Privacy Policy

Effective Date: June 17, 2026

1. Introduction

Renvia (the “Service” or “Renvia”) is committed to ensuring the confidentiality, integrity, and security of personal data processed in connection with its platform. This Privacy Policy outlines the data protection practices implemented by Renvia in compliance with the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) and applicable data protection laws. It describes the types of personal data collected, the purposes and legal bases for processing, data sharing practices, security measures, and the rights of Data Subjects. All Customers and Users of the Service are encouraged to review this policy carefully to understand the responsibilities and obligations of Renvia and its Customers.

2. Data Controller and Data Processor Roles

Renvia acts as a Data Controller with respect to the personal data it collects and processes directly in the provision and operation of its platform services. This includes personal data related to account management, billing, customer support, security monitoring, marketing communications, website analytics, and platform operations. In these contexts, Renvia determines the purposes and means of processing personal data and is responsible for compliance with applicable data protection requirements.

Customers of Renvia, as users of the platform, act as independent Data Controllers for personal data they upload, manage, or process through the Service. This includes personal data concerning tenants, guests, reservations, properties, team members, and any uploaded business records or documents. Customers determine the purposes and means by which this data is processed within the platform and bear full responsibility for establishing lawful bases for processing such personal data under GDPR and other relevant laws.

In its role as a Data Processor, Renvia processes Customer Data strictly on documented instructions provided by the Customer, except where otherwise required by law. Renvia does not exercise autonomous decision-making authority over Customer Data and implements appropriate technical and organizational measures to safeguard such data. The distinction between Data Controller and Data Processor roles is critical for compliance with data protection laws and the rights of Data Subjects.

Where Renvia acts as a Data Processor, processing activities are performed solely based on the documented instructions of the Customer, unless otherwise required by applicable law. In such cases, Renvia will inform the Customer of that legal requirement before processing, unless the law prohibits such information on important grounds of public interest.

Customers, as Data Controllers, are responsible for providing appropriate privacy notices to tenants, guests, property owners, team members, and other Data Subjects whose personal data is uploaded or processed within the platform. Customers must ensure that Data Subjects are informed about the nature, scope, and purpose of processing and their rights under applicable data protection laws.

Customers acknowledge and agree that they are solely responsible for ensuring that any personal data uploaded or entered into the platform has been collected and processed in compliance with all applicable data protection laws, including obtaining any necessary consents or establishing other lawful bases for processing.

3. Company Information

moovit, s.r.o.
IČO: 45240639
IČ DPH: SK2022919415
Bobuľová 11/B
900 28 Ivanka pri Dunaji
Slovakia

4. Categories of Personal Data We Collect

Renvia collects and processes various categories of personal data in the course of providing and operating the Service. These categories include, but are not limited to:

5. Sources of Personal Data

Personal data processed by Renvia is primarily collected directly from Customers and Users during registration, platform usage, document uploads, and communications. Additionally, data may be received from integrated third-party services, such as Stripe for payment processing, and collected through automated tracking technologies including cookies and web beacons to support analytics and platform functionality.

6. Purposes and Lawful Bases for Processing

Renvia processes personal data for specific purposes, each supported by a lawful basis under GDPR Article 6. The following matrix outlines key processing activities and their corresponding legal bases:

Customers are responsible for ensuring that any personal data uploaded to the platform has an established lawful basis for processing under applicable data protection laws.

Where processing relies on Article 6(1)(f) (legitimate interests), Renvia may conduct legitimate interest assessments to ensure that its business interests are balanced against the rights and freedoms of Data Subjects. Such assessments consider the necessity, proportionality, and potential impact on Data Subjects to ensure fair and lawful processing.

7. Stripe Payment Processing

Subscription payments and billing operations are conducted exclusively through Stripe, an independent third-party payment processor. Renvia does not receive, store, or process full payment card numbers, CVV codes, or complete payment credentials. Payment data is transmitted securely directly to Stripe using industry-standard encryption protocols.

