Privacy Policy

Last updated: 26 May 2026


We take privacy seriously

Protecting your privacy is a priority for us. Guarentio is a rent management app designed exclusively for landlords.

1. Personal Data

Personal data is information that identifies you as a person — such as your name, email address, or details you enter about your rental properties.

To use Guarentio you register with email and password, via Google, or via Apple ID. Within the app you manage rental properties with details such as floor area, number of rooms, furnishing status, rental period, base rent, additional fees, and deposit. A tenant's name is stored solely to distinguish between your properties — no further tenant contact details are collected.

We only collect data necessary to provide our service. All personal data is treated in strict confidence and is not shared with third parties.

2. Non-personal Data

When you visit our website, our servers automatically log technical connection data — such as IP address, device type, operating system, and the date and duration of the session. This information is strictly required for secure server operation and the technical delivery of the service. It is not used for personalised analysis.

You can browse our public pages without providing any personal data. Registration is only required to use the app's features.

3. Data Controller

The data controller within the meaning of the GDPR is:

Uzay Durdu

Spiegelberg 3

88090 Immenstaad am Bodensee

Germany

Email: info@guarentio.com

Phone: +49 176 216 351 64

4. When does this Privacy Notice start applying?

This Privacy Notice applies from the date Guarentio is publicly released — covering the mobile app (iOS and Android) and the web app at guarentio.app. It supersedes all prior versions of this document. We reserve the right to update this notice when there are material changes to the app, our processing activities, or the applicable legal framework. The effective date of the current version is shown at the top of this page.

5. Overview

We operate a rent tracking and property management application for landlords ("Guarentio"). We process personal data of our users (landlords) and tenant data entered by users.

6. Data We Collect

6.1 Landlord account data

  • First and last name
  • Email address
  • Password (stored only as a hash by Supabase Auth — never in plain text)
  • Profile picture (optional, stored as URL)
  • App settings (language, theme, notification preferences)

6.2 Property and tenant data (entered by the landlord)

  • Property name and type
  • Property address (street, number, postal code, city, country)
  • Tenant name (free-text only — no contact details stored)
  • Lease terms (start/end date, base rent, additional fees, deposit)
  • Payment history (month, amount paid, status, source)
  • Property characteristics (sqm, rooms, year built, energy class, etc. — optional)
  • Property expenses (category, amount, date, description)
  • Tax-relevant data (estimated personal income for tax overview — user-entered)

Note: No tenant contact details (email, phone) or tenant banking details (IBAN etc.) are stored.

6.3 Bank account and transaction data (via Tink Open Banking)

If the user connects a bank account via the Open Banking feature, we process:

  • Connected bank name (provider)
  • Bank account IDs (external provider IDs — not full account numbers or IBANs)
  • Connection status and expiry (provider consent)
  • Transaction data: amount, currency, booking date, value date, transaction description

This data is used solely for automatic rent payment detection. Connection is provided via Tink (Visa Inc.), a licensed payment initiation service provider based in the EU.

6.4 Automatic connection data

When you access our website or web app, your browser automatically transmits technical connection data, including:

  • IP address of the requesting device
  • Device type and operating system
  • Browser type and version
  • Requested URL and referrer URL
  • Date, time and duration of the request
  • Data volume transferred and HTTP status code

This data is stored in server log files and is required for the technical operation, security and fault diagnosis of our systems. Log files are deleted after 30 days as a rule. Exceptionally, individual IP addresses may be retained longer in the event of suspected cyberattacks or abusive access, until the matter is resolved.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the security and availability of our systems).

6.5 Usage data

  • Login timestamps
  • Features used
  • Error messages

6.6 Registration and social login

Registration is required to use Guarentio. You may sign up using:

  • Email address and password — your password is stored exclusively as a hash (Supabase Auth) and never in plain text.
  • Google account (OAuth 2.0) — Google transmits your email address and, where applicable, your name. Processing by Google is governed by Google's own privacy policy.
  • Apple ID (Sign in with Apple) — Apple transmits your email address (or an anonymised relay address) and, where applicable, your name. Processing by Apple is governed by Apple's own privacy policy.

No password is stored by us when you use social login. The minimum requirement for registration is a valid email address.

Legal basis: Art. 6(1)(b) GDPR (contract initiation and performance).

6.7 Contact

You can contact us by email at info@guarentio.com or privacy@guarentio.app. You may also use our contact form. We process your data solely to respond to your enquiry. Data is deleted after the matter is fully resolved, unless statutory retention obligations apply.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in responding to enquiries) or Art. 6(1)(b) GDPR where your enquiry relates to an existing contractual relationship.

6.8 Push notifications (mobile app)

With your consent, the Guarentio mobile app can send you push notifications — for example about upcoming rent payments or app activity. For delivery we use Expo Notifications, which processes a device-specific push token and your device platform (iOS / Android).

You can disable push notifications at any time in your device settings.

Legal basis: Art. 6(1)(a) GDPR (your consent, granted when first using the app).

