Privacy Policy

1. Data Controller

2. Scope of Personal Data Processing

The Service processes the following categories of personal data:

**Registration data:**
• First and last name
• Email address
• Phone number
• Password (in encrypted form)

**Data in listings:**
• Contact data provided in listing
• Vehicle location (city, voivodeship)
• Vehicle data (VIN - optional)
• Photos

**Technical data:**
• IP address
• Browser and device data
• Cookies
• Service activity history

**IMPORTANT:** Providing personal data is voluntary but necessary to use the full functionality of the Service.

3. Purposes and Legal Basis for Data Processing

Personal data are processed for the following purposes:

**a) Provision of Service (Art. 6(1)(b) GDPR)**
• User account registration and maintenance
• Publishing listings
• Enabling communication between users
• Managing listings and account

**b) Compliance with legal obligations (Art. 6(1)(c) GDPR)**
• Maintaining accounting and tax documentation
• Handling complaints and claims
• Cooperation with law enforcement (upon request)

**c) Legitimate interest of Controller (Art. 6(1)(f) GDPR)**
• Statistics analysis and Service optimization
• Ensuring Service security
• Marketing of own products and services
• Pursuing claims and defense against claims
• Detecting and preventing fraud

**d) User consent (Art. 6(1)(a) GDPR)**
• Marketing of partners' products and services (only with consent)
• Marketing and analytical cookies (only with consent)

Consent may be withdrawn at any time without affecting the lawfulness of processing based on consent before its withdrawal.

4. Legal Basis for Processing

Personal data processing is based on:

• Regulation (EU) 2016/679 (GDPR)
• Act of 10 May 2018 on Personal Data Protection
• Act of 18 July 2002 on Provision of Services by Electronic Means
• Act of 16 July 2004 - Telecommunications Law

5. Personal Data Recipients

Personal data may be shared with the following recipient categories:

**a) Entities providing services for Controller:**
• Hosting and IT service providers
• Mailing system providers
• Analytics tool providers
• Payment system providers (in the future)

**b) Other entities authorized by law:**
• Law enforcement and judiciary (upon legal request)
• Control and supervision authorities

**c) Other Service users:**
• Contact data visible in listing (according to privacy settings)
• Information in messages sent to other users

**NOTE:** Controller does NOT sell, rent, or otherwise share users' personal data with third parties for marketing purposes without explicit user consent.

6. Data Retention Period

Personal data are retained for the following periods:

**User accounts:**
• Until account deletion by user
• Until account deletion by Administrator for Terms violation
• 3 years from last login (inactive accounts)

**Listings:**
• Until listing deletion by user
• 30 days from publication (automatic deactivation)
• Until deletion by Administrator (Terms violation)

**Messages:**
• Until deletion by user
• Until account deletion

**Accounting-tax data:**
• 5 years from end of year in which tax obligation arose

**System logs and security:**
• 12 months (according to Act on Provision of Services by Electronic Means)

**Cookies:**
• According to Cookie Policy (from end of session to 24 months)

7. User Rights (Data Subject Rights)

Under GDPR, the user has the following rights:

**a) Right of access to data (Art. 15 GDPR)**
User has the right to obtain Controller's confirmation whether personal data concerning them are being processed and, if so, the right to access such data and processing information.

**b) Right to rectification (Art. 16 GDPR)**
User has the right to request immediate rectification of inaccurate personal data concerning them and completion of incomplete data.

**c) Right to erasure - "right to be forgotten" (Art. 17 GDPR)**
User has the right to request deletion of personal data concerning them if:
• Data are no longer necessary for purposes for which they were collected
• User has withdrawn consent and there is no other legal basis for processing
• Data have been unlawfully processed
• User has objected to processing

**d) Right to restriction of processing (Art. 18 GDPR)**
User has the right to request restriction of processing in certain cases (e.g., during verification of data accuracy).

**e) Right to data portability (Art. 20 GDPR)**
User has the right to receive personal data concerning them in structured, commonly used, machine-readable format and transmit it to another controller.

**f) Right to object (Art. 21 GDPR)**
User has the right at any time to object to processing of personal data concerning them for marketing purposes or for reasons related to their particular situation.

**g) Right to withdraw consent**
If processing is based on consent, user has the right to withdraw consent at any time. Withdrawal of consent does not affect lawfulness of processing before its withdrawal.

**h) Right to lodge complaint with supervisory authority**
User has the right to lodge complaint with President of Personal Data Protection Office (PUODO), ul. Stawki 2, 00-193 Warsaw, if they consider that data processing violates GDPR.

**How to exercise rights:**
To exercise above rights, contact Controller via email: [email protected]

Controller responds to requests within 30 days (in complex cases, deadline may be extended to 60 days with user notification).

8. Cookies and Tracking Technologies

Service uses cookies in accordance with applicable law.

Detailed information can be found in Cookie Policy

14. Changes to Privacy Policy

Controller reserves right to introduce changes to Privacy Policy in the following cases:
• Changes in legal regulations
• Changes in Service provision method
• Introduction of new functionalities
• Technological changes

Users will be notified of all changes with at least **14 days' notice** via:
• Email notification (to address provided during registration)
• Announcement on Service homepage
• Notification after login

Continued use of Service after changes take effect means acceptance of new Privacy Policy.

User who does not accept changes has right to delete their account before changes take effect.

15. Contact Regarding Data Protection