Processing of personal data

1. General Provisions

This Policy regarding personal data has been developed in accordance with the requirements of Federal Law No. 152-FZ dated 27.07.2006 “On Personal Data” (hereinafter referred to as the “Personal Data Law”) and establishes the procedure for processing personal data as well as the measures taken by LLC "iGuides" (TIN 7704813936, OGRN 1127746626347, email adv@iguides.ru) (hereinafter – the “Operator”) to protect personal data of users of the Website – https://www.iguides.ru (also referred to as the “Policy”, the “Agreement”).

The Operator’s primary goal and condition for its activities is to ensure the protection of the rights and freedoms of individuals and citizens in the processing of their personal data, including the protection of the right to privacy, personal and family confidentiality.

The User is obliged to fully familiarize themselves with this Policy prior to beginning use of the Website. The use of the Website and the completion by the User of any forms on the Website implies full and unconditional acceptance by the User of this Policy in accordance with Article 438 of the Civil Code of the Russian Federation. This document is publicly available and is subject to publication on the official Website https://www.iguides.ru.

Local regulations and other documents governing the processing of personal data of Russian Website users are developed in consideration of the provisions of this Policy.

The Operator has the right to make amendments to this Policy due to operational practices or legal changes, without prior notification of the User and/or obtaining their consent. When changes are made, the header of the Policy indicates the date of the latest version update. The new version of the Policy comes into force at the moment it is posted on the Website, unless otherwise stipulated in the new version. Therefore, we recommend reviewing the Policy upon each return visit to the Website. The Operator may, at its discretion, notify the User about updates and/or changes to this Agreement in a manner that the Operator deems most appropriate. The use of the Website and the materials and services offered on it at any given time indicates the User’s unconditional acceptance of all terms of this Agreement. If the User disagrees with the current version of this Agreement either in whole or in part, they must promptly request the Administration to delete their account and discontinue using the Website until their account is removed. By accepting this Agreement through using the Website and filling out any forms placed on it, the User confirms their consent to the Operator’s processing of their personal data voluntarily provided by the User when filling out the respective forms on the Website, as well as those provided by the User when entering into service agreements with the Website Operator.

Legal grounds for the processing of personal data:

• Federal Law No. 152-FZ dated 27.07.2006 “On Personal Data”;
• Federal Law No. 149-FZ dated 27.06.2006 “On Information, Information Technologies, and the Protection of Information”;
• Contracts and agreements entered into between the Operator and the Data Subject.

2. Terms and Definitions

For the purposes of this Policy, the following terms and definitions are used, interpreted in accordance with the legislation of the Russian Federation and commonly accepted Internet terminology:

2.1. Operator

A state or municipal authority, legal or natural person that, independently or jointly with others, organizes and/or carries out the processing of personal data, and also determines the purposes of personal data processing, the composition of the personal data to be processed, and the actions (operations) performed with personal data;

2.2. Personal data subject

Any visitor to the website (https://www.iguides.ru);

2.3. Personal data

Any information relating directly or indirectly to an identified or identifiable User of the Website (https://www.iguides.ru);

Personal data allowed by the subject for distribution – personal data that the data subject has made available to an unlimited number of persons by giving consent for the processing of such data in accordance with the Personal Data Law.

2.4. Processing of personal data

Any action (operation) or set of actions (operations), performed with or without the use of automation tools with personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, transfer (distribution, provision, access), anonymization, blocking, deletion, destruction of personal data;

2.5. Website

A collection of graphic and information materials, as well as computer programs and databases, ensuring their availability on the Internet at the network address https://www.iguides.ru;

2.6. Automated processing of personal data

Processing of personal data using computing technology;

2.7. Distribution of personal data

Actions aimed at disclosing personal data to an indefinite number of persons;

2.8. Provision of personal data

Actions aimed at disclosing personal data to a specific person or a specific group of persons;

2.9. Blocking of personal data

Temporary suspension of personal data processing (except when processing is necessary to clarify personal data);

2.10. Destruction of personal data

Actions that make it impossible to restore the content of personal data in the personal data information system and/or that result in the destruction of physical media containing personal data;

2.11. Anonymization of personal data

Actions resulting in the impossibility, without the use of additional information, to determine the ownership of personal data by a specific data subject;

2.12. Personal data information system

A set of personal data contained in databases and technologies and technical tools that ensure their processing;

2.13. Cross-border transfer of personal data

Transfer of personal data to the territory of a foreign state, to a foreign authority, foreign individual, or foreign legal entity.

