Privacy Policy

1. Introduction

This Privacy Policy (the "Policy") explains how Szybex Spółka z ograniczoną odpowiedzialnością, a company registered in Poland with KRS number 0001142594, NIP 9492272972, and REGON 54035321700000, located at ul. Krakowska 26, 42-200 Częstochowa, Poland (hereinafter "we", "our", or "Szybex") collects, uses, stores, and otherwise processes personal data.

By "personal data" we mean any information relating to an identified or identifiable natural person.

The processing of your personal data is governed by different legal texts, including the following:

  • Regulation (EU) 2016/679 of 27 April 2016 (the "GDPR");
  • The Polish Act of 10 May 2018 on the Protection of Personal Data (Ustawa o ochronie danych osobowych) (the "Polish Data Protection Act");
  • The Polish Telecommunications Law of 16 July 2004 (Prawo telekomunikacyjne), in particular Article 173, on the storage of and access to information on a user's device;
  • Any other applicable Polish legislation implementing EU privacy directives (together the "Applicable Law").

Please read this Policy carefully before sharing your personal data with us. We reserve the right to update this Policy to remain compliant with the Applicable Law or to reflect changes in our practices. The latest version is always available free of charge at szybex.pl.

2. Data Controller

Szybex is the data controller responsible for the personal data described in this Policy. As data controller, we determine the purposes and means of processing your personal data.

Contact details for data protection queries:

  • By post: Szybex Sp. z o.o., ul. Krakowska 26, 42-200 Częstochowa, Poland
  • By telephone: 34 50 65 100

We may engage third-party processors to process personal data on our behalf. Where we do so, we ensure that appropriate data processing agreements are in place and that processors provide sufficient guarantees regarding technical and organisational security measures as required by Article 28 GDPR.

When we handle a job involving your insurer, we and the insurer each act as separate, independent controllers, each for our own purposes. We remain responsible for the processing described in this Policy.

3. Your Rights

Under the GDPR and the Polish Act of 10 May 2018 on the Protection of Personal Data, you have the rights set out below. To exercise any of these rights, please contact us:

  • By post: Szybex Sp. z o.o., ul. Krakowska 26, 42-200 Częstochowa, Poland
  • By telephone: 34 50 65 100

Please include enough detail for us to identify you and understand which right you wish to exercise. We may ask you to provide proof of identity; we will only request information reasonably necessary for this purpose.

We will respond to your request as soon as possible and within one (1) month of receipt. In complex or high-volume cases, we may extend this period by a further two months, in which case we will inform you within one month of receiving your request.

3.1 Right of access (Article 15 GDPR)

You have the right to obtain confirmation of whether we process personal data about you and, if so, to receive a copy of that data together with information about: the purposes of processing; the categories of data; the recipients or categories of recipients; the planned retention period; the existence of automated decision-making including profiling; and your rights to rectification, erasure, restriction, and to lodge a complaint.

3.2 Right to rectification (Article 16 GDPR)

If your personal data is inaccurate or incomplete, you have the right to have it corrected or completed without undue delay.

3.3 Right to erasure — "right to be forgotten" (Article 17 GDPR)

You may request the deletion of your personal data where: the data is no longer necessary for the purposes for which it was collected; you withdraw consent and there is no other legal basis for processing; you object to processing based on legitimate interests and no overriding grounds exist; you object to processing for direct marketing purposes; the data has been unlawfully processed; or deletion is required to comply with a legal obligation. We may be unable to delete data needed to initiate or defend legal proceedings or where retention is required by Polish or EU law.

3.4 Right to data portability (Article 20 GDPR)

Where processing is based on your consent or on a contract and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit it to another controller.

3.5 Right to object (Article 21 GDPR)

You have the right to object at any time to processing based on our legitimate interests (Article 6(1)(f) GDPR), including profiling. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is necessary for the establishment, exercise, or defence of legal claims. You have an unconditional right to object to processing for direct marketing purposes at any time.

3.6 Right to restriction of processing (Article 18 GDPR)

You have the right to request that we restrict processing of your personal data where: you contest its accuracy and we need to verify it; the processing is unlawful and you prefer restriction to erasure; we no longer need the data but you require it for legal claims; or you have objected to processing and are awaiting the outcome of the balancing assessment.

3.7 Right to lodge a complaint

If you remain unsatisfied with our response, you have the right to lodge a complaint with the Polish supervisory authority, the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych, the "UODO"), at any time. Contact details are provided below:

Address: ul. Stawki 2, 00-193 Warszawa, Poland

Telephone: +48 22 531 03 00

E-mail: kancelaria@uodo.gov.pl

Website: www.uodo.gov.pl

You also have the right to seek an effective judicial remedy before the competent courts in Poland.

