The administrators of your personal data are companies belonging to the R4R capital group, jointly referred to as the Co-administrators.

As part of the co-administration agreement, the Joint controllers agreed on the scope   of   their   responsibility   regarding   the   fulfilment   of   obligations   under   the GDPR, in particular:

  • for fulfilling the disclosure obligations arising from the GDPR in relation to providing information referred to in art. 13 and 14 is the responsibility each Company is responsible on its own;
  • R4R Leasing Sp. z o.o. is  responsible   for fulfilling  the   obligations  arising from the   GDPR   in   relation   to   the   exercise   of   your   rights.   Regardless   of   this arrangement,   you   may   also   exercise   your   rights   against   other   Joint Administrators, who will forward your request to R4R Leasing Sp. z o.o. in order to fulfil your request.

The joint controllers have designated a single point of contact where you can report personal data issues. For this purpose, please contact us by e-mail to the following address: [email protected] or in writing to the address of the Administrator (with the annotation “personal data protection”).

As part of this document, we would like to inform you in a transparent way: why and how the Companies collects, uses and stores your personal data; what legal basis these personal data are processed and what are your rights and our obligations in relation to this processing.

Definitions

The following capitalized terms used in the Privacy Policy are given the following meanings:

• Controllers: R4R Leasing Sp. z o.o., R4R Warszawa Wilanowska Spółka z o.o., R4R Warszawa Woronicza Spółka z o.o., R4R Gdańsk Kołobrzeska Spółka z o.o., R4R Poznań Szczepanowskiego Spółka z o.o., R4R Warszawa Browary Spółka z o.o., R4R Wrocław Kępa Spółka z o.o., R4R Wrocław Rychtalska Spółka z o.o., R4R Łódź Wodna Spółka z o.o., R4R Warszawa Żwirki Spółka z o.o., R4R Warszawa Pohorskiego Spółka z o.o., R4R Kraków 3 Maja Spółka z o.o., R4R Poland Sp. z o.o., Pimech Invest Sp. z o.o., M2 Hotel Sp. z o.o. (Litewska 1, 00-581 Warsaw, Poland) oraz R4R Warszawa Taśmowa Spółka z o.o., R4R RE Sp. z o.o., R4R RE Wave 3 Sp. z o.o. email: [email protected]. Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

• Personal data – means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

 Account – assigned to a given User, identified by means of an e-mail address, part of the Website with which the User may perform specific actions within the Website;

• R4R Platform or Website – website through which the User may use the Services;

• Cookies – IT data that are stored on the User’s device by means of which he uses the Website, containing data about the User’s use of the Platform;

• Privacy Policy – this document. It sets out the principles according to which R4R processes Personal Data. The Website Regulations and the Privacy Policy are documents regulating the terms of use of the Platform;

• Website Regulations – a document regulating the principles of using the Platform, specifying the types and scope of Services available on the Platform, the complaint procedure and the technical conditions of using the Website. The Website Regulations and the Privacy Policy are documents regulating the terms of use of the Platform;

• Registration – the process of creating an Account by the User;

• GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (General Regulation on the Protection of data) (Journal of Laws EU. 2016, No. 119, page 1), effective from 25 May 2018;

• Service – a service provided by the Companies to the User. These services will include: publication of announcements, notifications, etc.;

• User – any person using the R4R Website.

Types of personal data.

Data provided by Users

Registration:

In order to use the Services we provide, the website allows you to set up an account. During registration, the CompaniesCompanies may collect the following information about you:

• first name and last name

• e-mail adress;

• mobile number.

If you set up an account, providing the data specified above is voluntary, but necessary to use the Services offered under your R4R account. The data provided by you will be processed in order to provide the Service, in accordance with the Website Regulations. The consequence of not providing data is the inability to effectively set up an account.

Contact form:

Our portal allows you to send a query via the contact form. If you choose this contact channel, the CompaniesCompanies may collect the following information about you:

• first name and last name;

• e-mail adress;

• mobile number;

• The city;

• other information disclosed by you in the message.

Providing the data specified above is voluntary, but necessary to answer the received question. The CompaniesCompanies will process the data listed above in order to implement your instruction or provide information. In a situation where the answer to your inquiry will be given by phone, the CompaniesCompanies may require you to provide us again with the personal data provided in the contact form to confirm your identity.

Phone call and emails:

We have also provided you with a phone number and email address on our website. If you choose one of the above contact channel, the CompaniesCompanies will collect all information that you choose to provide to our employee or entity cooperating with the CompaniesCompanies during a conversation or in an electronic message.

Calls can be recorded. If you do not agree to record the conversation, please choose a different contact channel.

Facebook Messenger:


The User has the possibility, using the built-in messenger application from Facebook, to contact the Administrator. For this purpose, it is necessary to be a registered user of Facebook social networking platform. The rules of data collection via the Facebook platform are regulated in a separate Privacy Policy of the Administrator placed on the Administrator’s corporate website on the Facebook platform: https://pl-pl.facebook.com/legal/terms.

