Information on the Processing of Clients’ Personal Data

Pursuant to Article 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter the “Regulation”), NEXURA SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ,. JANA III SOBIESKIEGO Street, No. 11, Unit E6, 40-082 KATOWICE, REGON: 529659910, NIP: 6343044968, acting as the data controller, hereby provides the following information on the processing of personal data of Clients using the Store. The data controller takes care to secure any data made available. All data is protected and secured against unauthorized disclosure, acquisition, processing in breach of the Regulation, or any unauthorized modification, loss, damage, or destruction. Personal data are processed by the Controller in compliance with the provisions of the GDPR and relevant Polish laws supplementing the GDPR.

Personal data processing means any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.

Personal data are information about an identified or identifiable natural person (data subject). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

Details of the Data Controller

The controller of the Client’s personal data is NEXURA SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ, JANA III SOBIESKIEGO Street, No. 11, Unit E6, 40-082 KATOWICE, REGON: 529659910, NIP: 6343044968.

Hereinafter in this document referred to as “NEXURA.”

Legal Basis, Purposes of Processing, and Requirement to Provide Data

1. NEXURA primarily processes the Client’s personal data for purposes related to concluding a Sale Agreement and/or an Account Management Agreement (jointly also “Agreement”), and subsequently for their implementation, settlement, and termination. This also includes processing personal data for communication between NEXURA and the Client to the extent necessary to perform the Agreement.

• NEXURA processes this personal data under Article 6(1)(b) of the Regulation, as the processing is necessary for the conclusion and performance of the Agreement to which the Client is a party, and to undertake actions before concluding the Agreement. Providing personal data for this purpose is both a contractual and statutory requirement. In the event that such data are not provided, the Administrator will not be able to conclude the Agreement.

1. NEXURA processes the Client’s personal data also for the purpose of handling complaints submitted by the Client regarding the Sale Agreement and/or the Account Management Agreement.
   1. NEXURA processes this personal data on the basis of Article 6(1)(f) of the Regulation, i.e., the processing is necessary for the purposes of the legitimate interests pursued by the Administrator related to defending against claims. Providing personal data for this purpose is a contractual requirement. In the event of not providing such data, the Administrator will not be able to conclude the Agreement.
2. NEXURA also processes the Client’s personal data for the purpose of pursuing claims related to non-performance or improper performance of the Client’s obligations under the Agreement, in particular payment obligations.
   1. NEXURA processes this personal data under Article 6(1)(f) of the Regulation, i.e., the processing is necessary for the purposes of legitimate interests pursued by the Administrator in connection with the pursuit of claims. Providing personal data for this purpose is a contractual requirement. If such data are not provided, the Administrator will not be able to conclude the Agreement.
3. NEXURA processes the Client’s personal data for the purpose of marketing its own services and those offered by entities affiliated with NEXURA.
   1. NEXURA processes these personal data under Article 6(1)(a) of the Regulation, i.e., based on the Client’s consent.
4. NEXURA processes the Client’s personal data also due to legal obligations incumbent on NEXURA, particularly under tax laws.
   1. NEXURA processes these personal data under Article 6(1)(c) of the Regulation, i.e., where processing is necessary to comply with a legal obligation to which the Administrator is subject. Providing personal data for this purpose is a statutory requirement. In the event of not providing such data, the Administrator will not be able to conclude the Agreement.
5. NEXURA processes the Client’s personal data also for handling requests sent to Customer Service, where they are not directly connected with concluding or performing the Agreement.
   1. NEXURA processes these personal data under Article 6(1)(f) of the Regulation, i.e., processing is necessary for the purposes of the legitimate interests pursued by the Administrator in the scope of providing client support. Providing personal data for this purpose is a contractual requirement. If such data is not provided, the Administrator will not be able to proceed with the request.

Categories of Personal Data Processed by the Administrator

1. NEXURA primarily processes the Client’s personal data necessary for the proper performance of the Agreement and identification of the Client, which includes:

• First name(s) and last name,
• Residential address,
• Email address,
• Bank account number,
• Phone number.

Categories of Data Recipients

1. Under the Regulation, a “recipient” of data is defined as a natural or legal person, a public authority, an agency, or any other body to which personal data is disclosed, whether or not it is a “third party.” A “third party,” as per the Regulation, is a natural or legal person, public authority, agency, or body other than the data subject, the controller, the processor, and persons who, under the direct authority of the controller or processor, are authorized to process personal data. A “processor” means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.

