Privacy Policy

2. Data Controller and Contact Information

Vamos Rent-A-Car is the data controller for personal information collected through our Site and services.

Registered Address:
Vamos Rent-A-Car
3, Rio Segundo, Boulevard Aeropuerto
Alajuela 20109
Costa Rica

Privacy Contact:
Email: privacy@vamosrentacar.com
Phone: +506-4000-0557

For privacy-related inquiries, including requests to exercise your data rights, please use the privacy email above. We aim to respond to all privacy requests within the timeframes required by applicable law (typically 30 days under GDPR; 45 days under CCPA, with possible extensions).

3. What Information We Collect

We collect personal information in several ways. The categories of information we collect depend on how you interact with us.

Information You Provide Directly

When you make a reservation, communicate with us, or otherwise interact with our services, you may provide:

• Identity information: First name, last name, date of birth (where required for rental qualification).
• Contact information: Email address, phone number, home address, hotel or vacation rental address (for delivery).
• Travel information: Flight number, arrival/departure dates, planned itinerary, party size.
• Payment information: Credit card number, expiration date, billing address (collected at booking and pickup; see Section 10 on security).
• Identification documents: Driver’s license, passport (for non-Costa Rican residents) — required at vehicle pickup.
• Account credentials: If applicable, login information for any customer account.
• Communications content: The content of emails, WhatsApp messages, SMS, phone notes, and any other communications you send us.
• Reviews and user-generated content: Reviews, comments, photos, and other content you submit.

Information Collected Automatically

When you use our Site, we automatically collect:

• Device and browser information: Browser type and version, operating system, device type, screen resolution, language preference.
• Usage information: Pages viewed, links clicked, time spent on pages, referring URL, exit pages, search queries on our Site.
• Location information: Approximate location derived from IP address (city/region level); precise location only if you explicitly grant browser location permission.
• Technical identifiers: IP address, cookie identifiers, mobile advertising IDs (where applicable), session identifiers.

Information From Third Parties

We may receive information about you from:

• Booking platforms and travel agents: If you book through Expedia, Booking.com, a travel agent, or another third-party platform, we receive the reservation details from that platform.
• Payment processors: Confirmation of payment authorization (we do not receive your full credit card number from payment processors after the initial transaction).
• Identity verification services: Where required for rental qualification or fraud prevention.
• Marketing partners: If you have consented to share information with our partners or have interacted with our advertising on partner platforms.

Sensitive Information

We do not intentionally collect “special category” or “sensitive” personal information (such as racial origin, religious beliefs, health information, sexual orientation, etc.) as defined under GDPR and similar regulations. If you voluntarily provide such information (for example, mentioning a disability that affects vehicle requirements), we use it only for the purpose for which you provided it.

4. How We Use Your Information

We use the information we collect for the following purposes:

To Provide and Manage Services

• Process and fulfill rental reservations.
• Verify rental qualification (driver’s license, age, payment ability).
• Communicate with you about your reservation, pickup, return, and any rental-related matters.
• Process payments and refunds.
• Provide customer service and respond to inquiries.
• Arrange vehicle delivery and shuttle services.
• Manage rental agreements and post-rental matters (damage claims, fines, etc.).

To Improve Our Services

• Analyze how users interact with our Site to improve content, features, and user experience.
• Conduct internal research and analytics.
• Test new features and services.
• Monitor and prevent fraud, abuse, and security incidents.

For Marketing and Communications (Where Permitted)

• Send transactional emails (reservation confirmations, reminders, follow-up surveys).
• Send promotional emails and newsletters about Vamos services (subject to your consent where required).
• Personalize advertising on partner platforms (Meta, Google, etc.) based on your interaction with our Site.
• Retargeting (showing Vamos advertising to users who have visited our Site).

Marketing communications are separate from our SMS program. Text-message opt-in is used only for transactional and customer-care messages about your rental, as described in the Mobile / SMS section below. You may opt out of marketing communications at any time through unsubscribe links in our emails or by contacting privacy@vamosrentacar.com.

For Legal and Compliance Purposes

• Comply with applicable laws, regulations, and lawful requests from authorities (including tax authorities such as the Ministerio de Hacienda in Costa Rica).
• Enforce our Terms of Service and rental agreements.
• Protect our legal rights and the rights of others.
• Respond to disputes, claims, and legal proceedings.

5. Legal Basis for Processing (GDPR / EU and UK Users)

If you are located in the European Union, the United Kingdom, or another jurisdiction with GDPR-equivalent privacy laws, we rely on the following legal bases for processing your personal information:

Contract (Article 6(1)(b) GDPR)

Most of our processing is necessary to perform a contract with you (your rental agreement) or to take steps at your request before entering into a contract (your reservation): processing your reservation and rental, communicating about your booking, processing payments, and fulfilling our obligations under the rental agreement.