3. Processing, Storage, and Transfer of Website Users’ Personal Data

3.1. Personal data on the Website is processed both with and without the use of automation tools.

3.2. The categories of personal data subjects include Users of the Website.

For this category of subjects, the Website Administration processes personal data for the following purposes:

• User authorization on the Website by completing and submitting an application form with the relevant information;
• Establishing feedback from the Operator to the personal data subject, including sending notifications and requests regarding the provision of services;
• Identification of the personal data subject;
• Providing effective customer and technical support to the personal data subject in case of problems using the Website;
• Informing the User via email;
• Providing the User with access to services, information, and/or materials on the Website;
• Sending the User notifications about new products and services, special offers, and various events.

Category of Personal Data | List of Personal Data | Method of Processing | Processing and Storage Period

General personal data | Personal information provided by the User when filling out forms on the Website, such as: first name, last name, address, social media username, city of residence, photo image of the face. | Processing method: collection, recording, systematization, accumulation, clarification (updating, modification), use, storage, blocking, deletion, and destruction. | Storage period: no more than 1 year from the User's last use of the Website (last successful login) or no more than 6 months in case of deletion of data at the User’s request.

General personal data | Data entered by the User during Website registration, such as: email address, photo image of the face. | Processing method: collection, recording, systematization, accumulation, clarification (updating, modification), use, storage, blocking, deletion, and destruction. | Storage period: no more than 3 years from the User's last use of the Website (last successful login) or no more than 6 months in case of deletion of data at the User’s request.

Technical data | IP address, browser information (or other software used to access Website services), access time, requested page address, as well as other data provided by the User after registration or during Website usage. | Processing method: collection, recording, systematization, accumulation, storage, blocking, destruction, and anonymization. | Storage period: no more than 1 year from the User's last use of the Website (last successful login) or no more than 6 months in case of deletion of data at the User’s request.

3.4. Consent of the personal data subject to the processing of data permitted for distribution is issued separately from other consents for personal data processing. Requirements for the content of such consent are established by the authorized body for the protection of personal data subjects’ rights.

3.5. Consent to the processing of data permitted for distribution is provided directly to the Operator by the personal data subject.

3.6. Users’ personal data is stored electronically in the Website’s personal data information system, as well as in archived copies of the Website’s databases. Organizational and technical measures are observed to ensure the security of the stored data and to prevent unauthorized access. Only authorized Website Administration employees who have signed a non-disclosure agreement may access Users’ personal data.

3.7. The Website Administration may transfer Users’ personal data to third parties only when necessary to prevent threats to life and health, or as required by law.

3.8. The Website Administration must provide Users’ personal data only to authorized individuals and only to the extent necessary for their job responsibilities, in accordance with this privacy policy and Russian legislation.

3.9. When transferring Users’ personal data, the Website Administration warns recipients that this data may be used only for the purposes for which it was disclosed and requires written confirmation of compliance with this condition.

3.10. Other rights, responsibilities, and actions of Website Administration employees involved in personal data processing are determined by their job descriptions.

3.11. All information regarding the transfer of Website Users’ personal data is recorded to control the lawful use of this information by recipients.

3.12. To improve service quality and ensure legal protection, the Website Administration may store log files of actions performed by Users during Website usage.

4. Rights and Responsibilities of the Operator

4.1. The Operator has the right to:

• Receive from the personal data subject accurate information and/or documents containing personal data;
• Request the timely clarification of personal data provided by the personal data subject;
• In case the personal data subject withdraws their consent to process personal data or sends a request to cease processing, the Operator has the right to continue processing the data without consent if there are legal grounds specified in the Personal Data Law;
• Independently determine the composition and list of measures necessary and sufficient to ensure the fulfillment of obligations under the Personal Data Law and regulations adopted in accordance with it, unless otherwise provided by the Personal Data Law or other federal laws.