Stripe acts as an independent Data Controller with respect to certain payment-related activities, including the collection and processing of payment card details, fraud detection, and tax processing. Customers are encouraged to review Stripe's privacy policy at https://stripe.com/privacy for detailed information on Stripe's data handling practices.

Subscription renewals, invoice generation, payment retries in the event of failed transactions, fraud screening, and tax determination are handled through automated workflows integrated with Stripe. This ensures timely billing, accurate calculation of applicable taxes, and proactive fraud prevention for all subscription services.

Payment card information is processed directly by PCI-DSS compliant payment providers and is never stored or retained by Renvia. All sensitive payment data is handled exclusively by Stripe or other authorized payment processors in accordance with industry security standards.

Subscription billing includes automated invoicing, payment retries in case of failures, and the application of applicable taxes. Fraud detection mechanisms are employed by Stripe and Renvia to mitigate unauthorized transactions and ensure platform security.

8. Documents and OCR Processing

Customers may upload various documents to the platform, including invoices, receipts, contracts, booking documents, and other files relevant to their business operations. These documents are stored securely and processed to facilitate platform functionalities.

Renvia employs Optical Character Recognition (OCR) technology to extract relevant data from uploaded documents automatically. This process assists in reducing manual data entry and improving operational efficiency.

OCR technology may not always achieve perfect accuracy due to the quality of the uploaded documents or inherent limitations of the technology. Therefore, Customers are responsible for reviewing and verifying the accuracy of any data extracted via OCR before relying on it for accounting, legal, or operational purposes.

The OCR feature is provided as an assistance tool and does not constitute professional accounting, legal, or financial advice. Customers should consult qualified professionals for such matters.

OCR results should be treated as draft extracted information only. The Customer remains solely responsible for the accounting, tax, legal, and regulatory accuracy of any information derived from OCR processing within the platform.

9. Sharing and Disclosure of Personal Data

Renvia may share personal data with third-party service providers and partners to facilitate the operation and maintenance of the platform. Categories of recipients include:

Renvia does not rent, sell, trade, or monetize personal data. Personal data is disclosed only where necessary for service delivery, legal compliance, security, or corporate transactions, and always subject to appropriate safeguards and contractual obligations.

10. Subprocessors

Renvia engages subprocessors to perform specialized services required for the operation, maintenance, and enhancement of the platform. All subprocessors are subject to a rigorous due diligence process prior to onboarding, which includes assessments of technical and organizational security measures, data protection practices, and compliance with applicable data protection laws.

Subprocessors are engaged only under written agreements that impose confidentiality, data protection, and security obligations that are at least as protective as those required by the GDPR and other applicable regulations. These agreements incorporate the requirements of GDPR Article 28, including:

Access to personal data by subprocessors is strictly limited to what is necessary for the performance of their assigned tasks, consistent with the principle of least privilege. Subprocessors are prohibited from processing personal data for any purpose other than the provision of contracted services.

Renvia maintains and regularly updates a list of authorized subprocessors. Notification of material changes to subprocessors or their data processing activities will be provided to Customers in advance, where required, to allow for objections or additional due diligence.

11. International Data Transfers

Personal data processed by Renvia or its subprocessors may be transferred outside the European Economic Area (EEA) in connection with the provision of the Service.

Such transfers are conducted in compliance with GDPR Chapter V requirements, including reliance on adequacy decisions issued by the European Commission, or the implementation of Standard Contractual Clauses (SCCs) approved by the European Commission to ensure appropriate safeguards.

Where equivalent legal safeguards are in place, personal data may also be transferred to countries without an adequacy decision. Renvia ensures that such transfers maintain a high level of data protection consistent with EU standards.

12. Security Measures

Renvia implements a comprehensive suite of technical and organizational security measures designed to safeguard personal data against unauthorized access, disclosure, alteration, or destruction. Security practices are continuously reviewed and updated to address evolving threats and regulatory requirements. Key measures include:

Renvia follows secure software development lifecycle (SDLC) practices, including code reviews, automated security testing, and deployment controls to minimize vulnerabilities in the platform. Regular access reviews are conducted to ensure that only authorized personnel retain access to systems and data.