4. Personal Data We Collect and Why

We process personal data only to the extent necessary for the purposes described below. We collect this data via the contact form available on our website, the online booking funnel available on our website, and through cookies (see section 7).

4.1 Categories of data and purposes

| Category | Data collected | Purpose |
|---|---|---|
| Identity | Name, first name, address, city | Necessary to process your contact-form inquiry or online booking, arrange an appointment, send contract-related documents, and invoice. |
| Identity | Licence plate / chassis number | Used to verify glass-damage insurance coverage and order the correct windscreen model. |
| Contact | E-mail address | Used to respond to your contact-form inquiry, confirm bookings and, where a valid legal basis applies, to send commercial communications (see section 4.2(e)). |
| Contact | Telephone number | Used to contact you regarding your inquiry or appointment and, where applicable, for service follow-up. |
| Preference | Language | Used to communicate with you in your preferred language. |
| Connection data | IP address | Used, where you have given prior consent to the relevant cookies (see section 7), to remember your preferences and compile website usage statistics. |
| Profiling | Main area of interest (via cookies) | Only collected where you have given prior consent to analytics or advertising cookies (see section 7). |
| Insurance | Policy number | Noted on the work order where the vehicle is insured against glass damage. |

We do not process special categories of personal data (Article 9 GDPR). We do not carry out automated individual decision-making that produces legal or similarly significant effects (Article 22 GDPR).

4.2 Legal bases for processing

We rely on the following legal bases under Article 6 GDPR:

(a) Performance of a contract (Article 6(1)(b) GDPR)

We process identity, contact, vehicle, and insurance data to the extent necessary to enter into and perform our service contract with you. This includes responding to enquiries submitted via the contact form or booking funnel, assessing insurance coverage, arranging appointments, executing the repair or replacement, invoicing, and maintaining customer records. If you do not provide required data, we may be unable to provide the requested service.

(b) Compliance with a legal obligation (Article 6(1)(c) GDPR)

We may process certain personal data to comply with Polish legal obligations, including accounting and tax obligations under the Polish Accounting Act and the Polish Tax Code (Ordynacja podatkowa).

(c) Legitimate interests (Article 6(1)(f) GDPR)

We process certain data for the following legitimate interests, after having carried out a balancing assessment to ensure a fair balance with your rights and freedoms:

  • To keep you informed about relevant news, products, and services where you have an existing relationship with us and have not objected (see section 3.5 for your right to object at any time).
  • To compile anonymised or pseudonymised statistics, conduct market research, and analyse marketing campaign effectiveness.
  • To track business activity (call volumes, website visits, sales) for internal management purposes.
  • To establish, exercise, or defend legal claims, including debt collection.
  • To improve our services, including through optional call recording (you are always informed at the start of a call).

(d) Consent (Article 6(1)(a) GDPR)

Where we rely on your consent as a legal basis (e.g. for certain marketing communications or non-essential cookies), we will obtain your prior, freely given, specific, informed, and unambiguous consent. You may withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

(e) Sending commercial electronic communications

We may send you commercial e-mails where one of the following applies:

  • You have given us your prior, freely given, specific, informed, and unambiguous consent (opt-in); or
  • You are an existing customer, the communication concerns similar products or services to those you have already purchased, and you have been given a clear and easy opportunity to opt out both at the time of data collection and in every subsequent communication (soft opt-in, in accordance with Applicable Law).

Every marketing e-mail includes a free and easy "Unsubscribe" link. You may also object at any time using the contact details in section 2.

4.3 How we share your data

We share your personal data only as described below and in accordance with Applicable Law:

(a) Within Szybex

Your data may be accessed by internal departments where necessary for the performance of our contract or other legitimate purposes described above.

(b) Third-party service providers (processors)

We may share data with carefully selected third-party processors that assist us with: website development and maintenance; marketing, events, and customer communications; statistics and reporting; document printing and production; IT support, security, and business operations. All processors are bound by data processing agreements compliant with Article 28 GDPR and may only process data in accordance with our instructions.

(c) Business partners acting as independent controllers

When we act as an intermediary for a business partner (e.g. an insurance company), we may share data with that partner in accordance with their instructions. In such cases, the partner is another (independent) data controller for that processing.

4.4 Source of your data

We usually collect your personal data directly from you, via the contact form, the online booking funnel, or cookies. In some cases, typically where your repair or replacement is covered by insurance, we also receive personal data about you from your insurer, including your identity and contact details, vehicle data and policy/claim information.

