PRIVACY POLICY
Shoptera
Last updated: January 1, 2025 | Binding version — Czech informational translation available at shoptera.ai
This Privacy Policy describes how Statistix s.r.o., reg. ID: 21035334, registered office Kaprova 42/14, Staré Město, 110 00 Prague, Czech Republic, registered in the Commercial Register maintained by the Municipal Court in Prague ("we", "us", "our") collects, processes, uses, and protects personal data in connection with the operation of the Shoptera platform at shoptera.ai ("Platform").
Where this Privacy Policy uses capitalised terms without defining them, such terms have the meanings set out in the Shoptera Terms of Service available at shoptera.ai/terms.
We process all personal data in accordance with applicable legislation, primarily: Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data ("GDPR"); Act No. 127/2005 Coll., on Electronic Communications, as amended; and Act No. 480/2004 Coll., on Certain Information Society Services, as amended.
1. Who is the Controller?
The controller of your personal data is Statistix s.r.o., reg. ID: 21035334, Kaprova 42/14, Staré Město, 110 00 Prague, Czech Republic. You can contact us regarding any data protection matters at: [email protected].
As the Shoptera Platform is a B2B service used exclusively by businesses, the primary data subjects are individuals acting in a professional or commercial capacity — typically business owners, marketing managers, and e-commerce operators. We do not knowingly collect personal data from consumers or minors.
2. What Personal Data Do We Collect?
2.1 ACCOUNT AND REGISTRATION DATA. When you register for the Platform or manage your account, we collect: name and surname, business email address, company name and registration details, billing address, and login credentials (stored in hashed form).
2.2 TRANSACTION AND BILLING DATA. In connection with subscription payments, we process: subscription plan details, billing history, invoice data, and payment confirmation records. Full payment card data is processed exclusively by our third-party payment processor and is not stored by us.
2.3 PRODUCT FEED DATA. The core function of the Platform requires us to download, store, and process your product XML feed. These feeds are structured product catalogues intended for Google Shopping and typically contain product titles, descriptions, prices, images, GTINs, categories, and stock availability. While product feeds are business data rather than personal data, we acknowledge that in some cases feeds may incidentally contain data that could be linked to individuals (for example, seller names or contact details embedded in product attributes). We process such data solely to the extent necessary to provide the optimisation service and treat it with the same level of care as other personal data.
2.4 DATA COLLECTED BY THE ENRICHMENT AGENT. The Enrichment Agent feature operates by accessing publicly available product pages on your e-commerce store in order to extract missing product attributes (such as material, colour, dimensions, or FAQ content). This process is equivalent to standard web crawling of public URLs you have provided to us. We do not intentionally collect personal data through this feature; however, if publicly accessible pages on your store contain personal data (for example, customer review names or seller contact information), such data may be incidentally processed as a technical by-product of the enrichment process. We retain only the extracted product attributes and discard any other content without further processing.
2.5 USAGE AND TECHNICAL DATA. When you use the Platform, we automatically collect: IP address, device type and browser information, session data and timestamps, feature usage logs, Suggestion acceptance and rejection records, and error logs. This data is used solely for service operation, stability monitoring, and improvement.
2.6 COMMUNICATION DATA. If you contact us for support or other purposes, we process your contact details, the content of your messages, and any attachments you provide. We also retain records of email communications sent through our platform (e.g., renewal notifications, onboarding emails) to document delivery and compliance.
2.7 COOKIE AND TRACKING DATA. We use cookies and similar technologies on our Website and within the Platform. For details, see Section 7 of this Privacy Policy.
3. Why and on What Legal Basis Do We Process Your Data?
The table below sets out each processing purpose, the data used, and the applicable legal basis under the GDPR.
Where processing is based on legitimate interest, we have assessed that our interests are not overridden by your rights and interests given the B2B nature of the Platform and the limited sensitivity of the data involved. You may object to such processing at any time (see Section 5).
Where processing is based on consent (e.g., marketing communications), you may withdraw your consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.
4. Who Do We Share Personal Data With?
4.1 DATA PROCESSORS. We engage the following categories of third-party service providers who process personal data strictly on our behalf and under our instructions:
4.2 OTHER DISCLOSURES. We may also disclose personal data to: (i) public authorities or law enforcement bodies where required by applicable law or valid legal process; (ii) professional advisors (lawyers, auditors) under obligations of confidentiality; (iii) a successor entity in the event of a merger, acquisition, or sale of assets, provided that the successor is bound by equivalent data protection obligations.
4.3 INTERNATIONAL TRANSFERS. Some of our service providers, notably Amazon Web Services and Resend, are based in or operate infrastructure in the United States of America. Where personal data is transferred outside the European Economic Area, we ensure that adequate safeguards are in place — primarily Standard Contractual Clauses (SCCs) adopted by the European Commission. We conduct transfer impact assessments where required and apply additional technical measures (such as encryption at rest and in transit) to protect transferred data.
5. Your Rights as a Data Subject
As a data subject under the GDPR, you have the following rights. You can exercise any of these rights by contacting us at [email protected].
✓ Right of access
You have the right to obtain confirmation of whether we process your personal data and, if so, to receive a copy of the data and information about how it is processed (Art. 15 GDPR). We may charge a reasonable fee for additional copies.
✓ Right to rectification
If we hold inaccurate or incomplete personal data about you, you have the right to request its correction or completion without undue delay (Art. 16 GDPR).
✓ Right to erasure
You have the right to request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, where you have withdrawn consent, or where processing is unlawful (Art. 17 GDPR). This right does not apply where processing is required for compliance with a legal obligation, for the establishment or defence of legal claims, or for archiving purposes.
✓ Right to restriction of processing
You may request that we restrict processing of your personal data in certain circumstances — for example, while the accuracy of data is contested or while an objection is being assessed (Art. 18 GDPR).
✓ Right to data portability
Where processing is based on consent or contract and carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller (Art. 20 GDPR).
✓ Right to object
You have the right to object at any time to processing of your personal data based on our legitimate interests (Art. 21 GDPR). We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests. You may object to direct marketing processing at any time and without justification.
✓ Right to withdraw consent
Where processing is based on your consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
✓ Right to lodge a complaint
If you believe that our processing of your personal data infringes the GDPR, you have the right to file a complaint with the supervisory authority. In the Czech Republic, this is the Office for Personal Data Protection (ÚOOÚ), Pplk. Sochora 27, 170 00 Prague 7, www.uoou.cz. You may also lodge a complaint with the supervisory authority in your country of residence or place of work.
We will respond to all requests within 30 days. In complex cases, this period may be extended by a further two months, of which we will notify you.
6. How Long Do We Retain Your Data?
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected. The general retention periods are set out in Section 3. In addition, the following specific rules apply:
6.1 ACCOUNT DATA. Retained for the duration of the active account and deleted within 30 days of account deletion, unless a longer period is required for legal or dispute-related reasons.
6.2 PRODUCT FEED DATA AND SUGGESTIONS. Retained for 18 months from the date of last processing. Upon account deletion or subscription cancellation, feed data is scheduled for deletion within 90 days.
6.3 ENRICHMENT AGENT CACHE. Raw page content retrieved by the Enrichment Agent is retained only for as long as necessary to extract the relevant product attributes — a maximum of 30 days — after which it is permanently deleted. Only the extracted structured attributes are retained as part of the project data.
6.4 BILLING AND INVOICING RECORDS. Retained for 10 years in accordance with Czech accounting and tax legislation.
6.5 SUPPORT COMMUNICATIONS. Retained for the duration of the active account relationship and for 3 years thereafter.
6.6 MARKETING COMMUNICATIONS. Retained until you opt out of receiving such communications, but no longer than 2 years from the date of last engagement.
6.7 LEGAL DISPUTES. Where legal or regulatory proceedings are initiated or anticipated, relevant data is retained for the duration of the proceedings and for the remainder of the applicable limitation period thereafter.
7. Cookies and Tracking Technologies
7.1 WHAT ARE COOKIES. Cookies are small text files placed on your device when you visit our Website or use the Platform. We also use similar technologies such as local storage and session storage for Platform functionality. Cookies help us operate the service, remember your preferences, and understand how the Platform is used.
7.2 STRICTLY NECESSARY COOKIES. These cookies are essential for the Platform to function and cannot be disabled. They include:
- session management and secure login to your Account;
- remembering your in-session preferences and settings;
- CSRF protection tokens essential for Platform security.
7.3 ANALYTICAL COOKIES. We use analytical cookies to understand how users interact with the Platform, identify errors, and improve our service. These may include first-party analytics tools. Where third-party analytics services are used, data is pseudonymised and not used for advertising purposes.
7.4 MARKETING COOKIES. We use marketing cookies only with your explicit consent. These may include tools such as Google Ads conversion tracking. You can update or withdraw your cookie consent at any time via the cookie preference tool on our Website.
7.5 HOW TO MANAGE COOKIES. You can manage your cookie preferences through the cookie consent tool on our Website or through your browser settings. Disabling certain cookies may affect the functionality of the Platform.
8. Data Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, accidental loss, destruction, or alteration. Our security measures include:
- encryption of data in transit (TLS) and at rest (AES-256) across all AWS infrastructure;
- access controls and role-based permissions limiting access to personal data to authorised personnel only;
- distributed locking and isolated processing environments for AI Agent workloads (AWS Lambda);
- regular security monitoring and vulnerability assessments;
- data minimisation practices — we process only the data necessary for each specific function.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of it, and affected data subjects without undue delay where required by the GDPR.
9. Data Processing on Behalf of Clients (Processor Role)
When you use the Platform to process product feeds that may contain personal data belonging to third parties (for example, data about individuals embedded within your feed or store pages), you act as the data controller and we act as your data processor. In this capacity, we process such data strictly in accordance with your instructions and the Data Processing Agreement (DPA) available at shoptera.ai/data-processing-agreement.
You are responsible for ensuring that you have a valid legal basis for sharing any personal data contained in your product feeds with us for processing, and for informing any affected individuals about such processing where required.
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our processing activities, legal requirements, or Platform features. We will notify you of any material changes by email and/or via a notice within the Platform. The date of the most recent update is indicated at the top of this document.
Your continued use of the Platform following notification of an update constitutes acceptance of the revised Privacy Policy.
11. Contact
For any questions, requests, or concerns regarding this Privacy Policy or our data processing practices, please contact us:
Statistix s.r.o.
Kaprova 42/14, Staré Město, 110 00 Prague, Czech Republic
Email: [email protected]
Website: shoptera.ai
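Processing purposes, data categories, legal bases and retention periods (table referred to in Section 3):

| Purpose | Data categories | Legal basis | Retention |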
|---|---|---|---|
| Account creation and management | Account data, login credentials | Performance of contract (Art. 6(1)(b) GDPR) | Duration of account + 1 year |
| Providing the Platform and feed optimisation service | Feed data, usage data, Enrichment Agent outputs | Performance of contract (Art. 6(1)(b) GDPR) | 18 months from last processing |
| Billing and invoicing | Transaction data, billing details | Performance of contract / Legal obligation (Art. 6(1)(b)(c) GDPR) | 10 years (statutory accounting period) |
| Customer support | Communication data, account data | Performance of contract / Legitimate interest (Art. 6(1)(b)(f) GDPR) | Duration of account + 3 years |
| Security, fraud prevention, and abuse detection | Usage data, technical data, IP address | Legitimate interest (Art. 6(1)(f) GDPR) | 12 months |
| Service analytics and improvement | Usage data, error logs, session data | Legitimate interest (Art. 6(1)(f) GDPR) | 24 months (aggregated) |
| Legal claims and dispute resolution | All relevant data | Legitimate interest / Legal obligation (Art. 6(1)(c)(f) GDPR) | Duration of proceedings + 1 year after limitation period |
| Marketing and newsletter communications | Email address, communication preferences | Legitimate interest / Consent (Art. 6(1)(f)(a) GDPR) | Until opt-out, max. 2 years |
| Compliance with legal obligations | As required by applicable law | Legal obligation (Art. 6(1)(c) GDPR) | As required by law |

Service providers acting as data processors (table referred to in Section 4.1):

| Service provider | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, data storage (S3), serverless compute (Lambda), caching (ElastiCache), content delivery (CloudFront) | USA — Standard Contractual Clauses |
| Resend | Transactional email delivery (account notifications, renewal reminders) | USA — Standard Contractual Clauses |
| Payment processor (Stripe or equivalent) | Subscription payment processing | EU/USA — Standard Contractual Clauses |
| Analytics provider (e.g. PostHog / equivalent) | Platform usage analytics and error monitoring | EU or USA — Standard Contractual Clauses where applicable |
