RE.OG.1
Version: 3.0
The following Privacy Policy describes the principles of personal data processing and protection applied at Polcar PPH with its registered office in Warsaw (02-619) at Wejnerta 19 Street, TIN 521-044-50-18.
1.1. The Personal Data Controller of persons cooperating with Polcar PPH, customers, users of Internet catalogues and visitors to websites administered by Polcar PPH is Polcar PPH with its registered office in Warsaw (02-619) at Wejnerta 19 Street, TIN 521-044-50-18.
1.2. The Personal Data Controller processes personal data in accordance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC.
2.1. The provision of personal data is voluntary but necessary for the processing of enquiries and orders. Consent given for any purpose of processing can be revoked at any time.
2.2. The Personal Data Controller may obtain personal data from public sources e.g. KRS, CEIDG registers and from sources with restricted access e.g. KRD, BIG. In such a case, verification of whether there is a legal basis for the processing of personal data is required.
2.3. Browsing the content of websites may require the user to disclose personal data (e.g. IP in the form of metadata). The use of services provided by the Personal Data Controller may require the user to submit personal data. In such a case, failure to submit personal data may limit the ability to use the service.
2.4. If the user uses the services using mobile devices, the Personal Data Controller may acquire, in particular, the identification data of the mobile device, the Internet service provider and the subscriber. The data collected in this way will be processed anonymously and will only be used for statistical purposes or to ensure the correct use of the website by the user.
3.1. The personal data collected may include: name, surname, company name, function within the organisation, address, contact details (e.g. telephone number, e-mail address, fax number) and instant messaging addresses (e.g. Skype, GaduGadu) or other addresses enabling contact with the person in their preferred manner.
3.2. In justified cases, the identity document number is also stored if required by regulations related to the issuance of documents concerning the performance of contracts.
3.3. The Personal Data Controller collects information related to users' browsing of the website content, such as: the number and source of visits to the website's web pages, the duration of the visit, the content viewed, the number and type of subpages opened, the links used, and the computer's IP address. The administrator does not connect such information with the user's personal data and does not use it to identify the user, unless it is necessary for the proper provision of the service.
3.4. The Personal Data Controller does not store sensitive data.
4.1. Processing enquiries and orders submitted directly to Polcar PPH and through local distributors via all available communication channels, as well as pursuing claims related to them on the basis of Article 6(1)(b) of the GDPR.
4.2. Direct marketing related to the conducted business activity pursuant to Article 6(1)(a) of the GDPR, including (but not limited to) sending commercial information to the provided e-mail address, making phone calls to the indicated number, presenting promotional offers as part of the conducted campaigns, through all sales channels.
4.3. Surveys on satisfaction with cooperation with the Controller and local Distributors pursuant to Article 6(1)(a) of the GDPR (consent) and Article 6(1)(f) of the GDPR (legitimate interest of the Controller). The surveys are conducted only with the participant's consent and may be carried out electronically or by telephone.
4.4. Performing analytical and statistical activities – the legal basis for processing is the user's consent (Article 6(1)(a) of the GDPR) through the acceptance of analytical cookies and the legitimate interest of the Administrator (Article 6(1)(f) of the GDPR), consisting in analysing user activity and preferences in order to improve the functionality of websites and the quality of services provided.
4.5. Securing websites against criminal attacks. The legal basis is Article 6(1)(f) of the GDPR (legitimate interest of the Controller) and Article 45 of the GDPR in the case of data transfers to third countries covered by an adequacy decision.
5.1. The Personal Data Controller uses the information referred to in point 3.3 solely for purposes related to market research and internet traffic within the websites, for statistical purposes, in particular to assess interest in the content posted on the websites and to improve the content of the websites.
The Personal Data Controller uses Hotjar – a tool that allows for the analysis of user activity and a more complete understanding of their experience on the website. Hotjar records data on user behaviour, such as: page navigation, page scrolling, cursor movement. Technical information is also collected: location, anonymous user IP address, device type, operating system and browser. Hotjar does not collect or store any personal information about users, including personal data. For more information about Hotjar's privacy policy and how to deactivate user monitoring, please visit: https://www.hotjar.com/privacy.
5.2. The Personal Data Controller uses cookies or similar files. These files enable the Personal Data Controller, in particular, to better tailor the website to the individual interests and preferences of the user. For more information, please visit the page dedicated to cookies: https://www.polcar.com/pl/polityka-cookies.
6.1. The Personal Data Controller does not use profiling based on personal data.
6.2. The Personal Data Controller does not make automated decisions resulting from profiling based on personal data.
7.1. The period of personal data processing depends on the purpose of processing and the time of withdrawal of consents granted.
