Privacy policy

Updated: 11th July 2025

Your privacy is very important to us. We want you to know that the personal data you provide for us is processed fairly and lawfully. This Privacy policy has been created to inform you about the purposes and conditions under which we process your personal data. 

If you have any questions regarding this policy or any requests related to the processing of your personal data, you can contact us at [email protected]. 

Your personal data is processed by AS APR-Rent, company code: 10276625, address: D Lõõtsa tn 4, 11415 Tallinn, Estonia (hereinafter – the Company or We), acting as the Data Controller. 

The Company represents the “Hertz” brand in Estonia, which belongs to the American car rental company based in Estero, Florida, operating more than 9,700 international corporate and franchise locations and representing such brands as Hertz, Hertz 24/7, Dollar, Thrifty, and Firefly. You can review the Hertz Privacy policy on the website www.hertz.com. 

Please be informed that when using third-party services (including reservation systems and websites owned by Hertz) or visiting their websites, you are required to review the privacy policies of those parties. We are only responsible for the processing of data provided to us and are not responsible for how your data is processed by third parties. 

In this Privacy policy, the term “Personal Data” (hereinafter – Personal Data) refers to any information or set of information that can directly or indirectly identify your identity, such as your name, surname, email address, phone number, etc. 

We guarantee that your personal information is processed in accordance with this Privacy policy and the applicable laws governing the data collection, use, and disclosure of your personal information, which our Company, including affiliated companies and all third parties – service providers or authorized representatives bound by contractual obligations – is required to comply with. 

This Privacy Policy is intended for all individuals who use, have used, or intend to use our services, as well as individuals indirectly associated with us (such as company beneficiaries, representatives, or other employees), individuals who have any contractual relationship with us, or whose personal data has become known to us, as well as anyone who visits our website, parking lots, or whose data becomes known to us through the use of Hertz or other reservation systems, or by any other means (hereinafter referred to as You or the Client). 

This Privacy policy provides general provisions on how we process Personal Data. Additional information about the processing of Personal Data may be provided in the agreements concluded between us and you, as well as in other documents. 

When processing and storing your personal data, we implement organizational and technical measures that ensure the protection of personal data against accidental or unlawful destruction, alteration, disclosure, as well as any other unlawful processing. Access to the personal data we process is granted only to those individuals for whom it is necessary to perform their job functions, provide services, or when there is a legitimate basis for such access. 

You are responsible for ensuring that the personal data you provide is accurate, correct, and complete. If the provided personal data changes, you must inform us without delay. 

We shall not be held liable for any damage caused to the individual and/or third parties due to the client or potential client providing incorrect and/or incomplete personal data or failing to request the supplementation and/or correction of the data when it has changed. 

SOURCES OF PERSONAL DATA 

We need to collect your personal information in order to rent a vehicle to you or provide other services.  

If you refuse to provide the information or provide incomplete information, in certain cases, we may be unable to offer you products or provide services under the agreement concluded with you, or we may fail to comply with applicable legal obligations. For example, when you rent a vehicle from us, we will request information such as your name and surname, address, payment information, and driver’s license. If you do not provide us with this information, we will be unable to rent the vehicle to you. We will inform you if this happens and notify you of the consequences of not providing personal information. 

We collect personal information when you provide it, for example, during a phone call, by fax, by mail, by email, at a rental location, when filling out an application, or when using the websites www.hertzlease.ee, www.hertz.ee Hertz mobile applications, or our products and services.  

Therefore, Personal Data is usually obtained directly from you when you provide it, but we also have the right to receive information from third parties: 

• that is, from Travel Agents or through third-party booking services you used to make a reservation; 

• From insurance companies, brokers, or partners when you require a replacement vehicle service; 

• From our partners when you intend to obtain long-term rental services or intend to purchase other products or services from us; 

• Through reservation systems operated under the Hertz brand when you make a vehicle reservation; 

• From credit institutions, when we are required to assess your creditworthiness in providing leasing services; 

• From your employer or the person who concludes a rental agreement with us and assigns the vehicle to you; 

• From the police and other law enforcement authorities if you were involved in a traffic accident or suffered any damage during the rental period, if the vehicle was damaged or stolen, as well as if you were fined for speeding, parking violations, tolls, or other traffic-related penalties during the rental period, or committed any traffic-related offense; 

• Also from other individuals, if there is a legal basis for obtaining such information; 

• Certain limited data may also be automatically generated when the client browses our website. 

In certain cases, we share the information received from you with other sources. For example, if a vehicle reservation was made through the www.hertz.ee reservation system, www.hertzlease.ee, upon your arrival to pick up the vehicle, the data in this system will be shared with the additional information you provide on-site. 

