Personal Data Processing Policy

1. GENERAL PROVISIONS

1.1. This document (hereinafter referred to as the "Policy") defines the policy regarding the processing of personal data by Limited Liability Company "Deeray" (address: 603003, Nizhny Novgorod Oblast, Nizhny Novgorod, Kultury Street, Building 6, Apt. 124; TIN: 5252043442; TRRC: 526301001; State Registration Number: 1185275039102), hereinafter referred to as the "Operator".

1.2. This Policy has been developed in compliance with the requirements set forth in Part 2 of Article 18.1 of Federal Law No. 152-FZ dated July 27, 2006 "On Personal Data" (hereinafter referred to as the "Personal Data Act").

1.3. Definitions contained in Article 3 of the Personal Data Act are used in this Policy with identical meanings.

1.4. The scope of this Policy applies to all operations performed by the Operator with personal data, whether through automated means or not.

1.5. Main Rights and Obligations of the Operator:

1.5.1. The Operator has the right:

• To receive accurate information and/or documents containing personal data from the subject of personal data;
• To request timely clarification of the personal data provided by the subject of personal data.

1.5.2. The Operator is obligated:

• To process personal data in accordance with current legislation of the Russian Federation;
• To consider inquiries from the subject of personal data (or their legal representative) regarding the processing of personal data and provide substantiated responses;
• To provide the subject of personal data (or their legal representative) with free access to their personal data;
• To take measures to clarify, destroy, or block the personal data of the subject of personal data upon receiving a legitimate and justified request from them (or their legal representative);
• To organize the protection of personal data in accordance with the requirements of the legislation of the Russian Federation.

1.6. Main Rights and Obligations of Subjects of Personal Data:

1.6.1. Subjects of personal data have the right:

• To obtain complete information about their personal data processed by the Operator;
• To access their personal data, including the right to obtain a copy of any record containing their personal data, except in cases stipulated by federal law;
• To request clarification, blocking, or destruction of their personal data in cases where the personal data is incomplete, outdated, inaccurate, obtained unlawfully, or unnecessary for the stated purpose of processing;
• To revoke consent to the processing of their personal data;
• To take legally prescribed measures to protect their rights;
• To exercise other rights provided by the legislation of the Russian Federation.

1.6.2. Subjects of personal data are obligated:

• To provide the Operator only with accurate data about themselves;
• To provide documents containing personal data in the volume necessary for the purpose of processing;
• To inform the Operator about clarifications (updates, changes) to their personal data.

1.6.3. Individuals who have provided the Operator with inaccurate information about themselves or information about another subject of personal data without the latter's consent bear responsibility in accordance with the legislation of the Russian Federation.

2. VOLUME AND CATEGORIES OF PROCESSED PERSONAL DATA, CATEGORIES OF SUBJECTS OF PERSONAL DATA

2.1. The Operator may process personal data of the following subjects of personal data:

• Employees, former employees, candidates for employment, and relatives of employees of the Operator;
• Clients and counterparties of the Operator (individuals);
• Representatives/employees of clients and counterparties of the Operator (legal entities);
• Users of the Operator’s product (hereinafter referred to as the "Product").

2.2. Personal data processed by the Operator includes:

• Surname, name, and patronymic of the subject of personal data;
• Place of residence (region/city);
• Profession/specialization or area of professional interest;
• Mobile phone number;
• Email address (e-mail);
• History of queries and views on the website and its services (for website visitors and users of the product);
• Other information (the list provided may be reduced or expanded depending on the specific case and purpose of processing).

2.3. The Operator ensures that the content and volume of the processed personal data correspond to the stated purposes of processing and takes measures to eliminate any excessiveness of such data relative to the stated purposes of processing if necessary.

2.4. The Operator processes biometric personal data only upon written consent from the respective subjects of personal data or in other cases stipulated by the legislation of the Russian Federation.

2.5. Processing of special categories of personal data related to racial or ethnic origin, political views, religious or philosophical beliefs, or intimate life is not carried out by the Operator.

2.6. Transborder transfer of personal data is not carried out by the Operator.

3. PURPOSES OF COLLECTING PERSONAL DATA

3.1. Personal data is processed by the Operator for the following purposes:

• Entering into contracts with subjects of personal data and subsequent performance thereof;
• Conducting promotions, surveys, interviews, tests, and research on the website;
• Providing subjects of personal data with the Operator’s services and products, as well as information on the development of new products and services by the Operator, including advertising materials;
• Communicating with subjects of personal data, including processing their requests and inquiries, and informing them about the operation of the Product;
• Monitoring and improving the quality of the Operator’s services and products, including those offered on the website;
• Personnel management and accounting of the Operator’s employees, regulation of labor and other relations directly connected therewith;
• Recruitment and selection of candidates for employment at the Operator;
• Compilation of statistical reports;
• Conducting business activities;
• Performing other functions, powers, and obligations imposed on the Operator by the legislation of the Russian Federation.

