Privacy Policy

Last updated: April 5, 2026

This policy explains how Zentia Labs LLC handles personal data in the context of Vico, its digital check-in and virtual counter solution for car rental companies.

Vico is a B2B2C product: the rental company (operator) deploys it so that its end customers (travelers) can complete digital self-service check-in. The operator acts as data controller for its end customers' data; Zentia Labs acts as data processor.

1. Controller and scope

Vico is a digital check-in and virtual counter service operated by Zentia Labs LLC, enabling car rental companies to digitize the vehicle pick-up, identity verification, and contract signing process.

The rental company that integrates Vico into its operations is the primary data controller for the personal data of its end customers (travelers). Zentia Labs acts as data processor for that data, following the operator's documented instructions and the applicable data processing agreement.

Zentia Labs acts as independent controller for B2B marketing, operator account onboarding, support, billing, security, and use of its own websites and admin portals.

2. Categories of data we process

  • Identification data: photos of national ID, passport, or equivalent document; driver license photograph.
  • Biometric data: selfies with liveness detection, biometric liveness scores, and facial match scores. These data constitute special categories of personal data under GDPR Art. 9.
  • Vehicle inspection data: vehicle damage photographs taken during check-in and check-out.
  • Electronic signature data: strokes, timestamps, document hash, and data associated with the rental contract signing process.
  • Payment data: pre-authorizations and charges processed through Stripe; Zentia Labs does not store full card numbers.
  • Rental contract data: name, dates, assigned vehicle, terms, extras, and other data included in the generated contract.
  • Operator account data (B2B): users, roles, credentials, configuration, billing data, and tax identifiers.
  • Technical and usage data: IP address, browser, device, logs, security events, and product analytics.

3. Purposes of processing

  • Identity verification (KYC): validate the traveler's identity by comparing the identity document, selfie, and biometric liveness detection.
  • Generation and electronic signing of rental contracts.
  • Photographic vehicle damage inspection at pick-up and return.
  • Payment charges and pre-authorizations on behalf of the operator.
  • Integration with the operator's reservation management system (RMS).
  • Provide the contracted technology, host the infrastructure, and maintain the security of the service.
  • Manage operator accounts, support, billing, and compliance with legal and tax obligations.

4. Legal basis and privacy roles

  • Performance of the contract: processing of traveler data is necessary to execute the digital check-in process and formalize the requested rental contract.
  • Legal obligation: retention of contractual, accounting, and tax data as required by applicable law.
  • Legitimate interests: security, fraud prevention, product improvement, B2B relationship management with operators, and reasonable professional communications.
  • Explicit consent of the data subject (GDPR Art. 9.2.a): for the processing of biometric data derived from liveness detection. The traveler gives explicit consent before starting the biometric verification process. This consent is freely given, specific, informed, and revocable.
  • The operator (rental company) acts as data controller for its end customers' data. Zentia Labs acts as data processor under documented instructions and the applicable data processing agreement.

5. Who we share data with

  • The rental company using Vico (data controller): receives check-in data, KYC verification results, signed contracts, damage photos, and payment data of its own customers.
  • Stripe: payment processing and pre-authorizations.
  • Google Cloud Platform: infrastructure, compute, and storage.
  • Upstash: real-time cache and storage (Redis).
  • Resend: transactional email (confirmations, notifications).
  • Brevo: CRM and B2B marketing email directed at operators.
  • Professional advisers and public authorities where there is a legal obligation, defence need, or valid request.

Zentia Labs does not sell personal data. It does not use WhatsApp Business or conversational messaging integrations in Vico.

6. International transfers

Some providers or infrastructure may operate outside the European Economic Area. When this happens, we apply appropriate safeguards under applicable law, such as standard contractual clauses, adequacy decisions, or reasonable supplementary technical measures.

7. Retention periods

  • Biometric and KYC data (selfies, liveness, scores): according to applicable regulations and the configuration defined by the operator; deleted once verification is complete unless the law requires a longer retention period.
  • Identity document and driver license photos: for the duration of the rental contract and the claims period defined by the operator.
  • Vehicle damage photos: for the duration of the rental contract plus the claims period configured by the operator.
  • Electronic signature and contract data: while the commercial relationship with the operator exists and afterwards for the legally required retention periods.
  • Billing and accounting data: 6 years in accordance with applicable tax law.
  • Operator account data: while the commercial relationship exists and afterwards for the legally required periods.
  • Security and access logs: usually up to 12 months, unless investigation is required.

8. Security and data processing agreement

  • We apply enhanced technical and organizational measures given the sensitive nature of biometric data, including encryption in transit and at rest, role-based access controls, and the least-privilege principle.
  • Internal data access is limited to authorized personnel with a functional need and confidentiality obligations.
  • Biometric liveness data is processed in isolation and deleted according to the configured retention policy.
  • The processor relationship for operator operational data is governed through contract and the applicable data processing agreement, including subprocessors and security commitments.

9. Rights and request handling

Where applicable, you may exercise rights of access, rectification, erasure, objection, restriction, and portability. You may withdraw the consent given for biometric processing at any time, without affecting the lawfulness of prior processing.

If the request relates to traveler data collected through Vico, the primary route should be the rental company as data controller. Zentia Labs will assist the operator in its processor role where applicable.

  • Requests about operator accounts, billing, support, or use of our websites: contact us at privacy@virtual-counter.com.
  • Requests about check-in data, KYC, contract, or damage data as a traveler: contact the rental company where you completed check-in first.

10. Changes to this policy

We may update this policy to reflect legal, technical, or product changes. The current version will be published on this page together with its last update date.

Contact

Controller
Zentia Labs LLC, 30 N Gould St Ste N, Sheridan, WY 82801, USA

If you live in Spain or another EEA country and believe that the processing of your data does not comply with applicable law, you may lodge a complaint with the competent supervisory authority.