Legitimate Interests (Article 6(1)(f) GDPR)

We process some information based on our legitimate business interests, balanced against your rights: improving our Site and services through analytics, fraud prevention and security, direct marketing to existing customers about similar services, and operational record-keeping.

Consent (Article 6(1)(a) GDPR)

For certain processing, we rely on your explicit consent, which you can withdraw at any time: non-essential cookies and tracking technologies, marketing emails to non-customers, sharing data with marketing partners, enrollment in our SMS program, and use of precise location data.

Legal Obligation (Article 6(1)(c) GDPR)

We process some information to comply with legal obligations: tax reporting to the Ministerio de Hacienda (Costa Rican tax authority), responding to law enforcement requests, and retention of certain records as required by Costa Rican law.

6. Cookies and Similar Technologies

Our Site uses cookies and similar technologies (web beacons, pixels, local storage, mobile identifiers). These technologies serve various purposes:

Strictly Necessary Cookies

These cookies are essential for the Site to function and cannot be disabled: session management (keeping you logged in, maintaining your booking state), security and fraud prevention, load balancing and Site performance, and remembering language and accessibility preferences.

Analytics Cookies

We use analytics tools to understand how users interact with our Site:

• Google Analytics 4 (GA4): Collects information about pages visited, time spent, user demographics (aggregated), and conversion events. Configured with IP anonymization where required. Google’s privacy policy.
• Amplitude: Product analytics measuring user interactions with specific features (booking flow, page navigation patterns). Used to identify usability improvements. Amplitude’s privacy policy.
• Segment: Customer data platform that collects user interaction data and routes it to the analytics and marketing tools listed in this Policy. Segment acts as a data processor on our behalf. Segment’s privacy policy.

Advertising and Marketing Cookies

We use advertising and marketing technologies to measure campaign effectiveness and reach relevant audiences:

• Google Ads: Allows us to measure conversions from Google advertising and display retargeting ads to users who have visited our Site. Google’s privacy policy.
• Meta (Facebook) Pixel: Tracks conversions from Facebook and Instagram advertising, builds custom audiences for retargeting, and measures ad effectiveness. Meta’s privacy policy.

Functional Cookies

• WordPress: Our Site is built on WordPress. WordPress sets cookies for visitor comments (if you comment on the Site, your name, email, and website may be stored in a cookie for one year for your convenience).
• Voucherify: When you use a promotional or discount code, Voucherify processes the code on our behalf to apply the appropriate discount. Voucherify’s privacy policy.

Cookie Consent

When you first visit our Site from the European Union, United Kingdom, or other jurisdiction requiring explicit consent, you will see a cookie consent banner allowing you to accept or decline non-essential cookies. You can change your cookie preferences at any time by clearing cookies and revisiting the Site.

How to Disable Cookies

You can disable cookies through your browser settings. Doing so may affect Site functionality. Browser-specific instructions are available for Google Chrome, Apple Safari, Mozilla Firefox, and Microsoft Edge.

You can also opt out of certain advertising cookies through industry tools: the Network Advertising Initiative, the Digital Advertising Alliance, and Your Online Choices (EU).

7. Service Providers and Third Parties

We share personal information with third-party service providers who help us operate our business. These providers are contractually required to protect your information and use it only for the purposes we specify. We require Data Processing Agreements (DPAs) with all material data processors, consistent with GDPR Article 28 and similar requirements.

Categories of Service Providers

• Analytics and Product Insights: Google Analytics 4 (GA4) — website analytics; Amplitude — product analytics and behavioral insights; Segment — customer data platform (routes data to other tools listed in this Policy).
• Advertising and Marketing: Google Ads — search and display advertising, conversion tracking; Meta (Facebook/Instagram) — social media advertising, conversion tracking, retargeting.
• Business Operations: WordPress — content management system hosting the Site; Voucherify — promotional code and discount management; email service providers — for transactional and marketing emails (specific provider may vary); SMS provider — delivers transactional and customer-care text messages on our behalf; payment processors — process credit card transactions (we do not store full card numbers electronically; see Section 10); customer service platforms — manage customer inquiries and reservation communications.
• Compliance and Legal: Ministerio de Hacienda (Costa Rica) — final invoices are automatically transmitted to Costa Rica’s tax authority as required by law.

