+48 791 409 633 book your transport
  • pl
  • en
    • Home page » Privacy policy

    Privacy policy

    Version: July 2025

    1. GENERAL PROVISIONS

    At VOID sp. z o.o., the owner of the CCARS® brand (hereinafter referred to as “CCARS”), we take the protection of our customers’ personal data seriously and are committed to safeguarding their privacy during data processing activities. All personal data is processed in compliance with applicable data protection regulations.

    This Privacy Policy is intended to inform customers who visit CCARS websites or use the CCARS online platform (collectively referred to as the “CCARS Services”) about which personal data is processed by CCARS, how it is processed, and for what purposes. The CCARS Services are not intended for use by individuals under the age of majority.

    2. NAME AND CONTACT DETAILS OF THE DATA CONTROLLER

    The data controller, as defined under the General Data Protection Regulation (GDPR), is the owner of the CCARS® brand:

    VOID sp. z o.o., with its registered office in Warsaw (00-526), National Court Register (KRS) number: 0000981699
    (hereinafter referred to as the “Controller”)

    You may contact the Controller via email at: daneosobowe@ccars.pl

    3. INFORMATION ON THE SUPERVISORY AUTHORITY

    The competent data protection supervisory authority is the President of the Personal Data Protection Office (UODO), with its headquarters located in Warsaw (00-913), ul. Stawki 2.

    You may contact the Personal Data Protection Office via:
    Phone: +48 22 531 03 00
    Email: kancelaria@uodo.gov.pl

    Data subjects may contact the supervisory authority confidentially at the address provided above. Alternatively, they may reach out to the Data Controller and our Data Protection Team by sending an email to: daneosobowe@ccars.pl

    4. DATA SECURITY

    CCARS implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk associated with data processing. In selecting these measures, we take into account the latest technological advancements, implementation costs, as well as the nature, scope, context, and purposes of the processing. Additionally, the likelihood and severity of the risk to data subjects’ rights and freedoms are considered.

    The transmission of personal data between the end-user device and CCARS systems is typically encrypted using TLS/SSL protocol. A secure connection can be identified, for example, by the padlock icon in the address bar of your browser.

    5. CCARS WEBSITES

    When visiting the CCARS websites for informational purposes only—i.e., without registering—certain usage data is automatically collected via your browser. This may include: IP address, status code, CCARS webpages visited, date and time of server request, browser type and version, referring URL (the page previously visited), transmitted files, and data volume. This information may be logged by our hosting provider and used for purposes such as service optimization, statistical analysis, and adjusting displayed content to user preferences.

    Further details regarding cookies and analytics services used by CCARS can be found in Section 6. Personal data is not shared with third parties, and processing is carried out primarily to establish and maintain a technical connection during the use of the Internet. These data may also be used by CCARS in pseudonymized or anonymized form to analyze the use of our websites, to design and improve CCARS services based on user needs, to identify and correct disruptions and technical issues, and to prevent misuse of the CCARS Services (e.g., fraudulent bookings or cyberattacks).

    The Controller processes personal data for the purpose of entering into and performing passenger transport service agreements with the data subject (legal basis: Art. 6(1)(b) GDPR). Additionally, data is processed for compliance with legal obligations such as issuing invoices and fulfilling accounting and tax obligations (legal basis: Art. 6(1)(c) GDPR). Personal data may also be processed for business communication purposes related to offering products and services provided by the Controller (legal basis: Art. 6(1)(f) GDPR).

    Consent to the processing of personal data may be withdrawn at any time.

    6. COOKIES, PIXELS AND SIMILAR TECHNOLOGIES

    When using the CCARS Services, cookies, pixels, or similar technologies may be employed—this is standard practice for most major websites.

    Cookies are small text files, and pixels are tiny graphic elements that can be stored on the user’s end device. Detailed information about the cookies, pixels, and similar technologies used by CCARS is available in our Cookie Policy.

