Personal Data Processing Policy

1. Terms and Definitions

1.1. This Policy uses specific terms defined as follows. Other terms and definitions not covered in this Policy will be interpreted by the parties in accordance with applicable legislation, unless otherwise specified in the Policy:

• Personal Data: Any information relating to an identified or identifiable individual (data subject).
• Data Subject: An individual to whom personal data directly or indirectly pertains.
• Personal Data Operator (Operator): An entity that independently organizes and/or processes personal data, determines the purposes of processing, the scope of personal data to be processed, and the actions (operations) performed with personal data.
• Personal Data Processing: Any action or set of actions performed with personal data, whether using automated means or not, including collection, recording, systematization, accumulation, storage, updating (modification), retrieval, use, transfer (dissemination, provision, access), anonymization, blocking, deletion, and destruction.
• Blocking of Personal Data: Temporary suspension of personal data processing (except when processing is necessary to update personal data).
• Destruction of Personal Data: Actions that make it impossible to restore the content of personal data in the information system and/or result in the destruction of physical media containing personal data.
• Automated Personal Data Processing: Processing of personal data using computing technology.
• Dissemination of Personal Data: Actions aimed at disclosing personal data to an indefinite group of persons.
• Provision of Personal Data: Actions aimed at disclosing personal data to a specific person or group of persons.
• Anonymization of Personal Data: Actions that make it impossible to identify the data subject without additional information.
• Personal Data Information System: A set of personal data contained in databases and the information technologies and technical means used to process them.
• Cross-Border Transfer of Personal Data: Transfer of personal data to a foreign state authority, foreign individual, or foreign legal entity.
• Special Categories of Personal Data: Data concerning racial or ethnic origin, political opinions, religious beliefs, health status, and biometric personal data.
• Cookies: Small text files stored on a user's device when visiting a website, containing fragments of information necessary for its operation (e.g., session settings, authentication data), collecting statistics, or personalizing content. Some cookies may include personal data, such as IP addresses or unique identifiers.

2. General Provisions

2.1. Ensuring the confidentiality and security of personal data processing is a priority for the Company. Personal data processing complies with legislative requirements, including the Civil Code of the Russian Federation, the Labor Code of the Russian Federation, Federal Law No. 152-FZ of July 27, 2006, "On Personal Data," and Federal Law No. 149-FZ of July 27, 2006, "On Information, Information Technologies, and Information Protection."

2.2. The Company has adopted internal regulatory documents mandatory for all employees involved in personal data processing.

2.3. The processing, storage, and confidentiality of personal data are carried out in accordance with Russian legislation on personal data protection and the Company's internal regulations.

2.4. This Policy defines the principles, procedures, and conditions for processing personal data to protect the rights and freedoms of individuals, including their right to privacy, personal, and family secrets. It also establishes the liability of Company employees with access to personal data for non-compliance with regulations governing personal data processing and protection.

2.5. The Company ensures the collection and processing of personal data using databases located within the Russian Federation.

2.6. Note: In accordance with Part 2 of Article 18.1 of Federal Law No. 152-FZ, this Policy does not include detailed information about the measures taken to protect personal data or other information that could harm the Company or data subjects if disclosed to an unlimited audience.

3. Concept and Composition of Personal Data

3.1. Personal data includes information provided by the data subject that directly or indirectly identifies them.

3.2. Consent to personal data processing and acceptance of this Policy are deemed obtained when the data subject performs any of the following actions, including but not limited to: registering in the Company’s information systems; concluding a contract (including accepting an offer) or performing actions indicating consent; filling out web forms with personal data; submitting information via email, online consultants, callback services, or file attachments; providing data personally (orally or in writing) or through an authorized representative; submitting a resume for employment; or starting to use the Company’s services. These provisions comply with Article 9 of Federal Law No. 152-FZ, Article 438 of the Civil Code of the Russian Federation, and Roskomnadzor clarifications. Separate written consent is required for special categories of data, and the data subject retains the right to withdraw consent at any time. All instances of data provision are recorded with the date and time, confirming voluntary and informed consent.

3.3. If the data subject disagrees with this Policy, they must immediately cease using the Company’s services, partially or fully, and refrain from providing data. Refusal to provide data may result in the Company’s inability to provide services, for which the Company is not liable.

