Does Citty have a system of discounts for regular customers?

Yes. As soon as you return our car and voice your intention next time for sure to rent a car from us, you will be given a discount code, which provides a discount of 5$ per day from the tariff for renting any Citty car. And during the next year it can be used not only by you, but also by any person to whom you want to render this small service.

What are the requirements for a tenant at Citty?

You must be at least 23 years old and have at least 3 years of driving experience. Documents required to sign a rental agreement: passport and a valid international driver's license. However, if your driver's license valid in your country has a Latin variant of data spelling, it is acceptable.

What is included in the rental car rate?

Payment of the car rental tariff provides you with the right to limitation of liability for damage to the car (CDW), limitation of liability for theft of the car (TP), and limitation of liability to third parties (TPL); the right to free use of the parking lot within the city limits of Tbilisi.

What rules of the rental company am I obliged to follow?

The instructions you will receive when you sign the rental agreement are summarized as follows: You are financially responsible for violation of the rental rules and insurance terms; You are not allowed to use the rented car for commercial purposes (transportation) or leave it as a collateral; It is strictly forbidden to drive the car under the influence of alcohol or drugs, as well as to test it for strength in off-road conditions (heavy off-road).

You used to be called City Rent Car. Why do you have a different name now?

Yes. As soon as you return our car and voice your intention next time for sure to rent a car from us, you will be given a discount code, which provides a discount of 5$ per day from the tariff for renting any Citty car. And during the next year it can be used not only by you, but also by any person to whom you want to render this small service.

Privacy Policy

Effective January 1, 2026 · Last updated May 16, 2026 · v3.1

This Privacy Policy describes how LTD City Rent Car (operating as Citty.rent) collects, uses, stores and protects personal data obtained from customers, website visitors and other data subjects. This policy is issued in accordance with Regulation (EU) 2016/679 (GDPR) and the Law of Georgia on Personal Data Protection.

For any privacy-related enquiry, contact our privacy team at privacy@citty.rent.

1. Definitions

The following terms are used throughout this policy:

Personal data — any information relating to an identified or identifiable natural person.
Data controller — the entity which determines the purposes and means of processing personal data.
Data processor — a natural or legal person which processes personal data on behalf of the controller.
Processing — any operation performed on personal data, including collection, storage, use, transfer or erasure.
Consent — a freely given, specific, informed and unambiguous indication of the data subject's wishes.
GDPR — Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data.
Supervisory authority — an independent public authority responsible for monitoring the application of GDPR (or equivalent national law).
DPO — Data Protection Officer.

2. Data Controller

LTD City Rent Car is the data controller for the personal data covered by this policy. The Company is registered in Georgia with its registered office at Lekh Kachinski 4, Tbilisi, 0144, Georgia. The Company has been operating since 2014 and provides car rental services at Tbilisi International Airport (TBS), Kutaisi International Airport (KUT), Batumi International Airport (BUS) and across the territory of Georgia.

3. Categories of personal data collected

3.1. Data collected when booking a vehicle

Full name, date of birth, citizenship.
A copy of the driving licence and passport, required to verify legal eligibility to rent a vehicle.
Email address, telephone number and preferred messaging service (WhatsApp, Telegram, Viber).
Flight number, arrival time and place of accommodation, where the customer requests delivery.
Payment information. Card numbers are not stored on the Company's systems. Payments are processed exclusively by PCI DSS-compliant institutions. The Company retains only the last four digits and the card brand for accounting purposes.

3.2. Data collected when using the website

IP address, browser type and language preference.
Cookies, as detailed in our Cookie Policy.
Anonymised website analytics data, processed via Google Analytics 4.
Standard server logs, including date, time, page accessed and referring source.

4. Lawful basis for processing

Each processing activity carried out by the Company is based on one of the following lawful grounds set out in Article 6(1) GDPR:

Processing activity	Lawful basis (Art. 6 GDPR)
Conclusion and performance of the rental contract	6(1)(b) — performance of a contract
Tax and accounting record-keeping	6(1)(c) — legal obligation
Booking confirmations and service notifications	6(1)(b) — performance of a contract
Direct marketing communications	6(1)(a) — consent
Improvement of the website and services	6(1)(f) — legitimate interest
Investigation of accidents, vehicle damage and insurance claims	6(1)(b) and 6(1)(f)

5. Disclosure to third parties

The Company does not sell personal data. Personal data may be disclosed to the following categories of recipients, each acting under a written data processing agreement or statutory obligation:

Hetzner Online GmbH — hosting infrastructure provider (Germany).
Google Workspace Business (Google Ireland Ltd) — corporate email, file storage and analytics.
Renteon — booking management system (Serbia).
Banking institutions — payment processing (Georgia).
Insurance providers — claims handling.
Competent state authorities — disclosure required by law or court order.