    As part of the use of CCARS Services, cookies that are essential to enable required functionalities—such as language selection, login status, or cookie consent—are placed. Additionally, subject to the user’s consent, CCARS uses both first-party and third-party cookies to:

    – analyze and improve the use of CCARS Services,
    – personalize and enhance functionality,
    – detect and correct technical or procedural issues,
    – prevent unlawful use of the Services (e.g., fraudulent bookings, cyberattacks),
    – achieve marketing objectives, including measuring, analyzing, and evaluating the effectiveness of advertisements.

    Further details are available in our Cookie Policy. Consent to the use and placement of cookies is recorded electronically via the CookieYes tool used by CCARS. Users can withdraw their consent at any time with future effect or adjust cookie preferences at any time via the CookieYes tool settings.

    In addition, users may prevent cookies from being stored and delete existing cookies through their browser settings. However, please note that doing so may limit the availability of certain functionalities of the CCARS Services or make them partially inaccessible. The retention period of each cookie varies depending on its type and can be checked either in the browser settings or in our Cookie Policy.

    The legal basis for processing personal data in connection with the use of cookies, pixels, and similar technologies is Article 6(1)(a) of the GDPR (user consent) and Article 6(1)(f) of the GDPR (legitimate interests of CCARS in the case of necessary cookies).

    7. SOCIAL MEDIA

    7.1. CCARS PRESENCE ON SOCIAL MEDIA PLATFORMS

    CCARS maintains official pages on social media platforms such as Facebook, Instagram, and LinkedIn. Detailed information about the processing and use of personal data can be found in the privacy policies of the respective social media providers.

    7.2. FACEBOOK, FACEBOOK MESSENGER AND FACEBOOK CONNECT

    CCARS uses services provided by the Facebook social network, operated by Meta Platforms Inc., headquartered at 1601 Willow Road, Menlo Park, CA 94025, USA (“Facebook”). For users located in Europe, the data controller for Facebook is Meta Platforms Ireland Ltd., located at 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.

    Facebook’s Privacy Policy is available at: https://www.facebook.com/about/privacy/

    According to the judgment of the Court of Justice of the European Union (Case C-210/16), administrators of Facebook fan pages are considered joint controllers of user personal data. This means that both Facebook and CCARS jointly determine the purposes and means of processing such data. Therefore, we recommend that users consult Facebook’s privacy policy for detailed information regarding the processing of personal data.

    8. PROCESSING OF PERSONAL DATA DURING USE OF CCARS SERVICES AND BOOKING OF RIDES

    CCARS processes the following personal data provided by the user when using CCARS Services or booking rides (hereinafter referred to as “Customer Data”):

    – Basic details: salutation, title, first and last name, company name, address, postal code, city, country;
    – Contact details: phone number, mobile number, email address;
    – Contract-related data: time and method of registration, status;
    – Ride details: pickup location, destination, times, flight number, special requests;
    – Customer status: bonus program participation, customer history (e.g., previous rides);
    – Billing and payments: invoices, payment status, billing address, last 4 digits of credit card number.

    Customer Data is used to provide CCARS Services, including personalized execution of the booked rides and for concluding and performing passenger transport contracts with service providers on behalf of the customer.

    Where necessary, CCARS shares Customer Data with third parties, especially transportation providers, to facilitate the execution of bookings and the provision of transportation services. If the customer uses a bonus program operated by CCARS, the necessary data is transferred to the relevant bonus program operator. Payment data is stored via certified payment service providers and shared with intermediary financial institutions or banks (see Section 10).

    All information provided to the Controller for the purpose of service provision is treated as confidential. The Controller does not transfer data outside the territory of Poland.

    A decision on adequacy (Art. 45(3) GDPR) or appropriate safeguards (Art. 46 GDPR) is not required, as the transfer is necessary for the performance of a contract with the data subject, or to take pre-contractual steps at the request of the data subject (Art. 49(1)(b) GDPR). It may also be required to conclude or perform a contract in the interest of the data subject (Art. 49(1)(c) GDPR).

    Customers may rate rides organized by CCARS. Such ratings are stored in the CCARS system and may be shared in anonymized form with relevant drivers or transport providers. Customers have access to their own ratings, but these are not visible to other users. Ratings are retained to manage rides and payments, perform analytics, and improve CCARS Services—specifically for quality control, service enhancements, and the prevention of unlawful use (e.g., fraudulent bookings).

