Privacy Policy

Privacy Policy


The Policy sets out the rules for processing personal data of users of the website located at (“Website”), operated by Highway Automotive Sp. z o. o. in Niepołomice (“Administrator”). A user of the Website is anyone who uses it in any way (User). The Website contains information about the Administrator, our products, sample documents, contract templates used in concluding contracts (General Terms of Sale, Delivery and Payment, Terms of Guarantee, Terms of Acceptance of Deposit). The Website allows to make contact with us and receive the mentioned materials.

The Policy also covers issues of processing Users’ personal data related to our maintenance of accounts on social networks Instagram, Facebook, LinkedIn (Portals). The Policy also includes information on the cookies we use and analytical and marketing tools.


General information on the processing of personal data

In accordance with applicable data protection legislation, in particular the General Regulation of the European Parliament and of the Council (EU) 2016/679 of April 27, 2016 (hereinafter: RODO) (Article 13(1) and (2)), we inform you that:

  1. Identity and contact details of the personal data administrator

The administrator of your personal data is Highway Automotive Sp. z o.o. with headquarters in Niepołomice (ul. Grabska 10A, 32-005 Niepołomice), registered in the Register of Entrepreneurs kept by the District Court for Kraków- Śródmieście in Kraków, XII Economic Department of the National Court Register, under KRS number: 0000352815, with NIP number: PL6793031902, REGON: 121185550, share capital in the amount of: PLN 50,000.

The Administrator may be contacted in writing, by regular mail to: Grabska 10A, 32-005 Niepołomice or electronically at:


  1. Data sources

We may receive data from you by filling out the contact form available on the Website.

You may also write to us or call us – using the email, postal and telephone addresses provided on the Website or in this Policy. Such correspondence may also be a source of data for us.

In addition, we may obtain personal data from you through the Portals, as well as upon your consent to the analytical and marketing tools and their cookies used on the Website.


  1. Ways of protecting personal data

The Administrator ensures that the protection and security of your personal data are an important element in its business operations and are taken into consideration when developing its procedures and solutions.

In implementing these objectives, technical and organizational measures have been applied to ensure the protection of the processed data in accordance with the requirements set forth in the regulations on personal data protection, in particular the RODO, which measures are adequate to the risk of violation of your rights and freedom.

These include securing data against unauthorized access, unauthorized taking or use, against processing in violation of applicable laws, and against alteration, loss, damage or destruction of data.

Your data are shared with third parties in compliance with the law, in a situation where it is necessary from the point of view of the Administrator’s activities, and access to your data at the Administrator is granted to employees and associates who have received appropriate authorizations and signed appropriate commitments to protect personal data and keep them confidential.

We respect your data protection rights and our technical solutions are in line with the state of the art.

The Administrator has also implemented appropriate procedures for dealing with violations of personal data protection, as well as rules for reporting violations to the supervisory authority, which in Poland is the President of the Office for Personal Data Protection.


  1. Legal basis and purposes of personal data processing

Personal data is processed in accordance with the RODO and the Personal Data Protection Act of May 10, 2018.


The legal basis for data processing is:

  • ­Article 6, the Act 1, section b) RODO: Processing is necessary for the performance of a contract to which the data subject is a party, or to take action at the request of the data subject prior to entering into a contract.


Processing purposes based on the above basis:

  • Conducting negotiations and arrangements for entering into a sales contract or service contract with us, including responding to contact from potential customers regarding inquiries about specific products/services.


  • ­Article 6, the Act 1, section f) RODO: The processing is necessary for the purposes of the legitimate interests pursued by the administrator.


Processing purposes based on the above basis:

  • direct marketing, in-house:
  1. responding to contact undertaken through the contact form and addresses available on the Website – regarding inquiries about the Administrator’s activities,
  2. storing inquiries and contacts about specific products/services, on the basis of which no contract was concluded,
  3. obtaining anonymized statistical data on Users’ use of the Website for the purpose of improving the quality of the Website and the use of the Website;
  4. conducting business and promotion on the Portals;
  • ensuring the secure operation of the Website and its functionality.


  1. Criteria for determining the period for which personal data will be stored

The data will be stored for the duration of the purposes covered by the legitimate interests of the Administrator, unless we are obliged to stop processing the data earlier due to your objection.

With regard to the sale of products and the performance of the services we offer, for the period of negotiation, conclusion and performance of the contract.


  1. Information on categories of recipients for personal data

The recipients of your personal data are entities cooperating with the Administrator in the course of his/her business on the basis of entrusting them with the processing, on his/her behalf, of the data he/she has at his/her disposal, i.e.: providers of software supporting business processes (e.g. e-mail, planning and data management programmes and applications of the CRM type, handling of forms on the Website), providers of hosting services, IT companies, companies providing software implementation and maintenance services, providers of analytical services concerning the Website, companies operating the Websites.