6. International data transfers

Customer booking records are stored on servers physically located in Germany (European Union), operated by Hetzner Online GmbH.

Limited categories of data may be processed outside the European Union by certain service providers:

Google Workspace infrastructure spans data centres worldwide, including the United States. Such transfers are protected by the EU-US Data Privacy Framework and Standard Contractual Clauses (SCCs) adopted under Article 46 GDPR.
Renteon hosts in the Republic of Serbia, outside the European Union. Transfers are governed by Standard Contractual Clauses concluded between the Company and Renteon.
Where the data subject initiates communication from a third country, the resulting transfer (e.g., return of a booking confirmation) takes place under that data subject's control.

The Company does not transfer personal data to jurisdictions lacking an adequacy decision or appropriate safeguards.

7. Data retention

Active customer records are retained for the duration of the rental relationship plus five (5) years, in accordance with applicable accounting and tax legislation.
Marketing preferences are retained until withdrawal of consent or a deletion request.
Server logs and analytics data are retained for 14 months and aggregated thereafter.

8. Security measures

The Company implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:

HTTPS / TLS 1.3 encryption for all connections.
AES-256 disk-level encryption of database storage.
Two-factor authentication on all staff accounts.
Role-based access on a least-privilege basis.
Encrypted nightly backups.
Annual penetration testing performed by independent security firms.

9. Data subject rights

Subject to the conditions set out in Articles 15-22 GDPR, data subjects are entitled to:

Obtain confirmation of processing and access to their personal data (Art. 15).
Receive a copy of their personal data in a structured, commonly used, machine-readable format (Art. 20).
Request rectification of inaccurate or incomplete data (Art. 16).
Request erasure of personal data (Art. 17).
Restrict processing in the circumstances foreseen by Art. 18.
Object to processing carried out on the basis of legitimate interest, including direct marketing (Art. 21).
Not be subject to a decision based solely on automated processing (Art. 22). The Company does not engage in such processing.
Withdraw consent at any time, without prejudice to the lawfulness of processing prior to withdrawal.

Requests for exercising these rights may be addressed to dpo@citty.rent. The Company shall respond within thirty (30) days of receipt, free of charge. Where a request is particularly complex, this period may be extended by an additional sixty (60) days, with prior notice to the data subject.

10. Children's data

The Company's services are not directed at, marketed to, or intended for individuals under the age of 21, which constitutes the minimum rental age. The Company does not knowingly collect personal data from minors.

A parent or legal guardian who becomes aware that a minor has provided personal data to the Company may contact dpo@citty.rent to request deletion. The Company does not engage in age-based profiling or in advertising directed at children.

11. Right to lodge a complaint

Pursuant to Article 77 GDPR, data subjects have the right to lodge a complaint with the supervisory authority in their Member State of residence, place of work, or place of the alleged infringement. The competent authorities include:

Germany: BfDI · bfdi.bund.de
France: CNIL · cnil.fr
United Kingdom: ICO · ico.org.uk
California (USA): California Attorney General · oag.ca.gov/privacy
Georgia: Personal Data Protection Service · personaldata.ge
Full list of EU supervisory authorities: edpb.europa.eu

12. Data breach notification

In the event of a personal data breach likely to result in a risk to the rights and freedoms of data subjects, the Company shall notify the competent supervisory authority and, where required, the affected data subjects without undue delay and, where feasible, no later than seventy-two (72) hours after becoming aware of the breach, in accordance with Articles 33 and 34 GDPR.

13. Contact

Data Protection Officer
Email: dpo@citty.rent
Privacy team: privacy@citty.rent
Address: LTD City Rent Car, Lekh Kachinski 4, Tbilisi 0144, Georgia
Telephone: +995 577 415 777

14. Amendments

The Company reserves the right to amend this policy. Material amendments will be communicated by email (where the data subject has provided one) and through a notice on the website at least thirty (30) days prior to entry into force.

15. Forwarding of law-enforcement materials

In cases where Georgia's Ministry of Internal Affairs traffic camera system or municipal parking enforcement systems capture violations attributable to your rental period (photos, video frames), we may forward such materials to you for your reference and decision-making regarding payment. Other vehicles or persons that may appear incidentally in the frame are visible as captured by the original government system. We do not edit or process such images.

See also: Cookie Policy