    This data is stored for a maximum of two years, after which it is deleted or anonymized.

    Legal bases for processing:

    Art. 6(1)(b) GDPR: performance of a contract (for registration and booking data);
    Art. 6(1)(a) GDPR: user consent (for optional data such as flight number or special requests);
    Art. 6(1)(f) GDPR: legitimate interest of CCARS (e.g., service analytics, improvements, fraud prevention).

    Customer data is also processed for analyzing service usage, customizing and improving offerings, displaying advertising, and identifying, resolving, or preventing technical failures and unlawful activities (e.g., cyberattacks). Such processing may involve third-party processors acting on behalf of CCARS (Art. 28 GDPR) or as otherwise permitted by law.

    9. PAYMENTS AND FRAUD PREVENTION

    9.1. PAYMENTS

    All CCARS bookings can be paid via credit/debit card, online payment methods, or—in certain cases—via traditional bank transfer. Credit card information is submitted during the payment process directly to the payment provider through a secure payment gateway. These details are protected from unauthorized access by certified payment service providers compliant with security standards such as PCI DSS (Payment Card Industry Data Security Standard). For recurring payments, card data is stored only by PCI DSS-certified providers. The legal basis for this processing is Art. 6(1)(b) GDPR (performance of a contract).

    CCARS does not store credit card information or stores it only in truncated form for analytics or fraud prevention purposes, in which case the legal basis is Art. 6(1)(f) GDPR (legitimate interest).

    PayPal
    Customers may also pay using PayPal. Based on Art. 6(1)(b) GDPR, data such as the PayPal account email address and mobile device information (e.g., device ID) may be transferred to PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg.

    Details about data processing by PayPal: https://www.paypal.com/pl/legalhub/paypal/privacy-full

    Apple Pay and Google Pay
    Customers can also use Apple Pay or Google Pay. Based on Art. 6(1)(b) GDPR, personal data such as the email address associated with the payment account and device identifiers may be transferred to:

    Apple Inc., One Apple Park Way, Cupertino, CA 95014, USA
    Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

    Privacy information:

    Apple Pay: https://www.apple.com/legal/privacy/data/en/apple-pay/
    Google Pay: https://payments.google.com/payments/apis-secure/get_legal_document?ldo=0&ldt=privacynotice

    9.2. FRAUD PREVENTION

    To ensure that payment instruments are used by their rightful owners and to prevent fraud, IP addresses, email addresses, payment data, and card information may be shared with one or more external fraud prevention providers. These providers may also process additional personal data as required, strictly on behalf of CCARS. The legal basis for this processing is Art. 6(1)(f) GDPR (legitimate interest).

    10. COMMUNICATION WITH CCARS

    If a customer contacts CCARS (e.g., by phone, contact form, chat, messenger, email, or via social media platforms like Facebook, Instagram, LinkedIn), the data provided will be processed for the purpose of handling the request and providing a response. Legal bases: Art. 6(1)(a) GDPR (consent) and Art. 6(1)(b) GDPR (contract performance or pre-contractual measures).

    Contact data may also be used—pseudonymized or anonymized where possible—for designing and improving services, identifying faults, and preventing misuse. Legal basis: Art. 6(1)(f) GDPR (legitimate interest).

    CCARS uses third-party tools (e.g., chat systems and messaging apps) for communication. Where applicable, data processing agreements are concluded with service providers.

    Feedback channels may also be provided, including via external platforms. Data collected through such channels is used for responding to requests and improving services as described above. Legal basis: Art. 6(1)(a) GDPR (consent), or alternatively Art. 6(1)(f) GDPR (legitimate interest).

    11. EMAIL MARKETING AND NEWSLETTERS

    If a customer consents or if CCARS has a legal basis, customer data may be used to send personalized advertising or newsletters. Data processed includes salutation, name, and email address. Purpose: to inform customers about offers and features of CCARS Services.

    Marketing emails and newsletters may include tracking pixels—small graphic elements embedded in HTML emails to generate statistical reports (e.g., open rates, link clicks). Legal basis: Art. 6(1)(a) GDPR (consent) or Art. 6(1)(f) GDPR (legitimate interest).

