1
Scope of the Document and Purpose of the Policy
This Privacy Policy (hereinafter: the "Policy") sets out the rules for the processing of personal data by NEXTCAR-USA Sp. z o.o. (hereinafter: the "Controller" or "we") in connection with our services and websites, including above all the website located at the domain: https://nextcar-usa.pl/pl/ and its subpages and the tools available within that website (hereinafter: the "Website" or "NextCar").
The purpose of the Policy is to inform you about what data we collect, for what purposes we use it, on what legal basis we do so, and what rights you have. The document takes into account the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council (the GDPR) and other applicable personal data protection laws.
The Policy also covers additional practices regarding the security and transparency of data processing, including data retention rules, the obligations of the User, and explanations concerning the transfer of data outside the EEA (where applicable).
The detailed rules and conditions for using NextCar, the manner of providing services by electronic means and the rules governing the tools available within this website are set out in the NextCar Terms of Service. Any terms used in this Policy that are not expressly defined have the meaning given to them in the aforementioned Terms of Service.
2
Definitions of Terms Used
- Personal data (Data) — any information relating to an identified or identifiable natural person, e.g., first name, last name, email, IP address.
- GDPR — Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 (the General Data Protection Regulation).
- Controller — NEXTCAR-USA Sp. z o.o., which determines the purposes and means of processing personal data.
- User — a natural person using the Website whose data may be processed.
- Cookies — small text files stored on the User's device by websites.
- Processing — operations performed on personal data (collection, storage, analysis, erasure, etc.).
- Contract — any contract concluded with the Controller, e.g., for the provision of services, orders, etc.
- Service — the website(s), applications or other online channels operated by the Controller.
3
Data Controller — Contact Information
The controller of your personal data is NEXTCAR-USA Sp. z o.o., with its registered office in Rzeszów. You may contact us as follows:
- Company name: NEXTCAR-USA Sp. z o.o.
- Registered address: ul. Kard. Karola Wojtyły 223A /1, 35-304 Rzeszów, Poland
- Email: automax.usa.biuro@gmail.com
- KRS: 0001181755
- NIP: 813-39-36-360
- Share capital: PLN 30,000.
If you have any questions concerning this Policy or wish to exercise your rights (described below), please contact us by email or by regular mail to the aforementioned registered address of the Company, marked "Personal data protection."
4
Data Protection Officer (if applicable)
The Controller has not appointed a Data Protection Officer (DPO), so the standard contact with the Controller applies. If a DPO is appointed, their contact details will be provided.
5
Scope of Data Collected
Depending on how you use the Website or the Controller's services, we may collect various categories of personal data, including:
- Identification data (first name, last name, company name, position, etc.).
- Contact data (email address, phone number, mailing address).
- Transaction data (purchase history, payments, order information).
- Analytical data (IP address, device and browser data, server logs, cookies).
- Recruitment data (resume, cover letter, qualifications, experience, if you apply for a job).
- Additional data provided to us in correspondence (by email, via the contact form, chat, etc.).
We do not collect special categories of data (e.g., data on health, religion or political opinions) except where you voluntarily disclose them (e.g., in a resume) or where required by law.
Please note that the scope of data may vary depending on the nature of the service provided. We always strive to minimize the scope of the data collected to the necessary minimum.
Your personal data comes primarily from you — you provide it to us voluntarily while using the Website or when contacting us (e.g., by completing a form, sending an email or placing an order). Sometimes we may receive your data from third parties, e.g., our business partners, payment service providers, external recruiters or job boards (in the context of recruitment).
In each case we inform you of the acquisition of data from another source, indicating its scope and purpose (e.g., in an information notice at the time of first contact). We aim to maintain full transparency as to the origin and the rules of processing of your data.
7
Purposes and Legal Bases for Processing Data
We process personal data solely for specific purposes, on clear legal bases consistent with the GDPR:
- Performance of contracts and provision of services: Basis: Article 6(1)(b) GDPR (contract) — the data is necessary to conclude and perform the contract, handle orders, provide customer support and ensure continuity of services.
