Privacy Policy
This Privacy Policy applies to personal data for which the companies forming part of the R4R capital group are controllers, collectively referred to as Joint Controllers.
To the extent that you use the services of the Other Companies, these entities are independent controllers of your personal data. The information clause of the Other Companies constitutes a separate document, the link to which is available here: [LINK] https://vantagerent.pl/obowiazek-informacyjny-rodo/
Under the joint controllership agreement, the Joint Controllers have agreed on the scope of their responsibilities regarding the fulfillment of obligations arising from the GDPR, in particular:
The Joint Controllers have appointed a common point of contact where you can report issues concerning personal data. To do so, please contact us electronically at: [email protected], or in writing to the address of the Joint Controllers (with the note “personal data protection”).
Within this document, we wish to transparently inform you:
1. Definitions
The following capitalized terms used in this Privacy Policy shall have the meanings set out below:
Joint Controllers or Companies – means a natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. The current list of Joint Controllers is provided in point 8.1.
Personal Data – means information relating to an identified or identifiable natural person;
Data Subject – an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Account – a section of the Website assigned to a given User, identified by an email address, through which the User can perform specific actions within the Website;
Platform or Website – the R4R website through which the User can use the Services;
Cookies – IT data stored on the User’s device, which the User uses to access the Website, containing data about the User’s use of the Platform;
Privacy Policy – this document. It defines the principles according to which R4R processes Personal Data. The Website Terms of Service and the Privacy Policy are documents regulating the terms of use of the Platform;
Website Terms of Service – a document regulating the rules for using the Platform, specifying the types and scope of Services available on the Platform, the complaint procedure, and the technical conditions for using the Website. The Website Terms of Service and the Privacy Policy are documents regulating the terms of use of the Platform;
Registration – the process of creating an Account by the User;
GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Official Journal of the EU L 119, 2016, p. 1), applicable from May 25, 2018;
Service – a service provided by the Company to the User. These services will include, among others: publication of advertisements, notifications, etc.;
User – any person using the R4R website.
Other Companies – R4R Warszawa Wilanowska Spółka z o.o. (KRS: 0000797908), R4R Warszawa Woronicza Spółka z o.o. (KRS: 0000759998), R4R Warszawa Taśmowa Spółka z o.o. (KRS: 0000759723), R4R Gdańsk Kołobrzeska Spółka z o.o. (KRS: 0000759426), R4R Poznań Szczepanowskiego Spółka z o.o. (KRS: 0000747162), R4R Wrocław Rychtalska Spółka z o.o. (KRS: 0000640333), R4R Łódź Wodna Spółka z o.o. (KRS: 0000640262), R4R Wrocław Jaworska II Spółka z o.o. (KRS: 0000814299), R4R RE Wave 4 Spółka z o.o. (KRS: 0000814236), R4R Kraków 3 Maja Spółka z o.o. (KRS: 0000798196), R4R Poland Sp. z o.o. (KRS: 0000718158), R4R RE Sp. z o.o. (KRS: 0000600773), R4R RE Wave 3 Sp. z o.o. (KRS: 0000798078), Pimech Invest Sp. z o.o. (KRS: 0000828847), M2 Hotel Sp. z o.o. (KRS: 0000766939), M2 Biuro Sp. z o.o. (KRS: 0000766653), R4R Wrocław Park Zachodni Sp. z o.o. (KRS: 0000888773), R4R Łódź Kilińskiego Sp. z o.o. (KRS: 0000894099), Hotel Wrocław Grabiszyńska Sp. z o.o. (KRS: 0000922220), R4R Poznań Nowe Miasto Sp. z o.o. (KRS: 0000932443).
2. Types of Personal Data
2.1 Data provided by Users
(a) Registration:
To use the Services we provide, the website allows you to create an account. During registration, the Companies may collect the following information about you:
(i) first name and last name;
(ii) email address;
(iii) mobile phone number.
When creating an Account, providing the data specified above is voluntary, but necessary to use the Services offered within the Account. The data you provide will be processed for the purpose of providing the Service, in accordance with the Website Terms of Service and this Privacy Policy. The consequence of not providing the data is the inability to successfully create an account.
