bfm-logo

Privacy Policy

The following Privacy Policy outlines the rules for storing and accessing data on Users’ Devices who use the Service for the purpose of providing electronic services by the Administrator, as well as the principles of collecting and processing Users’ personal data that have been provided by them voluntarily through the tools available in the Service.

The following Privacy Policy is an integral part of the Service Terms and Conditions, which define the rules, rights, and responsibilities of Users using the Service.

§1 Definitions

  • Service – the online service “BFM CAR RENTAL” operating under the website address www.bfm-carrental.pl
  • External Service – online services of partners, service providers, or service recipients cooperating with the Administrator
  • Service/Data Administrator – The Administrator of the Service and Data (hereinafter referred to as the Administrator) is the company “Michał Sikorski BFM”, operating at the address: ul. Wysoka 5, 31-460 Kraków, with the tax identification number (NIP): 5742040931, providing electronic services through the Service
  • User – an individual for whom the Administrator provides electronic services through the Service
  • Device – an electronic device along with software through which the User accesses the Service
  • Cookies – text data collected in the form of files placed on the User’s Device
  • GDPR (General Data Protection Regulation) – Regulation (EU) 2016/679 of the European Parliament and the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
  • Personal Data – refers to information about an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be directly or indirectly identified, in particular based on an identifier such as a name, identification number, location data, online identifier, or one or more specific factors that identify the physical, physiological, genetic, mental, economic, cultural, or social identity of that person
  • Processing – refers to an operation or set of operations performed on personal data or sets of personal data, whether automated or non-automated, such as collection, recording, organization, structuring, storage, adaptation or modification, retrieval, consultation, use, disclosure through transmission, dissemination, or other forms of making available, alignment or combination, restriction, erasure, or destruction.
  • Restriction of Processing – means marking stored personal data to limit its future processing
  • Profiling – means any form of automated processing of personal data that involves using personal data to evaluate certain personal factors of a natural person, particularly to analyze or predict aspects regarding the effects of that person’s work, their economic situation, health, personal preferences, interests, reliability, behavior, location, or movements
  • Consent – the consent of the data subject means the voluntary, specific, informed, and unambiguous indication of the will by which the data subject, through a statement or clear affirmative action, agrees to the processing of their personal data
  • Personal Data Breach – means a security breach leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to personal data transmitted, stored, or otherwise processed
  • Pseudonymization – means processing personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures that prevent its attribution to an identified or identifiable natural person
  • Anonymization – means the irreversible process of operating on data that destroys/overwrites “personal data,” making identification or linking a record to a specific user or natural person impossible

§2 Data Protection Officer

Pursuant to Article 37 of the GDPR, the Administrator has not appointed a Data Protection Officer.

For matters related to data processing, including personal data, please contact the Administrator directly.

§3 Types of Cookies

  • Internal Cookies – files placed and read from the User’s Device by the Service’s IT system
  • External Cookies – files placed and read from the User’s Device by the IT systems of external services. Scripts from external services that may place Cookies on the User’s Devices have been intentionally included in the Service through scripts and services provided and installed in the Service
  • Session Cookies – files placed and read from the User’s Device by the Service during a single session of the Device. After the session ends, the files are deleted from the User’s Device
  • Persistent Cookies – files placed and read from the User’s Device by the Service until manually deleted. These files are not automatically deleted after the Device’s session ends unless the User’s Device configuration is set to delete Cookies after the session ends

§4 Data Storage Security

  • Mechanisms for storing and reading Cookies – The mechanisms for storing, reading, and exchanging data between Cookies stored on the User’s Device and the Service are implemented through the built-in mechanisms of web browsers. These mechanisms do not allow for the retrieval of other data from the User’s Device or from websites visited by the User, including personal data or confidential information. It is also practically impossible for viruses, trojans, and other worms to be transferred to the User’s Device
  • Internal Cookies – The Cookies used by the Administrator are safe for Users’ Devices and do not contain scripts, content, or information that could jeopardize the security of personal data or the safety of the Device used by the User
  • External Cookies – The Administrator takes all possible actions to verify and select service partners in terms of User security. The Administrator works with well-known, large partners who have global social trust. However, the Administrator does not have full control over the contents of Cookies from external partners. The Administrator is not responsible for the security of the Cookies, their content, or their licensed use by the scripts installed on the Service, originating from external Services, to the extent permitted by law. A list of partners is provided later in the Privacy Policy
  • Cookie Control
  • User-side threats – The Administrator takes all possible technical measures to ensure the security of the data placed in Cookies. However, it should be noted that ensuring the security of this data depends on both parties, including the User’s actions. The Administrator is not responsible for the interception of this data, session hijacking, or its deletion, as a result of the deliberate or unintentional actions of the User, viruses, Trojans, or other spyware software that the User’s Device may have been or is infected with. To protect against these threats, Users should follow safe internet practices.
  • Storage of personal data – The Administrator ensures that every effort is made to keep the personal data voluntarily provided by Users secure, with access limited and carried out in accordance with its intended purpose and processing goals. The Administrator also ensures that all possible measures are taken to protect the stored data from loss by implementing appropriate physical and organizational security measures

