Pursuant to Article 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter the “Regulation”), NEXURA SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ,. JANA III SOBIESKIEGO Street, No. 11, Unit E6, 40-082 KATOWICE, REGON: 529659910, NIP: 6343044968, acting as the data controller, hereby provides the following information on the processing of personal data of Clients using the Store. The data controller takes care to secure any data made available. All data is protected and secured against unauthorized disclosure, acquisition, processing in breach of the Regulation, or any unauthorized modification, loss, damage, or destruction. Personal data are processed by the Controller in compliance with the provisions of the GDPR and relevant Polish laws supplementing the GDPR.

Personal data processing means any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.

Personal data are information about an identified or identifiable natural person (data subject). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

Details of the Data Controller

The controller of the Client’s personal data is NEXURA SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ, JANA III SOBIESKIEGO Street, No. 11, Unit E6, 40-082 KATOWICE, REGON: 529659910, NIP: 6343044968.

Hereinafter in this document referred to as “NEXURA.”

Legal Basis, Purposes of Processing, and Requirement to Provide Data

1. NEXURA primarily processes the Client’s personal data for purposes related to concluding a Sale Agreement and/or an Account Management Agreement (jointly also “Agreement”), and subsequently for their implementation, settlement, and termination. This also includes processing personal data for communication between NEXURA and the Client to the extent necessary to perform the Agreement.
   

• NEXURA processes this personal data under Article 6(1)(b) of the Regulation, as the processing is necessary for the conclusion and performance of the Agreement to which the Client is a party, and to undertake actions before concluding the Agreement. Providing personal data for this purpose is both a contractual and statutory requirement. In the event that such data are not provided, the Administrator will not be able to conclude the Agreement.

2. NEXURA processes the Client’s personal data also for the purpose of handling complaints submitted by the Client regarding the Sale Agreement and/or the Account Management Agreement. NEXURA processes this personal data on the basis of Article 6(1)(f) of the Regulation, i.e., the processing is necessary for the purposes of the legitimate interests pursued by the Administrator related to defending against claims. Providing personal data for this purpose is a contractual requirement. In the event of not providing such data, the Administrator will not be able to conclude the Agreement.
3. NEXURA also processes the Client’s personal data for the purpose of pursuing claims related to non-performance or improper performance of the Client’s obligations under the Agreement, in particular payment obligations. NEXURA processes this personal data under Article 6(1)(f) of the Regulation, i.e., the processing is necessary for the purposes of legitimate interests pursued by the Administrator in connection with the pursuit of claims. Providing personal data for this purpose is a contractual requirement. If such data are not provided, the Administrator will not be able to conclude the Agreement.
4. NEXURA processes the Client’s personal data for the purpose of marketing its own services and those offered by entities affiliated with NEXURA. NEXURA processes these personal data under Article 6(1)(a) of the Regulation, i.e., based on the Client’s consent.
5. NEXURA processes the Client’s personal data also due to legal obligations incumbent on NEXURA, particularly under tax laws. NEXURA processes these personal data under Article 6(1)(c) of the Regulation, i.e., where processing is necessary to comply with a legal obligation to which the Administrator is subject. Providing personal data for this purpose is a statutory requirement. In the event of not providing such data, the Administrator will not be able to conclude the Agreement.
6. NEXURA processes the Client’s personal data also for handling requests sent to Customer Service, where they are not directly connected with concluding or performing the Agreement. NEXURA processes these personal data under Article 6(1)(f) of the Regulation, i.e., processing is necessary for the purposes of the legitimate interests pursued by the Administrator in the scope of providing client support. Providing personal data for this purpose is a contractual requirement. If such data is not provided, the Administrator will not be able to proceed with the request.

Categories of Personal Data Processed by the Administrator

7. NEXURA primarily processes the Client’s personal data necessary for the proper performance of the Agreement and identification of the Client, which includes:

• First name(s) and last name,
• Residential address,
• Email address,
• Bank account number,
• Phone number.

Categories of Data Recipients

8. Under the Regulation, a “recipient” of data is defined as a natural or legal person, a public authority, an agency, or any other body to which personal data is disclosed, whether or not it is a “third party.” A “third party,” as per the Regulation, is a natural or legal person, public authority, agency, or body other than the data subject, the controller, the processor, and persons who, under the direct authority of the controller or processor, are authorized to process personal data. A “processor” means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.

Public authorities that may receive personal data in specific proceedings in accordance with Union or Member State law are not considered recipients.