- Marketing, newsletter and commercial communications: Basis: Article 6(1)(a) (consent) or (f) (legitimate interest — direct marketing). This includes, among others, sending newsletters, offers, promotions, etc.
- Analytics, statistics and optimization: Basis: Article 6(1)(f) GDPR (legitimate interest) — analyzing Website traffic and campaign effectiveness, improving functionality, and better tailoring the offering to clients' needs.
- Recruitment and HR activities: Basis: Article 6(1)(c) (legal obligation) and (a) (consent) — to the extent required by the Labor Code and/or information voluntarily provided by the candidate.
- Fulfillment of legal obligations: Basis: Article 6(1)(c) GDPR — e.g., tax and accounting regulations, archiving, requirements related to reporting to government authorities.
- Protection against claims and the pursuit of rights: Basis: Article 6(1)(f) GDPR (legitimate interest — safeguarding the Controller's interests). This includes pursuing or defending against legal claims.
8
Policy on Children and Age Restrictions
Under normal circumstances, our services are not directed at persons under 16 years of age. If, however, we offer functionalities for minors, we require the consent of their legal guardian (where required by law).
If we notice that we are processing children's data without proper consent, we will promptly take steps to delete it. We ask guardians to contact us if they suspect that a child has provided us with data without consent.
9
Contact Forms and Other Forms of Communication
The Website may include contact forms, online chats or other communication channels. Providing data (such as first name, last name, email and the content of the message) is voluntary but necessary to receive a response from us.
We use the data collected in this way solely to handle your inquiry, including replying to you or resolving the issues you have reported. Please remember not to provide sensitive data in such correspondence unless it is absolutely necessary to handle the matter.
The personal data provided in contact forms, comprising in particular the contact information of senders and recipients of messages and the information contained in the body of such correspondence, will therefore be processed by the Controller for the following purposes:
- to enable contact with the Controller, including identifying the sender and handling their inquiry/order submitted via the provided form, and then to maintain ongoing communication with the recipients of the messages;
- to document the arrangements made;
- to accept reports, requests, inquiries, etc. in electronic form;
- to perform the contract concluded with clients or counterparties;
- to pursue any claims or defend against claims;
- for statistical and analytical purposes.
With respect to the data marked in the form as required fields, the legal basis for processing is the Controller's legitimate interest in enabling identification of the sender and efficient handling of the inquiry submitted via the form by persons interested in the Controller's services or products (Article 6(1)(f) GDPR). With respect to data not marked in the form as required fields, the legal basis for processing is the User's consent (Article 6(1)(a) GDPR).
10
Newsletter and Marketing Materials
You may subscribe to our newsletter or consent to receiving commercial offers (e.g., by checking the appropriate box in a form). In such a case, we process your email address (and possibly other voluntarily provided data) in order to send commercial information, promotions and offer updates.
You have the right to opt out of receiving the newsletter at any time, e.g., by clicking the unsubscribe link in a message you receive. Withdrawing consent does not affect the processing carried out before its withdrawal.
As part of marketing communications, we may also personalize the content of the newsletter, taking into account your preferences or purchase history if you consent to this. The aim is to provide you with the most relevant information.
In addition, we may process Users' personal data in order to carry out additional marketing activities, which may consist of:
- displaying marketing content to the User that is not tailored to their preferences (including contextual advertising);
- displaying marketing content to the User matching their interests (behavioral advertising).
In order to carry out marketing activities, the Controller in some cases uses automated decisions, including decisions resulting from profiling, which may lead to the automatic adjustment of the Website's content to Users' needs. This means that, through the automated processing of data, including profiling, the Controller assesses Users' preferences in order to best tailor the offering for the future. The profiling we carry out does not result in decisions producing legal effects or similarly significantly affecting Users.
