Privacy Policy

Last updated: May 27, 2026

This policy explains how Zentia Labs LLC handles personal data in the context of Vico, its digital check-in and virtual counter solution for car rental companies.

Vico is a B2B2C product: the rental company (customer) deploys it so that its end users (travelers) can complete digital self-service check-in. The customer acts as data controller for its end users’ data; Zentia Labs acts as data processor.

1. Controller and scope

Vico is a digital check-in and virtual counter service operated by Zentia Labs LLC, enabling car rental companies to digitize the vehicle pick-up, identity verification, and contract signing process.

The rental company that integrates Vico into its operations is the primary data controller for the personal data of its end users (travelers). Zentia Labs acts as data processor for that data, following the customer’s documented instructions and the applicable data processing agreement.

Zentia Labs acts as independent controller for B2B marketing, customer account onboarding, support, billing, security, and use of its own websites and admin portals.

2. Processing locations

Zentia Labs LLC processes the personal data covered by this policy from the following locations:

  • United States of America: registered office of Zentia Labs and primary location of cloud infrastructure, storage, and AI-model subprocessors.
  • Spain: authorized Zentia Labs personnel (product, engineering, support).
  • Colombia: authorized Zentia Labs personnel (product, engineering, support).

By accepting our terms, the customer expressly authorizes these processing locations and undertakes to reflect them in the information provided to its end users whenever applicable law so requires. Safeguards for international transfers are detailed in the corresponding section.

3. Categories of data we process

  • Identification data: photos of national ID, passport, or equivalent document; driver license photograph.
  • Biometric data: selfies with liveness detection, biometric liveness scores, and facial match scores. These data constitute special categories of personal data under GDPR Art. 9.
  • Vehicle inspection data: vehicle damage photographs taken during check-in and check-out.
  • Electronic signature data: strokes, timestamps, document hash, and data associated with the rental contract signing process.
  • Payment data: pre-authorizations and charges processed through Stripe; Zentia Labs does not store full card numbers.
  • Rental contract data: name, dates, assigned vehicle, terms, extras, and other data included in the generated contract.
  • Customer account data (B2B): users, roles, credentials, configuration, billing data, and tax identifiers.
  • Technical and usage data: IP address, browser, device, logs, security events, and product analytics.

4. Purposes of processing

  • Identity verification (KYC): validate the traveler’s identity by comparing the identity document, selfie, and biometric liveness detection.
  • Generation and electronic signing of rental contracts.
  • Photographic vehicle damage inspection at pick-up and return.
  • Payment charges and pre-authorizations on behalf of the customer.
  • Integration with the customer’s reservation management system (RMS).
  • Provide the contracted technology, host the infrastructure, and maintain the security of the service.
  • Manage customer accounts, support, billing, and compliance with legal and tax obligations.

5. Legal basis and privacy roles

  • Performance of the contract: processing of traveler data is necessary to execute the digital check-in process and formalize the requested rental contract.
  • Legal obligation: retention of contractual, accounting, and tax data as required by applicable law.
  • Legitimate interests: security, fraud prevention, product improvement, B2B relationship management with customers, and reasonable professional communications.
  • Explicit consent of the data subject (GDPR Art. 9.2.a): for the processing of biometric data derived from liveness detection. The traveler gives explicit consent before starting the biometric verification process. This consent is freely given, specific, informed, and revocable.
  • The customer (rental company) acts as data controller for its end users’ data. Zentia Labs acts as data processor under documented instructions and the applicable data processing agreement.

6. Who we share data with

To deliver the service, Zentia Labs relies on providers and subprocessors belonging to the following standard technology categories, the use of which the customer authorizes by accepting our terms: cloud infrastructure and hosting, storage, KYC and biometrics, payment gateways and providers, transactional email, CRM and marketing email, analytics, and observability.

  • The rental company using Vico (data controller): receives check-in data, KYC verification results, signed contracts, damage photos, and payment data of its own customers.
  • Stripe: payment processing and pre-authorizations.
  • Google Cloud Platform: infrastructure, compute, and storage.
  • Upstash: real-time cache and storage (Redis).
  • Resend: transactional email (confirmations, notifications).
  • Brevo: CRM and B2B marketing email directed at customers.
  • Professional advisers and public authorities where there is a legal obligation, defence need, or valid request.

Zentia Labs will notify the customer with reasonable advance notice of any material change of subprocessors with impact on the processing of personal data; the customer may object on reasonable, justified grounds. Zentia Labs does not sell personal data and does not use WhatsApp Business or conversational messaging integrations in Vico.