Data collected automatically:

When using the R4R portal, the CompaniesCompanies may automatically collect your data in the following areas:

• IP and device data:

The CompaniesCompanies may collect Users IP addresses. The IP address is the number assigned to the terminal equipment of the person visiting the website. In addition, the Companies may collect information about the operating system and the type of your web browser and its version.

• Data on activity on the Website:

The Companies may collect data on your activity on the portal, and above all the date and duration of the visit and the sequences of activities on the site. In the event that you reach the R4R portal using links on other websites, the Companies will also collect data from which page was redirected to the R4R website and information about the ads from which such redirection took place.

• Login details:

In the case of Users who have an account, the Companies collects information on the date of registration on the site and logging in to the account, the date of the last password change, the date of the last successful login.

• Cookies

The website uses cookies, called cookies. They are saved by the Companies on the end device of the person visiting the R4R website, if the web browser allows it. A cookie usually contains the name of the domain from which it comes, its “expiration time” and an individual, randomly selected number identifying this file. Information collected using this type of file allows the development of general statistics of visits to our portal. The Companies uses two types of cookies:

• Session cookies: after the browser session ends or the end device is turned off, the saved information is deleted from the device’s memory. The mechanism of session cookies does not allow the collection of any personal data or any confidential information from the clients’ end devices.

• Cookies are permanent: they are stored in the memory of the Customer’s terminal device and remain there until they are deleted or expire. The mechanism of persistent cookies does not allow the collection of any personal data or any confidential information from customers’ end devices.

The Companies uses cookies for analysis and research as well as auditing audits, and in particular to create anonymous statistics that help to understand how Users use the website, which allows improving its structure.

The cookie mechanism is safe for end devices used by the website. This way it is not possible for viruses or other unwanted software or malware to get to your terminal equipment. However, in your browsers you have the option of limiting or disabling access of cookies to your devices. If you use this option, some of our Services or some parts of our portal may become inaccessible to you or may malfunction.

Below we present how you can change the settings of popular web browsers regarding the use of cookies:

• Internet Explorer: support.microsoft.com/pl-pl/help/17442/windows-internet-explorer-delete-manage-cookies

• Mozilla Firefox: support.mozilla.org/pl/kb/W%C5%82%C4%85czanie%20i%20wy%C5%82%C4%85czanie%20obs%C5%82ugi%20ciasteczek

• Chrome: support.google.com/chrome/answer/95647?hl=pl

• Safari: support.apple.com/kb/PH5042?locale=pl_PL

• Opera: help.opera.com/pl/latest/web-preferences/

Data collected from other sources

We may collect your personal data for marketing purposes directly from you or from third parties such as Google – primarily through marketing tools such as Google Ads and other similar.

Legal grounds, purposes and periods of data processing

Legal grounds for data processing

We cannot process personal data unless we have a valid legal basis. Therefore, we process personal data only if:

• the processing is necessary for the performance of a contract (art.6 par.1 lit.b GDPR), the subject of which is the service provided electronically – setting up an account;

• based on your explicit, voluntary and prior consent (art.6 par.1 lit.a GDPR) – for direct marketing. Any consent given may be withdrawn at any time. It should be remembered that withdrawal of consent is effective only for the future and does not affect the lawfulness of processing based on consent before its withdrawal;

• the processing is necessary for the pursuit of the legitimate interests of the Companies (art.6 par.1 lit.f GDPR) and does not unduly affect your interests or fundamental rights and freedoms. Please note that when processing personal data on this basis, we always try to balance our legitimate interest and your privacy. Such “legitimate interests” are:

• for establishing or pursuing civil law claims by the Companies as part of its operations, as well as defense against such claims;

• for answering the query received through any contact channel;

• for marketing using cookies collected on the Companies’s website.

Fulfilling contractual obligations: The duration of the contract between the User and the Companies.

Answering the received question: The period necessary to perform this task

Direct marketing by the Companies regarding the Companies’s products and Services: The period for which the Companies processes personal data for other purposes or until consent is withdrawn.

Conducting marketing using cookies collected on the Companies’s website. Session cookies are temporary files that are stored on the user’s end device until logging out, leaving the website or turning off the software (web browser). Persistent cookies are stored on the user’s end device for the time specified in the cookie parameters or until they are deleted by the user.

Regardless of the above periods, your data may be processed by the Companies for the purposes of determining or pursuing civil law claims as part of its business, as well as defense against such claims – for appropriate limitation periods for such claims, i.e. in principle no longer than 6 years from the occurrence of the event giving rise to the claim.

Security measures for personal data

All employees who gain access to Users personal data must comply with internal policies and processes related to the processing of personal data in order to protect them and ensure confidentiality. They are also required to comply with all technical and organizational security measures put in place to protect personal data.