4.2. The Operator is obliged to:

• Provide the personal data subject, upon request, with information about the processing of their personal data, including: the purposes and methods of processing used by the Operator ; the name and location of the Operator; information about persons who have access to personal data ; the personal data being processed; the source of the data; the processing timeframes, including storage periods ; and whether cross-border transfers are carried out or intended;
• Organize the processing of personal data in accordance with current Russian legislation;
• Provide the personal data subject or their legal representative with the necessary information within 10 business days of receiving a request. This period may be extended, but not by more than 5 business days, if the Operator sends a reasoned notice with justification for the extension;
• If refusing to provide the requested information, the Operator must issue a written reasoned response no later than 10 business days from the request date. This period may be extended, but not more than 5 business days;
• Provide necessary information to the authorized body for the protection of personal data subjects’ rights within 10 business days of receiving a request. This period may also be extended by no more than 5 business days with a justified notice;
• Publish or otherwise ensure unrestricted access to this Policy, as well as to information on the implemented requirements for personal data protection. The Operator collecting personal data via telecommunications networks must ensure access to this document using such networks;
• Take or ensure the adoption of legal, organizational, and technical measures to protect personal data from unlawful or accidental access, destruction, modification, blocking, copying, provision, distribution, as well as other unlawful actions;
• Stop transmission (distribution, provision, access) of personal data, stop processing and destroy personal data in the manner and in cases provided by the Personal Data Law;
• Respond to and fulfill a User’s request to update/destroy their personal data no later than 7 business days from receipt;
• Respond to and fulfill a Data Subject’s request to update personal data within 7 business days of submission;
• If the Data Subject withdraws their consent to processing, stop processing and destroy the data within 30 days unless further storage is legally required;
• If a personal data subject requests the termination of processing, the Operator must comply within 10 business days unless otherwise provided by law;
• If immediate destruction of data is not possible, the Operator blocks such data and ensures its destruction within no more than six months;
• Take measures to prevent unauthorized or accidental access to personal data by third parties, including measures for deletion, modification, blocking, restriction of copying and/or distribution;
• If the Operator, Roskomnadzor, or another interested party identifies unlawful or accidental transmission (provision, dissemination) of personal data resulting in a violation of rights:
  • Within 24 hours — notify Roskomnadzor of the incident, its alleged causes, the presumed damage, and the corrective measures taken, including contact details of the person authorized to interact with Roskomnadzor;
  • Within 72 hours — notify Roskomnadzor of the results of the internal investigation and provide information about the individuals responsible for the incident (if any);
• Fulfill other duties as stipulated by the Personal Data Law.

5. Rights and Responsibilities of Personal Data Subjects

5.1. Personal data subjects have the right to:

• Receive information regarding the processing of their personal data, except as provided by federal laws. The information must be provided by the Operator in an accessible form and must not contain personal data related to other subjects unless there are legal grounds for disclosure. The list of information and the procedure for obtaining it are established by the Personal Data Law;
• Request the Operator to clarify their personal data, block or destroy it if the data is incomplete, outdated, inaccurate, obtained unlawfully, or is not required for the stated purpose of processing, and to take legal measures to protect their rights;
• Set a condition of prior consent for the processing of personal data for marketing purposes — including promotion of goods, works, and services using communication tools, as well as for political campaigning. This processing is considered to be without consent unless the Operator proves otherwise;
• Withdraw their consent to the processing of personal data, and demand the cessation of such processing;
• File complaints with the authorized body for the protection of personal data subjects’ rights or in court regarding unlawful actions or inaction of the Operator in relation to the processing of their personal data;
• Protect their rights and legal interests, including claiming damages and/or compensation for moral harm through judicial proceedings;
• Exercise other rights provided by Russian legislation.

5.2. Personal data subjects must:

• Provide the Operator with accurate data about themselves;
• Inform the Operator about any clarification (update, change) of their personal data;
• Comply with the legislation of the Russian Federation on personal data.

5.3. Persons who provide inaccurate data about themselves to the Operator, or data about another personal data subject without the latter’s consent, bear responsibility in accordance with Russian legislation.

6. Principles of Personal Data Processing

6.1. Personal data shall be processed lawfully and fairly.

6.2. The processing of personal data is limited to the achievement of specific, predetermined, and legitimate purposes. Processing that is incompatible with the purposes of collecting personal data is not permitted.

6.3. It is prohibited to combine databases containing personal data that are processed for purposes incompatible with one another.

6.4. Only personal data that meets the processing purposes shall be processed.

6.5. The content and volume of processed personal data must correspond to the stated processing purposes. The processing of personal data that is excessive in relation to the stated purposes is not allowed.

6.6. The accuracy of personal data, their sufficiency, and, where necessary, their relevance to the purposes of processing shall be ensured. The Operator must take necessary measures and/or ensure that such measures are taken to remove or clarify incomplete or inaccurate data.

6.7. Personal data shall be stored in a form that allows the identification of the personal data subject for no longer than required by the purposes of their processing, unless a longer storage period is required by federal law, a contract to which the data subject is a party, a beneficiary, or a guarantor. The processed personal data shall be destroyed or anonymized upon the achievement of the processing purposes or when there is no longer a need to achieve these purposes, unless otherwise provided by federal law.