In light of the above definitions, NEXURA notifies of the following categories of recipients:

• Entities providing legal and accounting services related to NEXURA’s business;
• Entities providing IT services related to NEXURA’s business, including hosting services;
• Courier companies;
• Subcontractors and entities cooperating with the Administrator, which may be commissioned with individual tasks related to performing the Agreement;
• Entities, other than those listed above, that by law are entitled to obtain from NEXURA information related to NEXURA’s business, which may include the Client’s personal data.

Intention to Transfer Personal Data to a Third Country or an International Organization

9. NEXURA does not intend to transfer the Client’s personal data to a third country (i.e., outside the European Economic Area) or to an international organization.

Period of Storage of Personal Data or Criteria for Determining This Period

10. Personal data processed for the purpose of concluding an Agreement will be processed until the Agreement is concluded. If the Agreement is not concluded, the data will be erased no later than one year after the Agreement conclusion procedure is discontinued. Where data are processed based on consent, they will be processed for the time stated in that consent, but no longer than until it is withdrawn.
11. Personal data processed in connection with the sale of Products will be processed for the duration of the Sale Agreement, and afterward for a period required by law, including tax laws.
12. Personal data processed in connection with Account management will be processed for the duration of the Account Management Agreement, and afterward for a period required by law.
13. Data processed for the purpose of claiming or defending against claims will be processed until those claims expire.
14. Data processed because it is necessary for compliance with a legal obligation by the Administrator will be processed as long as needed to fulfill that obligation.
15. Data processed for the Administrator’s legitimate interests will be processed as long as necessary to achieve those interests.
16. Data processed based on consent will be processed for the time indicated in the consent, but no longer than until consent is withdrawn. If the period specified in the consent expires earlier than the periods mentioned in points 10–15 above, the Administrator will cease processing personal data for the purpose and scope specified in the consent but may continue to process them for other purposes and in other scopes as indicated in points 10–15 above.

Information on Automated Decision-Making, Including Profiling

17. The Client’s personal data will not be used for automated decision-making.

Information on Processing Data for Purposes Other Than for Which They Were Collected

18. NEXURA does not plan to process personal data for any purpose other than that for which they were collected.

Information on the Rights of the Client

19. The Client has the right to request from the Administrator access to their personal data, including obtaining a copy of the data undergoing processing. The first copy is free of charge. For any subsequent copies requested by the Client, the Administrator may charge a reasonable fee based on administrative costs.
20. The Client has the right to request that the Administrator rectify their personal data if it is incorrect, particularly if it was collected with errors or has changed since its collection. This right also includes supplementing incomplete data.
21. The Client has the right to request that the Administrator erase their personal data, subject to the cases specified in the Regulation. NEXURA may refuse to erase data in circumstances specified by law, in particular if continuing to process the data is necessary to fulfill a legal obligation under Union or Member State law or to establish, assert, or defend legal claims.
22. The Client has the right to request restriction of the processing of their personal data in the cases set out in the Regulation.
23. The Client has the right to object, pursuant to Article 21(1) of the Regulation, on grounds relating to their particular situation, at any time to the processing of personal data concerning them based on Article 6(1)(f) of the Regulation, including profiling based on those provisions. Should such an objection be raised, the Administrator must cease processing those data unless it demonstrates compelling legitimate grounds for processing overriding the interests, rights, and freedoms of the Client, or for establishing, asserting, or defending legal claims.
24. The Client has the right to object to the processing of their personal data for direct marketing purposes, including profiling, as far as it is related to that direct marketing, pursuant to Article 21(2) of the Regulation.
25. The Client has the right to data portability. Under the Regulation, data portability entitles the Client to receive in a structured, commonly used, machine-readable format the personal data concerning them that they have provided to the Administrator, and also to transmit those data to another controller without hindrance from the Administrator. This right only applies to personal data processed on the basis of consent or a contract and by automated means.
26. When exercising the right to data portability, the Client also has the right to have the personal data transmitted directly by the Administrator to another controller, where technically feasible.
27. The Client has the right to withdraw at any time the consent referred to in point 4 above. Withdrawal of consent does not affect the lawfulness of processing carried out on the basis of that consent before its withdrawal.
28. If personal data are also processed on grounds other than consent, the Administrator may continue processing them on these other grounds.
29. The Client has the right to lodge a complaint with a supervisory authority, which in Poland is the President of the Personal Data Protection Office.