7. Use of data for service improvement and AI models

In addition to the processing activities described in the purposes above, Zentia Labs may process aggregated, anonymized, or pseudonymized data derived from use of the service for the following additional purposes:

  • Provision and technical improvement of the service: debugging, performance, reliability, and quality of response.
  • Internal training and evaluation of the AI models used by the service, as well as tuning of prompts, instructions, and heuristics.
  • Aggregated statistical analyses of the vehicle-rental sector (for example, demand metrics, sentiment, types of queries) that do not allow identification of specific natural persons.
  • Development of new features and adjacent services that may benefit existing and future customers.

In no case do we use identifiable end-customer conversational content to train AI models of third-party providers for purposes other than the provision of the contracted service. When models from external providers (subprocessors) are used, the contractual agreements and usage policies of those providers apply, which prohibit the use of customer data to train the provider’s own models unless there is an explicit opt-in.

8. International transfers

Provision of the service involves processing personal data across the United States – Spain – Colombia triangle, as described in the "Processing locations" section. Additionally, certain subprocessors may operate from other countries outside the European Economic Area.

To legitimize these international transfers we apply the safeguards recognized by applicable law, in particular:

  • Standard Contractual Clauses (SCCs) adopted by the European Commission under Decision (EU) 2021/914, Module 2 (Controller to Processor), for transfers from Spain or any other EEA country to the United States and Colombia.
  • Model contractual clauses published by the Colombian Superintendence of Industry and Commerce (SIC) for international transfers originating in Colombia.
  • United States legal framework applicable to Zentia Labs LLC as a company incorporated in the State of Wyoming, including the contractual obligations undertaken in the data processing agreement.
  • Adequacy decisions, recognized certifications, or reasonable supplementary technical measures where applicable.

The data processing agreement (DPA) incorporated into the terms of service constitutes, by itself, the contractual safeguard mechanism for transfers between the customer and Zentia Labs, since it incorporates obligations, guarantees, and rights equivalent to those provided by the safeguards above. For additional transfers to subprocessors, Zentia Labs relies on the DPAs and transfer clauses published by those providers.

9. Retention periods

  • Biometric and KYC data (selfies, liveness, scores): according to applicable regulations and the configuration defined by the customer; deleted once verification is complete unless the law requires a longer retention period.
  • Identity document and driver license photos: for the duration of the rental contract and the claims period defined by the customer.
  • Vehicle damage photos: for the duration of the rental contract plus the claims period configured by the customer.
  • Electronic signature and contract data: while the commercial relationship with the customer exists and afterwards for the legally required retention periods.
  • Billing and accounting data: 6 years in accordance with applicable tax law.
  • Customer account data: while the commercial relationship exists and afterwards for the legally required periods.
  • Security and access logs: usually up to 12 months, unless investigation is required.
  • Data derived from service use in aggregated, anonymized, or pseudonymized form: may be retained for up to 24 additional months for service improvement and defence of claims.

10. Security and data processing agreement

  • We apply enhanced technical and organizational measures given the sensitive nature of biometric data, including encryption in transit and at rest, role-based access controls, and least-privilege principle.
  • Internal data access is limited to authorized personnel with a functional need and confidentiality obligations.
  • Biometric liveness data is processed in isolation and deleted according to the configured retention policy.
  • The processor relationship for customer operational data is governed through contract and the applicable data processing agreement, including subprocessors and security commitments.

11. Rights and request handling

Where applicable, you may exercise rights of access, rectification, erasure, objection, restriction, and portability. You may withdraw the consent given for biometric processing at any time, without affecting the lawfulness of prior processing.

If the request relates to traveler data collected through Vico, the primary route should be the rental company as data controller. Nevertheless, data subjects may also direct their requests subsidiarily to Zentia Labs; in that case we will forward the request to the customer without undue delay and assist with its resolution in our role as data processor.

  • Requests about customer accounts, billing, support, or use of our websites: contact us at privacy@virtual-counter.com.
  • Requests about check-in data, KYC, contract, or damage data as a traveler: contact the rental company where you completed check-in first.

12. Changes to this policy

We may update this policy to reflect legal, technical, or product changes. The current version will be published on this page together with its last update date.

Contact

Controller
Zentia Labs LLC, 30 N Gould St Ste N, Sheridan, WY 82801, USA

If you live in Spain or another EEA country and believe that the processing of your data does not comply with applicable law, you may lodge a complaint with the competent supervisory authority.