Privacy Policy

Last updated: May 27, 2026

This policy explains how Zentia Labs LLC handles personal data in connection with RaX, a Rental Management System (RMS) for car rental companies.

When a customer uses RaX to manage its bookings, contracts, vehicles, and invoicing, Zentia Labs generally acts as data processor for the operational data entered by the customer, while the customer remains the primary data controller.

1. Controller and scope

RaX is a Rental Management System (RMS) operated by Zentia Labs LLC, 30 N Gould St Ste N, Sheridan, WY 82801, USA. Zentia Labs is responsible for the processing of data collected on its websites, contact forms, demos, onboarding flows, support, billing, and account administration.

This policy governs Zentia Labs’ own processing as a B2B SaaS company. It does not replace the privacy policy that each car rental company must provide to its end customers and drivers when using RaX in its own operations.

2. Processing locations

Zentia Labs LLC processes the personal data covered by this policy from the following locations:

  • United States of America: registered office of Zentia Labs and primary location of cloud infrastructure, storage, and AI-model subprocessors.
  • Spain: authorized Zentia Labs personnel (product, engineering, support).
  • Colombia: authorized Zentia Labs personnel (product, engineering, support).

By accepting our terms, the customer expressly authorizes these processing locations and undertakes to reflect them in the information provided to its end users whenever applicable law so requires. Safeguards for international transfers are detailed in the corresponding section.

3. Categories of data we process

  • Sales and prospecting data: name, business email, phone number, company, fleet size, country, and operational needs.
  • Account and administration data: users, roles (RBAC), credentials, preferences, office configuration, authentication events, and administrative activity inside the backoffice.
  • Contract and billing data: legal entity details, address, tax identifiers, billing contacts, invoices, and payment references.
  • Booking and rental contract data: reservations, rental agreements, dates, rates, extras, and operational status.
  • Driver and rental customer data: name, ID document, driving licence, and contact details, entered manually by the operator in the backoffice.
  • Vehicle data: registration plate, make, model, status, mileage, assignments, and maintenance history.
  • Damage photographs: vehicle inspection images associated with rental contracts.
  • Technical and usage data: IP address, browser, device, cookies, logs, security events, performance, and product analytics.

4. Authentication and Google Sign-In

RaX allows users to sign in via email and password, magic link, or Google OAuth ("Sign in with Google").

When you choose to sign in with Google, we access your email address, name, and profile picture through the Google OAuth 2.0 openid, email, and profile scopes. This data is used solely to create or link your user account in RaX and to verify your identity on each sign-in.

We do not access your contacts, calendar, Drive files, or any other data from your Google account.

You can revoke RaX access to your Google account at any time from your Google account security settings at myaccount.google.com.

RaX's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

5. Purposes of processing

  • Respond to commercial requests, demos, product evaluations, and onboarding.
  • Create and manage customer accounts, authorized users, roles, and office configuration.
  • Provide the contracted RMS service: booking management, rental contracts, vehicle inventory, visual planner, manual check-in, and invoicing.
  • Manage integrations with OTAs (Booking.com, Rentalcars) and telematics providers enabled by the customer.
  • Provide support, maintenance, monitoring, security, and fraud or abuse prevention.
  • Manage the contractual relationship, billing, collections, and accounting or tax obligations.
  • Send service communications and, where a valid basis exists, reasonable B2B product communications.

6. Legal basis and privacy roles

  • Performance of pre-contractual steps or the contract for demos, onboarding, SaaS provision, support, and billing.
  • Compliance with legal obligations relating to accounting, tax, security, and valid requests from authorities.
  • Legitimate interests for security, abuse prevention, product improvement, B2B relationship management, and reasonable professional communications.
  • Consent for non-essential cookies, certain optional marketing actions, and any other processing that requires it.
  • RaX does not process special categories of data (Art. 9 GDPR). No biometric data is processed, and no automated identity verification or liveness detection is performed.
  • For operational data entered by the customer in the RMS (bookings, contracts, driver data, damage photos), the customer acts as data controller and Zentia Labs processes that data under documented instructions and the applicable data processing agreement.

7. Who we share data with

To deliver the service, Zentia Labs relies on providers and subprocessors belonging to the following standard technology categories, the use of which the customer authorizes by accepting our terms: cloud infrastructure and hosting, storage, payment gateways and providers, transactional email, CRM and marketing email, analytics, and observability.

