mkrent.mkCar Rental & VIP Transfer
Home
Legal

Privacy Policy

Last updated: 19 April 2026 · GDPR + KVKK compliant

1. Data Controller

Mkrent DOO
Limak Diamond Residence, Ss Cyril & Methodius 3, Skopje 1000, North Macedonia
DPO email: dpo@mkrent.mk

2. What We Collect

  • Account info: name, surname, email, phone, password (bcrypt hash)
  • Booking data: driver info, license number, rental dates, pickup point
  • Payment data: processed by Stripe — card numbers are not stored with us; only last 4 digits + transaction ID
  • Technical data: IP address, browser, device, language, pages visited
  • Cookies: session, preferences (details)
  • Communications: emails/form messages you send us

3. Why We Use Data

  • Creating bookings and sharing with partner companies (contract performance — GDPR Art. 6(1)(b))
  • Account management, password reset, security
  • Email notifications (confirmation, cancellation, reminders)
  • Platform performance + error diagnostics (legitimate interest — GDPR Art. 6(1)(f))
  • Legal obligations (invoicing, tax, accounting — 10-year retention)
  • Marketing emails (requires explicit consent — unsubscribe at any time)

4. Who We Share With

  • Partner rental companies: only the info needed for the rental of the car you booked
  • Stripe (payments): PCI-DSS Level 1, EU data transfer with SCC
  • Resend (email): transactional email, EU servers
  • Cloudflare: DNS + CDN + security
  • Legal authorities: in case of court order, minimum required information

We never sell your data, never rent to third-party advertisers.

5. How Long We Keep It

  • Account data: until you delete + 30 days in backups
  • Booking details: 10 years (tax/accounting obligation)
  • Technical logs: 90 days
  • Marketing email list: until you unsubscribe
  • Cookies: session/7 days/1 year by type

6. Your Rights (GDPR/KVKK)

  • Access: know which of your data we process
  • Rectification: correct inaccurate data
  • Erasure ("right to be forgotten"): delete your account and data
  • Restriction: temporarily pause processing
  • Portability: download your data as JSON
  • Objection: object to processing under legitimate interest
  • Withdraw consent: cancel marketing approval
  • Complaint to authority: DZLP (MK) or KVKK (TR)

To exercise your rights: dpo@mkrent.mk — answered within 30 days.

7. Security Measures

  • TLS 1.2+ encryption on all connections
  • Passwords are bcrypt-hashed (never stored in plain text)
  • DB access IP-restricted, 2FA-protected
  • Daily backups (30 days)
  • Stripe PCI-DSS Level 1 payment infrastructure
  • Cloudflare WAF + DDoS protection

8. Children's Data

mkrent.mk does not serve users under 18. We do not knowingly collect children's data. If a child registration is noticed by accident, it is deleted immediately.

9. Data Transfer Outside the EU

Some of our providers (Stripe, Cloudflare) may process data outside the EU. In that case we apply Standard Contractual Clauses (SCC), and transfer is kept to a minimum.

10. Changes

When we update this policy the date changes; significant changes are notified by email.

11. Contact

Single point of contact for privacy: dpo@mkrent.mk

Data Protection Authority: DZLP (North Macedonia)