Recipients of the data are also entities cooperating with the Administrator in the course of business as independent controllers of personal data with their own basis for processing, i.e.: delivery companies, postal services.


  1. Information on the possible obligation to provide data and the consequences of failure in doing it

The provision of personal data is optional.


  1. Information on the rights of the data subject

You have the right:

  1. access to personal data,
  2. to request the rectification, cancellation or restriction of the processing of personal data,
  3. data portability (the right to receive it from the Administrator and send it directly to another administrator),
  4. to object to the processing of personal data,
  5. make a complaint concerning the processing of personal data,
  6. not to be subject to a decision which is based solely on automated processing, including profiling, and produces legal effects on you or similarly significantly affects you, in accordance with the content of the RODO. In order to exercise these rights, please contact the Administrator at the address given in point 1 of this Policy.


  1. Right to object

To the extent that your personal data is processed on the basis of Article 6(1)(f) RODO – legitimate interest of the Administrator, you have the right at any time to object to its processing – on grounds relating to your particular situation. In that case, the Administrator may no longer process your data unless the Administrator can demonstrate that there are compelling legitimate grounds for such processing overriding your interests, rights and freedoms, or that there are grounds for establishing, asserting or defending claims.

However, to the extent that, within the legitimate interest of the Administrator, personal data is processed for direct marketing purposes, you have the right to object to such processing at any time. The Administrator shall then not be allowed to process your data for such purposes.


  1. Right to make a complaint to a supervisory authority

You have the right to make a complaint to a supervisory authority, in particular in the Member State of the European Union of your habitual residence, place of work or place where the alleged infringement was committed, if you believe that the processing of your data violates the RODO.

Within Poland, the powers of the supervisory authority are exercised by the President of the Office for the Protection of Personal Data (Urząd Ochrony Danych Osobowych, ul. Stawki 2, 00-193 Warsaw).


  1. Profiling

We use marketing tools that include profiling in their operation. Profiling involves the automated processing of data in order to analyse or forecast certain information about you (e.g. interest in a particular product/service, orders placed). Its purpose is to optimise the performance of the Website, improve the relevance of the advertisements displayed and effectively target our online marketing message to you. In other words, the Administrator knows if a User has reached our Website through a particular advertising tool and may display online advertisements relating to your activity on the Website. By using these techniques, we do not receive information linked to individual Users from service providers. This profiling therefore has no legal effect on you, nor does it have any other significant effect of a similar nature on you. The profiling takes place on the basis of your consent (consent for advertising cookies).

To a certain extent, profiling is used in connection with our activities on LinkedIn. However, this is done on the basis of the policies of this Portal, and LinkedIn users can tailor the extent of the information they receive to their own criteria/preferences through the privacy settings made available to them on the Portal. For more on this, see para. 17. account on the LinkedIn Portal.

  1. Territorial scale of data processing

As a general rule, your data is processed within the European Economic Area (EEA), which comprises the EU Member States plus Norway, Iceland and Liechtenstein. Transfers of data outside of the EEA occur in connection with our Portal accounts.

The transfer takes place on the basis of standard contractual clauses that have been adopted by the European Commission. Our partners here mostly act as data processors or as co-data controllers who directly or indirectly transfer data outside the EEA. In some cases, additional technical security measures are applied. Further information on the security measures in place can be obtained by contacting us at the addresses indicated in paragraph 1 of this Policy or available on the Website.

In the absence of a Commission decision confirming an adequate level of protection, the transfer of data to third countries involves certain risks for data subjects. These countries have different data processing rules than in the EU and, as a consequence, the scope of their rights with regard to their data may be diminished or some rights may not be enforceable.


Functions of the Website that collect personal data

  1. Contact form on the Website. Contact using the addresses available on the Website

You may contact the Administrator quickly and efficiently through the contact form available on the Website or write or call using the addresses provided on the Website under the Contact tab. Sending to the Administrator a filled form / submitting information using the available addresses means that you agree to be contacted back using the data provided in the form / to be contacted back using the same, or the communication channel indicated in the information provided to us, within the meaning of the Act on Rendering Electronic Services and the Telecommunication Law. This consent is voluntary – we respect your privacy and it is your decision to contact the Administrator.

You may revoke your consent at any time by contacting the Administrator using the addresses available on the Site, or in this Policy. Revocation of consent does not affect actions taken by the Administrator based on consent prior to revocation.

Basis for the processing of personal data: article 6(1)(f) of the RODO [direct marketing of our own].


  1. Cookies

When using the Website, so-called cookies are installed on your device. Cookies are short IT data, in particular text files, placed on the Users’ terminal equipment when using the Website. Cookies usually contain the name of the website they come from, the time they are stored on the end device and a unique number.

