Privacy Policy

Last updated: February 2026

1. Introduction

Gorendi ("we", "our", "the Platform") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains what information we collect, how we use it, and your rights regarding your data.

The Platform is accessible at gorendi.com and serves users primarily in the European Union, including the Baltics and Scandinavia. We process data in compliance with the General Data Protection Regulation (GDPR).

2. Information We Collect

2.1 Information you provide directly

When you create an account, we collect your name and email address. If you register through Google OAuth, we receive your name, email and profile photo from Google. You may optionally provide a phone number, Telegram username, WhatsApp number, and a personal description on your profile.

2.2 Listing information

When you create a listing, we collect the details you provide: title, description, location (country and city), pricing, photos, vehicle specifications, camping spot amenities, or equipment details. Photos are stored on our servers.

2.3 Booking and communication data

When you make or receive a booking, we store the booking details (dates, price, status). Messages exchanged between users through the Platform chat are also stored.

2.4 Automatically collected information

When you visit Gorendi, our server may log your IP address, browser type, pages visited and timestamps. We use cookies for authentication (keeping you logged in) and session management.

3. How We Use Your Information

We use your personal data for the following purposes:

To create and manage your user account. To display your listings to other users. To facilitate bookings and communication between owners and renters. To send you email notifications about booking requests, booking status changes, new messages and reviews (subject to your notification preferences). To moderate content and enforce our Terms & Conditions, including photo moderation using automated tools. To detect and prevent fraud, abuse and security incidents. To improve the Platform and user experience.

4. Legal Basis for Processing (GDPR)

We process your personal data based on the following legal grounds:

Contract performance: Processing necessary to provide our services — account creation, bookings, messaging, and listing management.

Legitimate interest: Platform security, fraud prevention, content moderation, and service improvement.

Consent: Marketing emails (you can opt out at any time in your account settings).

Legal obligation: Where we are required to retain or share data by law.

5. Information Sharing

We share your information only in the following cases:

With other users: When you create a listing, your listing details and the name on your profile are visible to other users. When a booking is confirmed, limited contact information may be shared between the owner and renter to facilitate the rental.

Service providers: We use third-party services for email delivery (SMTP), Google OAuth for authentication, and Google Cloud Vision for automated photo moderation. These services process data on our behalf and are bound by their own privacy policies.

Legal requirements: We may disclose your data if required by law, court order, or to protect the rights and safety of Gorendi, our users, or the public.

We do not sell your personal data to third parties. We do not share your data with advertisers.

6. Data Storage & Security

Your data is stored on secure servers located in the European Union. We implement appropriate technical and organisational measures to protect your personal data, including encrypted connections (HTTPS/SSL), secure password hashing (bcrypt), session-based authentication with JWT tokens, rate limiting to prevent brute-force attacks, input validation and SQL injection prevention, and access controls limiting who can view sensitive data.

While we take reasonable steps to protect your data, no method of transmission over the internet or electronic storage is 100% secure.

Identity Verification Data

If you choose to verify your identity, you upload a photo of a government-issued document. This image is processed only to confirm your identity and is permanently deleted the moment a decision is made. We do not store document photos or document numbers. We retain only a confirmation that your identity was verified, the name as shown on the document, and a one-way cryptographic hash used solely to prevent the same document from being linked to multiple accounts. The original document number cannot be recovered from this hash.

7. Cookies

Gorendi uses a minimal number of cookies, strictly for functionality:

Authentication cookie: Keeps you logged in during your session and between visits (valid for 30 days).

Session cookie: Stores temporary session data required for the Platform to function.

We do not use advertising cookies, tracking pixels or third-party analytics tools. You can disable cookies in your browser, but this may affect your ability to use the Platform (e.g. staying logged in).

8. Data Retention

We retain your personal data for as long as your account is active. If you delete your account, we will remove your personal data, profile information and listings. However, some data may be retained for a limited period to comply with legal obligations, resolve disputes, or enforce our terms.

Reviews you have left on other listings will be anonymised (your name will be replaced with "Deleted User") but will not be removed, as they serve the legitimate interest of maintaining trust on the platform.

Messages in conversations with other users will be retained for the other party's reference, but your name will be anonymised.

9. Your Rights Under GDPR

As a user in the EU, you have the following rights regarding your personal data:

Right of access: You can request a copy of the personal data we hold about you.

Right to rectification: You can update or correct your data at any time through your account settings.

Right to erasure: You can delete your account and associated data through the account settings page.

Right to data portability: You can request your data in a structured, commonly used format.

Right to restrict processing: You can request that we limit how we process your data in certain circumstances.

Right to object: You can object to processing based on legitimate interest.

Right to withdraw consent: Where processing is based on consent (e.g. marketing emails), you can withdraw it at any time in your notification settings.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

10. Children's Privacy

Gorendi is not intended for users under 18 years of age. We do not knowingly collect personal data from children. If you believe a child has created an account, please contact us and we will promptly delete the account.

11. International Data Transfers

Your data is primarily stored and processed within the European Union. If any data is transferred outside the EU (for example, through third-party service providers), we ensure appropriate safeguards are in place in accordance with GDPR requirements.

12. Changes to This Policy

We may update this Privacy Policy from time to time. If we make significant changes, we will notify you by email or by posting a notice on the Platform. We encourage you to review this page periodically.

13. Rental Operator Data (External Listings)

Some listings in our catalogue are created by Gorendi based on publicly available information from rental operators’ own websites ("external listings"). For these listings we store the operator’s business contact details exactly as published by the operator: business name, business email address, business phone number and website address. We never buy contact data and never take it from sources where the operator has not chosen to publish it.

We process this data on the basis of legitimate interest (Article 6(1)(f) GDPR): connecting travellers who submit a genuine booking request with the operator they wish to rent from. A documented Legitimate Interest Assessment is maintained for this processing and is available on request.

Operators only receive transactional emails from us: the forwarded booking request of a specific client, sent to the address the operator publishes for booking enquiries. These emails contain no advertising, and we never send follow-up or marketing emails to operators without their consent.

Every such email contains a one-click removal link. Using it permanently removes all of the operator’s listings from Gorendi and adds the operator’s email address to a permanent suppression list, ensuring no further emails are ever sent. Operators can also object to this processing at any time by writing to [email protected] — we honour every objection without requiring justification.

14. Contact & Complaints

If you have any questions about this Privacy Policy or want to exercise your data rights, contact us at [email protected].

If you are not satisfied with our response, you have the right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) at www.aki.ee, or with the data protection authority in your country of residence.