The Controller processes Users' personal data for marketing purposes in connection with directing advertising to Users, including contextual advertising (i.e., advertising that is not tailored to the User's preferences). The processing of personal data for this purpose is carried out in connection with the pursuit of the controller's legitimate interest (Article 6(1)(f) GDPR).
The Controller processes Users' personal data, including personal data collected via cookies and other similar technologies, for marketing purposes in connection with directing behavioral advertising to Users (i.e., advertising that is tailored to the User's preferences). The processing of personal data for this purpose also includes the profiling of Users.
11
Recruitment and HR Processes
If you apply for a job at NEXTCAR-USA Sp. z o.o., we process your data to the extent specified by law (e.g., the Labor Code) and on the basis of your consent to the processing of additional information (e.g., in your resume).
We retain recruitment data for the duration of the given recruitment process and, if you consent, also for the purposes of future recruitment for the period indicated in the recruitment clause or until consent is withdrawn.
Do not provide us with sensitive information (e.g., about health, political opinions or racial origin) — unless it is necessary due to legal requirements or the nature of the position, and we expressly request it.
12
Cookies and Similar Technologies
Our Website uses cookies and similar technologies (e.g., local storage, tracking pixels) for the following purposes:
- Essential cookies (ensuring the basic functioning of the Website).
- Analytics and statistics (measuring traffic, studying User behavior).
- Functional (remembering preferences, language settings, etc.).
- Marketing (ad personalization, remarketing, integrations with social media).
Many cookies come from external providers (e.g., Google, Facebook) and are subject to their own privacy policies. You can manage cookie settings in your browser (blocking, deleting, etc.).
More detailed information can be found in our separate Cookies Policy available on the Website. We recommend reviewing it to fully understand the tracking mechanisms and how to disable them.
13
Analytics and Tag Management
For analytical purposes and to improve the quality of our services, we may use tools such as:
- Google Analytics (Google LLC) — which collects data on traffic, User behavior and campaign effectiveness.
- Google Tag Manager (Google Ireland Limited) — for managing marketing scripts and tags on the site.
- Facebook Pixel (Meta Platforms, Inc.) — a tool for measuring the effectiveness of campaigns on Facebook and Instagram.
This data may include cookies, IP addresses and information about the browser and device. We collect it on the basis of legitimate interest (Article 6(1)(f) GDPR) or your consent — depending on the configuration. You can limit or block some of these tools, e.g., through browser plugins.
14
Disclosure and Recipients of Data
In connection with the pursuit of the purposes described in the Policy, personal data may be transferred to:
- Entities processing data on our behalf (hosting providers, IT, accounting and legal firms, marketing agencies).
- Payment operators and courier companies in order to handle orders.
- Commercial partners, if you have given separate consent or where required by a contract (e.g., joint services, projects).
- Public authorities entitled to obtain data (e.g., the police, courts, government offices) — in cases provided for by law.
We always select entities that ensure an appropriate level of data protection and conclude data processing agreements with them where required.
15
Transfer of Data Outside the European Economic Area (EEA)
Some entities whose services we use (e.g., cloud providers, newsletter systems, analytics) may be based outside the EEA. In such a case, the transfer of data takes place on the basis of:
- A European Commission decision finding an adequate level of protection.
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- Other permissible mechanisms arising from the GDPR (e.g., the consent of the data subject).
You have the right to obtain a copy of the standard contractual clauses by contacting us (details in the Contact section). We make every effort to maintain a high level of data protection, even in the case of transfers outside the EEA.
We retain personal data only for as long as it is necessary to achieve the specified purposes (described above) or for the period required by law. For example:
- Data related to the performance of a contract — we retain for the duration of the contract and the limitation period for claims.
- Data processed on the basis of consent — until consent is withdrawn or the purpose ceases to be relevant.
- Recruitment data — for the duration of the recruitment or until consent is withdrawn (if it concerns future recruitment).
- Data necessary to fulfill legal obligations — for as long as required by law (e.g., tax, accounting).