Public authorities that may receive personal data in specific proceedings in accordance with Union or Member State law are not considered recipients.

In light of the above definitions, NEXURA notifies of the following categories of recipients:

• Entities providing legal and accounting services related to NEXURA’s business;
• Entities providing IT services related to NEXURA’s business, including hosting services;
• Courier companies;
• Subcontractors and entities cooperating with the Administrator, which may be commissioned with individual tasks related to performing the Agreement;
• Entities, other than those listed above, that by law are entitled to obtain from NEXURA information related to NEXURA’s business, which may include the Client’s personal data.

Intention to Transfer Personal Data to a Third Country or an International Organization

1. NEXURA does not intend to transfer the Client’s personal data to a third country (i.e., outside the European Economic Area) or to an international organization.

Period of Storage of Personal Data or Criteria for Determining This Period

1. Personal data processed for the purpose of concluding an Agreement will be processed until the Agreement is concluded. If the Agreement is not concluded, the data will be erased no later than one year after the Agreement conclusion procedure is discontinued. Where data are processed based on consent, they will be processed for the time stated in that consent, but no longer than until it is withdrawn.
2. Personal data processed in connection with the sale of Products will be processed for the duration of the Sale Agreement, and afterward for a period required by law, including tax laws.
3. Personal data processed in connection with Account management will be processed for the duration of the Account Management Agreement, and afterward for a period required by law.
4. Data processed for the purpose of claiming or defending against claims will be processed until those claims expire.
5. Data processed because it is necessary for compliance with a legal obligation by the Administrator will be processed as long as needed to fulfill that obligation.
6. Data processed for the Administrator’s legitimate interests will be processed as long as necessary to achieve those interests.
7. Data processed based on consent will be processed for the time indicated in the consent, but no longer than until consent is withdrawn. If the period specified in the consent expires earlier than the periods mentioned in points 10–15 above, the Administrator will cease processing personal data for the purpose and scope specified in the consent but may continue to process them for other purposes and in other scopes as indicated in points 10–15 above.

Information on Automated Decision-Making, Including Profiling

1. The Client’s personal data will not be used for automated decision-making.

Information on Processing Data for Purposes Other Than for Which They Were Collected

1. NEXURA does not plan to process personal data for any purpose other than that for which they were collected.

Information on the Rights of the Client

1. The Client has the right to request from the Administrator access to their personal data, including obtaining a copy of the data undergoing processing. The first copy is free of charge. For any subsequent copies requested by the Client, the Administrator may charge a reasonable fee based on administrative costs.
2. The Client has the right to request that the Administrator rectify their personal data if it is incorrect, particularly if it was collected with errors or has changed since its collection. This right also includes supplementing incomplete data.
3. The Client has the right to request that the Administrator erase their personal data, subject to the cases specified in the Regulation. NEXURA may refuse to erase data in circumstances specified by law, in particular if continuing to process the data is necessary to fulfill a legal obligation under Union or Member State law or to establish, assert, or defend legal claims.
4. The Client has the right to request restriction of the processing of their personal data in the cases set out in the Regulation.
5. The Client has the right to object, pursuant to Article 21(1) of the Regulation, on grounds relating to their particular situation, at any time to the processing of personal data concerning them based on Article 6(1)(f) of the Regulation, including profiling based on those provisions. Should such an objection be raised, the Administrator must cease processing those data unless it demonstrates compelling legitimate grounds for processing overriding the interests, rights, and freedoms of the Client, or for establishing, asserting, or defending legal claims.
6. The Client has the right to object to the processing of their personal data for direct marketing purposes, including profiling, as far as it is related to that direct marketing, pursuant to Article 21(2) of the Regulation.
7. The Client has the right to data portability. Under the Regulation, data portability entitles the Client to receive in a structured, commonly used, machine-readable format the personal data concerning them that they have provided to the Administrator, and also to transmit those data to another controller without hindrance from the Administrator. This right only applies to personal data processed on the basis of consent or a contract and by automated means.
8. When exercising the right to data portability, the Client also has the right to have the personal data transmitted directly by the Administrator to another controller, where technically feasible.
9. The Client has the right to withdraw at any time the consent referred to in point 4 above. Withdrawal of consent does not affect the lawfulness of processing carried out on the basis of that consent before its withdrawal.
10. If personal data are also processed on grounds other than consent, the Administrator may continue processing them on these other grounds.
11. The Client has the right to lodge a complaint with a supervisory authority, which in Poland is the President of the Personal Data Protection Office.

