Privacy policy

Important notice

This Privacy Policy explains how LocalWheels Albania (“LocalWheels”, “we”, “us”) processes personal data when you use our website and services. It is designed to be detailed and aligned with transparency duties under Albanian personal-data legislation (Law No. 9887/2008 “On the Protection of Personal Data” and subsequent amendments and bylaws) and, where applicable, the EU General Data Protection Regulation (GDPR) for users who fall within its scope. It is not legal advice; consult a lawyer for your specific situation.

Data controller and contact

The data controller for personal data processed through this marketplace is the operating entity behind LocalWheels Albania as identified on the website’s legal/imprint or contact page. For data-protection requests (access, correction, deletion where applicable, objections, complaints), contact us through the email or postal address published on the Contact page. We may ask reasonable questions to verify your identity before fulfilling requests.

Categories of personal data we process

Account and profile: email address, password hash, display name, account role (renter / owner / admin), preferred language, account closure timestamps, and similar account metadata.

Identity and eligibility: where offered, identity verification status, uploaded identity document references or URLs, and related review notes accessible only to authorised staff.

Owner / host business data: phone numbers shown or stored for hosting workflows, bank or payout details if collected for host settlements, internal wallet ledger references, and promotion purchase history.

Booking and trip data: renter and host identifiers linked to a booking, vehicle ID, pickup and return instants, pickup and drop-off location IDs, booking status, optional renter message text, child seat count requested, outside-country selection flag, voucher identifiers and discount amounts applied, frozen “listing terms snapshot” JSON capturing pricing/policy fields at booking time, fee and deposit amounts in EUR/cents, Stripe identifiers (session ID, payment intent ID, payment status, paid-at timestamp), refund status fields, pickup/return dispute descriptions, URLs or JSON arrays of proof images uploaded to cases, administrative ruling fields, and timestamps for lifecycle events (vehicle returned, host acknowledgement, etc.).

Messaging: booking message bodies, sender user ID, timestamps, and optional attached image URLs for dispute evidence.

Payments metadata: we do not store full payment card numbers or CVC codes. Stripe provides tokens, payment intent IDs, charge status, and amounts. We store our own breakdown of checkout line items in cents for accounting and customer support.

Technical and security: server logs may contain IP addresses, user-agent strings, timestamps, request paths, error diagnostics, and anti-abuse signals.

Cookies and local storage: see the dedicated section below.

Marketing: we only send promotional communications where we have a lawful basis (typically consent or soft opt-in where permitted). You can withdraw marketing consent at any time.

Special categories of data

Identity documents may contain data considered sensitive under Albanian or EU law (for example data revealing nationality or biometric likeness in a photo ID). We process such data only where necessary for verification, fraud prevention, or legal compliance, and with appropriate access restrictions. If you do not wish to provide this data, you may be unable to use verification-gated features.

Purposes and legal bases (Albania / GDPR-style mapping)

Performing the contract with you (Article 6(1)(b) GDPR-style; analogous contractual necessity under Albanian law): creating accounts, publishing listings, processing booking requests, calculating prices, operating messaging, displaying booking history, and processing card payments for platform fees/holds through Stripe.

Legitimate interests (Article 6(1)(f) GDPR-style; balanced against your rights): fraud detection, network security, debugging, product analytics that does not require consent where not using non-essential cookies, enforcing our Terms, and defending legal claims.

Legal obligation (Article 6(1)(c)): tax, accounting, and responding to lawful requests from public authorities.

Consent (Article 6(1)(a)): non-essential cookies / optional analytics when we enable them and you opt in via the banner; any optional marketing you explicitly agree to.

Where Albanian law applies without the GDPR, we still apply similar principles: purpose limitation, data minimisation, security, and retention aligned with the purposes above.

Recipients and processors

We share personal data with subprocessors strictly as needed:

Stripe Payments Europe Ltd (or other Stripe entities depending on configuration) for card payments, refunds, and fraud signals — subject to Stripe’s privacy policy and, where relevant, the Stripe Data Processing Agreement.

Hosting, database, and email delivery providers that store or transmit data on our behalf under contractual confidentiality and security obligations.

Cloudinary (or similar) for hosting uploaded vehicle photos, chat/dispute proof images, and verification images.

Professional advisers (lawyers, accountants) under professional secrecy when required.

Public authorities when a lawful, properly scoped request requires disclosure.

We do not sell your personal data in the sense of trading lists for money. Any future analytics or advertising partner would be listed here before processing begins.

International transfers

Some providers (notably Stripe and US-based infrastructure) may process data outside Albania or the EEA. Where GDPR applies, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) and/or adequacy decisions, supplemented by technical and organisational measures. Albanian law likewise requires guarantees for transfers; we implement contractual protections with processors.

Retention periods (indicative)

Active account data: for the life of the account plus a short technical grace period.

Closed accounts: we may anonymise or delete personal identifiers where possible; certain records (hashed audit trails, booking IDs without direct identifiers) may be kept longer where law requires.

Bookings and invoices: typically kept for at least the statutory accounting and tax retention period applicable to our company (often multiple years — exact duration follows Albanian accounting/tax law and our auditor’s guidance).

Stripe transaction metadata: aligned with financial reconciliation needs and chargeback windows.

Server logs: rotated on a short cycle unless needed for security investigations.

Verification documents: retained only as long as needed for the verification purpose and legal defence, then deleted or anonymised unless a longer period is mandatory.

Exact schedules may be refined internally; you may request a summary for your data in a subject access request.

Your rights

Depending on applicable law, you may have the right to: access your personal data; request correction of inaccurate data; request deletion where appropriate; request restriction of processing; object to certain processing based on legitimate interests; withdraw consent where processing was consent-based; and receive a machine-readable copy of data you provided (data portability) where technically feasible.

You may lodge a complaint with a supervisory authority. For GDPR-covered processing, this may be the supervisory authority in your habitual residence, place of work, or the place of the alleged infringement. For Albania-only processing, complaints may be directed to the Albanian Commissioner for Information and Data Protection (Komisioneri për të Drejtën e Informimit dhe Mbrojtjen e të Dhënave Personale) as provided by Law 9887 and current contact details published by that authority.

Automated decision-making: we do not make solely automated decisions with legal or similarly significant effects on you without human review; pricing is deterministic from rules you can inspect in the Terms and listing disclosures.

Cookies, local storage, and similar technologies

Essential / strictly necessary: authentication session cookies where the product uses cookie-based sessions; security cookies; and first-party storage such as `lw_locale` (language preference, typically up to one year) needed to show the correct language. These do not require consent under EU ePrivacy guidance but we disclose them here.

Optional analytics: disabled by default. If you click “Accept all” in the cookie banner, we may record consent in local storage and load analytics tools when enabled. You can withdraw by clearing site data or using future preference controls if we add them.

Do Not Track: there is no uniform standard; we currently do not respond to DNT browser signals beyond applying default privacy settings described here.

Children

The service is directed at adults who can enter into rental arrangements. We do not knowingly register children under the age required by Albanian law to consent to data processing without parental authority. If you believe a minor has provided data, contact us to delete it.

Security

We implement technical and organisational measures appropriate to the risk: TLS for transport encryption, access controls for staff, password hashing for credentials, and segregation of production secrets. No online system is perfectly secure; report suspected vulnerabilities through our contact channel.

Changes to this Policy

We will update this Privacy Policy when our processing changes. The “Last updated” date will be revised. Material changes will be highlighted where practicable (website notice or email).