- Data processed on the basis of legitimate interest — until an effective objection is raised or that interest ceases.
After this period, the data is deleted or anonymized, unless there are other grounds for further processing.
If you would like detailed information about specific data retention periods for a given service, please contact us (the Contact section).
17
Automated Decision-Making and Profiling
In some situations we may use automated tools to analyze Users' data (so-called profiling), e.g., to prepare personalized offers or marketing campaigns.
As a rule, decisions made as a result of such profiling do not produce legal effects for you. However, if the processing significantly affects your rights and freedoms, you will be informed of this and will have the right not to be subject to a decision based solely on automated processing (Article 22 GDPR).
An example of such profiling may be segmenting customers based on purchase frequency in order to offer certain discounts or loyalty programs.
18
Data Security Measures
We apply appropriate technical and organizational measures to protect data against unauthorized access, loss, destruction or alteration, including:
- Encryption of transmissions (HTTPS/SSL).
- Access control systems (passwords, permissions, authorizations).
- Regular backups.
- Incident response procedures (Incident Response Plan).
- Security policies and employee training.
Despite the application of high standards, no system is completely reliable. If a data breach occurs that threatens your rights, we will notify you and the relevant authorities in accordance with the regulations.
We also encourage you to apply appropriate security measures on your side (e.g., strong passwords, changing passwords regularly, not sharing login credentials with third parties).
19
System Logs and Maintenance
In connection with the functioning of the Website and ensuring security, we collect so-called system logs (e.g., IP address, access time, information about the browser and operating system). This data is processed mainly for administrative, diagnostic and statistical purposes.
System logs may contain information that, in certain circumstances, allows you to be identified. However, we do not use them to identify Users, but only for internal purposes (e.g., preventing abuse).
On the basis of the logs, we may also analyze trends in order to improve the Website and detect anomalies or attempts at unauthorized access.
20
User Obligations and Responsibility
By using the Website, the User declares that the data they provide is true, up to date and relates solely to themselves (or to persons who have authorized them to act on their behalf). In particular:
- Do not share other people's data without their express consent.
- In the event of a change of data (e.g., email address), please update it as soon as possible.
The User is responsible for the truthfulness and completeness of the information provided to us. All actions on the Website should be carried out in good faith and with respect for the rights of others.
21
Your Rights Under the GDPR
In accordance with applicable law, you have the following rights regarding the processing of your data:
- Right of access (Article 15 GDPR) — the ability to obtain confirmation as to whether we process your data and information on what data and for what purpose.
- Right to rectification (Article 16 GDPR) — if your data is inaccurate or incomplete.
- Right to erasure ("the right to be forgotten," Article 17 GDPR) — in certain situations (e.g., when the data is no longer needed or you withdraw consent).
- Right to restriction of processing (Article 18 GDPR) — e.g., when you contest the accuracy of the data, for the duration of the verification.
- Right to data portability (Article 20 GDPR) — if the processing is carried out by automated means on the basis of consent or a contract.
- Right to object (Article 21 GDPR) — against processing based on legitimate interest (including profiling) or for the purposes of direct marketing.
- Right to withdraw consent (Article 7(3) GDPR) — at any time, without affecting the lawfulness of processing carried out before its withdrawal.
- Right to lodge a complaint (Article 77 GDPR) — with a supervisory authority (in Poland: the President of the Personal Data Protection Office).
To exercise the above rights, please contact us (details in the Data Controller section). We may ask you for additional information in order to confirm your identity.
You may exercise these rights free of charge; however, in the case of excessive or unfounded requests, we may charge a fee or refuse to act on them, in accordance with Article 12 GDPR.
22
Links to External Sites and Services; Social Media
The Website may contain links leading to other external sites or services (e.g., commercial partners, payment providers, social media). The Controller is not responsible for the data processing practices of those entities.
