INFORMATION ON THE PROCESSING OF CLIENTS' PERSONAL DATA
SHOTTAS | www.shottasseeds.com
Last updated: 22 March 2026
1 — General Information on Personal Data Processing
1. Pursuant to Article 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter the “Regulation”), NEXURA SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ, Jana III Sobieskiego Street, No. 11, Unit E6, 40-082 Katowice, REGON: 529659910, NIP: 6343044968, KRS: 0001127082, acting as the data controller, hereby provides the following information on the processing of personal data of Clients using the Store. The data controller takes care to secure any data made available. All data is protected and secured against unauthorized disclosure, acquisition, processing in breach of the Regulation, or any unauthorized modification, loss, damage, or destruction. Personal data are processed by the Controller in compliance with the provisions of the GDPR and relevant Polish laws supplementing the GDPR.
2. Personal data processing means any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
3. Personal data are information about an identified or identifiable natural person (data subject). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
2 — Details of the Data Controller
1. The controller of the Client’s personal data is NEXURA SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ, Jana III Sobieskiego Street, No. 11, Unit E6, 40-082 Katowice, REGON: 529659910, NIP: 6343044968, KRS: 0001127082. Hereinafter in this document referred to as NEXURA.
2. You can contact the Controller in matters relating to the processing of your personal data, including exercising your rights (access, rectification, erasure, restriction, portability, objection), by:
a. email: info@shottasseeds.com
b. post: Jana III Sobieskiego Street, No. 11, Unit E6, 40-082 Katowice, Poland
3. The Controller has not appointed a Data Protection Officer. All data protection enquiries should be directed to the contact details provided above.
3 — Legal Basis, Purposes of Processing, and Requirement to Provide Data
1. NEXURA primarily processes the Client’s personal data for purposes related to concluding a Sale Agreement and/or an Account Management Agreement (jointly also: Agreement), and subsequently for their implementation, settlement, and termination. This also includes processing personal data for communication between NEXURA and the Client to the extent necessary to perform the Agreement. NEXURA processes this personal data under Article 6(1)(b) of the Regulation, as the processing is necessary for the conclusion and performance of the Agreement to which the Client is a party, and to undertake actions before concluding the Agreement. Providing personal data for this purpose is both a contractual and statutory requirement. In the event that such data are not provided, the Controller will not be able to conclude the Agreement.
2. NEXURA processes the Client’s personal data also for the purpose of handling complaints submitted by the Client regarding the Sale Agreement and/or the Account Management Agreement. NEXURA processes this personal data on the basis of Article 6(1)(f) of the Regulation, i.e., the processing is necessary for the purposes of the legitimate interests pursued by the Controller related to defending against claims. Providing personal data for this purpose is a contractual requirement. In the event of not providing such data, the Controller will not be able to conclude the Agreement.
3. NEXURA also processes the Client’s personal data for the purpose of pursuing claims related to non-performance or improper performance of the Client’s obligations under the Agreement, in particular payment obligations. NEXURA processes this personal data under Article 6(1)(f) of the Regulation, i.e., the processing is necessary for the purposes of legitimate interests pursued by the Controller in connection with the pursuit of claims. Providing personal data for this purpose is a contractual requirement. If such data are not provided, the Controller will not be able to conclude the Agreement.
4. NEXURA processes the Client’s personal data for the purpose of marketing its own services and those offered by entities affiliated with NEXURA. NEXURA processes these personal data under Article 6(1)(a) of the Regulation, i.e., based on the Client’s consent.
5. NEXURA processes the Client’s personal data also due to legal obligations incumbent on NEXURA, particularly under tax laws. NEXURA processes these personal data under Article 6(1)(c) of the Regulation, i.e., where processing is necessary to comply with a legal obligation to which the Controller is subject. Providing personal data for this purpose is a statutory requirement. In the event of not providing such data, the Controller will not be able to conclude the Agreement.
6. NEXURA processes the Client’s personal data also for handling requests sent to Customer Service, where they are not directly connected with concluding or performing the Agreement. NEXURA processes these personal data under Article 6(1)(f) of the Regulation, i.e., processing is necessary for the purposes of the legitimate interests pursued by the Controller in the scope of providing client support. Providing personal data for this purpose is a contractual requirement. If such data is not provided, the Controller will not be able to proceed with the request.