5. Retention Periods

We retain personal data only for as long as necessary for the purposes for which it was collected, subject to any applicable legal retention obligations under Polish law. The following retention periods apply:

| Data / purpose | Retention period |
|---|---|
| Customer contract data (identity, contact, vehicle, insurance) | Duration of the contractual relationship + 6 years (general limitation period for civil-law claims under Article 118 of the Polish Civil Code). |
| Marketing communications (e-mail address) | Until you unsubscribe or object, whichever is earlier. |
| Website analytics / connection data (IP address) | Maximum 14 months from collection (in accordance with the retention setting configured in Google Analytics). |
| Accounting and invoicing records | 5 years from the end of the calendar year in which the financial year ended (Polish Accounting Act of 29 September 1994, Article 74) and, for tax purposes, 5 years from the end of the calendar year in which the tax payment deadline expired (Polish Tax Code / Ordynacja podatkowa, Article 70). |
| Call recordings | Maximum 3 months unless required for a pending complaint or legal claim. |

After the applicable retention period, data is either deleted or anonymised. Where we retain data beyond the active processing period for archival or legal purposes, access is restricted to authorised personnel only.

6. Security

We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as required by Article 32 GDPR. These measures include, but are not limited to:

  • Encryption of data transmissions, including financial information (TLS/SSL with a certificate issued by a recognised certification authority).
  • Anti-virus software, firewalls, and access controls.
  • Role-based access management and confidentiality obligations for employees and suppliers.
  • Regular security reviews and supplier due diligence.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the UODO within 72 hours of becoming aware of the breach, in accordance with Article 33 GDPR. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay, as required by Article 34 GDPR.

7. Cookies and Similar Technologies

Our website (szybex.pl) uses cookies and similar tracking technologies. A cookie is a small text file stored on your device when you visit a website.

7.1 Types of cookies we use

| Category | Purpose | Consent required? |
|---|---|---|
| Strictly necessary | Required for the website to function (e.g. session management, language preference). Cannot be disabled. | No — exempt under Article 173 of the Polish Telecommunications Law |
| Functionality | Used to remember visitor information on the website (e.g. language, timezone, enhanced content). | Yes — prior consent required |
| Performance | Used to see how visitors use the website (e.g. analytics cookies). These cookies cannot be used to directly identify a visitor. Provider: Google Analytics (Google LLC, USA). For more information, see the Google Privacy Policy at policies.google.com/privacy. | Yes — prior consent required |
| Targeting | Used to identify visitors between different websites (e.g. content partners, banner networks). These cookies may be used to build a profile of visitor interests or show relevant advertisements on other websites. | Yes — prior consent required |
| Unclassified | Cookies that have not yet been assigned to a category or are in the process of categorisation. These cookies are treated as requiring prior consent until classified. The cookie list is updated regularly by our cookie management provider (CookieScript). | Yes — prior consent required |

7.2 Cookie consent

In accordance with Article 173 of the Polish Telecommunications Law (Prawo telekomunikacyjne), we will only place non-essential cookies after you have given your prior, freely given, specific, and informed consent via our cookie consent banner. You may accept all, reject all, or configure your preferences by category.

Our cookie consent banner is managed by CookieScript (UAB "Inovirtual", Lithuania), which acts as a data processor on our behalf.

You may withdraw or modify your cookie consent at any time by clicking the "Cookie settings" link in the footer of our website, or by adjusting your browser settings. Note that disabling certain cookies may affect the availability of some website features.

Our website uses Google Analytics (provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) to compile aggregated website usage statistics. Tracking is implemented via server-side tagging, which means data is collected using first-party cookies set on our domain before being forwarded to Google Analytics.

Google processes analytics data on our behalf to provide analytics services. Data may be transferred to the United States. Google LLC participates in the EU-U.S. Data Privacy Framework. For more information, please see Google's Privacy Policy at https://policies.google.com/privacy

8. What is our policy on data concerning minors?

Our website and services are not targeted to minors. If you learn that your minor child has provided us with their personal data without your consent, please contact us (see our contact details under section 2 above).

9. What happens in the event of a change to this Policy

Should we plan to use personal data for a new purpose or change our privacy policy in any other way, we will update this Policy and you will be notified through our website or by message. We recommend that you check this page regularly. The date of last amendment of this Policy is shown at the bottom of the document.

10. What to do in case of dispute?

In the event of a dispute arising between us, we are committed to prioritising dialogue and good faith in seeking an amicable resolution.

This policy was last reviewed on 1 July 2026. Szybex reserves the right to update this Policy at any time. The current version is always available at szybex.pl.