7. Conditions of Personal Data Processing

7.1. Personal data shall be processed with the consent of the personal data subject to the processing of their personal data.

7.2. The Operator has the right to use the information provided by the User, including personal data, to ensure compliance with applicable laws (including to prevent and/or suppress unlawful and/or illegal actions by Users). Disclosure of information provided by the User may be made only in accordance with applicable law, by court order, or as otherwise required by law.

7.3. Personal data processing begins when the User fills out a relevant form to obtain services provided on the Website or otherwise provides their personal data, and continues until the relationship between the Operator and the User ends (e.g., deletion of the account or withdrawal of consent for processing).

7.4. The Operator has the right to transfer the User’s personal information to third parties in the following cases:

• The User has given consent to such transfer;
• The transfer is necessary for the User to access a specific service/functionality of the Website;
• The transfer is required by Russian or other applicable legislation as part of a legally established procedure;
• The transfer occurs as part of a sale or other transfer of the Website (in whole or in part), in which case the acquirer assumes all obligations under this Policy with respect to the acquired personal information.

7.5. The Operator does not sell or rent out personal data to third parties for marketing purposes without prior consent from the Users.

7.6. Access to Users’ personal data is permitted within the Operator’s organization and its staff.

7.7. The Operator will make every reasonable effort to:

• Collect only the minimum necessary amount of confidential information about Users;
• Use confidential information strictly for the purposes stated at the time of collection;
• Prevent confidential information from being shared with third parties, except as outlined in this Agreement or the legislation of the Russian Federation.

7.8. The Operator stores and protects Users’ personal data from unauthorized access and distribution in accordance with internal rules and regulations. The confidentiality of Users’ personal data is maintained, except in cases where the Website technology or the software settings used by the User provide for open data sharing with other Website Users or with users on the Internet.

7.9. The User’s personal information is kept confidential, except in cases where the User voluntarily shares information about themselves for public access.

7.10. The Operator ensures confidentiality and security of personal data during processing in accordance with Russian legislation. Appropriate standards of technological and operational security are applied to protect information provided by visitors from unauthorized access, disclosure, alteration, or destruction.

7.11. Personal data is stored on the Website for no more than 3 years from the date of the User’s last activity (successful authorization). If the data is deleted by either party’s initiative, the data is retained in the Administration's databases for no more than six months in accordance with Russian legislation.

7.12. After the above retention period expires, the User’s personal data is destroyed. Destruction is carried out using certified software that guarantees data erasure (as defined by the specified characteristics of certified data destruction tools).

7.13. The Operator does not process Users’ personal data in paper (physical) form.

8. Procedure for Collection, Storage, Transfer, and Other Types of Personal Data Processing

8.1. The security of personal data processed by the Operator is ensured by implementing legal, organizational, and technical measures necessary for full compliance with applicable legislation in the field of personal data protection.

8.2. The Operator ensures the security of personal data and takes all possible measures to prevent unauthorized access.

8.3. The User’s personal data will not be transferred to third parties, except in cases required by applicable legislation or if the personal data subject has given consent to the Operator to transfer the data to a third party for the fulfillment of civil law obligations.

8.4. If inaccuracies in personal data are identified, the User may update the data independently by sending a notification to the Operator’s email address (adv@iguides.ru) with the note "Update of personal data," or by using the Support chat available on the Website.

8.5. The duration of personal data processing is determined by the achievement of the purposes for which the personal data was collected, unless otherwise stipulated by contract or applicable legislation. The User may revoke their consent to personal data processing at any time by sending a notice to the Operator via email (adv@iguides.ru) with the note "Withdrawal of consent to personal data processing" or via the Support chat on the Website.

8.6. All information collected by third-party services, including payment systems, communication providers, and other service providers, is stored and processed by those parties (Operators) in accordance with their User Agreements and Privacy Policies. The data subject is responsible for familiarizing themselves with such documents. The Operator is not liable for the actions of such third parties.

8.7. When collecting personal data, including via telecommunications networks (Internet), the Operator ensures the recording, systematization, accumulation, storage, clarification (updating, modification), and retrieval of personal data of Russian citizens using databases located on the territory of the Russian Federation, except in cases specified in Article 18 of the Personal Data Law.

8.8. Prohibitions set by the personal data subject regarding the transfer (excluding access), as well as the processing or conditions for processing of personal data allowed for distribution, do not apply in cases of processing for governmental, public, or other public interests as defined by Russian legislation.