4 — Categories of Personal Data Processed by the Controller
1. NEXURA primarily processes the Client’s personal data necessary for the proper performance of the Agreement and identification of the Client, which includes:
a. first name(s) and last name;
b. residential address;
c. email address;
d. bank account number;
e. phone number.
5 — Categories of Data Recipients
1. Under the Regulation, a recipient of data is defined as a natural or legal person, a public authority, an agency, or any other body to which personal data is disclosed, whether or not it is a third party. A third party, as per the Regulation, is a natural or legal person, public authority, agency, or body other than the data subject, the controller, the processor, and persons who, under the direct authority of the controller or processor, are authorized to process personal data. A processor means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.
2. Public authorities that may receive personal data in specific proceedings in accordance with Union or Member State law are not considered recipients.
3. In light of the above definitions, NEXURA notifies of the following categories of recipients:
a. Entities providing legal and accounting services related to NEXURA’s business;
b. Entities providing IT services related to NEXURA’s business, including hosting services;
c. Courier companies;
d. Subcontractors and entities cooperating with the Controller, which may be commissioned with individual tasks related to performing the Agreement;
e. Entities, other than those listed above, that by law are entitled to obtain from NEXURA information related to NEXURA’s business, which may include the Client’s personal data;
f. GetResponse S.A., ul. Grunwaldzka 413, 80-309 Gdańsk, Poland — provider of the email marketing platform used by the Controller to send the Newsletter and manage Subscriber data (first name, email address). GetResponse acts as a data processor on behalf of the Controller under a data processing agreement pursuant to Article 28 of the GDPR.
6 — Intention to Transfer Personal Data to a Third Country or an International Organization
1. In connection with the use of services provided by Google LLC (Google Analytics) and Meta Platforms Ireland Limited (Facebook, Instagram), some of your personal data may be transferred to third countries outside the European Economic Area, in particular to the United States of America. Such transfers are carried out on the basis of standard contractual clauses (SCC) adopted by the European Commission pursuant to Article 46(2)(c) of the GDPR, which provide appropriate safeguards for the protection of personal data. You can access the standard contractual clauses at: https://commission.europa.eu/law/law-topic/data-protection_en. Information on data processing by Google is available at: https://policies.google.com/privacy. Information on data processing by Meta Platforms Ireland is available at: https://www.facebook.com/privacy/explanation.
2. In connection with the use of the GetResponse email marketing platform (GetResponse S.A., ul. Grunwaldzka 413, 80-309 Gdańsk, Poland), your personal data (first name, email address) are processed for the purpose of sending the Newsletter. GetResponse S.A. is established in Poland (within the EEA); however, GetResponse uses sub-processors whose infrastructure may be located outside the EEA, including in the United States of America (e.g. Google Cloud). Such transfers are carried out on the basis of standard contractual clauses (SCC) adopted by the European Commission pursuant to Article 46(2)(c) of the GDPR, or on the basis of an adequacy decision (EU–U.S. Data Privacy Framework), as applicable. Information on data processing by GetResponse is available at: https://www.getresponse.com/legal/privacy. The list of GetResponse’s sub-processors is available at: https://www.getresponse.com/legal/data-processing-agreement.
7 — Period of Storage of Personal Data
1. Personal data processed for the purpose of concluding an Agreement will be processed until the Agreement is concluded. If the Agreement is not concluded, the data will be erased no later than one (1) year after the Agreement conclusion procedure is discontinued. Where data are processed based on consent, they will be processed for the time stated in that consent, but no longer than until it is withdrawn.
2. Personal data processed in connection with the sale of Products will be processed for the duration of the Sale Agreement, and afterward for a period of five (5) years from the end of the calendar year in which the tax payment deadline fell, in accordance with Article 70(1) of the Polish Tax Ordinance Act of 29 August 1997 (i.e. the statutory tax document retention period).
3. Personal data processed in connection with Account management will be processed for the duration of the Account Management Agreement, and afterward for a period of one (1) year from the date the Account is deleted or the Agreement is terminated.
