Preview releaseThis site presents sample listings and AI-generated visualizations. Bookings and contact forms are not currently processed.

Privacy Policy

Effective date: [DATA_WEJŚCIA_W_ŻYCIE]

This English version is provided for information only. In case of any discrepancies, the Polish version (Polityka prywatności) prevails as the legally binding document under Polish law.

This Privacy Policy provides information about the rules of personal data processing in the Arietta Cars service in accordance with Article 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR).

§1 Data controller

The controller of your personal data is [NAZWA_PODMIOTU], with its registered office at [ADRES_SIEDZIBY], entered in the register under KRS: [KRS], Tax ID (NIP): [NIP], Statistical ID (REGON): [REGON].

Contact with the Controller on all matters relating to personal data protection: email rodo@ariettacars.com.

§2 Data Protection Officer (DPO)

The Controller is not obliged to appoint a Data Protection Officer under Article 37 of the GDPR, as it does not carry out large-scale processing of special categories of data or large-scale regular monitoring of individuals.

Despite the lack of obligation, data subjects may contact the Controller at rodo@ariettacars.com on all matters relating to personal data protection.

§3 Purposes and legal bases of processing

Your personal data is processed for the following purposes and on the following legal bases:

(a) handling the Operator account and providing Service functions — Article 6(1)(b) GDPR (performance of a contract);

(b) forwarding Customer Inquiries to the chosen Operator — Article 6(1)(f) GDPR (legitimate interest in providing intermediary services);

(c) Service security, fraud prevention, security logs — Article 6(1)(f) GDPR;

(d) fulfilment of legal obligations, including tax and accounting — Article 6(1)(c) GDPR;

(e) pursuing or defending against legal claims — Article 6(1)(f) GDPR;

(f) direct marketing (if implemented in the future) — Article 6(1)(a) GDPR (consent).

§4 Categories of data processed

Operator data: email address, hashed password (Argon2id algorithm), company name, contact phone, contact email, city, company description, rental terms and cancellation policy.

Customer data (Inquiry): name and surname, email address, phone number (optional), planned rental dates, message content, ID of the vehicle the Inquiry concerns.

Session data: session identifier, IP address, timestamps (session expires after 8 hours since login or 30 minutes of inactivity).

Technical data: IP address, browser and device information (within the scope of security logs).

§5 Recipients of data

Operators (car rental companies) — when a Customer submits an Inquiry, the Customer's data is forwarded to the Operator chosen by the Customer. The Operator becomes a separate controller of that data within the meaning of the GDPR and processes it solely to handle the given Inquiry and any resulting Rental Agreement. The Operator bears independent responsibility in accordance with its own privacy policy.

IT service providers (processors): Amazon Web Services EMEA SARL — application hosting (AWS Lightsail, eu-central-1) and image storage (AWS S3, eu-central-1). Basis: data processing agreement under Article 28 GDPR.

Email service provider: Amazon Web Services EMEA SARL — AWS Simple Email Service (SES), eu-central-1 (sending), eu-west-1 (receiving messages on Controller contact mailboxes).

§6 Transfers to third countries

Data is processed mainly within the European Economic Area (AWS regions: eu-central-1 — Frankfurt and eu-west-1 — Ireland).

To the extent that administrative operations of the cloud provider may involve data transfers outside the EEA, the Controller provides appropriate safeguards in the form of Standard Contractual Clauses of the European Commission (SCC) and mechanisms under the Data Privacy Framework (DPF).

§7 Data retention periods

Inquiry data (name, email, phone, message): 3 years from submission — the limitation period for civil claims under Article 118 of the Polish Civil Code.

Operator account data: for the duration of the account and 5 years after closure — accounting obligations under Article 74 of the Polish Accounting Act.

Login session data: maximum 8 hours (absolute limit) or 30 minutes of inactivity; session files are automatically removed every 15 minutes.

Security logs (IP address, events): 12 months.

Data processed on the basis of consent (e.g. marketing): until consent is withdrawn.

§8 Your rights (Articles 15–22 GDPR)

You have the following rights:

(a) right of access (Article 15 GDPR) — to obtain a copy of processed data and information about processing;

(b) right to rectification of incorrect or incomplete data (Article 16 GDPR);

(c) right to erasure — the „right to be forgotten” (Article 17 GDPR), unless another legal basis exists for further processing;

(d) right to restriction of processing (Article 18 GDPR);

(e) right to data portability in a structured, commonly used format (Article 20 GDPR);

(f) right to object to processing based on legitimate interest (Article 21 GDPR);

(g) right to withdraw consent at any time — without affecting the lawfulness of processing carried out before withdrawal (Article 7(3) GDPR).

To exercise these rights, contact the Controller at: rodo@ariettacars.com.

§9 Right to lodge a complaint

You have the right to lodge a complaint with the supervisory authority — the President of the Personal Data Protection Office (PUODO).

Correspondence address: ul. Stawki 2, 00-193 Warszawa.

Email: kancelaria@uodo.gov.pl, website: www.uodo.gov.pl.

§10 Automated decision-making and profiling

The Controller does not make decisions based solely on automated processing, including profiling, that produce legal effects or similarly significantly affect data subjects within the meaning of Article 22 GDPR.

§11 Cookies

The Service uses cookies necessary for its proper operation:

(a) ARIETTA_SESSION — logged-in Operator session identifier (httpOnly, Secure, SameSite=Lax, lifetime 8 hours);

(b) cookie-consent — storage of your cookie decision (lifetime 12 months);

(c) NEXT_LOCALE — remembers the selected interface language.

The above cookies are necessary and do not require consent, in accordance with Article 173(3) of the Polish Telecommunications Act.

If analytics or marketing cookies are introduced in the future, they will be activated only after your prior, informed and active consent given via the cookie banner. Consent can be withdrawn at any time — withdrawal is as simple as giving consent.

You can block cookies in your browser settings. Blocking necessary cookies may prevent the use of Service functions requiring login.

§12 Changes to the Privacy Policy

The Controller reserves the right to amend this Policy. Significant changes will be notified in the Service with 14 days' notice.

The current version of the Policy enters into force on [DATA_WEJŚCIA_W_ŻYCIE].