Legal bases for personal data processing: 

1. The processing of Personal Data is necessary for the performance of the agreement to which the Data Subject is a party, or to take steps at the request of the Data Subject prior to entering into an agreement; 

2. The processing of Personal Data is necessary for the Company to comply with its legal obligations; 

3. The processing of Personal Data is necessary for the legitimate interests pursued by the Company or a Third Party; 

4. The Data Subject has given consent to the processing of their Personal Data for one or more specific purposes; 

5. On other grounds established by The General Data Protection Regulation (hereinafter – Regulation or GDPR), Personal Data Protection Laws, and other legal acts, provided that the conditions for such grounds are met. 

WHAT PERSONAL DATA WE PROCESS AND WHY? 

Short-Term Rental 

When managing your inquiries regarding short-term car rentals (including reservation data), we may process the following personal data about you: 

1. Name, Surname, date of birth, personal code (in certain cases); 

2. Contact information: email address, phone number, residential or work address, mailing address (if different from the main address), fax number; 

3. Payment information: credit/debit card number and expiration date, transaction amount, reservation amount; 

4. Driver’s license: number, place/country of issue, expiration date; Passport (if provided): number, country of issue, date of issue; Copy of identity document: driver’s license, passport or ID card; Residence permit (if provided): number, country of issue, date of issue;  

5. Hertz / Dollar / Thrifty loyalty program membership number; 

6. Information of corporate or discount program participants: airline or hotel loyalty programs, rental information including pick-up and return details; 

7. Person making the reservation on behalf of the client (travel agent, coordinator, administrative assistant, etc.); Travel agency/intermediary/business partner information; 

8. Other necessary and legally justified data or any other data voluntarily provided (For example, the flight number.). 

Legal basis for data processing – the processing of data is necessary for the conclusion and performance of an agreement (Article 6(1)(b) of the GDPR). 

Data retention period – if a agreement is concluded – 10 years from the end of the agreement term. Reservation data is retained until the agreement is concluded, but no longer than the consent remains valid. 

Long-Term Rental and Leasing (lease-purchase) 

When managing your inquiries regarding long-term car rentals or leasing (lease-purchase) (including reservation data), we may process the following personal data about you: 

1. Name, Surname, date of birth, personal code (in certain cases);   

2. Contact information: email address, phone number, residential or work address, mailing address (if different from the main address).  

3. We may request your creditworthiness information if you are renting a vehicle as a natural person; 

4. Driver’s license: number, place/country of issue, expiration date; Passport (if provided): number, country of issue, date of issue; Copy of identity document: driver’s license, passport or ID card; Residence permit (if provided): number, country of issue, date of issue;    

5. Corporate or association affiliation: contact details of the company representative (name, surname, position, email, phone number), contact details of the company director, name, surname (if the vehicle is rented by a company and handed over to you); 

6. Payment information: Bank account number; 

7. Services booked, car specification, car systems; 

8. Other necessary and legally justified data or any other voluntarily provided data. 

Legal basis for data processing – the processing of data is necessary for the conclusion and performance of an agreement (GDPR Article 6(1)(b)). 

Data retention period – After concluding the agreement – 10 years from the end of the agreement’s validity. 

Claims and penalties administration 

For the purpose of damage and car accident administration, we will process the following personal data of yours: 

• Name, surname, address, vehicle registration number, contact details, other data specified in the accident report; for this purpose, if necessary, we may also process your health data, but only as much as necessary to manage the incident. 

Legal basis for data processing – legal obligation (GDPR Article 6(1)(c)), the processing of data is necessary for the conclusion and performance of an agreement (GDPR Article 6(1)(b)), legitimate interest (GDPR Article 6(1)(f)). 

Data retention period – as long as necessary to administer the incident and fully resolve claims, but no longer than 10 years after the end of the rental agreement. 

For the purpose of administrative penalty or penalty administration, we will process the following personal data of yours: 

• Driver’s full name, date of birth / personal identification number, driver’s license number, date of issue, expiry date, email address, phone number, violation number, information about the violation (type, time, location, penalty). 

Legal basis for data processing – legal obligation (GDPR Article 6(1)(c)), the processing of data is necessary for the conclusion and performance of an agreement (GDPR Article 6(1)(b)), legitimate interest (GDPR Article 6(1)(f)). 

Data retention period – not less than 5 years (statute of limitations for enforcement of administrative penalties). 

Vehicle location data 

Some vehicles are equipped with a location tracking system, as well as a system that allows monitoring information about the vehicle’s status, such as locking, speed, sensor status, and the activation of safety systems (e.g., airbags). 

If such data processing is necessary based on our legitimate interests – for example, to ensure vehicle safety, prevent theft, or perform technical maintenance – we will clearly inform you about this in our agreements and/or privacy notices. In this case, we act as the data controller. 

