Privacy Policy

Last updated: January 7, 2026

Introduction

This Privacy Policy describes how Dizzy Solutions ("we", "us", "our", or the "Platform") collects, uses, processes, and protects personal data in connection with our vehicle rental management platform.

Who We Are

Company Information

Dizzy Solutions, MB

Company Code: 307400092

VAT Code: LT100018821610

Address: V. Nagevičiaus g. 3, LT-08237 Vilnius

Email: info@nomora.io

Website: nomora.io

Supervisory Authority

State Data Protection Inspectorate

(Valstybinė duomenų apsaugos inspekcija)

Address: L. Sapiegos g. 17, LT-10312 Vilnius, Lithuania

Email: ada@ada.lt

Website: www.ada.lt

Our Role Under GDPR

We operate in two distinct capacities depending on the data processing activity:

A) Data Processor (for Rental Customer/Driver Data)

When you rent a vehicle through one of our customers (the car rental companies), we act as a Data Processor on behalf of the rental company (the Data Controller).

What this means

The rental company determines what data is collected and why. We process and store this data on their behalf using our platform.

Your rights

You should primarily exercise your data subject rights (access, deletion, etc.) through the rental company that collected your data.

Responsibility

The rental company is responsible for ensuring they have a lawful basis to collect your data and for providing you with a privacy notice.

B) Data Controller (for Platform Accounts & Analytics)

For certain activities, we act as a Data Controller:

Our Business Customers (Rental Companies)

When rental companies sign up for our platform, create accounts, and manage their operations, we are the Data Controller for their business account information.

Customer Portal Users

When drivers create accounts in our customer portal to manage bookings and profiles, we are the Data Controller for authentication and account management data.

Platform Analytics

We collect anonymized usage analytics to improve our platform. We are the Data Controller for this analytical data.

Data We Collect & Process

Rental Customer/Driver Data (We Process on Behalf of Rental Companies)

When you rent a vehicle through one of our customers, we process the following data on their behalf:

Identity Data

  • Full name
  • Personal Identification Code
  • Date of birth
  • Nationality

Documentation

  • Driver's licenses
  • Rental agreements
  • Signed contracts

Contact Data

  • Residential address
  • Email address
  • Phone number

Financial Data

  • Payment transactions
  • Invoice details
  • Transaction references

Vehicle Usage

  • Rental dates and duration
  • Vehicle details
  • Mileage records

Technical Data

  • IP addresses
  • Login timestamps
  • Device information

Platform Account Data (We Control as Data Controller)

For our business customers and customer portal users:

Account Information

  • Organization details
  • User credentials
  • Team member roles
  • Subscription information

Usage Data

  • Feature usage patterns
  • Session duration
  • Support requests

Legal Basis for Processing

When We Act as Data Processor

The rental company (Data Controller) is responsible for establishing the legal basis. Typically:

  • Contract Performance: Processing driver data is necessary to fulfill the vehicle rental contract
  • Legal Obligation: Retention of rental agreements and driver documentation for tax, insurance, and legal compliance
  • Legitimate Interests: Fraud prevention and dispute resolution

When We Act as Data Controller

For Business Customers: Contract performance, legal obligations, and legitimate interests in platform improvement and security

For Portal Users: Contract performance for booking management and consent for optional features

For Analytics: Legitimate interests in understanding usage patterns and developing new features

How We Use Data

As Data Processor (For Rental Companies)

We use rental customer/driver data solely as instructed by the rental company:

  • Store and display rental booking information
  • Generate rental agreements and contracts
  • Process payment transactions
  • Maintain customer records and rental history
  • Provide customer portal access for bookings management
  • Generate invoices and financial reports
  • Support rental company compliance

As Data Controller (For Our Operations)

We use platform account data to:

  • Create and manage user accounts
  • Authenticate users and maintain security
  • Process subscription payments
  • Provide customer support
  • Send service-related notifications
  • Improve platform features
  • Ensure platform security and prevent fraud
  • Comply with legal obligations

Special Category Data: Personal Identification Codes

Processing Under GDPR Article 87

We process Lithuanian Personal Identification Codes (Asmens kodas) as instructed by rental companies when acting as Data Processor.

Legal Basis

GDPR Article 87 permits EU Member States to establish specific requirements for processing national identification numbers. Lithuanian law allows processing for identification and verification purposes necessary for contract performance.

Permitted Uses

  • Identity verification for rental agreements
  • Cross-referencing with driver's license
  • Legal and regulatory compliance
  • Law enforcement requests where legally mandated

Prohibited Uses

We do NOT use Personal Identification Codes for marketing, automated decision-making, or sharing with third parties except as legally required.

Enhanced Security

Personal Identification Codes are subject to encryption at rest and in transit, restricted access, detailed audit logging, and separate secure storage.