  • Infrastructure, hosting, caching, transactional email, monitoring, and technology providers needed to deliver the service (Google Cloud Platform, Upstash, Resend).
  • Payment processors (Stripe) to manage collections and billing.
  • CRM and marketing email providers (Brevo) for B2B communications.
  • OTAs and telematics providers integrated by the customer for booking synchronization and vehicle data.
  • Professional advisers and public authorities where there is a legal obligation, defence need, or valid request.

Zentia Labs will notify the customer with reasonable advance notice of any material change of subprocessors with impact on the processing of personal data; the customer may object on reasonable, justified grounds. Zentia Labs does not sell personal data and does not use customer operational data for its own purposes beyond service delivery.

8. Use of data for service improvement and AI models

In addition to the processing activities described in the purposes above, Zentia Labs may process aggregated, anonymized, or pseudonymized data derived from use of the service for the following additional purposes:

  • Provision and technical improvement of the service: debugging, performance, reliability, and quality of response.
  • Internal training and evaluation of the AI models used by the service, as well as tuning of prompts, instructions, and heuristics.
  • Aggregated statistical analyses of the vehicle-rental sector (for example, demand metrics, sentiment, types of queries) that do not allow identification of specific natural persons.
  • Development of new features and adjacent services that may benefit existing and future customers.

In no case do we use identifiable end-customer conversational content to train AI models of third-party providers for purposes other than the provision of the contracted service. When models from external providers (subprocessors) are used, the contractual agreements and usage policies of those providers apply, which prohibit the use of customer data to train the provider’s own models unless there is an explicit opt-in.

9. International transfers

Provision of the service involves processing personal data across the United States – Spain – Colombia triangle, as described in the "Processing locations" section. Additionally, certain subprocessors may operate from other countries outside the European Economic Area.

To legitimize these international transfers we apply the safeguards recognized by applicable law, in particular:

  • Standard Contractual Clauses (SCCs) adopted by the European Commission under Decision (EU) 2021/914, Module 2 (Controller to Processor), for transfers from Spain or any other EEA country to the United States and Colombia.
  • Model contractual clauses published by the Colombian Superintendence of Industry and Commerce (SIC) for international transfers originating in Colombia.
  • United States legal framework applicable to Zentia Labs LLC as a company incorporated in the State of Wyoming, including the contractual obligations undertaken in the data processing agreement.
  • Adequacy decisions, recognized certifications, or reasonable supplementary technical measures where applicable.

The data processing agreement (DPA) incorporated into the terms of service constitutes, by itself, the contractual safeguard mechanism for transfers between the customer and Zentia Labs, since it incorporates obligations, guarantees, and rights equivalent to those provided by the safeguards above. For additional transfers to subprocessors, Zentia Labs relies on the DPAs and transfer clauses published by those providers.

10. Retention periods

  • Leads, forms, and B2B sales communications: up to 24 months from the last interaction, unless there is an objection or a contract is signed.
  • Account, contract, and billing data: while the commercial relationship exists and afterwards for the periods required by law (6 years for tax and accounting records in most jurisdictions).
  • Operational booking, contract, and driver data: according to customer configuration and instructions, technical backup windows, and the agreed deletion process.
  • Damage photographs: according to customer instructions and applicable claim periods.
  • Support tickets: usually up to 3 years after case closure.
  • Security and access logs: usually up to 12 months, unless investigation or reinforced retention is required.

11. Security and data processing agreement

  • We apply reasonable technical and organizational measures, including role-based access controls (RBAC), encryption in transit, event logging, and vendor review.
  • Internal data access is limited to authorized personnel with a functional need and confidentiality obligations.
  • Each customer company's data is isolated at tenant level, ensuring no operator can access another operator's data.
  • The processor relationship for customer operational data is governed through contract and the applicable data processing agreement, including subprocessors and security commitments.

12. Rights and request handling

Where applicable, you may exercise rights of access, rectification, erasure, objection, restriction, and portability with respect to data for which we act as controller.

If the request relates to driver or end-customer data entered by a car rental company in RaX, the primary route should be that company as controller. Nevertheless, data subjects may also direct their requests subsidiarily to Zentia Labs; in that case we will forward the request to the customer without undue delay and assist with its resolution in our role as data processor.

  • Requests about leads, accounts, billing, support, or use of our websites: contact us at privacy@raxmobility.com.
  • Requests about bookings, contracts, or driver data managed by a car rental company: contact that company first.

13. Changes to this policy

We may update this policy to reflect legal, technical, or product changes. The current version will be published on this page together with its last update date.

Contact

Controller
Zentia Labs LLC, 30 N Gould St Ste N, Sheridan, WY 82801, USA

If you live in Spain or another EEA country and believe that our own processing of your data does not comply with applicable law, you may lodge a complaint with the competent supervisory authority.