If the equipment is installed in the vehicle at the initiative of your employer – for instance, when the vehicle is used for work purposes – we act as a service provider (data processor). In such cases, the basis, purposes, and your rights regarding the processing of personal data can be obtained directly from your employer, who is the data controller in this context. 

Legal basis for data processing: the processing of data is necessary for the conclusion and performance of an agreement (GDPR Article 6(1)(b)), legitimate interest (GDPR Article 6(1)(f)). 

Data retention period – until the end of the rental agreement. 

Video surveillance 

Where indicated by signs, our rental locations are equipped with surveillance cameras to ensure the safety of property and individuals. 

The processed personal data include video data, vehicle registration number, location, and time. 

Legal basis for data processing: legitimate interest (GDPR Article 6(1)(f)). 

Data retention period – 14 days. 

Call recording 

We may record our conversations with you for the purpose of handling customer complaints or disputes, conducting internal analysis, and improving our services. You will be informed about the recording at the beginning of the call. 

The data processed includes information recorded during the conversation – the phone number, the customer’s voice (audio recording), and any information provided during the call (e.g., personal data, flight number, inquiries, or other details). 

Legal basis for data processing – the processing of data is necessary for the conclusion and performance of an agreement (GDPR Article 6(1)(b)), Consent (GDPR Article 6(1)(a)). 

Data retention period – 1 year. 

Service improvement 

We also process your basic contact and contractual data in order to send you requests to evaluate the quality of our services, with the aim of improving the services we provide. 

Legal basis for data processing – the processing of data is necessary for the conclusion and performance of an agreement (GDPR Article 6(1)(b)). 

Data retention period – 1 year. 

Direct marketing 

Upon receiving your consent, we may use and collect your personal data for direct marketing purposes to provide you with newsletters, offers, or information about our services. For this purpose, we collect your name, surname, and email address. 

Newsletters may be sent by email or other contacts you provide. Your contact details may be shared with our partners and data processors who provide us with newsletter distribution or quality assessment services. 

Even if you have given consent to process personal data for direct marketing purposes, you can easily withdraw this consent at any time for all or part of the personal data processing activities. To do this, you may: 

• notify us of your withdrawal by using the method indicated in the electronic messages and/or offers, if such a method is provided (for example, by clicking the newsletter “unsubscribe” link, etc.); or 

• Send us a message to the email address specified in this Privacy policy. If you request to withdraw your consent in this way, we may ask you to verify your identity. 

Once you withdraw your consent, we will make every effort to promptly stop sending newsletters to the contact details you have provided. 

Legal basis for data processing – the data subject’s consent to such data processing (Article 6(1)(a) of the GDPR). 

Data retention period – the data will be processed for 2 years from the date of consent. 

Other bases 

We process your basic, contact, contractual, and financial data in order to fulfill our legal obligations. Under such obligations, we are required to process data, for example, to comply with disclosure obligations to authorities and to fulfill data processing-related requirements (e.g., retention periods for accounting records, information about our ultimate beneficial owners). 

Legal basis for data processing – legal obligation (Article 6(1)(c) of the GDPR). 

Data shall be stored for the period prescribed by law. 

TRANSFER AND STORAGE OF PERSONAL DATA 

Personal data is protected against loss, unauthorized use, and breach. Physical and technical measures are employed to ensure that the personal data we collect is secure. The company is committed to taking all necessary actions and measures to protect the data. 

We commit to maintaining confidentiality regarding the personal data of clients, potential clients, website visitors, and others whose personal data we receive. 

Personal data may be disclosed to third parties only if necessary to conclude and perform an agreement for the benefit of the data subject, or for other legitimate reasons. 

WE MAY TRANSFER YOUR PERSONAL DATA TO 

Hertz International, travel agents, brokers, reservation system administrators. Your employer or organization. The financial institution that issued your credit card. Our employees responsible for providing services to you or improving them, handling claims, or in other cases where it is necessary to ensure our operations and obligations. Government, regulatory and law enforcement authorities, companies or service providers that manage or operate parking facilities. Insurance companies or claims management companies. Auditors, lawyers, tax advisors, as well as couriers, companies providing customer relationship management services, IT service providers, advertising and marketing agencies, accounting service providers, and others. 

We require our data processors to store, process, and handle Personal Data with the same level of responsibility as we do, and only according to our instructions. To obtain information about the data processors and data recipients we engage, you can submit a request via email at [email protected].  

We may also disclose your personal data in response to requests from courts or governmental authorities to the extent necessary to properly comply with applicable laws and instructions from governmental authorities. 

TRANSFER OF PERSONAL DATA TO THIRD PARTIES 

Personal Data is generally processed within the territory of the European Union / European Economic Area (EU/EEA), but in certain cases, it may be transferred to and processed outside the EU/EEA. 

Personal data may be transferred to and processed outside the EU/EEA when the transfer is necessary for the conclusion and performance of a agreement, when personal data may be stored using data storage solutions with servers located outside the European Economic Area, or when the Client has given consent, as well as when appropriate safeguards are implemented. 