Periodic access reviews and privileged account monitoring are conducted to detect and address inappropriate or unnecessary access. Privileged accounts are subject to heightened monitoring, including audit logging and separation of duties, to minimize risks associated with elevated permissions.

Change management and deployment controls are enforced to ensure that updates to systems, applications, and infrastructure are reviewed, tested, and approved prior to release into production. All changes are tracked and documented to maintain system integrity and traceability.

Business continuity and disaster recovery planning is in place to maintain service availability and protect personal data in the event of major incidents, outages, or disasters. Regular testing and review of continuity plans ensure preparedness for potential disruptions.

Credential management policies require the use of strong, unique passwords and the implementation of multi-factor authentication (MFA) for critical systems and administrative accounts where technically feasible. Credentials are stored using salted and hashed formats, and access is revoked promptly upon role changes or termination.

Security incident detection capabilities include automated alerts, log analysis, and scheduled incident response drills to test readiness. Vendor risk management processes evaluate the security posture of all third-party service providers and subprocessors.

While Renvia employs industry best practices and strives for the highest level of security, no system can be guaranteed to be completely impenetrable. Renvia encourages Customers to implement their own security measures, such as strong authentication, regular password changes, and secure network practices.

13. Data Retention

Renvia retains personal data strictly for as long as necessary to fulfill the purposes for which it was collected, to comply with statutory obligations, to resolve disputes, and to enforce contractual rights. Retention periods are determined based on the data category, legal and regulatory requirements, and the legitimate interests of Renvia and its Customers. The following retention matrix provides an overview of typical retention periods:

Data CategoryPurposeTypical Retention Period
Customer Account DataAccount creation, authentication, management, and communicationsFor the duration of the Customer relationship and up to 7 years after account closure
Subscription and Billing DataInvoicing, payment processing, regulatory complianceUp to 7 years following termination of services
Customer DataPlatform functionality, business operations, service deliveryWhile account is active and up to 90 days after deletion request, subject to legal requirements
Uploaded DocumentsDocument storage, processing, compliance supportWhile account is active and up to 90 days post-deletion unless required for legal retention
OCR Extracted DataAutomated data extraction, operational efficiencyWhile associated document is retained, subject to Customer deletion
Support RecordsCustomer support, dispute resolution, quality assuranceUp to 3 years after ticket closure or Customer account termination
Audit LogsSecurity monitoring, compliance auditing, incident investigationUp to 12 months, unless required longer for legal or security purposes
Security LogsThreat detection, system integrity, forensic analysisUp to 12 months, extended if part of an ongoing investigation
Marketing PreferencesConsent management, direct communicationsUntil consent is withdrawn or account is deleted
Legal Hold RecordsLitigation support, regulatory investigationsFor the duration of the legal hold, as required by law

The above retention periods are indicative and may be adjusted to reflect evolving legal, regulatory, or operational requirements. Where statutory retention periods apply, such as for tax, accounting, or anti-money laundering laws, Renvia will retain relevant data for the legally mandated period, even if a deletion request has been submitted.

Retention periods may be extended where required for the establishment, exercise, or defense of legal claims, ongoing litigation, fraud investigations, regulatory requests, or enforcement of contractual rights. In such cases, data will be retained only for as long as strictly necessary to fulfill these obligations.

Upon expiration of the applicable retention period, personal data is securely deleted or anonymized using industry-standard methods. In some cases, data may persist in encrypted backups for a limited time until those backups are overwritten in accordance with the backup retention policy.

Customers acting as Data Controllers are responsible for defining and communicating their own data retention requirements for Customer Data processed via the platform.