8.9. The Operator ensures the confidentiality of personal data during processing.

8.10. The Operator stores personal data in a form that allows the identification of the personal data subject for no longer than necessary for the processing purposes unless a longer retention period is required by federal law, a contract, or other legal grounds.

8.11. Grounds for terminating personal data processing may include achieving the purpose of processing, expiration of the consent period, withdrawal of consent, a request to stop processing, or identification of unlawful data processing.

9. Procedure for the Destruction and Blocking of Personal Data

9.1. If unlawful processing of personal data is discovered upon a User’s request, the Website Administration blocks the unlawfully processed personal data related to that User starting from the moment of the request and for the duration of the verification period.

9.2. If inaccurate personal data is discovered upon a User’s request, the Website Administration blocks the personal data related to that User starting from the moment of the request and for the duration of the verification period, unless such blocking violates the rights and legal interests of the User or third parties.

9.3. If the inaccuracy of personal data is confirmed, the Website Administration, based on the information provided by the User or other necessary documents, clarifies the personal data within seven (7) business days from the date such information is provided and removes the blocking of the data.

9.4. If unlawful processing of personal data by the Website Administration is confirmed, the Administration shall cease the unlawful processing within three (3) business days from the date such unlawful processing was identified.

9.5. If it is not possible to ensure the lawfulness of personal data processing, the Website Administration shall destroy such data within ten (10) business days from the date the unlawful processing was identified.

9.6. The Website Administration notifies the User of the correction of violations or the destruction of their personal data.

9.7. Upon achievement of the purpose of personal data processing, the Website Administration stops processing the personal data and destroys it within thirty (30) days from the date the purpose was achieved.

9.8. If a User submits a request to the Website Administration to stop processing personal data, the Administration shall stop processing such data within ten (10) business days from the date of receiving the request, unless otherwise stipulated by the Personal Data Law. This period may be extended by no more than five (5) business days if the Administration sends the User a reasoned notice indicating the reasons for the delay.

9.9. If it is not possible to destroy the personal data within the timeframes specified in clauses 9.4–9.8 of this Policy, the Website Administration shall block such personal data and ensure its destruction within a period not exceeding six (6) months, unless otherwise established by federal law.

9.10. After the expiration of the statutory retention period for documents containing the User’s personal data, or in the presence of other legal grounds, such documents are subject to destruction.

9.11. To that end, the Website Administration establishes an expert commission and conducts an expert evaluation of the value of documents.

9.12. Based on the results of the evaluation, documents containing the User’s personal data that are subject to destruction shall either be erased from information storage devices or the physical storage media themselves shall be destroyed.

10. List of Actions Performed by the Operator with Collected Personal Data

10.1. The Operator performs the following actions with personal data:

• Collection
• Recording
• Systematization
• Accumulation
• Storage
• Clarification (updating, modification)
• Retrieval
• Use
• Transfer (distribution, provision, access)
• Anonymization
• Blocking
• Deletion
• Destruction

10.2. The Operator carries out automated processing of personal data, including receiving and/or transferring the obtained data via information and telecommunication networks or without the use of such networks.

11. Confidentiality of Personal Data

11.1. The Operator and other persons who have gained access to personal data are obliged not to disclose or distribute such data to third parties without the consent of the personal data subject, unless otherwise provided by federal law.

12. Final Provisions

12.1. The User may obtain any clarifications on questions related to the processing of their personal data by contacting the Operator via email (adv@iguides.ru) or using the Support chat available on the Website.

12.2. The Website may contain links to websites and other informational resources of third parties on the Internet, placed solely for the User’s convenience. The Operator does not endorse or evaluate third-party sites, nor the information they contain, nor any potential outcomes of their use. The Operator does not verify the accuracy or relevance of such information. Responsibility for using third-party sites lies entirely with the User.

12.3. This Policy applies only to the Website’s services. The Operator does not control and is not responsible for third-party websites/services which the User may access via links available on the Website, including for any information about the User processed by third parties.

12.4. The User is independently responsible for the security (resistance to brute-force attacks) of the means they use to access their account, and must maintain their confidentiality. The User is responsible for all actions (and consequences) performed through or using the Website's services under their account, including any voluntary transfer of login credentials to third parties under any terms (including contracts or agreements). All actions performed using the User’s account are considered to have been performed by the User.

12.5. Individuals involved in the processing of personal data must comply with the Operator’s internal regulations related to confidentiality and security of personal data.

12.6. The Website is not intended for or specifically targeted at persons under the age of 18. The Policy does not provide for the intentional collection or storage of personal data of individuals under 18 years of age.