    Customers may withdraw consent to receive such emails at any time without incurring costs beyond standard transmission rates. To unsubscribe, use the link provided in the email or contact us directly (see Section 2).

    12. DATA SUBJECT RIGHTS

    Under the GDPR, data subjects have the following rights:

    12.1. Right of Access (Art. 15 GDPR)

    To obtain confirmation of whether personal data is being processed and access to that data.

    12.2. Right to Rectification (Art. 16 GDPR)

    To request immediate correction or completion of inaccurate or incomplete personal data.

    12.3. Right to Erasure (Art. 17 GDPR)

    To request deletion of personal data under conditions such as:

    – Data is no longer needed;
    – Consent is withdrawn;
    – Processing is unlawful.

    12.4. Right to Restrict Processing (Art. 18 GDPR)

    Applies, for example, when the accuracy of data is contested or processing is unlawful.

    12.5. Right to Object (Art. 21 GDPR)

    To object to processing based on legitimate interest or for direct marketing purposes.

    12.6. Right to Data Portability (Art. 20 GDPR)

    To receive personal data in a structured, commonly used, machine-readable format and transmit it to another controller.

    12.7. Right to Lodge a Complaint (Art. 77 GDPR)

    To file a complaint with the data protection authority.

    12.8. Right to Withdraw Consent (Art. 7(4) GDPR)

    To withdraw consent at any time. This does not affect the lawfulness of processing prior to withdrawal. Send your withdrawal to: daneosobowe@ccars.pl

    13. AUTOMATED DECISION-MAKING

    Customers are subject to automated decision-making (Art. 22 GDPR) only in exceptional cases, such as:

    – Reuse of a previously rejected payment method;
    – Indicators of fraudulent bookings.

    Such decisions are necessary for contract performance (Art. 22(2)(a) GDPR). Affected individuals may request human intervention, explanation, or express their viewpoint (see Section 2).

    14. DATA RETENTION AND DELETION

    Personal data is processed until the expiration of claims arising from the contract. Data will be deleted as soon as the legal basis ceases to apply. In some cases, multiple legal bases may exist or a new basis may arise (e.g., commercial or tax retention obligations).

    Marketing data is retained until objection to further processing is raised.

    15. CHANGES TO THIS PRIVACY POLICY

    CCARS reserves the right to amend or update this Privacy Policy at any time without prior notice if necessary, e.g., due to legal changes or technological developments.

     

    COOKIE SECURITY POLICY

    COOKIES, PIXELS, AND SIMILAR TECHNOLOGIES

    CCARS uses cookies, pixels, and similar technologies—small files stored on the user’s device that enable device recognition or improved data collection when using CCARS websites. The Controller informs users that all data transmitted on CCARS websites is secured using an SSL Certificate.

    TYPES OF COOKIES

    Cookies can be categorized based on their duration:

    – Session cookies – deleted automatically once the browser session ends.
    – Persistent cookies – stored beyond the individual session and enable future recognition of the user’s device.

    They may also be categorized as:

    – First-party cookies – set directly by CCARS.
    – Third-party cookies – set by external service providers.

    COOKIE MANAGEMENT

    Users may block the storage of cookies at any time through their browser settings or delete existing cookies. However, doing so may impair the functionality or availability of some CCARS Services. The storage duration of individual cookies varies by type and can be viewed in browser settings.

    The legal basis for the processing of personal data in connection with cookies, pixels, and similar technologies is Article 6(1)(a) GDPR (user consent) and Article 6(1)(f) GDPR (legitimate interest of CCARS).

    TECHNICALLY NECESSARY COOKIES

    CCARS uses technically necessary cookies to improve functionality and ensure a user-friendly experience. Use cases include:

    – user identification and authentication,
    – saving user preferences and settings (e.g., language selection),
    – retaining previously entered information to avoid reentry,
    – implementing security features.

    COOKIES FOR ANALYTICS AND OPTIMIZATION

    CCARS also uses proprietary cookies to:

    – analyze and improve service usage,
    – detect and eliminate technical or process-related issues,
    – prevent unlawful service usage (e.g., fraudulent bookings, cyberattacks).