When We Share Information

We share personal information with third parties in the following circumstances: with service providers as described above, under contractual confidentiality obligations; with your consent, when you have consented to sharing with specific parties; for legal compliance, when required by law, court order, or government request; to protect rights and safety, when we believe disclosure is necessary to protect our rights, your safety, or the safety of others; and in business transactions, in connection with a merger, acquisition, or sale of assets (with appropriate notice to you).

What We Do Not Do

• We do not sell your personal information to third parties for their own marketing purposes.
• We do not share your personal information with advertisers for their independent use.
• We do not knowingly transfer your personal information to data brokers.
• We do not share, sell, or otherwise disclose your text messaging originator opt-in data and consent information to any third parties for their own marketing or promotional purposes.

Mobile Information and Text Messaging (SMS)

If you opt in to our SMS program, we use your mobile phone number only to send transactional and customer-care messages related to your rental — such as booking confirmations, vehicle pick-up and drop-off instructions, and replies to the support questions you send us. We do not use SMS for unrelated marketing or promotional campaigns.

• Consent: You opt in by checking a box that is unchecked by default during the reservation process, or by texting us first. Opting in is voluntary and is not a condition of renting a vehicle.
• Message frequency: Message frequency varies based on your reservation activity.
• Rates: Message and data rates may apply.
• Help and opt-out: Reply HELP for help, or STOP to unsubscribe at any time. You may also contact us at privacy@vamosrentacar.com to be removed.
• No third-party sharing: Your mobile information and your text-messaging opt-in and consent data are never shared with third parties or affiliates for their own marketing or promotional purposes. The analytics, advertising, and marketing partners described elsewhere in this Policy (including Sections 6 and 7) do not receive your SMS opt-in or consent data.

8. International Data Transfers

Vamos is based in Costa Rica. When you use our Site or services, your personal information is transferred to and processed in Costa Rica. Our service providers may also process your information in countries other than your country of residence, including the United States, the European Union, and others.

For EU and UK Users

When we transfer your personal information outside the European Economic Area (EEA) or the United Kingdom, we rely on appropriate safeguards as required by GDPR and UK GDPR, which may include adequacy decisions (where the European Commission has determined that a country provides adequate protection), Standard Contractual Clauses (SCCs) — pre-approved contractual terms between us and our service providers — and the UK International Data Transfer Agreement (IDTA) for UK-to-non-UK transfers. For specific details about the safeguards in place for any particular transfer, contact privacy@vamosrentacar.com.

For Costa Rica

Costa Rica’s data protection law (Ley 8968) governs the processing of personal data within Costa Rica. Vamos complies with Ley 8968 and the regulations of the Prodhab (Agencia de Protección de Datos de los Habitantes).

9. Data Retention

We retain personal information only as long as necessary for the purposes for which it was collected, subject to legal retention requirements.

After the retention period expires, we either delete the information securely or anonymize it (so it can no longer be associated with you).

Exceptions

Some information may be retained longer when required by law or regulation, needed for ongoing legal proceedings, claims, or disputes, required for fraud prevention or security purposes, or where you have provided ongoing consent (e.g., marketing subscriptions).

10. Data Security

We implement technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction.

Technical Measures

• Encryption in transit: All data transmission between your browser and our Site uses TLS/SSL encryption.
• Encryption at rest: Sensitive information is encrypted when stored in our systems.
• Access controls: Only authorized personnel have access to personal information, on a need-to-know basis.
• Network security: Firewalls, intrusion detection, and regular security audits.
• Software updates: Systems are regularly updated with security patches.

Organizational Measures

• Employee training: Staff handling personal information receive privacy and security training.
• Confidentiality obligations: Employees and contractors are bound by confidentiality agreements.
• Vendor management: Service providers are vetted and required to maintain appropriate security.
• Incident response: Documented procedures for responding to security incidents.

Credit Card Information

Your full credit card numbers are not stored electronically by Vamos. Credit card data is processed through PCI-compliant payment processors and is not retained in our systems after authorization. Paper records of credit card information (for example, on signed rental agreements) are stored in a locked office for the four years required by the Ministerio de Hacienda, after which they are securely shredded.

Limitations

While we work to protect your information, no system is 100% secure. We cannot guarantee absolute security and disclaim liability for breaches caused by factors outside our reasonable control, including unauthorized acts by third parties. You are responsible for maintaining the security of your own devices and credentials.

11. Data Breach Notification

In the event of a personal data breach that creates a risk to your rights and freedoms, we will:

• EU and UK users (GDPR): Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, where required, and notify affected individuals without undue delay where the breach is likely to result in high risk to their rights and freedoms.
• Costa Rica users: Comply with notification requirements under Costa Rica’s Ley 8968 and any guidance from Prodhab.
• California users (CCPA): Notify affected California residents in accordance with California breach notification law (Cal. Civ. Code § 1798.82).
• Other U.S. state users: Comply with applicable state breach notification laws (timing and content requirements vary by state).