3.4. The Company is not responsible for third-party websites linked from its site.

3.5. The data subject is responsible for the completeness and accuracy of the provided data. In case of inaccuracies, the data must be updated, including through a written request to the Company in accordance with the Rules for Handling Data Subject Requests.

4. Purposes and Duration of Personal Data Processing

4.1. Personal data processing is limited to achieving specific, predefined, and lawful purposes established by the Company's internal regulations for each category of data subjects, in line with the services provided. The Company does not process personal data for purposes incompatible with those established or combine databases with incompatible processing purposes.

4.2. The scope and content of processed personal data align with the stated purposes and are not excessive. Necessary measures are taken to delete or correct incomplete or inaccurate data.

4.3. Personal data is stored in a form that allows identification of the data subject for no longer than required by the processing purposes, unless otherwise specified by law or contract. Upon achieving the processing purposes or if they become unnecessary, personal data is destroyed or anonymized unless otherwise required by federal law.

4.4. Unless otherwise specified in a resume, the data subject consents to inclusion in the Company's personnel reserve for employment purposes. In this case, personal data may be processed until employment or the data subject's request for exclusion from the reserve.

4.5. The purposes of personal data processing are strictly defined in accordance with Russian legislation and may include fulfilling contractual obligations, complying with legal requirements, and pursuing the operator's legitimate interests. A complete list of purposes is provided in Appendix No. 1 to this Policy. Processing is based on the data subject's consent or legal requirements, with storage durations limited to the period necessary to achieve these purposes unless otherwise specified by federal law. Use of data for other purposes or beyond the established period is not permitted without additional legal grounds.

4.6. The Company does not collect or process special categories of personal data.

4.7. The duration of personal data processing is determined by the contract term, Order No. 558 of the Ministry of Culture of the Russian Federation dated August 25, 2010, the statute of limitations, and other legal requirements.

5. Rights and Obligations

5.1. Rights of the Company as a Personal Data Operator Defend its interests in court.

• 5.1.1. Defend its interests in court.
• 5.1.2. Provide personal data to third parties as required by law (e.g., tax or law enforcement authorities).
• 5.1.3. Refuse to provide personal data in cases permitted by law.
• 5.1.4. Use personal data without consent in cases permitted by law.

5.2. Obligations of the Company as a Personal Data Operator

• 5.2.1. Provide data subjects with access to documents and materials containing their personal data, unless otherwise prohibited by law.
• 5.2.2. Update, destroy, or block personal data if it is incomplete, outdated, inaccurate, or illegally obtained, and notify the data subject of such actions.
• 5.2.3. Comply with Russian legislation.

5.3. Rights of the Data Subject

• 5.3.1. Request clarification, blocking, or destruction of their personal data if it is incomplete, outdated, inaccurate, illegally obtained, or unnecessary for the stated purpose, and take legal measures to protect their rights.
• 5.3.2. Request a list of their personal data processed by the Company and the source of such data.
• 5.3.3. Obtain information about the processing and storage duration of their personal data.
• 5.3.4. Demand notification of all persons previously provided with incorrect or incomplete personal data about any corrections or additions made.
• 5.3.5. Appeal unlawful actions or inaction regarding their personal data to the authorized data protection body or in court.

5.4. Data Subject Request Procedures. If the Company's website or services do not provide automated forms for deleting, updating, or withdrawing consent for personal data processing, the data subject may exercise these rights as outlined in Section 11 of this Policy.

5.5. Obligations of the Data Subject

• 5.5.1. Provide accurate and necessary personal data and confirm their accuracy with original documents.
• 5.5.2. Notify the Company of changes to personal data required for processing purposes and confirm these changes with original documents.
• 5.5.3. Comply with Russian legislation.

6. Composition of Personal Data

6.1. The Company may process personal data with or without automation, as detailed in Appendix No. 1 to this Policy.

6.2. For employment evaluation purposes, the Company may process personal data listed in Appendix No. 1, determined by the scope of information required to assess the candidate's suitability for the position.

6.3. The Company may collect data related to IP addresses, statistical information about actions performed while using the Company's services, unique identifiers, language, access location, and other automatically transmitted data, including IP address, device network number (MAC address, device ID), electronic serial number (IMEI, MEID), advertising identifiers (GAID, IDFA, OAID), access date and time, cookies, browser information, and referrer (previous page address).

6.4. The Company may collect additional personal data necessary for providing services or complying with Russian data protection laws.