The Controller processes the personal data of Users who visit the Controller's profiles maintained on social media (including Facebook, Instagram, TikTok, LinkedIn). This data is processed solely in connection with maintaining the profile, including informing Users about the Controller's activity and promoting various events, services and products. The legal basis for the Controller's processing of personal data for this purpose is its legitimate interest (Article 6(1)(f) GDPR) in promoting its own brand and improving the quality of the services provided.
The Website also uses plugins and other social tools provided by the aforementioned social media services. In connection with using the Website, which contains such a plugin, the User's browser establishes a direct connection to the servers of the social media administrators (service providers). The content of the plugin is transmitted by the given service provider directly to the User's browser and integrated into the page. Through this integration, the service providers receive information that the User's browser has displayed the Website, even if the User does not have a profile with the given service provider or is not currently logged in to it. Such information (together with the IP address) is transmitted by the User's browser directly to the server of the given service provider (some servers are located in the USA) and stored there.
If the User has logged in to one of the social media services, that service provider will be able to directly associate the visit to the Website with the User's profile on the given social media service. If the User uses a given plugin, e.g., the "Like" button, the relevant information will also be transmitted directly to the server of the given service provider and stored there. In addition, this information will be published on the given social media service and shown to the persons added as the User's contacts.
The administrators of social media services also independently record Users' behavior using cookies or similar technologies, including with every interaction with our profiles. The full scope and purposes of processing personal data on social media services are determined by their administrators.
Detailed information on the purpose and scope of data collection and its further processing and use by the service providers, as well as the ability to contact them and the User's rights in this regard and the option to make settings ensuring the protection of Users' privacy, are described in the privacy policies of the individual service providers:
Facebook – https://www.facebook.com/privacy/explanation
Instagram – https://www.facebook.com/help/instagram/155833707900388
TikTok – https://www.tiktok.com/legal/page/eea/privacy-policy/pl
LinkedIn – https://pl.linkedin.com/legal/privacy-policy
We encourage you to review the privacy policies applicable to these external services. Each of these entities may process data in a different manner, independent of our procedures.
23
Handling of Incidents (Data Breach)
In the event of detecting a personal data breach that may result in a high risk to the rights or freedoms of natural persons, the Controller will:
- Notify the supervisory authority (the President of the Personal Data Protection Office in Poland) of the incident without undue delay — no later than 72 hours after becoming aware of the breach.
- Notify the data subjects if the breach may pose a significant risk, in accordance with Article 34 GDPR.
- Take all possible steps to minimize the consequences of the breach and to secure the data.
The Controller maintains internal documentation of incidents and procedures for responding to such situations. We also strive to analyze such incidents and draw conclusions in order to prevent them in the future.
24
Changes to the Privacy Policy
The Controller reserves the right to make changes to this Policy at any time. Any modifications will be published on the Website with appropriate advance notice, and in the case of material changes we may additionally notify you, e.g., by email (if we have such contact information).
Continued use of the Website after the changes are introduced constitutes acceptance of the new content of the Policy. We recommend regularly checking the current version of the document to stay up to date with our privacy protection practices.
In matters not regulated by this Privacy Policy, the relevant provisions of Polish law apply. The invalidity of any provision of this Privacy Policy does not affect the validity of the remaining provisions or of this document as a whole. In such a case, the Controller undertakes to formulate a valid provision in place of the invalid one, in particular with regard to the purpose of this document. This Policy is informational in nature and concerns only the Controller's Website. When using another website, it is advisable to review the privacy policy applicable there.
25
Contact and Final Provisions
Any questions, requests or complaints related to this Privacy Policy or the processing of personal data should be directed to the Controller:
- Controller: NEXTCAR-USA Sp. z o.o.
- Address: Kard. Karola Wojtyły 223A / 1, 35-304 Rzeszów, Poland
- Email: automax.usa.biuro@gmail.com
- Phone: +48 694 527 961
This Privacy Policy enters into force on the date it is published on the Website and remains in effect until revoked or until a new version is published.