Even where not legally required, we will make reasonable efforts to notify affected users of significant breaches that may materially affect their privacy or security.

12. Your Rights — All Users

Regardless of your location, you have the following rights with respect to your personal information:

• Access: Request information about what personal data we hold about you.
• Correction: Request correction of inaccurate or incomplete information.
• Deletion: Request deletion of your personal information (subject to legal retention requirements).
• Communication preferences: Unsubscribe from marketing communications at any time.

To exercise any of these rights, contact privacy@vamosrentacar.com. We will respond within the timeframes required by applicable law. Additional rights specific to your jurisdiction are described in Sections 13–16.

How to Exercise Your Rights

When making a request, please provide your full name and email address used in your interactions with us, the nature of your request (access, correction, deletion, etc.), and sufficient detail to allow us to verify your identity and locate your information. We will respond within the timeframe required by your applicable law: GDPR (EU/UK) within 30 days, extendable by 60 days for complex requests; CCPA (California) within 45 days, extendable by 45 days; other jurisdictions as required by applicable law.

We do not charge for these requests, except where requests are manifestly unfounded, excessive, or repetitive (in which case we may charge a reasonable fee or refuse the request, as permitted by law).

13. Your Rights — EU and UK Users (GDPR)

If you are located in the European Union or the United Kingdom, you have specific rights under the General Data Protection Regulation (GDPR) and the UK GDPR:

• Right of Access (Article 15): Request confirmation of whether we process your personal data and, if so, a copy of that data.
• Right to Rectification (Article 16): Request correction of inaccurate or incomplete personal data.
• Right to Erasure / “Right to Be Forgotten” (Article 17): Request deletion of your personal data, subject to legal retention requirements and other exceptions.
• Right to Restriction of Processing (Article 18): Request that we restrict processing of your personal data in certain circumstances (e.g., while we verify the accuracy of disputed data).
• Right to Data Portability (Article 20): Receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.
• Right to Object (Article 21): Object to processing based on legitimate interests or for direct marketing purposes.
• Rights Related to Automated Decision-Making (Article 22): Not be subject to decisions based solely on automated processing that produce legal effects or similarly significantly affect you. See Section 17 for details.
• Right to Withdraw Consent: Where processing is based on consent, withdraw that consent at any time (without affecting the lawfulness of prior processing).

Right to Lodge a Complaint: You may file a complaint with your local data protection authority. A list of EU supervisory authorities is available at edpb.europa.eu. UK residents may file complaints with the Information Commissioner’s Office (ICO) at ico.org.uk.

14. Your Rights — California Users (CCPA / CPRA)

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

• Right to Know: Request that we disclose the categories and specific pieces of personal information we have collected about you, the sources of that information, the purposes of collecting it, and the categories of third parties with whom we share it.
• Right to Delete: Request deletion of personal information we have collected from you, subject to certain exceptions (e.g., information needed to complete transactions, comply with legal obligations, or detect fraud).
• Right to Correct: Request correction of inaccurate personal information.
• Right to Opt Out of Sale or Sharing: Direct us not to sell or share your personal information. Vamos does not sell personal information in the traditional sense, but California’s broad definition of “sharing” may apply to some advertising-related disclosures.
• Right to Limit Use of Sensitive Personal Information: Direct us to limit the use of sensitive personal information to only what is necessary to provide our services. We do not intentionally collect sensitive personal information; if collected, we use it only for necessary purposes.
• Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights. Exercising your rights will not affect the quality of service you receive or the prices you are charged.

How to Exercise Your California Rights

Contact us at privacy@vamosrentacar.com or call +506-4000-0557 (international rates apply). For California-specific requests, please indicate that you are a California resident. You may also authorize an agent to make a request on your behalf; we will require proof of the agent’s authorization and may require additional verification from you. We will respond to verifiable requests within 45 days (extendable by an additional 45 days if reasonably necessary, with notice to you).

“Do Not Sell or Share My Personal Information”

If you are a California resident and wish to opt out of any sharing of your personal information for cross-context behavioral advertising, you can manage your cookie preferences on the Site, send your browser’s Global Privacy Control (GPC) signal (which we honor as an opt-out request), or email privacy@vamosrentacar.com.