6.5. The Company uses temporary (session) and persistent cookies on its website. Temporary cookies are deleted after closing the browser, while persistent cookies remain until manually deleted or their storage period expires. Cookies enable website functionality, user preference recognition, and statistics collection for improving user experience and resolving errors. The purposes for using cookies include, but are not limited to:

• Technical Cookies: Essential for website and service functionality, enabling navigation, form completion, and checkbox state changes.
• Analytical Cookies: Collect data on visit frequency, viewed sections, clicked links, and navigation patterns.
• Marketing Cookies: Gather information about user actions on the Company's and third-party websites to deliver relevant advertisements, assess ad effectiveness, and limit ad impressions.

6.6. Data subjects can modify browser settings to delete existing cookies or prevent new ones from being saved (refer to browser manuals for details).

6.7. Disabling cookies may limit access to some or all website and service functionalities, for which the Company is not responsible.

7. Personal Data Security

7.1. The Company implements necessary organizational and technical measures to protect personal data from unauthorized access, destruction, alteration, blocking, or other unlawful actions. These measures include:

• Organizational Measures: Appointing a personal data processing officer and an information system security administrator, developing regulatory documents (Processing Policy, Data Protection Regulations), and conducting internal audits.
• Technical Measures: Creating a threat model, implementing an information protection system compliant with FSTEC and FSB requirements, introducing access control measures, and regularly assessing protection effectiveness.
• Personnel Measures: Conducting employee briefings, signing non-disclosure agreements, and ensuring compliance with regulations.
• Response Procedures: Establishing a regulated process for addressing violations, including incident documentation, investigation, and notification of regulators when necessary.

These measures comply with Federal Law No. 152-FZ, FSTEC orders, and the Company's internal standards, ensuring continuous improvement through annual threat model reviews, document updates, and legislative monitoring.

8. Personal Data Processing

8.1. Personal data processing is conducted only with legal grounds, including data subject consent, using three methods:

• Automated: Using software and information systems.
• (2) смешанным – сочетающим автоматизированные и неавтоматизированные методы;
• Non-Automated: Recording on physical media stored in secure locations with restricted access and mandatory logging.

Processing methods, technical means, responsible persons, and storage durations are specified for each purpose listed in Appendix No. 1, in compliance with Federal Law No. 152-FZ, the Company's regulations, and industry security standards, including regular monitoring and audits.

8.2. The Company does not disclose personal data to third parties without the data subject's consent, except as required by Russian data protection laws.

8.3. Personal data may be transferred to service providers as necessary for service provision, with providers using the data only per the Company's instructions and for the purposes outlined in this Policy.

8.4. If consent is withdrawn, the Company may continue processing personal data without consent in cases permitted by law.

8.5. Personal data provided or stored in written form is destroyed in a manner that prevents text recovery.

8.6. The Company may combine personal data with other information to provide, manage, and develop services.

8.7. In case of contract assignment, transfer of rights and obligations, or Company reorganization, personal data may be transferred to the new party or successor to fulfill obligations to the data subject. By accepting this Policy, the data subject consents to such transfers.

9. Personal Data Confidentiality

9.1. Personal data is confidential. The Company ensures that employees processing personal data sign non-disclosure agreements and are informed of their responsibilities under data protection laws.

10. Policy Publication

10.1. To ensure unrestricted access, this Policy is published on the Company's official website.

10.2. The Company may unilaterally amend this Policy at any time. Changes take effect on the date specified or 10 days after publication if no date is provided.

10.3. Data subjects are responsible for reviewing Policy updates at least monthly.

10.4. The Company does not provide additional notifications about Policy changes beyond website publication.

11. Final Provisions

11.1. This Policy is subject to updates in response to new legislation or regulations on personal data processing and protection, at least once every three years.

11.2. Compliance with this Policy is monitored by the Company's personal data processing officer.

11.3. Company employees with access to personal data are liable for non-compliance with data protection regulations in accordance with Russian legislation and internal Company policies.

11.4. Data subject requests must be submitted in writing to: ITMS Limited Liability Company, 614066, Perm, Stakhanovskaya St., 54, lit. P, office 305, or via email at info@tehzor.ru. Requests from representatives must include a copy of the authorization document.

11.5. All document copies must be certified per GOST R 6.30-2003 or GOST R 7.0.97-2016 (effective from July 1, 2018), including the word "True," the certifier's name, signature, initials, surname, and certification date.