4. LEGAL BASIS FOR THE PROCESSING OF PERSONAL DATA

4.1. Legal grounds for the processing of personal data by the Operator include:

• Constitution of the Russian Federation;
• Labor Code of the Russian Federation;
• Civil Code of the Russian Federation;
• Federal Law No. 149-FZ dated July 27, 2006 "On Information, Information Technologies and on Protection of Information";
• Law of the Russian Federation No. 2124-1 dated December 27, 1991 "On Mass Media";
• Federal Law No. 294-FZ dated December 26, 2008 "On Protection of the Rights of Legal Entities and Individual Entrepreneurs in the Implementation of State Control (Supervision) and Municipal Control";
• Decree of the President of the Russian Federation No. 188 dated March 6, 1997 "On Approval of the List of Confidential Information";
• Government Decree of the Russian Federation No. 512 dated July 6, 2008 "On Approval of Requirements for Material Carriers of Biometric Personal Data and Storage Technologies for Such Data Outside Personal Data Information Systems";
• Government Decree of the Russian Federation No. 687 dated September 15, 2008 "On Approval of the Regulation on Specifics of Processing Personal Data Without Using Automation Means";
• Government Decree of the Russian Federation No. 1119 dated November 1, 2012 "On Approval of the Requirements for the Protection of Personal Data When Processed in Personal Data Information Systems";
• Order of Roskomnadzor No. 996 dated September 5, 2013 "On Approval of Requirements and Methods for Anonymizing Personal Data";
• Order of FSTEC Russia No. 21 dated February 18, 2013 "On Approval of the Composition and Content of Organizational and Technical Measures to Ensure the Security of Personal Data Processed in Personal Data Information Systems";
• Charter documents of the Operator;
• Contracts concluded between the Operator and the subjects of personal data;
• Consent of the subjects of personal data for the processing of personal data;
• Other grounds when consent for the processing of personal data is not required by law.

5. ORDER AND CONDITIONS FOR THE PROCESSING OF PERSONAL DATA

5.1. The Operator processes personal data using the following methods:

• Non-automated processing of personal data;
• Automated processing of personal data with or without transmission of the obtained information via telecommunication networks;
• Mixed processing of personal data.

5.2. Actions performed by the Operator with personal data include collection, systematization, accumulation, storage, clarification (updating, changing), use, dissemination (including transfer), anonymization, blocking, destruction, and any other actions in accordance with the current legislation of the Russian Federation.

5.3. The Operator processes personal data upon obtaining consent from the subject of personal data (hereinafter referred to as "Consent"), except for cases stipulated by the legislation of the Russian Federation when personal data can be processed without such Consent.

5.4. The subject of personal data makes the decision to provide their personal data and gives Consent freely, voluntarily, and in their own interest.

5.5. Consent is given in any form that allows confirmation of its receipt. In cases stipulated by the legislation of the Russian Federation, Consent must be in writing.

5.6. Conditions for ceasing the processing of personal data may include achieving the purposes of processing personal data, expiration of the period of Consent, revocation of Consent by the subject of personal data, or detection of unlawful processing of personal data.

5.7. Consent may be revoked by sending a written notice to the Operator via registered mail.

5.8. When processing personal data, the Operator adopts or ensures the adoption of necessary legal, organizational, and technical measures to protect personal data from unauthorized or accidental access, destruction, modification, blocking, copying, disclosure, dissemination of personal data, as well as from other unlawful actions concerning personal data.

5.9. Personal data is stored in a form allowing identification of the subject of personal data for no longer than necessary for the purposes of processing, unless otherwise stipulated by federal law.

5.10. When storing personal data, the Operator uses databases located within the territory of the Russian Federation.

6. UPDATING, CORRECTING, DELETING, AND DESTROYING PERSONAL DATA, RESPONDING TO REQUESTS FROM SUBJECTS OF PERSONAL DATA REGARDING ACCESS TO THEIR PERSONAL DATA

6.1. If inaccuracies in personal data or illegality of their processing are confirmed, the Operator must update the data or cease their processing accordingly.

6.2. The fact of inaccuracy in personal data or illegality of their processing may be established either by the subject of personal data or by competent state authorities of the Russian Federation.

6.3. Upon a written request from the subject of personal data or their representative, the Operator must provide information about the processing of the subject's personal data. The request must contain the number of the main document confirming the identity of the subject of personal data and their representative, information about the date of issue of the document and the issuing authority, information confirming the participation of the subject of personal data in relationships with the Operator (contract number, contract signing date, verbal designation, and/or other information), or other information confirming the fact of processing personal data by the Operator, along with the signature of the subject of personal data or their representative. The request may be submitted in electronic form and signed with an electronic signature in accordance with the legislation of the Russian Federation.

6.4. If the request from the subject of personal data does not contain all the necessary information or the subject does not have the right to access the requested information, a motivated refusal will be sent to them.

6.5. Pursuant to paragraph 6.3, the subject of personal data may request the Operator to clarify their personal data, block or destroy them if the personal data is incomplete, outdated, inaccurate, obtained unlawfully, or unnecessary for the stated purpose of processing, as well as take legally prescribed measures to protect their rights.

6.6. Upon achieving the purposes of processing personal data, as well as upon revocation of Consent by the subject of personal data, personal data must be destroyed if:

• The Operator is not entitled to process personal data without Consent from the subject of personal data;
• There is no agreement under which the subject of personal data is a party, beneficiary, or guarantor;
• There is no other agreement between the Operator and the subject of personal data allowing retention.

7. CONCLUDING PROVISIONS

7.1. All relations related to the processing of personal data that are not addressed in this Policy are regulated in accordance with the provisions of the legislation of the Russian Federation.

7.2. The Operator reserves the right to make changes to this Policy. When changes are made, the current version indicates the date of the last update. The new version of the Policy comes into effect upon its publication on the website unless otherwise specified in the new version of the Policy. The current version is always available on the Operator's website.