Cookie Policy

1. The website shottas.pl does not automatically collect any information except for the information contained in cookies.
2. Cookies are files sent to your computer or other device when you browse the shottas.pl/ website. You can set the storage conditions for or access your data by adjusting your cookies settings in your browser.
3. Cookies allow us to remember and verify your preferences as a user of this website. This helps us to, among other things, improve search results and ensure that the information displayed is relevant to you.
4. Cookies do not make any changes or modifications to the settings in the device or software on which they are installed.
5. You have the right to refuse the use of cookies (they can be blocked).
6. If you wish to block cookies, we recommend choosing the appropriate settings in your web browser. More information can be found directly in particular browsers:
   • Mozilla Firefox: https://support.mozilla.org/en-US/kb/block-websites-storing-cookies-site-data-firefox
   • Google Chrome: https://support.google.com/chrome/answer/95647?hl=en&sjid=15211577509250571587-EU
   • Opera: https://help.opera.com/en/latest/web-preferences/
   • Safari: https://support.apple.com/en-gb/guide/safari/sfri11471/mac
   • Microsoft EDGE:

https://support.microsoft.com/pl-pl/topic/usuwanie-plik%C3%B3w-cookie-i-zarz%C4%85dzanie-nimi-168dab11-0753-043d-7c16-ede5947fc64d

1. Using the shottas.pl website implies consent to our use of cookies. This notification will appear automatically each time a new user visits our website for the first time.
2. Blocking or removing cookies may cause difficulties in using the Store, and some of its functionalities may not be available.
3. Cookies can be classified as follows:
   • “Essential” – allowing the use of services available within the site, e.g., to maintain a session after the user logs in,
   • “Functional” – enabling the storage of user-selected settings and affecting interface personalization,
   • “Security” – aiding in ensuring security,
   • “Performance” – enabling the collection of information on how the site is used,
   • “Session cookies” – temporary files stored on the User’s device until logging out, leaving the site, or closing the browser,
   • “Persistent cookies” – stored on the User’s device for a specified period or until deleted by the User.
4. Our website uses the following types of cookies:

Name	Type of Cookie	Purpose
_ga	2 years – persistent	Used by Google Analytics to collect aggregated statistical data about users of our site
_gat	10 minutes – persistent	Used by Google Analytics to collect aggregated statistical data about users of our site
_git	24 hours – persistent	Used by Google Analytics to distinguish users of our site

Social Media

Information on Joint Controllership with Meta Platforms Ireland Limited and YouTube

The Administrator uses services and technologies offered by Meta Platforms, Inc. (Facebook, Messenger, Instagram, WhatsApp) as well as YouTube belonging to Alphabet Inc. In connection with cooperation with these entities, the Administrator and these entities are joint controllers of your data, within the meaning of Article 26 of the GDPR, to the extent data are processed for statistical and advertising purposes.

Joint controllership includes aggregate data analysis to display statistics on the activity of Users on the Administrator’s Fanpage.

• Scope of Meta Platforms Ireland’s responsibility for processing your data for the above purposes:
  • Having a legal basis for data processing for Page Insights;
  • Ensuring the exercise of the rights of data subjects;
  • Reporting personal data breaches to the supervisory authority and notifying data subjects of a breach;
  • Ensuring appropriate technical and organizational measures to safeguard your data.
• Scope of the Administrator’s responsibility for processing your data:
  • Having a legal basis for data processing,
  • Providing the information obligations in respect of the processing activities carried out by the Administrator.

Meta Platforms Ireland will make the essence of the Page Insights Controller Addendum available to data subjects (Article 26(2) GDPR) via the Page Insights Information, accessible from all Pages.
The main supervisory authority in joint data processing is the Irish Data Protection Commission (without prejudice to Article 55(2) of the GDPR, where applicable).
Detailed information about the arrangements between joint controllers is available at: https://www.facebook.com/legal/terms/page_controller_addendum.
Meta Platforms Ireland’s data processing rules are available at: https://www.facebook.com/privacy/explanation.
You can contact Facebook’s Data Protection Officer via a form provided on Facebook’s website at https://www.facebook.com/help/contact/540977946302970.
The rules governing your data processing by YouTube are available at:
https://policies.google.com/privacy?hl=en&gl=pl and https://policies.google.com/privacy?hl=enl&gl=pl.