The cookies used by the Administrator have the following functions:

  • the ability to use the Website in a secure manner and to use its available functionalities (essential cookies); they are activated automatically when you access the Website; their operation does not require your consent;
  • to collect information about how Users use the Website (we receive anonymised statistical data) in order to improve the quality of the Website and its use, to analyse conversions (Matomo action – analytical cookies);
  • running online marketing campaigns, including personalised ones by means of profiling, checking the effectiveness and optimisation of advertisements – operation of the Facebook Pixel (marketing cookies); these cookies are not activated until you have given your consent.


The main types of cookies that can be identified by the length of time they are stored:

  • session files – temporary files that are stored on the User’s terminal equipment until they log out, leave the website or change their browser settings;
  • permanent – they are stored on the User’s terminal equipment for the time specified in the parameters of cookies or until they are deleted by the User.

The maximum storage time for cookies is up to 2 years.

Analytical and marketing cookies are not activated until you have given your consent to their use within the meaning of the Telecommunications Law. Consent can be given by clicking on Accept all cookies, which grants consent for the use of all cookies used on the Site, or by clicking on the Cookie Settings button, which opens the possibility to grant, or not, consent for analytical and/or marketing cookies. Consent is voluntary and can be withdrawn by changing these settings on the Site (Cookie Settings link in the Site footer) or by clearing the cookies on your device, which will return you to your original settings option. The withdrawal of consent does not affect the lawfulness of actions taken on the basis of consent before its withdrawal.

Notwithstanding the above-mentioned options for managing cookies available on the Website, you can change the settings of cookies by specifying the conditions for their storage or access by means of the settings of your web browser software, including disabling the option to accept cookies in such a way as to block the automatic handling of cookies or to inform you each time they are sent to your terminal device and changing the duration of their storage. Please note that as some cookies are essential to the operation of the Website, disabling all cookies may disable some of the functionality available on the Website (e.g. sending a contact form).

Detailed information on how to manage the various cookies is available in the software settings of the individual internet browser.

  1. a) Chrome >;


  1. c) Internet Explorer;
  2. d) Opera >;
  3. e) Safari >


  1. Matomo analytical tool

Matomo is an open-source analytical tool used to analyse how you use the Website, count the number of visits to the Website, analyse conversions. On the basis of the data collected in this way, a report on the Website’s performance is generated.

The analytics data provided by Matomo are solely the property of the Administrator and are not collected or analysed by any other entity, in particular Matomo management. They are stored on servers provided by Matomo-in Germany-or directly on the Administrator’s servers, so that they are not transferred outside the EEA.

We receive this data in an anonymised version. In addition, the possibility for the Website user to subscribe or unsubscribe from tracking by Matomo is enabled.

Further information on the operation of Matomo and its data processing can be found here:

Legal basis for data processing: Article 6(1)(f) RODO, i.e. the Administrator’s legitimate interest [direct marketing: obtaining anonymised statistical data on Users’ use of the Website].


  1. Facebook and Instagram accounts

The administrator maintains accounts (fanpage) on Facebook and Instagram, where registered users can, for example, leave posts, messages, observe, recommend or ‘like’ him. Such activity may result in the transfer of personal data by the users themselves. The administrator also has access to the statistics offered by Facebook for the business account through which the fanpage is operated (statistics are presented in anonymous form).

Basis for the processing of data from the RODO: Article 6(1)(f) i.e. legitimate interest [self-directed marketing].

The ability to maintain an account on the Portals is provided by Meta Platforms Ireland Limited, whose registered office is at 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland.

The Administrator and Meta Platforms are joint controllers (within the meaning of Article 26 RODO) of certain personal data processed in connection with the statistics of our pages on the Portals.

The joint administration of the data includes the creation of events and their aggregated analysis in the statistics of our page on the Portals, transmitted to the page administrator, i.e. in this case us. In contrast, any other processing of personal data in connection with our Facebook/Instagram page or related content, for which there is no joint specification of purposes and means, is carried out by us or Meta Platforms separately, as independent controllers.

As part of the joint administration, Meta Platforms is responsible for, among other things, the exercise of the rights of persons under Articles 15 to 21 of the RODO, implements appropriate technical and organisational measures to ensure the security of the processing in accordance with Article 32 of the RODO, and carries out notifications and notifications in the event of a personal data breach in accordance with Articles 33 and 34 of the RODO.

Further information on the processing of data in connection with page statistics on the Portals, including the division of responsibilities between the joint controllers can be found here:

Meta Platforms acts as a controller or co-data controller of the Portal that processes data, or uses further processors, also in third countries – outside the EEA.