(b) Online Chat:
Our Platform allows you to send an inquiry via Online Chat. If you choose this communication channel, the Companies may collect the following information about you:
(i) first name;
(ii) email address;
(iii) mobile phone number;
(iv) city;
(v) other information disclosed by you in the message sent.
Providing the data specified above is voluntary, but necessary to respond to the inquiry received. The Companies will process the data listed above to fulfill your request or provide information.
If your inquiry is answered by phone, the Companies may require you to re-submit the personal data provided in the contact form to confirm your identity.
(c) Phone calls and emails:
(i) We have also provided you with a phone number and email address on our Platform.
(ii) If you choose either of the above communication channels, the Companies will collect all information that you decide to provide to our employee or to an entity cooperating with the Companies during the conversation or in an electronic message.
Calls may be recorded. If you do not consent to the recording of the conversation, please choose another communication channel.
(d) Facebook Messenger:
(i) The User has the possibility to contact the Joint Controllers via the built-in Facebook Messenger application. For this purpose, it is necessary to be a registered user of the Facebook social media platform. The rules for data collection via the Facebook platform are regulated by the Administrator’s separate Privacy Policy available on its company page on the Facebook platform: https://pl-pl.facebook.com/legal/terms
2.2 Automatically collected data
While using the Platform, the Companies may automatically collect your data to the following extent:
(a) IP and device data
The Companies may collect Users’ IP addresses. An IP address is a number assigned to the end device of a person visiting the Platform. In addition, the Administrator may collect information about your operating system, the type of your web browser, and its version.
(b) Activity data on the Website
The Companies may collect data regarding your activity on the Website, primarily the date and duration of the visit and the sequence of actions on the page. If you access the Platform using links on other websites, the Joint Controllers will also collect data about which page redirected you to the Platform and information about the advertisements from which such redirection occurred.
(c) Login data
For Users with an Account, the Companies collect information about the registration date on the Website and login to the Account, i.e., the date of the last password change, the date of the last successful login.
(d) Cookies
The Platform uses files called cookies. They are saved by the Joint Controllers on the end device of the person visiting the Platform if the web browser allows it. A cookie usually contains the name of the domain from which it originated, its “expiration time,” and an individual, randomly selected number identifying this file. Information collected through this type of file allows for the development of general statistics of visits to our Platform.
The Companies use two types of cookies:
(i) Session cookies: after the end of a given browser session or turning off the end device, the saved information is deleted from the device’s memory. The session cookie mechanism does not allow the collection of any personal data or any confidential information from Clients’ end devices.
(ii) Persistent cookies: are stored in the memory of the Client’s end device and remain there until they are deleted or expire. The persistent cookie mechanism does not allow the collection of any personal data or any confidential information from Clients’ end devices.
The Companies use cookies for analysis and research and audience auditing, and in particular to create anonymous statistics that help understand how Users use the Platform, which enables improving its structure.
The cookie mechanism is safe for the end devices you use to access the Platform. Viruses or other unwanted or malicious software cannot get onto end devices this way. Nevertheless, in your browsers, you have the option to limit or disable access to cookies on your devices. If you use this option, some of our Services or some parts of our Platform may become unavailable to you or may function incorrectly.
Below we present how you can change the settings of popular web browsers regarding the use of cookies:
(i) Microsoft Edge browser; https://support.microsoft.com/pl-pl/help/17442/windows-internet-explorer-delete-manage-cookies
(ii) Mozilla Firefox browser; https://support.mozilla.org/pl/kb/blokowanie-ciasteczek
(iii) Chrome browser; https://support.google.com/chrome/answer/95647?hl=pl
(iv) Safari browser; https://support.apple.com/kb/PH5042?locale=pl_PL
(v) Opera browser. https://help.opera.com/pl/latest/web-preferences/
2.3 Data collected from other sources
We may collect your Personal Data for direct marketing purposes directly from you, or from third parties, such as Google – primarily through marketing tools such as Google Ads and similar.