7. Legal Bases for Processing

| Purpose | Legal basis | Note |
| --- | --- | --- |
| Providing the app and its features | Art. 6(1)(b) GDPR | Necessary for contract performance |
| Registration (email/password, Google, Apple) | Art. 6(1)(b) GDPR | Contract initiation and performance |
| Storing property, rent payment and expense data | Art. 6(1)(b) GDPR | Core service function; necessary for contract performance |
| Processing tenant data (tenant name) on behalf of the landlord | Art. 28 GDPR | Data processing on behalf — landlord is controller |
| Automatic connection data (server logs) | Art. 6(1)(f) GDPR | Legitimate interest in system security and availability; deleted after 30 days |
| Bank account connection via Open Banking (Tink) | Art. 6(1)(b) GDPR | For contract performance; consent obtained at bank connection |
| Responding to email enquiries | Art. 6(1)(f) / (b) GDPR | Legitimate interest or contract performance |
| Push notifications | Art. 6(1)(a) GDPR | User consent; revocable at any time |
| Legal retention obligations | Art. 6(1)(c) GDPR | Legal obligation (§ 147 AO, § 257 HGB) |

8. Recipients and Data Processors

For certain processing activities we engage commissioned service providers (data processors) who process data exclusively on our behalf and on our instructions pursuant to Art. 28 GDPR. We ensure through appropriate data processing agreements that such processing is fully GDPR-compliant. We use service providers primarily in the following areas: IT infrastructure and hosting, cloud storage, authentication, and push notifications.

| Service provider | Purpose | Location |
| --- | --- | --- |
| Supabase Inc. | Hosting and data storage (auth, database, storage) | EU (Frankfurt) |
| Tink AB (Visa Inc.) | Open Banking — bank account connection and transaction data | EU (Stockholm, Sweden) |
| Expo (Expo Inc.) | Push notifications — processing of push tokens | USA (Standard Contractual Clauses, Art. 46(2)(c) GDPR) |
| Resend (Resend Inc.) | Transactional emails (sign-up confirmation, password reset) | USA (Standard Contractual Clauses, Art. 46(2)(c) GDPR) |

9. Third Country Transfers

As described in this Privacy Notice, we use services whose providers are based in or process personal data in so-called third countries (outside the European Union or the European Economic Area) — countries whose level of data protection does not correspond to that of the European Union.

Where this is the case and the European Commission has not issued an adequacy decision for the country concerned (Art. 45 GDPR), we have put in place appropriate safeguards to ensure an adequate level of data protection. These include in particular:

  • Standard Contractual Clauses (SCCs) of the European Commission pursuant to Art. 46(2)(c) GDPR
  • The EU–US Data Privacy Framework (DPF), where the recipient is certified thereunder
  • Binding Corporate Rules, where applicable

Currently, data is transferred to Expo Inc. (push tokens) and Resend Inc. (email address for transactional emails) in the USA. These transfers are carried out on the basis of Standard Contractual Clauses. All other service providers (Supabase, Tink) process data exclusively within the EU.

Where none of the above safeguards apply in exceptional cases, we base the transfer on the derogations in Art. 49 GDPR — in particular your explicit consent or the necessity of the transfer for contract performance. In such cases there is a risk that authorities in the relevant third country may access the transferred data and that your data subject rights may not be enforceable in full.

10. Your Rights

As a data subject you have the following rights under GDPR. To exercise any of them, contact us at: info@guarentio.com

10.1 Right of access (Art. 15 GDPR)

You have the right to obtain information at any time about the personal data we hold about you — including the purposes of processing, categories of data, recipients, planned retention period, the existence of rights to rectification, erasure, restriction or objection, the right to lodge a complaint, and the source of the data where it was not collected directly from you.

10.2 Right to withdraw consent (Art. 7(3) GDPR)

You have the right to withdraw any consent you have given at any time with future effect. The withdrawal does not affect the lawfulness of processing carried out before it.

10.3 Right to rectification and completion (Art. 16 GDPR)

You have the right to require us to correct inaccurate personal data without undue delay, and to have incomplete data completed — including by means of a supplementary statement.

10.4 Right to erasure — "right to be forgotten" (Art. 17 GDPR)

You have the right to require the erasure of your personal data under the conditions set out in Art. 17 GDPR — for example where the data is no longer necessary for the purposes for which it was collected, or where you withdraw consent and there is no other legal basis for processing.

10.5 Right to restriction of processing (Art. 18 GDPR)

You have the right to require restriction of processing, in particular if you contest the accuracy of the data (for the duration of verification), if the processing is unlawful and you request restriction rather than erasure, or if you still need the data to assert legal claims.

10.6 Right to data portability (Art. 20 GDPR)

Where we process personal data you have provided on the basis of consent or a contract and processing is carried out by automated means, you have the right to receive that data in a structured, commonly used and machine-readable format, or to have it transmitted directly to another controller.

10.7 Right to object (Art. 21 GDPR)

You have the right to object at any time, on grounds relating to your particular situation, to processing of your personal data where that processing is based on Art. 6(1)(f) GDPR (legitimate interests).

If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds that override your interests, rights and freedoms, or the processing serves the assertion, exercise or defence of legal claims.

To exercise your right to object, an email to info@guarentio.com is sufficient.