International Data Transfers

Data Storage Location

All rental customer/driver data (including Personal Identification Codes) is stored within the European Union:

  • Primary database: Supabase (hosted on AWS eu-central-1, Frankfurt, Germany)
  • File storage: UploadThing (EU region)

Sub-Processors Outside the EU

Some services transfer limited data outside the EU under appropriate safeguards:

Service | Purpose | Location | Safeguard
Clerk | Authentication | USA | EU-U.S. Data Privacy Framework + SCCs
Stripe | Payment processing | Ireland/USA | Standard Contractual Clauses
PostHog | Platform analytics | USA | Standard Contractual Clauses

Standard Contractual Clauses (SCCs)

We use the European Commission's Standard Contractual Clauses (Decision 2021/914) for all non-EU data transfers. These provide contractual guarantees that data protection standards equivalent to EU law are maintained, and you have enforceable rights.

Data Retention

Rental Customer/Driver Data

Retention periods are determined by the rental company (Data Controller). Typical retention:

  • Active rental records: Duration of rental + 30 days
  • Completed rental records: 7 years (Lithuanian tax law)
  • Driver's licenses and contracts: 7 years (legal compliance)
  • Payment records: 10 years (financial regulations)

Our Deletion Obligations

When instructed by the rental company or upon contract termination, we complete data deletion within 30 days with secure overwriting methods.

Platform Account Data

As Data Controller:

  • Active subscriptions: Duration of subscription
  • Canceled subscriptions: 90 days for account recovery
  • Financial records: 10 years (Lithuanian accounting law)
  • Inactive customer portal accounts: 24 months of inactivity
  • Deletion requests: Processed within 30 days

Analytics Data

Aggregated analytics retained indefinitely (anonymized). Individual usage logs: 12 months.

Data Sharing & Sub-Processors

We share data only as necessary to provide our services. Full sub-processor documentation is available at nomora.io/legal/dpa (Section 5).

Key Sub-Processors

Supabase (AWS)

Database hosting - All data - Germany (EU)

Clerk

Authentication - Email, tokens - USA

Stripe

Payment processing - Transaction data - Ireland/USA

Montonio

Baltic bank payments - Payment data - Estonia (EU)

Vercel

Application hosting - Technical data - Global (EU primary)

PostHog

Analytics - Anonymized usage data - USA

No Selling of Data

We do NOT sell, rent, or trade your personal data to third parties for marketing purposes.

Data Security

Technical Measures

Encryption

AES-256 at rest, TLS 1.3 in transit

Access Control

Role-based access control (RBAC) with multi-factor authentication

Database Security

Row-level security (RLS) for multi-tenant data isolation

Monitoring

24/7 automated security monitoring and intrusion detection

Organizational Measures

  • Employee background checks and confidentiality agreements
  • Regular security training and awareness programs
  • Incident response plan with defined escalation procedures
  • Annual third-party security audits
  • Vendor security assessments
  • Daily encrypted backups with 30-day retention

Breach Notification

As Data Processor: Notification to rental company within 24 hours. As Data Controller: Notification to supervisory authority within 72 hours if high risk.

Your Data Protection Rights

Right to Access

Request a copy of the personal data we hold about you

Right to Rectification

Request correction of inaccurate or incomplete data

Right to Erasure

Request deletion of your personal data in certain circumstances

Right to Restriction

Request that we limit how we use your data

Right to Data Portability

Receive your data in a structured, commonly used format

Right to Object

Object to processing based on legitimate interests

How to Exercise Your Rights

For Rental Customer/Driver Data

Contact the rental company directly - they are the Data Controller. If you cannot reach the rental company, contact us at info@nomora.io and we will assist.

For Platform Account Data

Email: info@nomora.io with subject "GDPR Data Subject Request". Include your full name, email address, and specific request. Response time: 30 days (may extend to 60 days for complex requests).

Cookies & Tracking Technologies

Essential Cookies

  • Authentication session cookies (Clerk)
  • CSRF protection tokens
  • Load balancing and performance

Analytics Cookies

  • PostHog analytics (anonymized usage tracking)
  • Error monitoring and diagnostics

Your Choices

Cookie Consent: We display a cookie consent banner on first visit. You can accept all cookies, reject non-essential cookies, or manage preferences in your browser settings.

Opt-Out: Most browsers allow you to block cookies. PostHog opt-out is available in our cookie consent manager. We respect browser Do Not Track signals.

We do NOT use third-party advertising or tracking cookies.

Children's Privacy

Our platform is not directed at children under 16 years of age. We do not knowingly collect personal data from children.

If we become aware that we have collected data from a child without parental consent, we will delete it promptly. Parents/guardians: If you believe your child has provided us with personal data, contact us at info@nomora.io.

Changes to This Policy

Updates

We may update this Privacy Policy to reflect:

  • Changes in our data processing practices
  • New legal or regulatory requirements
  • Service improvements or new features

Notification

Material Changes: We will notify you by email and/or prominent notice on our platform at least 30 days before the changes take effect.

Minor Changes: We will update the "Last Updated" date at the top of this policy.

Version History: Version 1.0 - January 7, 2026 (Initial publication)

Questions About Your Privacy?

For data protection inquiries, GDPR requests, or general privacy questions, please contact us:

Email: info@nomora.io

Response time: Within 5 business days