§5 Purposes for which cookies are used

  • Enhancing and facilitating access to the Service
  • Personalizing the Service for Users
  • Marketing, Remarketing on external websites
  • Ad-serving services
  • Affiliate services
  • Conducting statistics (users, number of visits, device types, connections, etc.)
  • Serving multimedia services

§6 Purposes for processing personal data

Personal data voluntarily provided by Users is processed for one of the following purposes:

  • Providing electronic services:
    • Services for sharing information about content posted on the Website on social media or other websites
  • Communication of the Administrator with Users regarding matters related to the Service and data protection
  • Ensuring the legitimate interests of the Administrator

User data collected anonymously and automatically is processed for the following purposes:

  • Conducting statistics
  • Remarketing
  • Serving advertisements tailored to users’ preferences
  • Managing affiliate programs
  • Ensuring the legitimate interests of the Administrator

§7 Cookies from External Services

The Administrator uses JavaScript scripts and web components from partners in the Service, who may place their own cookies on the User’s device. Please note that in your browser settings, you can decide which cookies are allowed to be used by individual websites. Below is a list of partners or their services implemented in the Service that may place cookies:

Services provided by third parties are beyond the Administrator’s control. These entities may change their terms of service, privacy policies, data processing purposes, and ways of using cookies at any time.

§8 Types of Collected Data

The Service collects data about Users. Some data is collected automatically and anonymously, while other data consists of personal data voluntarily provided by Users when signing up for specific services offered by the Service.

Anonymous Data Collected Automatically:

  • IP address
  • Browser type
  • Screen resolution
  • Approximate location
  • Subpages of the service visited
  • Time spent on each subpage of the service
  • Operating system type
  • Previous page address
  • Referring page address
  • Browser language
  • Internet connection speed
  • Internet Service Provider (ISP)

Data Collected During Registration:

  • First name / last name / nickname
  • Email address
  • Phone number
  • IP address (automatically collected)

Data Collected During Newsletter Subscription:

  • Email address

Some data (without identifying information) may be stored in cookies. Some data (without identifying information) may be transferred to statistical service providers.

§9 Access to Personal Data by Third Parties

As a general rule, the only recipient of the personal data provided by Users is the Administrator. Data collected as part of the provided services is not shared or sold to third parties.

Access to data (most often based on a Data Processing Agreement) may be granted to entities responsible for maintaining the infrastructure and services necessary to operate the service, such as:

  • Hosting companies providing hosting or related services to the Administrator.

Data Processing Agreement – Hosting, VPS, or Dedicated Server Services

In order to operate the service, the Administrator uses the services of an external provider for hosting, VPS, or dedicated servers OVH sp. z o.o. All data collected and processed on the website are stored and processed within the infrastructure of the service provider located within the territory of the European Union. There is a possibility of access to the data as a result of maintenance work carried out by the service provider’s personnel. Access to this data is governed by an agreement between the Administrator and the Service Provider.

§10 Method of Processing Personal Data

Personal data voluntarily provided by Users:

  • Personal data will not be transferred outside the European Union, unless published as a result of an individual action by the User (e.g., posting a comment or entry), making the data available to anyone visiting the website.
  • Personal data will not be used for automated decision-making (profiling).
  • Personal data will not be sold to third parties.

Anonymous Data (without personal data) Collected Automatically:

  • Anonymous data (without personal data) will be transferred outside the European Union.
  • Anonymous data (without personal data) will not be used for automated decision-making (profiling).
  • Anonymous data (without personal data) will not be sold to third parties.