7.2. It is possible to extend the processing of personal data until the legitimate interests of the Personal Data Controller are fulfilled, including the performance of contracts, pursuing claims or defending against them, but not longer than for the period of limitation of claims specified in the provisions of law.
8.1. The Personal Data Controller declares that no personal data collected will be sold or made available to entities not involved in the performance of contracts.
8.2. The Personal Data Controller may entrust the processing of data to a local Distributor for the purpose of fulfilling an enquiry or order.
8.3. Personal data is entrusted on the basis of an entrustment agreement ensuring the protection of personal data in accordance with applicable regulations.
8.4. Personal data may be disclosed to entities cooperating in connection with the implementation and exercise of rights arising therefrom, including, among others, entities providing services such as accounting, debt collection, IT, marketing, courier, postal, legal and administrative support.
8.5. The Personal Data Controller does not transfer personal data outside the European Union, except in cases where this is required by a specific request from the customer in connection with the execution of an order, and except for processing in the United States by:
8.5.1. CloudFlare – as a proxy server to protect the website from criminal attacks. Due to the use of CloudFlare services, your personal data (IP address as metadata) may be transferred to a third country – the United States. CloudFlare is certified under the EU-US Data Privacy Framework, which provides the legal basis for the transfer in accordance with Article 45 of the GDPR. The data transfer is based on the European Commission's adequacy decision, which confirms the adequate level of personal data protection in the USA under this programme. CloudFlare guarantees an adequate level of protection and security of personal data in accordance with the GDPR. Data is processed by CloudFlare only to the extent necessary to provide security and optimisation services. CloudFlare's services are used by many entities in the EU. More information on this topic can be found at the following link:
https://www.cloudflare.com/gdpr/introduction/.
8.5.2. Google Analytics (GA4) – a tool for analysing website traffic, which allows the Personal Data Controller to understand how users use their website. The provider is Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Google Analytics enables the automatic collection of data for statistical and analytical purposes (e.g. information about the browser, subpages visited, session duration, links clicked, traffic source). The data is transferred to Google LLC in the USA and stored there. The data transferred is anonymous; the user's IP address is truncated before being transferred. Only in exceptional cases is the full IP address transferred to a Google server in the USA and truncated there. Google Analytics does not use the collected data to identify the user or combine it to enable identification. As part of Google Analytics, the Personal Data Controller does not collect any data that would allow the user to be identified. The user has the right to withdraw their consent to the processing of this data by changing the cookie settings on the Controller's website. Detailed information on the scope and rules of data collection in connection with this service can be found at the following link: https://support.google.com/analytics/answer/6004245.
8.5.3. HotJar – a tool that allows the Personal Data Controller to analyse User activity and gain a better understanding of their experience on the website. In certain limited cases, user data is transferred by the provider of this tool, Hotjar Ltd., based in Malta, to its subcontractors located outside the EU. The transfer of data to these subcontractors is based on an adequacy decision (more information: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en?prefLang=pl), where the subcontractor has been entered in the list of self-certified entities under the Data Privacy Framework programme or on the basis of standard contractual clauses issued by the European Commission. More information: https://www.hotjar.com/privacy. The user may opt out of Hotjar monitoring by using the link: https://www.hotjar.com/opt-out.
8.6. The Personal Data Controller reserves the right to disclose information about the user to competent authorities or third parties who request such information, based on an appropriate legal basis and in accordance with applicable law.
9.1. The person whose personal data is being processed has the right to: withdraw consent to the processing of personal data, object to the processing of data for marketing purposes, the right to access data, the right to request rectification of personal data, the right to request erasure of personal data, the right to request restriction of processing of personal data, the right to data portability, the right to object to the transfer of data to third countries (USA), the right to manage cookie consents, the right to opt out of tracking by Google Analytics.
9.2. The person whose data is being processed has the right to lodge a complaint with the supervisory authority responsible for personal data protection, i.e. the President of the Personal Data Protection Office.
9.3. The Personal Data Controller may refuse to delete personal data if there are legal grounds for doing so.
10.1. You can contact the Personal Data Controller at Polcar PPH:
11.1. This policy is available at the Personal Data Controller's headquarters and on the website www.polcar.com.
11.2. The Personal Data Controller has the right to make changes to the Privacy Policy. The current version is valid from 23 October 2025.
11.3. Every user of the Personal Data Controller's services is bound by the current version of the Privacy Policy.
11.4. In the event of discrepancies between the language versions of the Polcar PPH Privacy Policy, the Polish version shall prevail.