    All evaluations conducted by CCARS are performed in pseudonymized or anonymized form whenever possible.

    COOKIES FOR MARKETING PURPOSES

    CCARS uses cookies, pixels, and similar technologies (both proprietary and third-party, e.g., from search engine providers, advertising networks, distribution partners) to:

    – improve CCARS Services,
    – measure, evaluate, design, and optimize marketing campaigns.

    Various analytics tools are used for these purposes, and data is processed in a pseudonymized or anonymized manner wherever feasible.

    EXAMPLES OF TOOLS USED IN CCARS SERVICES

    Google Analytics

    CCARS uses Google Analytics, a web analytics service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”).

    Google Analytics uses cookies stored on your computer to analyze how users interact with the website. Information generated by these cookies (including a shortened IP address) is typically transmitted to and stored on a Google server in the USA. CCARS uses Google Analytics exclusively with the “_anonymizeIp()” extension, which ensures anonymization of your IP address by truncating it, thus preventing direct identification.

    As a result, Google truncates your IP address within EU member states or other EEA countries before it is transmitted to the USA. Google uses this information on behalf of CCARS to evaluate website usage, compile reports on website activity, and provide other related services. Your browser’s IP address transmitted for Google Analytics purposes is not merged with other Google data.

    To opt out of Google Analytics, you may adjust your cookie settings in the browser or disable the service via:
    https://tools.google.com/dlpage/gaoptout

    Google’s privacy policy:
    http://www.google.com/policies/privacy
    https://www.cookiechoices.org/

    Google Tag Manager and Conversion Link

    CCARS uses Google Tag Manager, a service by Google LLC, to manage website tags via an interface.

    Google Tag Manager implements tags or scripts that may trigger other tags capable of collecting data. The tool itself does not collect personal data.

    For more information, see:
    http://www.google.com/policies/privacy
    https://policies.google.com/technologies/product-privacy?hl=en

    The Conversion Link tag enables the storage of click data in cookies associated with CCARS domains. This function supports the tracking of conversions (e.g., completed actions). More details:
    https://support.google.com/tagmanager/answer/7549390?hl=en

    Contentsquare (formerly Hotjar)

    CCARS uses an analytics tool provided by Contentsquare, formerly known as Hotjar. This tool is offered by Content Square SAS, 7 rue de Madrid, 75008 Paris, France (“Contentsquare”).

    When you visit our website, Contentsquare may collect technical data and cookies, as well as analyze user behavior such as mouse movements, scrolling, clicks, and interactions with page elements to generate so-called “heatmaps.” This information helps us design our website to be more efficient, user-friendly, and responsive. Personal data is anonymized and is not collected in a way that identifies individual users.

    As of July 1, 2025, all rights and obligations related to the Hotjar service have been transferred to Contentsquare, following an internal reorganization of the Contentsquare Group. From this date, Contentsquare acts as the data controller for account and usage data and processes this data in accordance with applicable data protection laws.

    If you do not consent to the use of Contentsquare (Hotjar) analytics tools, you can adjust your browser’s cookie settings or opt out directly via:
    https://www.hotjar.com/legal/compliance/opt-out

    You can also view the updated Contentsquare Privacy Policy at:
    https://www.contentsquare.com/privacy-center/privacy-policy/

    MailChimp

    For sending emails, CCARS uses MailChimp, a service provided by The Rocket Science Group LLC, 675 Ponce de Leon Avenue NE, Suite 5000, Atlanta, GA 30308, USA.

    If you subscribe to our newsletter or provide your email during registration, necessary data (email address, language, country) is transmitted to MailChimp in the USA and stored there. MailChimp not only delivers emails but also offers analytics for monitoring opens, clicks, and engagement. This includes the use of cookies and similar technologies.

    To unsubscribe from newsletters, click the “Unsubscribe” button in any email or disable cookies via your browser.

    MailChimp privacy information:
    https://mailchimp.com/legal/privacy/
    https://mailchimp.com/legal/cookies/

    For transfer reservations or inquiries,
    please contact us via email or call the number below.

    +48 791 409 633