DATA AND PRIVACY PROTECTION

VERSION: 1.1
LAST UPDATED: April 2026.
APPLICABLE SCOPE: This Notice applies to personal data processed through the central website www.carwiz.rent, the direct website reservation environment connected to that website, the central CMS, and related central administrative systems, subject to any market specific, service specific, or jurisdiction specific supplement where applicable.
COMPANY: CARWIZ International d.o.o.
REGISTERED ADDRESS: Slavonska avenija 26/9, 10000 Zagreb, Croatia
PRIVACY EMAIL: privacy@carwiz.rent
WEBSITE: www.carwiz.rent

1. INTRODUCTORY PROVISIONS

This Data and Privacy Protection Notice explains how personal data is processed in connection with the CARWIZ website available at www.carwiz.rent, including use of the website, submission of reservation or booking related information through the website, communication through website forms or contact channels, and related technical, administrative, security, compliance, reservation management, and reporting related processing.

For the purposes of this Notice:

1. “CARWIZ Intl.” means CARWIZ International d.o.o., with registered address at Slavonska avenija 26/9, 10000 Zagreb, Croatia.
2. “Central Platform” means the website www.carwiz.rent, the direct website reservation environment connected to that website, the central CMS, the reporting dashboard, and related central administrative systems.
3. “Local Operator” means the relevant local market, franchise partner, affiliate partner, branch, or rental operator responsible for the local rental service, and includes the plural where the context so requires.

This Notice is intended to provide a layered explanation of the respective roles and responsibilities that may apply within the CARWIZ system, including:

1. processing carried out by CARWIZ International in relation to the Central Platform,
2. processing carried out by the relevant Local Operator in relation to the local rental service, and
3. any additional or separate processing that may be introduced in the future in connection with specific services, programmes, jurisdictions, or functionalities, including but not limited to loyalty services, account based services, market specific services, or country specific legal disclosures.

Where additional privacy information is required for a specific market, service, programme, functionality, or jurisdiction, such information may be published in a separate notice, supplement, or linked disclosure on this webpage or through the relevant process.

2. WHO IS RESPONSIBLE FOR PROCESSING PERSONAL DATA

2.1 CARWIZ International

For certain processing activities relating to the Central Platform, CARWIZ International acts as controller, or otherwise as a separately responsible party, to the extent that it determines the purposes and means of such processing.

This may include, in particular:

1. operation, administration, and support of the Central Platform,
2. receipt and handling of enquiries submitted through the Central Platform,
3. collection, storage, review, visibility, and administration of direct website reservation and booking related data submitted through the Central Platform,
4. operation of the central reservation related CMS, reporting dashboard, and related central administrative tools,
5. internal oversight, operational monitoring, business reporting, and statistical review concerning direct website reservation activity processed through the Central Platform,
6. security, incident detection, misuse prevention, diagnostics, debugging, technical maintenance, and service support relating to the Central Platform,
7. record keeping, audit trail integrity, legal compliance, and the establishment, exercise, or defence of legal claims relating to the Central Platform and its operation.

2.2 Local Operator

The relevant Local Operator generally acts as controller for personal data processed for the purposes of:

1. responding to a reservation request relating to that Local Operator,
2. confirming, modifying, rejecting, or cancelling a reservation,
3. concluding and performing the local rental agreement,
4. identity verification, eligibility checks, licence verification, deposit handling, payment handling, and vehicle handover,
5. customer communication and customer support relating to the local rental service,
6. claims handling, accidents, fines, penalties, damages, insurance related handling, and dispute management,
7. compliance with local legal, tax, accounting, consumer protection, insurance, and contractual obligations.

The relevant Local Operator will usually be identified during the reservation flow, on the relevant market page, in the rental documentation, or otherwise at the point where the local rental service is offered or concluded.

2.3 Nature and limits of responsibility

Not all processing activities described in this Notice are carried out by the same legal entity or for the same purpose.

Depending on the specific processing activity, personal data may be processed:

1. solely by CARWIZ International,
2. solely by the relevant Local Operator, or
3. by more than one responsible party for different, related, or legally distinct purposes.

Nothing in this Notice shall be interpreted to mean that CARWIZ International is automatically the controller for all local rental operations, all separate local websites, or all local processing activities in all markets.

Equally, nothing in this Notice shall be interpreted to mean that CARWIZ International has no responsibility where it independently determines the purposes and means of specific processing carried out through the Central Platform.