By providing us with your Personal Data or giving consent for the processing of Personal Data, you agree that your data (including data storage and transfer) may be processed outside the EU/EEA for the purposes specified in this Policy. 

We will take all reasonably necessary security measures to ensure that the processing of your Personal Data complies with all applicable data protection laws. We have the right to transfer your Personal Data in accordance with: 

• the European Commission’s adequacy decision; 

• standard data protection clauses prepared by the European Commission; 

• standard data protection clauses prepared by the data protection authority; 

• taking advantage of other available safeguards and derogations, where available under the applicable law. 

YOUR RIGHTS AS A DATA SUBJECT 

When processing your data, we ensure that your rights established by the European Union General Data Protection Regulation (EU) 2016/679 and other legal acts regulating personal data processing are respected. 

You, as the data subject, have the following rights related to your Personal Data: 

1. To access the personal data processed by the Company – you have the right to access your personal data and how it is being processed; 

2. The right to request the rectification of Personal Data – you have the right to request that we correct any of your Personal Data if you believe it is inaccurate or incomplete; 

3. The right to request the erasure (to be forgotten) of Personal Data – you may also request the erasure of your Personal Data if it is no longer necessary for the purposes for which it was collected, or if you believe that the data processing is unlawful, or if you believe that the Personal Data must be erased in order for us to comply with a legal obligation. In certain cases, due to legal regulations, when the laws of the relevant jurisdiction prohibit us from deleting the data we store and process, we will not be able to fulfill such a request, even if you ask us to do so; however, we will inform you about the obligations that apply to us. 

4. The right to restrict the processing of personal data – in certain cases, you may have the right to request that we do not use the personal information you have provided (e.g., if you believe it is inaccurate). 

5. The right to object to the processing of Personal Data – in cases provided by law, you have the right to object to the relevant processing of your Personal Data, including, for example, the processing of your Personal Data for marketing purposes. In cases where your personal data is processed on the basis of a separate consent, you have the right to withdraw your consent to the processing of your personal data at any time. 

6. The right to data portability – if your Personal Data is processed automatically based on your consent or on the basis of mutual contractual relationships, you may request that we provide you with such Personal Data in a structured, commonly used, and electronic format. In addition, you may also request that the Personal Data be transferred to another controller. Please note that this can only be done if such technical possibilities exist. 

COOKIES 

In order to improve your experience on our website, we may use cookies – small text files that are automatically created while browsing the website and are stored on the visitor’s computer or other end device. 

The information collected through cookies helps ensure more convenient browsing on the Website and provides insights into visitor behavior, allowing us to analyze trends and improve the Website, the services provided, or the information presented on the Website. 

We may use essential cookies that are necessary to ensure the functioning of the Website, analytical cookies, functional cookies designed to analyze Website visits, remember user preferences, and tailor them to the Website in order to provide enhanced features, performance cookies, third-party cookies used by third parties, and advertising cookies intended to display personalized and general advertisements to you. 

You can choose whether or not to accept cookies. If you do not agree to cookies being stored in your computer’s or other device’s browser, you can indicate this in the cookie consent banner, change your browser settings, and disable cookies (either all at once, individually, or by category). If you wish to disable cookies on your mobile device, you should follow the official instructions specific to that device. Please note that in some cases, refusing cookies may slow down browsing speed, limit the functionality of certain websites, or block access to the website altogether. More detailed information is provided at the following address: http://www.AllAboutCookies.org or https://www.google.com/privacy_ads.html 

You can deactivate the use of third-party cookies for advertising-related purposes by visiting the Network Advertising deactivation page at http://www.networkadvertising.org/managing/opt_out.asp.  

To ensure you can use the website more conveniently and efficiently, we use following cookies: 

CHANGES TO THE PRIVACY POLICY 

This Policy may be amended or updated. The latest version will always be published on our websites, so we encourage you to check from time to time to ensure you are familiar with the most recent version. This Policy was updated on 2025-07-11 and takes effect from the day it is published on our website. 

CONTACT US 

You have the right to contact us to submit inquiries, withdraw given consents, make requests regarding the exercise of data subject rights, and file complaints concerning the processing of Personal Data. 

If you are concerned about a possible privacy rights violation or any other legal infringement, please contact us by email at [email protected]. 

If you are dissatisfied with the handling of your complaint, you have the right to submit a complaint to the data protection authority of your country. You also have the right to bring a case before a court of competent jurisdiction. Information about the authorities responsible for ensuring compliance with laws related to Personal Data protection: 

Estonia 

Data Protection Inspectorate 

Väike-Ameerika 19, 10129 Tallinn, Estonia 

Phone. +372 6274 135 

Email: [email protected]  

www.aki.ee