14. Account Deletion

Customers may initiate an account deletion request by contacting Renvia at privacy@renvia.app. The account deletion process is designed to ensure security, compliance, and transparency throughout the lifecycle:

  1. Request Submission: The Data Subject or authorized Customer representative submits a deletion request to the Renvia privacy team, specifying the relevant account and associated data to be deleted.
  2. Identity Verification: Renvia verifies the identity and authority of the requester using appropriate authentication measures to prevent unauthorized or fraudulent deletion requests.
  3. Export Opportunity: Before deletion is processed, Customers are informed of their right to export account data and records. Renvia provides guidance or tools for data export in a structured, commonly used format.
  4. Account Deactivation: Upon confirmation, the account is deactivated to prevent further access or processing. Associated sessions and access tokens are revoked.
  5. Scheduled Deletion: Personal data and Customer Data are scheduled for deletion from active systems, typically within 30 days of confirmation, unless a different timeline is required by contract or law.
  6. Backup Expiration: Deleted data may persist in encrypted backups for up to 90 days (or as specified in the retention policy) until those backups are overwritten in the normal course of operations.
  7. Legal Retention Exceptions: Certain data may be retained beyond deletion for the duration necessary to comply with statutory obligations (e.g., tax, accounting, anti-fraud), resolve disputes, enforce agreements, or as required by legal holds.
  8. Final Purge Process: After all retention periods expire, data is permanently and irreversibly deleted or anonymized using industry-standard secure deletion methods.

Renvia will notify the Customer upon completion of the deletion process or if any legal or technical constraints prevent full deletion of specific data categories. Where Renvia acts as a Data Processor, the deletion will be performed in accordance with the documented instructions of the Data Controller.

15. Data Portability

Data Subjects have the right to receive their personal data, as processed by Renvia in its capacity as Data Controller, in a structured, commonly used, and machine-readable format. Supported export formats include JSON, CSV, or other industry-standard formats suitable for data interoperability.

To exercise the right to data portability, a formal request may be submitted to privacy@renvia.app. Renvia will carry out identity verification to ensure that data is disclosed only to the Data Subject or their authorized representative.

Exports will include personal data provided directly by the Data Subject and, where technically feasible, data generated through their use of the Service. Renvia will provide the data within one month of receiving a valid request; this period may be extended by up to two additional months for complex or voluminous requests, with notification to the requester.

Where Renvia acts as a Data Processor, data portability requests should be directed to the relevant Data Controller (i.e., the Customer). Renvia will assist the Data Controller in fulfilling such requests as required by applicable law and contractual obligations.

Data portability does not apply to data that is processed solely on the basis of legitimate interests or legal obligations, or to derived or anonymized data that cannot be linked to an identifiable Data Subject.

16. GDPR Rights of Data Subjects

Data Subjects whose personal data is processed by Renvia or its Customers are entitled to exercise the following rights under the General Data Protection Regulation (GDPR, Articles 15–22). Each right is subject to applicable legal conditions, and Renvia will respond to valid requests without undue delay, and in any event within one month of receipt. This period may be extended by up to two additional months for complex or numerous requests, with notification of the reasons for delay.

To exercise these rights, Data Subjects may contact Renvia at privacy@renvia.app or, where Renvia acts as Data Processor, contact the relevant Customer as Data Controller. Verification procedures will be employed to confirm the identity and authority of the requester.

All data subject requests are processed following a standardized workflow that includes verification of the requester's identity, logging of the request, and tracking of the response. Requests are assigned to appropriate personnel and may be escalated if complex or sensitive. Renvia aims to respond within one month of receipt, with a possible extension of up to two months for particularly complex or voluminous requests, in accordance with GDPR requirements.

17. Supervisory Authority

Data Subjects have the right to lodge a complaint with a competent supervisory authority if they believe that the processing of their personal data infringes applicable data protection laws. In Slovakia, the competent supervisory authority is:

Úrad na ochranu osobných údajov Slovenskej republiky
Hraničná 12
820 07 Bratislava 27
Slovak Republic
https://dataprotection.gov.sk/

Data Subjects may also contact the supervisory authority in their habitual residence, place of work, or the place of the alleged infringement, in accordance with Article 77 GDPR.

18. International Data Transfers

Personal data processed by Renvia or its subprocessors may be transferred to countries outside the European Economic Area (EEA) where necessary for the provision of services, support, or platform functionality.

All international data transfers are conducted in compliance with GDPR Chapter V requirements. Transfers to countries recognized by the European Commission as providing an adequate level of data protection are permitted without additional safeguards. For transfers to countries without an adequacy decision, Renvia implements appropriate safeguards such as Standard Contractual Clauses (SCCs) approved by the European Commission, or uses other legally recognized transfer mechanisms.