More on data processing on Facebook: and Instagram: You can manage the data collected on Facebook here: Instagram’s cookie policy is available at:


  1. LinkedIn account

We also maintain an account on LinkedIn, where registered users can, for example, leave posts, private messages, observe us and share our profile. We also have access to the statistics offered by LinkedIn (so-called Page Insights) for the business account through which our profile is maintained (such statistics are presented to us in anonymised form).

Basis for processing from the RODO: Article 6(1)(f) i.e. our legitimate interest [direct marketing of our own].

The ability to maintain an account on the Portal is provided to us by LinkedIn Ireland Unlimited Company. Wilton Place, Dublin 2, Ireland.

Both we and LinkedIn are joint controllers (within the meaning of Article 26 of the RODO) of the personal data processed in connection with the statistics of our page on the Portal. Under the terms of the data co-management agreement linking us to LinkedIn, the Portal is responsible in terms of the RODO for matters relating to statistics, including compliance with the obligations referred to in Articles 12-22 and 32-34 of the RODO. This means that, in the aforementioned respect, LinkedIn is responsible for, among other things, fulfilling its duty of information towards Portal users and enabling them to exercise their rights. Requests for the exercise of these rights can be addressed directly to LinkedIn. If such a request is received by us, we will forward it to LinkedIn. LinkedIn also takes care of the security of this processing by providing appropriate technical and organisational measures, You can find the co-management agreement with LinkedIn here For more information on the security measures used by LinkedIn

LinkedIn acts as a controller or co-data controller from the Portal that processes data, or uses further processors, also in third countries – outside the EEA.

More on LinkedIn’s data processing Contact LinkedIn’s IODO:


  1. Facebook Pixel marketing tool

We also use a marketing tool called Facebook Pixel (and its cookies) offered by Facebook. This tool is linked to our Facebook marketing account and to the Website. It allows us to assess the effectiveness of the ads we display on Facebook (so-called conversions – how ads and their clicks on Facebook translate into specific actions by Users) and to display these ads on Facebook in relation to specific actions the User has taken on the Site. Entering the Site via the pixel results in a direct connection to Facebook’s servers. As a result of using this tool, we do not receive personally identifiable data from Facebook about individual Users. Facebook Pixel cookies are stored for up to 2 years.

Legal basis for processing: Article 6(1)(f) RODO [direct marketing: conducting marketing campaigns, including personalised ones by means of profiling, checking the effectiveness and optimisation of advertising]. – based on your consent to advertising cookies – if you have given it.

The FB Pixel services are by Meta Platforms Ireland Limited, based at 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland.

Both we and Meta Platforms Ireland Limited are joint controllers (within the meaning of Article 26 of the DPA) of certain personal data processed in connection with FB Pixel.

In terms of FB Pixel:

  1. with regard to personally identifiable data, i.e. their names, e-mail addresses and telephone numbers – we are the controller of this data and entrust it to FB for processing; FB processes it or uses further processors, also in third countries;
  2. in relation to other data we share about individuals and the activities they undertake on the Website, e.g. visits to the Website or purchases of products – we are a joint controller of this data together with FB; the scope of joint processing includes the collection of the data and the transfer of the data to FB; as part of the joint processing, FB is responsible for ensuring that the rights of data subjects are enforced in accordance with Art. 15-20 RODO, FB also implements appropriate technical and organisational measures to ensure the security of the processing in accordance with Article 32 RODO with regard to the data in the business tools it offers including FB Pixel.

For further information on:

  • FB Business Tools Regulations (including FB Pixel) –
  • Data co-administration in connection with business tools (including FB Pixel) –;
  • Entrusting our data processing to FB
  • Transfers of entrusted data by FB to third countries and further processors for advertising
  • Processing of data by FB (including those required by Article 13(1)(a) and (b) of the RODO and on how to enforce rights)


  1. External links

Our Website contains external links (links) to the mentioned Portals. When you use the links, no data is transmitted to the Portals, unless you are logged into your user account on the relevant social network. In that case, when you click on the link, the Portal will find out where you came from.

With regard to other external links that may be found on the Website, we point out that we are not responsible for the standards and data protection policies that are applied by the operators of such external sites. We recommend that you independently verify each of our partners and consequently decide for yourself whether to entrust them with your personal data.


Concluding information

  1. Applicability and changes to the Privacy Policy

This Privacy Policy is effective as of 01.01.2024.

The Privacy Policy may be amended if it is required by applicable law, the following changes: data of the Administrator or data of other entities mentioned in the Policy, information about the Administrator and its activities, the recruitment process conducted, or technological conditions of the Website. The change may also take place in order to improve the standard of information or protection. We will inform you of the change when you first access the Website following the change in the Privacy Policy.