15. Your Rights — Other U.S. State Privacy Laws

In addition to California, several other U.S. states have enacted comprehensive privacy laws, including (as of the date of this Policy): the Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), Utah Consumer Privacy Act (UCPA), Texas Data Privacy and Security Act (TDPSA), Oregon Consumer Privacy Act (OCPA), Montana Consumer Data Privacy Act, and others, as state laws continue to evolve.

If you are a resident of one of these states, you generally have the right to access the personal information we have about you, correct inaccurate personal information, delete personal information (subject to exceptions), port your personal information to another controller, and opt out of targeted advertising, sale of personal information, and certain types of profiling.

To exercise these rights, contact privacy@vamosrentacar.com and indicate your state of residence. We will respond within the timeframe required by your state’s law (typically 45 days, with possible extensions). If you disagree with our response to a privacy request, you may have the right to appeal; contact us for information about the appeal process applicable to your state.

16. Your Rights — Canadian Users (PIPEDA / Quebec Law 25)

If you are located in Canada, your personal information is protected by the Personal Information Protection and Electronic Documents Act (PIPEDA) and, if you reside in Quebec, by Quebec’s Law 25 (formerly Bill 64).

Your Rights Under PIPEDA

• Access: Request access to your personal information.
• Correction: Request correction of inaccurate information.
• Withdrawal of consent: Withdraw consent for the collection, use, or disclosure of your information, subject to legal or contractual requirements.
• Complaint: File a complaint with the Office of the Privacy Commissioner of Canada at priv.gc.ca.

Additional Rights for Quebec Residents (Law 25)

• Right to data portability: Receive your personal information in a structured, commonly used technological format.
• Right to be informed of automated decision-making: Be notified when decisions affecting you are made by automated means.
• Right to deindexing: In some circumstances, request that personal information no longer be linked to search results or be re-indexed.
• Complaint: File a complaint with the Commission d’accès à l’information du Québec at cai.gouv.qc.ca.

To exercise these rights, contact privacy@vamosrentacar.com.

17. Automated Decision-Making

We may use automated systems, including artificial intelligence and algorithmic processing, in operating our Site and providing services. Examples include fraud detection (automated review of reservation information to identify potentially fraudulent transactions), email automation (automated responses to common customer inquiries), marketing personalization (algorithmic selection of relevant content or offers based on your interactions), and pricing and inventory (dynamic rate adjustments based on availability and demand).

Your Rights Regarding Automated Decisions

If an automated decision significantly affects you (for example, if your reservation is declined due to fraud detection), you have the right to request human review (a Vamos team member will review the decision and the basis for it), receive an explanation (understand the general logic and factors considered in the automated decision), provide additional information (submit information that may change the outcome), and contest the decision (challenge the result through our customer service channels).

To exercise these rights, contact privacy@vamosrentacar.com. We do not use automated decision-making with legal or similarly significant effects beyond what is reasonably necessary for fraud prevention and service operations.

18. Children’s Privacy

Our Site and services are directed to adults. We do not knowingly collect personal information from individuals under the following ages:

• United States (COPPA): 13 years old.
• European Union (GDPR): 16 years old (or lower age set by your country’s law, between 13 and 16).
• United Kingdom: 13 years old.
• Canada: 13 years old (varies by province).
• Costa Rica: 12 years old (per Ley 8968 and related regulations).

If we learn that we have collected personal information from a child under the applicable age, we will delete that information as soon as practical. If you believe we have collected personal information from a child in violation of these requirements, contact us immediately at privacy@vamosrentacar.com.

Note that the minimum age for renting a vehicle is 18 years old in Costa Rica, regardless of these privacy thresholds. See the Rental Requirements page for details.

19. Changes to This Policy

We may revise this Privacy Policy from time to time. When we make changes, the “Last updated” date at the top of this page will be revised. For material changes (changes that significantly affect your rights or our processing of your information), we will provide reasonable advance notice through the Site, by email to subscribers, or by another appropriate method. The revised Policy will take effect on the date stated, unless legally required to take effect earlier.

We encourage you to review this Policy periodically. Continued use of our Site or services after the effective date of a change constitutes acceptance of the revised Policy. For material changes to processing of EU/UK users’ personal information that require new consent (for example, processing for a new purpose not previously disclosed), we will obtain that consent before implementing the change.

20. Contact Us

For privacy-related questions, concerns, or to exercise your rights:

Email: privacy@vamosrentacar.com

Mail:
Vamos Rent-A-Car
Attn: Privacy Officer
3, Rio Segundo, Boulevard Aeropuerto
Alajuela 20109
Costa Rica

Phone: +506-4000-0557

For general inquiries unrelated to privacy, please use the contact options on our Contact Us page.