Last updated: December 8, 2025
This Data Processing Agreement ("DPA") forms part of the
Terms & Conditions between QRentify
("Processor") and any real-estate agency, property manager, or
landlord using QRentify to receive tenant applications ("Controller").
This DPA governs the processing of personal data by QRentify on
behalf of the Controller in accordance with Article 28 of the EU
General Data Protection Regulation (GDPR).
1. Definitions
"Controller" means the agency using QRentify to
collect and evaluate tenant dossiers.
"Processor" means QRentify.
"Data Subject" means a tenant submitting personal
information through QRentify.
"Personal Data" means any information relating to an
identified or identifiable natural person.
"Processing" means any operation performed on
personal data.
"Sub-processor" means any third party engaged by
QRentify to process personal data.
2. Roles and Responsibilities
2.1 Controller Responsibilities
The Controller:
- Determines the purposes and means of processing tenant data
-
Is responsible for ensuring lawful collection and use of tenant data
-
Must comply with GDPR requirements such as transparency, legal basis,
and user rights
-
Must evaluate whether the data requested from tenants is necessary and
proportionate
⚠️
QRentify is not responsible for the Controller's compliance with
GDPR.
2.2 Processor Responsibilities
QRentify processes personal data solely on behalf of the Controller and
only in accordance with:
- This DPA
- The Controller's documented instructions
- Applicable laws
QRentify will not use tenant personal data for its own purposes unless:
- Data is anonymized/aggregated, or
- QRentify has obtained explicit consent from the tenant
3. Subject Matter and Purpose of Processing
QRentify processes personal data for the purpose of:
- Collecting tenant applications
- Storing tenant documents
- Transmitting dossiers to the agency
- Enabling communication between tenant and agency
- Providing technical support and platform functionality
ℹ️ QRentify does not decide how tenant data is evaluated or used by
the Controller.
4. Types of Personal Data Processed
QRentify may process the following categories of tenant data:
- Contact information (name, email, phone number)
- Identification documents (ID card, passport)
- Proof of income (payslips, bank statements)
- Employment documents
- Rental history
- Additional documents requested by the Controller
5. Rights of Data Subjects
QRentify will:
-
Assist the Controller in responding to access, correction, deletion,
and portability requests
-
Delete tenant data upon request, unless retention is required by law
-
Notify the Controller if a tenant exercises GDPR rights directly with
QRentify
6. Retention and Deletion
6.1 Retention
QRentify stores tenant documents for a
maximum of 3 months, unless:
- The tenant requests earlier deletion
- Law requires longer retention
- The Controller requests earlier deletion
6.2 Post-retention
After the retention period, QRentify will:
- Delete or anonymize tenant documents
-
Retain only aggregated, non-personal statistical data for analytics
and service improvement
ℹ️ Aggregated data cannot identify any tenant and may be used for
future business development.
7. Security Measures
QRentify implements appropriate technical and organizational measures,
including:
- Encrypted data transmission (HTTPS)
- Secure hosting infrastructure
- Access controls and authentication
- Isolated storage environments
- Periodic security updates
- Logging and monitoring
- Automatic deletion processes
⚠️
The Controller is responsible for securing data after downloading
or exporting it from QRentify.
8. Sub-processors
QRentify may use sub-processors to provide hosting, payment processing,
email delivery, or analytics services.
Sub-processors may include:
- Hosting providers
- Payment processors
- Email providers
- Cloud infrastructure partners
QRentify ensures all sub-processors:
- Are GDPR-compliant
- Provide adequate security measures
A list of sub-processors can be provided upon request.
9. International Data Transfers
QRentify may transfer data outside Estonia or the EU.
When such transfers occur, QRentify ensures:
- The receiving country has an adequacy decision, OR
- Standard Contractual Clauses (SCCs) are in place, OR
- Other lawful transfer mechanisms are used
10. Data Breach Notification
In case of a personal data breach, QRentify will:
- Notify the Controller without undue delay
-
Provide available details, including:
- Nature of the breach
- Categories of affected data
- Measures taken to mitigate harm
- Assist the Controller in fulfilling regulatory obligations
⚠️
The Controller remains responsible for notifying authorities and
Data Subjects unless otherwise agreed.
11. Audits
Upon reasonable notice, the Controller may request an audit of
QRentify's data processing practices.
Audits may be satisfied through:
- QRentify's documentation
- Security certifications
- Questionnaires
- Remote assessment
On-site audits may be refused if disproportionate or disruptive.
12. Prohibited Processing
QRentify will not:
- Sell tenant personal data
- Use tenant data for independent marketing
-
Disclose tenant data to third parties without consent or lawful basis
ℹ️ Only anonymized, aggregated, or statistical data may be used freely
by QRentify.
13. Term and Termination
This DPA remains in effect as long as the Controller uses QRentify.
Upon termination:
-
QRentify will delete tenant personal data according to retention rules
-
The Controller remains responsible for data stored outside the
platform
14. Governing Law
This DPA is governed by the laws of Estonia.
Any disputes will be resolved exclusively in the courts of Estonia.
15. Contact Information