For the avoidance of doubt, references in this Notice to the Central Platform, the central CMS, the reporting dashboard, or related central administrative systems refer to processing carried out in connection with the central CARWIZ digital environment and do not, by themselves, mean that CARWIZ International is the controller for every separate local website, every separate local rental operation, or every third party booking channel.

3. CATEGORIES OF PERSONAL DATA

Depending on how a user interacts with the Central Platform and the relevant Local Operator, the following categories of personal data may be processed:

1. identification data, such as name, surname, title, nationality, date of birth, or similar identifying information where relevant,
2. contact data, such as email address, telephone number, address, country, or other contact details,
3. reservation and booking data, such as selected market, rental location, reservation number, date and time of pick up and return, vehicle category, selected extras, comments submitted, and other reservation related details,
4. transaction related data, such as reservation amount, currency, payment status, and whether payment was made online or offline,
5. communication data, such as enquiries, requests, messages, complaints, support correspondence, and related records,
6. technical and usage data, such as IP address, browser type, device data, session data, cookie related identifiers, log data, and website interaction data,
7. legal and compliance related data where necessary for fraud prevention, dispute handling, record keeping, audit trail integrity, or defence of legal claims.

For the avoidance of doubt, payment card details are generally processed within the relevant payment service environment and are not intended to be stored within the central CMS merely because payment status or payment channel information is visible there.

Where a specific market, service, functionality, or legal regime requires additional disclosures concerning specific categories of data, such disclosures may be set out in a separate market specific or service specific notice.

4. PURPOSES OF PROCESSING

Personal data may be processed for the following purposes, as applicable:

1. to provide, operate, administer, and support the Central Platform,
2. to enable users to submit enquiries, reservation requests, or booking related information,
3. to route or make available reservation related information to the relevant Local Operator,
4. to collect, store, display, review, and administer direct website reservation records within the Central Platform,
5. to support operational visibility and internal business monitoring concerning direct website reservation activity processed through the Central Platform,
6. to communicate with users regarding enquiries, reservations, booking related matters, or operational follow up,
7. to maintain service continuity, system stability, technical functionality, diagnostics, debugging, and security in relation to the Central Platform,
8. to generate internal reporting, oversight, and limited statistical or administrative review relating to direct website reservation activity and use of the Central Platform,
9. to comply with legal obligations,
10. to establish, exercise, or defend legal claims,
11. to perform, or prepare for the performance of, a rental or related service where applicable,
12. to fulfil local legal, tax, accounting, consumer, insurance, or contractual requirements applicable to the relevant Local Operator.

5. LEGAL BASES FOR PROCESSING

Personal data may be processed on one or more of the following legal bases, depending on the relevant activity:

1. performance of a contract, or steps taken at the data subject’s request prior to entering into a contract,
2. compliance with a legal obligation to which the relevant controller is subject,
3. legitimate interests pursued by the relevant controller, provided that such interests are not overridden by the interests or fundamental rights and freedoms of the data subject,
4. consent, where consent is required under applicable law, including for specific categories of cookies or similar technologies.

Where processing is based on legitimate interests, such interests may include, as applicable:

1. operation and administration of the Central Platform,
2. management and oversight of the direct website reservation flow processed through the Central Platform,
3. internal business reporting and operational monitoring in relation to direct website reservations,
4. system security, misuse prevention, diagnostics, debugging, and technical maintenance relating to the Central Platform,
5. internal administrative oversight, record integrity, and audit trail integrity,
6. business continuity,
7. protection and defence of legal rights and claims.

Where consent is required, including for non essential cookies or similar technologies, the relevant processing will be based on consent and may be withdrawn in accordance with applicable law.

6. SOURCES OF PERSONAL DATA

Personal data may be collected:

1. directly from the user,
2. through the user’s interaction with the Central Platform,
3. through reservation, booking, enquiry, or contact forms,
4. from the relevant Local Operator,
5. from technical systems, logs, cookies, or related website technologies,
6. from service providers engaged for hosting, maintenance, technical support, analytics, communications, security, payment validation, or similar support purposes,
7. from third parties where required for legal, operational, or contractual reasons.

7. RECIPIENTS AND DISCLOSURE OF PERSONAL DATA

Personal data may be disclosed, to the extent necessary and lawful, to:

1. the relevant Local Operator,
2. CARWIZ International and its authorised personnel,
3. website developers, hosting providers, technical maintenance providers, CMS providers, infrastructure providers, payment related service providers, or other IT and support service providers engaged in connection with the Central Platform and its operation,
4. legal, accounting, compliance, customer support, security, insurance related, or other professional advisers and service providers where applicable,
5. competent authorities, regulators, courts, law enforcement bodies, or other public authorities where disclosure is required by law or necessary for the protection of rights and legitimate interests.