11. Retention Periods

Unless stated otherwise in this Privacy Notice, we store your personal data only for as long as necessary to achieve the purposes described here, or as required by statutory retention obligations. After that, the data is deleted, blocked or anonymised.

We will not delete your registered account unless you request it — even if you do not use it for an extended period. Once you have requested deletion, the account is physically deleted after a 14-day technical waiting period.

Where we are required to retain data for legal reasons or to protect overriding legitimate interests, we restrict further processing of that data instead of deleting it.

| Data category | Retention period |
| --- | --- |
| Landlord account data | Duration of contract + 30 days after account deletion |
| Tenant data | Duration of contract; deleted on landlord instruction |
| Payment and billing data | 10 years (§ 147 AO, § 257 HGB) |
| Technical log data (server logs) | 30 days (exceptionally longer in case of cyberattack) |
| Consent records | Until withdrawal + statutory evidence period |

12. Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority. The authority responsible for us is:

Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg

Lautenschlagerstraße 20, 70173 Stuttgart, Germany

www.baden-wuerttemberg.datenschutz.de

13. Cookies and Similar Technologies

Cookies are small text files placed on your device when you visit our web app; they allow your browser to be recognised on a subsequent visit. We distinguish two categories:

Strictly necessary cookies

We use only strictly necessary session and authentication cookies (Supabase Auth). These are required to keep you logged in after sign-in and to protect your session. They are deleted when you close your session or when the session expires.

Legal basis: § 25(2) No. 2 TDDDG (strictly necessary for the operation of the service) in conjunction with Art. 6(1)(b) and (f) GDPR. No consent is required for these cookies.

Analytics and marketing cookies

We currently do not use any analytics or marketing cookies. Should we introduce such cookies in the future, we will obtain your explicit consent in advance (§ 25(1) TDDDG in conjunction with Art. 6(1)(a) GDPR) and update this Privacy Notice accordingly.

You can disable cookies in your browser settings. Please note that disabling strictly necessary cookies will impair the usability of the app, as sign-in without a session cookie is not possible.

14. Security and Abuse Prevention

We have implemented technical and organisational measures to protect your personal data against loss, destruction, manipulation and unauthorised access. All transmissions of personal data between your device and our servers are encrypted exclusively using HTTPS (TLS/SSL). Our server infrastructure (Supabase, EU region) also applies server-side encryption of data at rest. Our security measures are subject to a continuous improvement process.

We also use the connection and usage data described in section 6.4 to detect security incidents and prevent misuse. This includes in particular:

  • Detection and mitigation of cyberattacks, brute-force attempts, and other attack patterns
  • Analysis of access anomalies for early detection of security incidents
  • Enforcement of our Terms of Service in cases of abusive use
  • Assertion, exercise, and defence of legal claims

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the security of our systems, protection of our users, and pursuit of legal claims).

15. Disclosure to Authorities, Injured Parties and for Legal Enforcement

Where necessary to investigate unlawful or abusive use of our services, or for the purpose of legal enforcement, personal data may be passed to law enforcement authorities and, where applicable, to injured third parties. This only occurs where there are indications of unlawful or abusive conduct. Data may also be disclosed to enforce our Terms of Service or other agreements.

We are also legally obliged to provide information to certain public authorities on request — in particular law enforcement agencies and tax authorities.

Legal basis: Art. 6(1)(c) GDPR (legal obligation) and Art. 6(1)(f) GDPR (legitimate interest in ensuring the proper operation of our services and in asserting, exercising or defending legal claims).

16. Corporate Transactions

In the event of a merger, acquisition, sale of business assets, or other transfer of ownership, personal data may be transferred to the new controller. We will ensure that any such transfer complies with applicable data protection law and notify you of the transaction and your rights in good time, to the extent required by law.

Legal basis: Art. 6(1)(b) GDPR (where the transfer ensures uninterrupted continuation of your contractual relationship) and Art. 6(1)(f) GDPR (legitimate interest in the continuity of business operations and disclosure for administrative purposes).

17. Changes to This Privacy Notice

We reserve the right to update this Privacy Notice when there are material changes to the legal framework, our processing purposes, or our service. We will notify you of material changes in the app or by email. The effective date of the current version is shown at the top of this page. We recommend checking this notice periodically.

18. Tenant Data — Special Notice

With respect to tenant data entered in our app, the landlord acts as the data controller under GDPR and we act as the data processor pursuant to Art. 28 GDPR. Tenants with questions about their data should contact their landlord as the responsible party.

19. Obligation to Provide Data

The provision of certain personal data is required to establish and fulfil the contractual relationship with us. If you do not provide the data necessary for contract performance, we cannot provide the service.

To use Guarentio, a valid email address (or sign-in via Google or Apple account) is mandatory. Without registration, the app features cannot be used. Entry of property and tenant data is required for the core features of the app; uploading a profile picture and connecting a bank account via Open Banking are optional and voluntary.

There is no statutory obligation to provide data when using Guarentio. All data provision is voluntary in the context of using our service.

We do not engage in automated decision-making (including profiling) within the meaning of Art. 22 GDPR that produces legal effects concerning you or similarly significantly affects you.

Guarentio — Smart Property Management