Renvia regularly reviews its international transfer arrangements and ensures that Data Subjects' rights and effective legal remedies remain protected at all times, regardless of the data's location.

Where appropriate, Renvia may conduct transfer impact assessments to evaluate the risks associated with international data transfers. Supplementary safeguards may be implemented depending on the destination country's legal environment and risk profile, to ensure an adequate level of protection for personal data.

19. Data Breach and Security Incident Response

Renvia maintains a robust data breach and security incident response framework in line with GDPR Articles 33 and 34. This framework encompasses incident detection, triage, containment, remediation, post-incident review, and statutory notification obligations.

Upon detection of a potential data breach or security incident, Renvia initiates immediate triage to assess the scope, impact, and nature of the incident. Containment measures are deployed to prevent further unauthorized access, data loss, or damage.

Remediation efforts focus on restoring system integrity, mitigating vulnerabilities, and preventing recurrence. Each incident is followed by a post-incident review to analyze root causes and implement corrective actions.

All security incidents are documented, and corrective actions are tracked through to resolution. Lessons learned reviews are conducted following incidents to identify opportunities for improvement and to strengthen future prevention and response capabilities.

In accordance with GDPR Article 33, Renvia will notify the competent supervisory authority of a personal data breach without undue delay and, where feasible, not later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of Data Subjects.

Where the breach is likely to result in a high risk to the rights and freedoms of Data Subjects, Renvia will also notify affected Data Subjects directly and without undue delay, as required by Article 34 GDPR. Notifications will include the nature of the breach, likely consequences, and measures taken or proposed to address and mitigate the breach.

Renvia fully cooperates with supervisory authorities and affected Customers throughout breach investigations and ensures transparent communication and remediation.

20. Data Processing Agreement (DPA)

Where Renvia acts as a Data Processor on behalf of a Customer (Data Controller), all processing of Customer Data is performed strictly in accordance with documented instructions provided by the Customer, in compliance with GDPR Article 28.

Renvia provides a Data Processing Agreement (DPA) to business Customers upon request or as part of contractual arrangements. The DPA details the scope, nature, and purpose of processing, the types of personal data, categories of Data Subjects, security measures, and the rights and obligations of both parties.

The DPA supplements and forms an integral part of this Privacy Policy and the applicable Terms of Service. In the event of conflict, the DPA prevails with respect to data processing provisions.

The DPA forms part of the contractual documentation for business Customers. Customers may request execution of a separate DPA prior to initiating any processing of Customer Data. Renvia will provide a signed DPA or enter into Customer-provided DPAs subject to mutual agreement.

21. Children's Privacy

Renvia is intended for business users and property management activities. The Service is not directed to children under 16 years of age. Renvia does not knowingly collect personal data directly from children under 16. If such data is discovered, reasonable steps will be taken to delete it.

22. Changes to this Privacy Policy

This Privacy Policy is reviewed and updated periodically to reflect changes in legal requirements, data processing activities, technological advancements, or the Service. Updated versions will be published on this page with a revised effective date. Customers and Users are encouraged to review the policy regularly to remain informed of data protection practices.

23. Data Protection Officer

Renvia has not appointed a Data Protection Officer (DPO), as it is not currently required to do so under Article 37 GDPR.

Privacy-related inquiries, data protection requests, and communications regarding the processing of personal data should be directed to privacy@renvia.app.

24. Contact Information

For questions, concerns, or requests regarding this Privacy Policy or the processing of personal data by Renvia, please contact:

Privacy-related requests, data subject rights requests, deletion requests, and DPA inquiries may be submitted to privacy@renvia.app. Our privacy team will respond in accordance with applicable data protection laws and contractual obligations.

privacy@renvia.app
support@renvia.app
billing@renvia.app
moovit, s.r.o.
IČO: 45240639
IČ DPH: SK2022919415
Bobuľová 11/B, 900 28 Ivanka pri Dunaji, Slovakia