transferred to and processed in the United States and other countries that may have data protection laws different from those in your country. Where we transfer personal data from the European Economic Area, the United Kingdom, or Switzerland, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses (and the UK Addendum, where applicable), or another lawful transfer mechanism.

8. Data retention

We retain personal data for as long as needed to fulfil the purposes described in this policy, unless a longer retention period is required or permitted by law.

  • Operator account data is retained for the life of the account and for a reasonable period afterward to meet legal, accounting, and audit obligations.
  • Renter data is retained on behalf of the operator for as long as the operator’s account is active and according to the operator’s instructions and retention settings. When an operator’s account is closed, we delete or return renter data in line with our agreement with the operator, subject to legal retention requirements.
  • Analytics and log data is retained for a limited period appropriate to its purpose.

9. Security measures

We take reasonable and appropriate technical and organizational measures to protect personal data, including:

  • Encryption in transit using HTTPS/TLS for data moving between your device and our services;
  • Access controls limiting personal data to authorized personnel and systems, and tenant isolation so that one operator cannot access another operator’s data;
  • Private, authentication-gated storage for sensitive files such as driver’s license images and signatures, which are not publicly accessible;
  • Hashing of account passwords and reliance on Stripe’s certified environment for cardholder data.

No method of transmission or storage is completely secure, and we cannot guarantee absolute security.

10. Your privacy rights

Depending on where you live and the applicable law, you may have some or all of the following rights regarding your personal data:

  • Access — to request a copy of the personal data we hold about you;
  • Correction — to ask us to correct inaccurate or incomplete data;
  • Deletion / erasure — to request that we delete your personal data;
  • Portability — to receive certain data in a portable, machine-readable format;
  • Objection and restriction — to object to or restrict certain processing, including processing based on legitimate interests;
  • Opt-out of “sale” or “sharing” — under the CCPA/CPRA, to opt out of the sale or sharing of personal data. We do not sell your personal data, and we honor recognized opt-out signals where required;
  • Non-discrimination — to not be treated unfairly for exercising your rights.

To exercise any of these rights regarding data for which we are the controller, contact us using the details in Section 14. We may need to verify your identity before acting on a request.

How renters exercise their rights

For renter personal data, the operator is the controller. If you are a renter, you should usually direct privacy requests to the operator you booked with, as they decide how your data is used. If you contact us, we will assist the relevant operator in responding and will act on the operator’s instructions, as required of a processor.

11. Children’s data

The Service is not directed to children, and we do not knowingly collect personal data from children. The booking flow is intended for individuals who are of legal driving age and otherwise eligible to rent a vehicle. If you believe a child has provided personal data through the Service, please contact us so it can be addressed.

12. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the effective date above and, where appropriate, provide additional notice. We encourage you to review this policy periodically.

13. Contact us

If you have questions about this Privacy Policy or our data practices, or wish to exercise your rights, please contact:

  • Anderson Solutions Group LLC (d/b/a RentalPilot)
  • 1309 Coffeen Avenue, Suite 1200, Sheridan, WY 82801
  • info@rentalpilot.io