Privacy policy

The Privacy Policy describes the principles of collecting and using user data of services provided by CarFree Sp. z o.o., which are collected directly from them or through cookies and similar technologies.

Data Controller and Contact Information

The controller of your personal data and of the persons authorized to drive the vehicle is CarFree Sp. z o.o., headquartered in Warsaw, ul. Cybernetyki 5, entered in the Register of Entrepreneurs of the National Court Register under KRS no.: 0000556022, NIP no.: 5213695626, REGON no.: 36138861600000.

To contact the Data Protection Officer, please send correspondence to the e-mail address: iod@carfree.pl or in writing to the Administrator's registered office address, regarding any matter related to the processing of personal data.

Use of Cookies and Similar Technologies

The Service does not automatically collect any information, except for information contained in cookies.

Cookies are IT data, in particular text files, that are stored on the User’s device and intended for use on the Service’s websites.

Cookies usually contain the name of the website they come from, their storage time on the User’s device, and a unique number.

The entity placing cookies on the User’s device and accessing them is CarFree Sp. z o.o., ul. Cybernetyki 5, 02-677 Warsaw.

Cookies are used to:

• adapt website content to the User’s preferences,

• create statistics that help improve the Service,

• maintain the User’s session after logging in.

Types of cookies used:

• “session” – stored until logout or browser closure,

• “persistent” – stored for the period specified in their parameters or until deleted.

Categories of cookies:

• necessary – e.g., for authentication,

• security – e.g., for detecting misuse,

• performance – collecting data on how the Service is used,

• functional – remembering settings, language, font,

• advertising – tailoring ads to interests.

The User may change cookie settings in their browser at any time.

Limitations on cookies may affect Service functionality. Cookies may also be used by CarFree’s advertisers and partners.

Source of Data

• If you contacted the Controller, the data comes directly from you.

• If data was provided by another person (e.g., an attorney), the source of the data is that person. In such a case, the Controller receives identification, address, and case description data.

Purpose and Legal Basis for Processing Personal Data

Collecting and processing your personal data is necessary for:

• preparing and executing a contract with you (Art. 6(1)(b)(c) GDPR),

• performing the concluded contract (Art. 6(1)(b)(c) GDPR),

• cooperation with our partners (Art. 6(1)(f) GDPR),

• enabling payment card processing (Art. 6(1)(b) GDPR),

• enabling communication between you and CarFree Sp. z o.o., in particular regarding inquiries, requests, and complaints (Art. 6(1)(f) GDPR).

Based on Art. 6(1)(f) GDPR, your data may also be processed for:

• fulfilling legal obligations (e.g., storage of contracts, invoices, accounting books),

• preventing crimes and misuse of services,

• pursuing and defending claims (e.g., debt collection),

• complying with court, police, and state authority orders,

• business contacts,

• conducting analyses, statistics, and archiving,

• sending offers and commercial information (marketing).

Important:

• Providing data is voluntary, but necessary to conclude a contract.

• Failure to provide data may prevent service provision.

Right to Withdraw Consent

You may withdraw your consent to the processing of contact data at any time by contacting the Controller. Withdrawal does not affect the lawfulness of processing before withdrawal.

Obligation or Voluntary Provision of Data

• Providing data in connection with a contract is voluntary, but required.

• Providing data for analytical/statistical purposes (e.g., cookies) is voluntary – you may use incognito mode without affecting website functionality.

GDPR Rights

You have the right to:

• access your data (Art. 15 GDPR),

• rectify data (Art. 16 GDPR),

• erase data (Art. 17 GDPR – “right to be forgotten”),

• restrict processing (Art. 18 GDPR),

• object to processing (Art. 21 GDPR),

• lodge a complaint with the President of the Personal Data Protection Office (UODO).

Scope of Collected Data

When booking a car, we ask for:

• full name,

• phone number,

• email address.

If card payment is chosen:

• type of credit card,

• card number,

• card expiration date.

For reservation confirmation, we also require:

• full name,

• PESEL number,

• registered address,

• ID document number,

• driver’s license number (field no. 5 on the document).

These data are stored in our customer database to facilitate future reservations.

Vehicle Location Data

We also collect:

• location data of the rented vehicle,

• travel route.

Recipients of Personal Data

Recipients of your data may include:

• CarFree employees and associates,

• partners, service providers, IT suppliers,

• state authorities authorized by law (e.g., Police).

Data are shared only to the extent necessary to provide the service.

Consent to Data Processing

Signing a rental agreement with CarFree Sp. z o.o. means that the renter and the authorized driver consent to data processing for:

• providing electronic services,

• performing the car rental,

• marketing purposes.

Data Retention Period

Personal data will be stored:

• until withdrawal of consent or completion of the contract,

• and thereafter for the limitation period of claims.

Cookie and traffic analysis data may be stored:

• until the cookie expires,

• some cookies may have no expiration date – such data will be stored as long as needed for security and historical traffic analysis.

Data Transfer to a Third Country or International Organization

The Controller may transfer user data to providers located in a third country (e.g., the USA) in connection with the use of tools for:

• statistics,

• reporting,

• advertising.

Data may be stored on servers outside the European Economic Area (EEA).

Transfers are made only on the basis of:

• standard contractual clauses (SCC) approved by the European Commission,

• additional safeguards consistent with recommendations of the European Data Protection Board (EDPB).

Providers do not use data to identify users or combine them with other information.

Review Reminders – Cooperation with Rating Captain

To improve service quality and customer satisfaction research, we cooperate with Rating Captain.

Based on legitimate interest (Art. 6(1)(f) GDPR), we may send you:

• a request to leave a review,

• an invitation to complete a service evaluation survey.

Rating Captain may process data on:

• your activity on the Service (e.g., clicks, visited subpages, visit time),

• your device and browser (including IP location).

We have concluded a data processing agreement with Rating Captain. Data are not profiled.

You may object at any time by contacting us (see: “Data Controller and Contact Information”).

Scanning of identity documents (365id system)

To confirm the authenticity of identity documents and to automatically read the data necessary to conclude a rental agreement, CarFree Sp. z o.o. uses the 365id system.
The document is scanned solely for the purpose of one-time verification of its authenticity and reading its textual data (e.g. first name, last name, document number, expiry date).
The scan of the document is not stored or archived anywhere – once the verification is completed, it is automatically and permanently deleted.
The legal basis for data processing is Article 6(1)(b) and (f) of the GDPR (conclusion of a contract and the controller’s legitimate interest in preventing abuse).
The data processor in this respect is 365id AB, based in Halmstad (Sweden).