§11 Legal Basis for Processing Personal Data

Serwis gromadzi i przetwarza dane Użytkowników na podstawie:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation):
    • Article 6(1)(a): The data subject has given consent to the processing of their personal data for one or more specific purposes.
    • Article 6(1)(b): The processing is necessary for the performance of a contract to which the data subject is a party, or for taking steps at the request of the data subject prior to entering into a contract.
    • Article 6(1)(f): The processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.
  • Act of May 10, 2018, on the protection of personal data (Journal of Laws 2018, item 1000)
  • Act of July 16, 2004, Telecommunications Law (Journal of Laws 2004, No. 171, item 1800)
  • Act of February 4, 1994, on Copyright and Related Rights (Journal of Laws 1994, No. 24, item 83)

§12 Data Retention Period

Dane osobowe podane dobrowolnie przez Użytkowników:

Personal Data Provided Voluntarily by Users:

As a rule, the personal data provided is stored only for the period during which the Service is provided by the Administrator. The data will be deleted or anonymized within 30 days from the end of the service provision (e.g., account deletion, unsubscribing from the Newsletter, etc.).

An exception applies when it is necessary to secure the legitimate purposes for further processing of such data by the Administrator. In such a case, the Administrator will retain the data, from the time of the User’s request for deletion, for no longer than 3 years in the event of a violation or suspicion of violation of the service terms by the User.

Anonymous Data (Non-personal Data) Collected Automatically:

Anonymous statistical data, which does not constitute personal data, is stored by the Administrator for the purpose of conducting service statistics for an indefinite period.

§13 User Rights Regarding the Processing of Personal Data

Serwis gromadzi i przetwarza dane Użytkowników na podstawie:

  • Right to Access Personal Data
    Users have the right to obtain access to their personal data, upon request submitted to the Administrator.
  • Right to Rectify Personal Data
    Users have the right to request the Administrator to promptly rectify inaccurate or incomplete personal data, upon request submitted to the Administrator.
  • Right to Erasure of Personal Data
    Users have the right to request the Administrator to promptly delete personal data, upon request submitted to the Administrator.
    In the case of user accounts, deletion involves anonymizing the data that identifies the User.
    The Administrator reserves the right to suspend the deletion request to protect the legitimate interests of the Administrator (e.g., if the User has violated the Terms and Conditions or if the data was collected via correspondence).
    For the Newsletter service, Users can independently delete their personal data using the link provided in each email sent.
  • Right to Restrict the Processing of Personal Data
    Users have the right to restrict the processing of personal data in cases specified in Article 18 of the GDPR, including questioning the accuracy of personal data, upon request submitted to the Administrator.

  • Right to Data Portability
    Users have the right to obtain from the Administrator personal data concerning the User in a structured, commonly used, and machine-readable format, upon request submitted to the Administrator.

  • Right to Object to the Processing of Personal Data
    Users have the right to object to the processing of their personal data in the cases specified in Article 21 of the GDPR, upon request submitted to the Administrator.

  • Right to Lodge a Complaint
    Users have the right to lodge a complaint with the supervisory authority responsible for personal data protection.

§14 Contacting the Administrator

You can contact the Administrator in one of the following ways:

  • Postal address: Michał Sikorski BFM, ul. Wysoka 5, 31-460 Kraków
  • Email address: kontakt@bfm-carrental.pl
  • Phone number: +48 733 644 002
  • Contact form: available at the following address: /kontakt

§15 Service Requirements

  • Limiting the storage and access to cookies on the User’s device may cause some functions of the Service to malfunction.
  • The Administrator is not responsible for any malfunctioning features of the Service if the User restricts in any way the ability to store and read cookies.

§16 External Links

The Service may contain links in articles, posts, entries, or comments from Users that direct to external websites with which the Service Owner does not cooperate. These links, as well as the websites or files they point to, may pose a risk to your device or compromise the security of your data. The Administrator is not responsible for the content found outside of the Service.

§17 Changes to the Privacy Policy

  • The Administrator reserves the right to modify this Privacy Policy at any time without notifying Users regarding the use of anonymous data or the application of cookies.

  • The Administrator reserves the right to modify this Privacy Policy regarding the processing of Personal Data. In such cases, Users with accounts or those subscribed to the newsletter will be notified via email within 7 days of the changes being made. Continued use of the services indicates acceptance of the updated Privacy Policy. If a User disagrees with the changes, they are required to delete their account from the Service or unsubscribe from the newsletter.

  •  Any changes to the Privacy Policy will be published on this page of the Service.

  • The changes will take effect as soon as they are published.