Personal data will not be disclosed to unauthorised third parties.

8. INTERNATIONAL TRANSFERS

Where personal data is transferred outside the European Economic Area, such transfer shall take place only where a lawful transfer mechanism exists under applicable data protection law, including an adequacy decision, standard contractual clauses, or other appropriate safeguards, as applicable.

Further information on international transfers may be provided upon request, to the extent required by law.

9. RETENTION OF PERSONAL DATA

Personal data shall be retained only for as long as necessary for the purposes for which it was collected and processed, including, where applicable:

1. for the duration necessary to process an enquiry, reservation, booking, or related customer communication,
2. for the duration of the relevant contractual relationship or pre contractual process,
3. for the period reasonably necessary for administration, reporting, oversight, diagnostics, technical support, audit trail, record integrity, and internal review relating to direct website reservation activity and operation of the Central Platform,
4. for the period required by applicable law, including accounting, tax, consumer protection, and other legal retention obligations,
5. for the period necessary to establish, exercise, or defend legal claims.

Where different retention periods apply depending on the market, legal regime, or type of record, the relevant controller may apply the retention period required under applicable law, internal policy, or legal necessity.

10. COOKIES AND SIMILAR TECHNOLOGIES

The Central Platform uses cookies and similar technologies.

Further information about the categories of cookies used, their purposes, legal basis, duration, and consent management is available in the Cookie Policy published on this website.

Where consent is required for non essential cookies or similar technologies, such technologies shall be used only in accordance with the user’s consent preferences, subject to the technical configuration of the website and consent management tool.

11. DATA SUBJECT RIGHTS

Subject to applicable law, data subjects may have the right to:

1. request access to their personal data,
2. request rectification of inaccurate or incomplete data,
3. request erasure of personal data,
4. request restriction of processing,
5. object to processing carried out on the basis of legitimate interests,
6. request data portability, where applicable,
7. withdraw consent at any time where processing is based on consent,
8. lodge a complaint with a competent supervisory authority.

Where a request relates primarily to the local rental relationship, local reservation fulfilment, rental agreement, payment handling, claim, or other market specific matter, the request may need to be addressed to the relevant Local Operator acting as controller for that processing.

Where a request relates to the Central Platform, direct online reservations received through www.carwiz.rent, the central CMS, the reporting dashboard, technical logs, security, or related central processing, the request may be addressed to CARWIZ International.

CARWIZ International may, where appropriate, redirect, coordinate, or cooperate with the relevant responsible party to the extent necessary for proper handling of the request.

12. CONTACT DETAILS

For privacy related questions or requests concerning processing carried out by CARWIZ International in connection with the Central Platform, users may contact:

CARWIZ International d.o.o.
Slavonska avenija 26/9
10000 Zagreb
Croatia
Email: privacy@carwiz.rent
Website: www.carwiz.rent

For privacy related questions or requests concerning the local rental service, local reservation fulfilment, rental agreement, payment, claims, or other local market processing, users should contact the relevant Local Operator identified in the relevant reservation, relevant market website, rental documentation, or contractual materials.

13. SUPERVISORY AUTHORITY

Data subjects have the right to lodge a complaint with the competent supervisory authority in the Member State of their habitual residence, place of work, or place of the alleged infringement.

For CARWIZ International in Croatia, the competent supervisory authority is:

Croatian Personal Data Protection Agency, AZOP
Ulica Metela Ožegovića 16
HR, 10000 Zagreb
Croatia
Email: azop@azop.hr
Website: www.azop.hr

14. FUTURE SERVICES, MARKET SPECIFIC DISCLOSURES, AND ADDITIONAL NOTICES

This Notice applies to the processing activities currently identified as relevant at the time of publication.

If CARWIZ introduces additional services, features, or processing operations, including but not limited to:

1. central user accounts,
2. loyalty or rewards programmes,
3. market specific customer portals,
4. United States specific services or disclosures,
5. additional payment, support, insurance, mobility, or related service functionalities,
6. other country specific or service specific processing operations,

additional privacy information may be published in a separate notice, supplement, or linked disclosure, and will apply to the relevant service, market, or functionality from the time such service or functionality becomes active.

Where such services are not yet active, no processing shall be deemed to occur merely because they are referenced in this section.

15. CHANGES TO THIS NOTICE

CARWIZ may update this Data and Privacy Protection Notice from time to time in order to reflect legal, operational, technical, or organisational changes.

The latest version shall be published on this website and shall indicate the relevant version and last updated date.