We have implemented appropriate technical and organizational measures to protect personal data against unauthorized, accidental or unlawful destruction, loss, alteration, misuse, disclosure or access, and above all other illegal forms of processing. These security measures have been implemented taking into account technical capabilities, implementation costs, processing risks and the nature of personal data.

Transfer of personal data to recipients and other third parties.

The data may be transferred to recipients and other third parties to achieve the objectives set out in the policy and to the extent that they are necessary for them to perform the tasks ordered by the

Companies, if required by law or if the Companies has a different legal basis. The following may be considered as recipients or other third parties:

• entities related to the Companies in person or capital, subsidiaries of the Companies and special purpose vehicles;

• entities processing personal data at the request of the Companies, such as entities providing document archiving services or accounting services. These types of entities do not decide for themselves how to process your personal data. The processing of personal data by them takes place only to the extent that it is necessary for the business of the Companies. The Companies has control over the operations of such entities through appropriate contractual provisions protecting your privacy.

• any national public administration authorities (e.g. Police), authorities of other EU Member States (e.g. authorities established to protect personal data in other Member States) or courts, if required by applicable national or EU law or at their request;

• legal or tax advisers;

• providers of IT systems and hosting services;

• courier or postal service providers;

• entities operating call centers.

Data transfer outside the European Economic Area

Personal data will not be transferred to countries outside the European Economic Area (“EEA”), which includes EU Member States, Iceland, Liechtenstein and Norway.

The rights of Users and their use Rights

Each person has the right to access their personal data processed by the Companies. If you believe that any information about your person is incorrect or incomplete, please submit a request for rectification The Companies will immediately correct such information. In addition, you have the right to:

• withdraw your consent if the Companies has obtained such consent to process personal data (provided that such withdrawal does not violate the lawfulness of data processing carried out prior to withdrawal);

• obtain a copy of your personal data;

• request deletion of your personal data in cases specified by the provisions of the GDPR;

• request to limit the processing of your personal data in cases specified by the provisions of the GDPR;

• objecting – for reasons related to your particular situation – to the processing of your personal data, if such processing is carried out for the purpose of pursuing the public interest or legitimate interests of the Companies;

• transfer of data, receipt of personal data provided to the Companies in a structured, commonly used and machine-readable format, and to request that such personal data be sent to another personal data controller, without impediments by the Companies and subject to its own confidentiality obligations.

The Companies will verify your requests, requests or objections in accordance with applicable data protection laws. However, it should be remembered that these rights are not absolute; regulations provide for exceptions to their application. In response to your request, the Companies may ask you to verify your identity or provide information that will help the Companies better understand the situation. The Companies will endeavor to explain its decision to you if your requests are not met.

rights regarding the processing of personal data

To exercise the above rights, please send an email to [email protected] or contact the Companies by mail at Litewska 1, Warsaw 00-581.

If you are not satisfied with the way the Companies processes your personal data, please notify us of the problem and we will investigate any irregularities that arise. Please report your concerns using the contact details provided above. If you have any objections to the Companies’s reaction, it is also possible to submit a complaint to the competent personal data protection authority. In Poland, this body is the President of the Office for Personal Data Protection. In order to ensure the timeliness and accuracy of personal data, we may periodically ask you to check and confirm the personal data we hold about you or to inform us of any changes regarding this personal data (such as changing your email address). We encourage you to regularly checking the correctness, timeliness and completeness of personal data processed.

Information clause updates

This clause was updated on October 12, 2020 and may be subject to further changes. If required by law, any information regarding future changes or additions to the processing of personal data described in this clause, which may relate to your person, will be forwarded to you through the appropriate form of communication usually used by the Companies in dealing with Users.

List of jointly controlled companies:

R4R Leasing Sp. z o.o., R4R Warszawa Wilanowska Spółka z o.o., R4R Warszawa Woronicza Spółka z o.o., R4R Gdańsk Kołobrzeska Spółka z o.o., R4R Poznań Szczepanowskiego Spółka z o.o., R4R Warszawa Browary Spółka z o.o., R4R Wrocław Kępa Spółka z o.o., R4R Wrocław Rychtalska Spółka z o.o., R4R Łódź Wodna Spółka z o.o., R4R Warszawa Żwirki Spółka z o.o., R4R Warszawa Pohorskiego Spółka z o.o., R4R Kraków 3 Maja Spółka z o.o., R4R Poland Sp. z o.o., Pimech Invest Sp. z o.o., M2 Hotel Sp. z o.o. oraz R4R Warszawa Taśmowa Spółka z o.o., R4R RE Sp. z o.o., R4R RE Wave 3 Sp. z o.o.,R4R RE Wave 4 Sp. z o.o. (Litewska 1, 00-581 Warsaw, Poland)