3. Legal bases, purposes, and periods of data processing
3.1 Legal bases for data processing
We cannot process Personal Data unless we have a valid legal basis. Therefore, we process Personal Data only when:
(a) processing is necessary for the performance of a contract (Art. 6(1)(b) GDPR), the subject of which is an electronically supplied service – account creation;
(b) based on your explicit, voluntary, and previously expressed consent (Art. 6(1)(a) GDPR) – for direct marketing purposes. Any given consent may be withdrawn at any time. Please note that the withdrawal of consent is effective only for the future and does not affect the lawfulness of processing carried out on the basis of consent before its withdrawal.
(c) processing is necessary for the realization of the legitimate interests of the Companies (Art. 6(1)(f) GDPR) and does not disproportionately affect your interests or fundamental rights and freedoms. Please note that when processing personal data on this basis, we always strive to balance our legitimate interest with your privacy. Such “legitimate interests” include:
(i) establishing or pursuing civil law claims by the Companies within the framework of their operations, as well as defending against such claims;
(ii) responding to inquiries received through any contact channel;
(iii) ensuring the proper functioning of the Website by using cookies collected on the Companies’ website.
3.2 Purposes and periods of data processing
Personal Data is processed only for a specific purpose and to the extent necessary to achieve it, and for as long as it is necessary. The purposes pursued by the Companies and entities associated with the Companies through the processing of Personal Data, as well as the periods for which they are processed, are listed below.
Purpose of processing and processing period
(a) Fulfillment of contractual obligations: the duration of the agreement between the User and the Company.
(b) Responding to inquiries received: the period necessary to complete this task.
(c) Transfer of Personal Data and information to Other Companies, if your inquiry or communication is addressed to them or concerns services provided by these entities.
(d) Conducting direct marketing by the Company regarding the Company’s products and Services: the period for which the Company processes personal data for these purposes or until consent is withdrawn.
(e) Conducting marketing using cookies collected on the Platform: “session” cookies are temporary files that are stored on the user’s end device until logging out, leaving the website, or turning off the software (web browser). “Persistent” cookies are stored on the user’s end device for the time specified in the cookie parameters or until deleted by the user.
Regardless of the above periods, your data may be processed by the Companies for the purpose of establishing or pursuing civil law claims by the Companies within the scope of their operations, as well as defending against such claims – for the relevant limitation periods for such claims, i.e., as a rule, no longer than 6 years from the occurrence of the event giving rise to the claim.
4. Measures to secure personal data
4.1 The Joint Controllers are entitled to jointly determine the purposes and means of processing Personal Data with the other Joint Controllers.
4.2 The Joint Controllers declare that they are aware of the principles of processing and securing Personal Data resulting from the GDPR and other generally applicable legal provisions, with particular emphasis on the obligations of a personal data controller.
4.3 The Joint Controllers declare and assure that, in accordance with Art. 24 GDPR, they possess technical and organizational measures aimed at ensuring compliance of Personal Data processing with GDPR provisions and apply security measures meeting GDPR requirements, and also subject them to reviews and updates.
4.4 All employees who access Users’ Personal Data must comply with internal rules and processes related to personal data processing to protect it and ensure confidentiality. They are also obliged to comply with all technical and organizational security measures implemented to protect Personal Data.
4.5 We have implemented appropriate technical and organizational measures to protect Personal Data against unauthorized, accidental, or unlawful destruction, loss, alteration, misuse, disclosure, or access, and against all other illegal forms of processing. These security measures have been implemented taking into account technical capabilities, implementation costs, risks associated with processing, and the nature of the Personal Data.
5. Disclosure of Personal Data to recipients and other third parties
Personal Data may be disclosed to recipients or other third parties to achieve the purposes listed in point 3.2 to the extent necessary for them to perform tasks entrusted by the Companies, if required by law or if the Companies have another legal basis.
Recipients or other third parties may include:
(a) entities related to the Companies personally or by capital, subsidiaries of the Companies, and special purpose vehicles;
(b) entities processing personal data on behalf of the Companies, such as entities providing document archiving services or accounting services.
