Privacy Policy

Carentright OÜ, operating the Carentright / CarRentRight / CRR platform (“Carentright”, “CarRentRight”, “CRR”, “we”, “our”, or “us”), respects your privacy and is committed to protecting your personal data.

This Privacy Policy explains how we collect, use, store, disclose, and protect personal data when you:

• visit our website;
• interact with our landing pages and public content;
• start a case through our platform;
• submit a complaint or claim;
• upload documents or other supporting information;
• communicate with us or with service channels connected to our platform.

Carentright operates a structured consumer-enforcement platform that supports claims and complaints through intake, evaluation, mediation, and, where appropriate, referral to independent legal partners. Personal data is processed in line with that operational model.

We process personal data in accordance with applicable data protection law, including the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and other applicable privacy and electronic communications laws.

The data controller responsible for the processing of personal data under this Privacy Policy is:

Carentright OÜ
Registry code: 17481848
Registered address: Harju maakond, Tallinn, Lasnamäe linnaosa, Ruunaoja tn 3, 11415, Estonia
General contact email: support@carentright.com

For privacy-related requests, you may contact us at:

privacy@carentright.com

This Privacy Policy applies to personal data processed through:

• the Carentright website;
• case intake forms and conversational intake tools;
• complaint and claim submission workflows;
• dashboard and account access features;
• communications sent by or to Carentright in relation to a case;
• analytics, security, and service-improvement processes connected to the platform.

This Privacy Policy does not govern the privacy practices of independent third-party websites, law firms, payment providers, or other third parties that may be linked to or interact with the platform.

We may collect and process the following categories of personal data.

We obtain personal data:

• directly from you;
• from documents and information you upload;
• from communications you provide;
• from public-facing website usage;
• from third parties where you instruct or authorize sharing;
• from legal or operational partners where relevant and lawful.

We process personal data on one or more of the following legal bases.

We may use personal data to:

• operate and maintain the website and platform;
• allow users to start and manage cases;
• structure, classify, and evaluate complaints and claims;
• request additional information or documents;
• communicate with companies where authorized;
• coordinate mediation-related actions;
• maintain user dashboards and outcome records;
• provide customer support;
• improve our products, workflows, and documentation;
• comply with legal obligations;
• protect our legal rights and those of users or third parties.

Carentright uses automated tools, including artificial intelligence, to help structure user-submitted case information.

These tools may be used to:

• organize free-text narratives into structured case summaries;
• identify missing information;
• classify case type and issue type;
• support evidence mapping and case-readiness checks;
• improve workflow efficiency.

CRR’s documented AI architecture makes clear that the AI assists intake and structuring, but does not provide legal advice, does not make final decisions, and does not guarantee outcomes.

Automated tools are used to support operations and human review. They do not independently decide whether you will receive compensation, succeed in mediation, or proceed to legal escalation.

Carentright may use complaint-related and outcome-related data to support transparency and accountability functions of the platform.

Depending on the service and permissions involved, this may include:

• anonymized or aggregated complaint statistics;
• company-level patterns and reporting;
• public rankings, summaries, or transparency indicators;
• internal reporting and pattern detection;
• aggregated complaint or outcome metrics.

CRR’s platform design and complaints-service logic rely on pattern detection, clustering, and structured outcome logging to improve accountability and public awareness.

Where content is used for publication, reporting, or ranking purposes, we take steps to avoid public disclosure of personal identifying information unless a lawful and explicit basis exists.

We may share personal data where necessary and lawful with:

We do not sell personal data.

Your personal data may be processed in countries outside your country of residence, including outside the European Economic Area where relevant service providers are involved.

Where such transfers occur, we will take appropriate safeguards, which may include:

• European Commission adequacy decisions;
• Standard Contractual Clauses;
• contractual, technical, and organizational protections.

We retain personal data only for as long as necessary for the purposes described in this Privacy Policy, including to operate the platform, provide requested services, maintain records, and comply with legal obligations.

Retention periods may vary by category of data. For example:

• website and technical logs may be retained for security, diagnostics, and operational integrity;
• account data may be retained while the account remains active and for a reasonable period thereafter;
• case files, uploaded evidence, communications, and outcome records may be retained for longer periods where necessary for dispute handling, legal defense, compliance, audit, or pattern analysis;
• abandoned or incomplete case-intake data may be retained where needed to defend against disputes, ensure auditability, and support operational recordkeeping.

CRR’s legal architecture explicitly relies on retaining intake and consent records so incomplete or abandoned claims can be documented and defended against later disputes.

We implement appropriate technical and organizational measures to protect personal data, including measures such as:

• access controls;
• encrypted transmission where appropriate;
• secure storage systems;
• audit logging;
• restricted internal access;
• monitoring for abuse, misuse, and unauthorized access.

No method of transmission or storage is completely secure. However, we take reasonable steps appropriate to the nature of the data and the platform.

Subject to applicable law, you may have the right to:

• request access to your personal data;
• request rectification of inaccurate data;
• request deletion of personal data;
• request restriction of processing;
• object to certain processing;
• request data portability;
• withdraw consent where processing is based on consent.

To exercise these rights, contact:

privacy@carentright.com

You may also have the right to lodge a complaint with a competent data protection authority.

The platform is not intended for children, and we do not knowingly collect personal data from children in connection with our services. If we become aware that personal data from a child has been collected inappropriately, we will take reasonable steps to delete it.

We may update this Privacy Policy from time to time to reflect legal, operational, or product changes.

When significant changes are made, the updated version will be posted on this page with a revised “Last updated” date.

For general questions, you may contact:

Carentright OÜ
Harju maakond, Tallinn, Lasnamäe linnaosa, Ruunaoja tn 3, 11415, Estonia
support@carentright.com