4. Data processed for the purpose of establishing, pursuing, or defending against claims will be processed until those claims become time-barred. Under Polish law, the general limitation period for claims is six (6) years from the date the claim became due (Article 118 of the Polish Civil Code). For claims related to business activity, the limitation period is three (3) years. If the applicable limitation period in the Consumer’s country of habitual residence is longer, that longer period shall apply.
5. Data processed because it is necessary for compliance with a legal obligation by the Controller — in particular under tax and accounting regulations — will be processed for five (5) years from the end of the calendar year in which the tax payment deadline fell (Article 70(1) of the Polish Tax Ordinance Act), or for any longer period required under applicable law.
6. Data processed for the Controller’s legitimate interests (such as handling customer service enquiries not related to the Agreement) will be processed for the duration of the enquiry and for a period of one (1) year after the enquiry is resolved, unless a longer period is necessary due to the nature of the matter or pending legal proceedings.
7. Data processed based on consent will be processed for the time indicated in the consent, but no longer than until consent is withdrawn. If consent is withdrawn before the expiry of the periods mentioned in points 1–6 above, the Controller will cease processing personal data for the purpose and scope covered by the consent but may continue to process them for other purposes and on other legal bases as indicated in points 1–6 above.
8 — Information on Automated Decision-Making, Including Profiling
1. The Client’s personal data will not be used for automated decision-making.
9 — Information on Processing Data for Purposes Other Than for Which They Were Collected
1. NEXURA does not plan to process personal data for any purpose other than that for which they were collected.
10 — Information on the Rights of the Client
1. The Client has the right to request from the Controller access to their personal data, including obtaining a copy of the data undergoing processing. The first copy is free of charge. For any subsequent copies requested by the Client, the Controller may charge a reasonable fee based on administrative costs.
2. The Client has the right to request that the Controller rectify their personal data if it is incorrect, particularly if it was collected with errors or has changed since its collection. This right also includes supplementing incomplete data.
3. The Client has the right to request that the Controller erase their personal data, subject to the cases specified in the Regulation. NEXURA may refuse to erase data in circumstances specified by law, in particular if continuing to process the data is necessary to fulfill a legal obligation under Union or Member State law or to establish, assert, or defend legal claims.
4. The Client has the right to request restriction of the processing of their personal data in the cases set out in the Regulation.
5. The Client has the right to object, pursuant to Article 21(1) of the Regulation, on grounds relating to their particular situation, at any time to the processing of personal data concerning them based on Article 6(1)(f) of the Regulation, including profiling based on those provisions. Should such an objection be raised, the Controller must cease processing those data unless it demonstrates compelling legitimate grounds for processing overriding the interests, rights, and freedoms of the Client, or for establishing, asserting, or defending legal claims.
6. The Client has the right to object to the processing of their personal data for direct marketing purposes, including profiling, as far as it is related to that direct marketing, pursuant to Article 21(2) of the Regulation.
7. The Client has the right to data portability. Under the Regulation, data portability entitles the Client to receive in a structured, commonly used, machine-readable format the personal data concerning them that they have provided to the Controller, and also to transmit those data to another controller without hindrance from the Controller. This right only applies to personal data processed on the basis of consent or a contract and by automated means. When exercising the right to data portability, the Client also has the right to have the personal data transmitted directly by the Controller to another controller, where technically feasible.
8. The Client has the right to withdraw at any time the consent referred to in point 4 above. Withdrawal of consent does not affect the lawfulness of processing carried out on the basis of that consent before its withdrawal. If personal data are also processed on grounds other than consent, the Controller may continue processing them on these other grounds.
9. The Client has the right to lodge a complaint with a supervisory authority. Pursuant to Article 77(1) of the GDPR, this right may be exercised before the supervisory authority of the EU/EEA Member State in which you have your habitual residence, your place of work, or in which the alleged infringement took place — regardless of where the Controller is established.
10. The lead supervisory authority for the Controller (established in Poland) is the President of the Personal Data Protection Office (Urząd Ochrony Danych Osobowych, UODO), ul. Stawki 2, 00-193 Warsaw, Poland; website: www.uodo.gov.pl.
11. You may also contact the data protection authority in your own country. A full list of EU/EEA data protection authorities is available at: https://www.edpb.europa.eu/about-edpb/about-edpb/members_en.