Such entities do not independently decide how to process your Personal Data. Their processing of Personal Data occurs only to the extent necessary for the Companies’ operations. The Companies control the activities of such entities through appropriate contractual provisions that protect your privacy.
(c) any national public administration bodies (e.g., Police), authorities of other EU Member States (e.g., data protection authorities in other Member States) or courts, if required by applicable national or EU law or at their request;
(d) Other Companies (if the content of your inquiry or communication is addressed to them);
(e) legal or tax advisors;
(f) providers of IT systems and hosting services;
(g) courier or postal service providers;
(h) call center service providers.
6. Data transfer outside the European Economic Area
Personal data will not be transferred to countries outside the European Economic Area (“EEA”), which includes EU Member States, Iceland, Liechtenstein, and Norway.
7. Rights of Users and their exercise
7.1 Entitled rights
Every person has the right to access their Personal Data processed by the Companies. If you believe that any information concerning you is incorrect or incomplete, please submit a request for its rectification as specified in point 6.2 below. The Companies will promptly correct such information.
Furthermore, you have the right to:
(a) withdraw your consent in cases where the Companies have obtained such consent for the processing of Personal Data (with the proviso that this withdrawal will not affect the lawfulness of data processing carried out before the withdrawal);
(b) obtain a copy of your Personal Data;
(c) request the erasure of your Personal Data in cases specified by GDPR provisions;
(d) request the restriction of the processing of your Personal Data in cases specified by GDPR provisions;
(e) object – on grounds relating to your particular situation – to the processing of your Personal Data, if such processing is carried out for the performance of a task carried out in the public interest or for the legitimate interests of the Companies;
(f) data portability, i.e., to receive Personal Data provided to the Companies in a structured, commonly used, and machine-readable format and to request the transmission of such Personal Data to another personal data controller, without hindrance from the Companies and subject to their own confidentiality obligations.
The Companies will verify your requests or objections in accordance with applicable personal data protection regulations. However, please note that these rights are not absolute; regulations provide exceptions to their application.
In response to your request, the Companies may ask you to verify your identity or provide information that will help the Companies better understand the situation. The Companies will make every effort to explain their decision to you if your requests are not met.
7.2 Exercising your rights
To exercise the above rights, please send an email to [email protected] or contact the Companies by correspondence at ul. Litewska 1, Warsaw 00-581.
If you are not satisfied with how the Companies process your Personal Data, please notify us of the problem, and we will investigate any irregularities that have arisen. Please report your concerns using the contact details provided above.
If you have reservations about the Companies’ response, you also have the option to lodge a complaint with the competent personal data protection authority. In Poland, this authority is the President of the Personal Data Protection Office.
To ensure the currency and accuracy of Personal Data, we may periodically ask you to review and confirm the Personal Data we hold about you or inform us of any changes regarding this Personal Data (such as a change of email address). We encourage you to regularly check the correctness, currency, and completeness of the processed Personal Data.
8. Updates to the information clause
This clause was updated on May 27, 2026, and may be subject to further changes. If required by law, all information regarding future changes or additions to the personal data processing described in this clause, which may affect you, will be provided to you through the appropriate form of communication usually used by the Companies in contacts with Users.
9. Joint Controllers
9.1 List of companies that are Joint Controllers
Companies based at ul. Litewska 1, 00-581 Warsaw: R4R Leasing Sp. z o.o. (KRS: 0000600776), R4R Warszawa Browary Spółka z o.o. (KRS: 0000640389), R4R Wrocław Kępa Spółka z o.o. (KRS: 0000640326), R4R Poland Sp. z o.o. (KRS: 0000718158), R4R RE Sp. z o.o. (KRS: 0000600773), Hotel Gdańsk Zielony Trójkąt sp. z o.o. (KRS: 0000919831), R4R Gdańsk Stocznia Sp. z o.o. (KRS: 0000888813); Hotel Wrocław Bardzka sp. z o.o. (KRS: 0000991546) and, based at ul. Opolska 110, 31-323 Kraków, the company Hotel Kraków Romanowicza sp. z o.o. (KRS: 0000926147).
© 2026 Resi4Rent - All rights reserved