Policy on the processing of personal data TakeToken Limited LTD
Introduction
This document defines the personal data processing policy of TakeToken Limited LTD (hereinafter referred to as the “Company”).
The Company acts as a personal data operator in accordance with the legislation of the Russian Federation on personal data.
This Policy has been developed in accordance with the applicable legislation of the Russian Federation on personal data, including:
- Federal Law of the Russian Federation No. 152-FZ dated 27.07.2006 “On Personal Data” (hereinafter referred to as “152-FZ” or the “Personal Data Law”), which establishes the main principles and conditions of personal data processing, as well as the rights, obligations, and responsibilities of the parties involved in such processing;
- Resolution of the Government of the Russian Federation No. 1119 dated 01.11.2012 “On Approval of Requirements for the Protection of Personal Data during Their Processing in Personal Data Information Systems”;
- Resolution of the Government of the Russian Federation No. 687 dated 15.09.2008 “On Approval of the Regulation on Specific Features of Personal Data Processing Without the Use of Automation Tools”.
This Policy applies to all personal data that the Company may receive about the personal data subject during the use of any Company websites, applications, products, and/or services, as well as Company accounts on third-party websites, social networks, messengers, and applications.
This Policy covers any action (operation) or set of actions (operations) performed with or without the use of automation tools in relation to personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, usage, transfer (distribution, provision, access), anonymization, blocking, deletion, and destruction of personal data.
The use of any Company websites, applications, products, and/or services may be subject to additional terms that may amend and/or supplement this Policy and/or have special provisions regarding personal data, which are set out in the respective sections of the documentation for such websites, applications, products, and/or services.
This Policy is subject to review and, if necessary, update in the event of changes in the legislation of the Russian Federation on personal data.
The Policy may be amended by the Company at its sole discretion, including but not limited to cases when such changes result from changes in applicable law or changes in the operation of the Company’s websites, applications, products, and/or services.
Key Terms Used in This Policy
- Automated processing of personal data – processing of personal data using computer technology.
- Blocking of personal data – temporary suspension of personal data processing (except where processing is necessary to clarify personal data).
- Personal data information system – a set of personal data contained in databases and information technologies and technical means ensuring their processing.
- Anonymization of personal data – actions that make it impossible to determine the identity of a personal data subject without additional information.
- Processing of personal data – any action (operation) or set of actions performed with or without automation tools on personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, transfer (distribution, provision, access), anonymization, blocking, deletion, and destruction.
- Operator – a state or municipal authority, legal or natural person who organizes and/or carries out personal data processing independently or jointly with others, and determines the purposes and scope of personal data processing.
- Personal data – any information related directly or indirectly to an identified or identifiable natural person (personal data subject).
- Personal data made publicly available by the subject – personal data to which access is provided by the subject via consent in accordance with the Personal Data Law.
- User – an individual using the Company’s websites, applications, products, and/or services.
- Provision of personal data – actions aimed at disclosing personal data to a specific party.
- Dissemination of personal data – actions aimed at disclosing personal data to an indefinite circle of persons or providing access to personal data to an unlimited number of people.
- Cross-border transfer of personal data – transfer of personal data to a foreign country, foreign authority, or a foreign legal/natural person.
- Destruction of personal data – any actions resulting in the irreversible destruction of personal data, preventing restoration of its content.
Principles of Personal Data Processing
The processing of personal data is based on the following principles:
- Processing is carried out on a lawful and fair basis.
- Processing is limited to achieving specific, pre-defined, and lawful purposes.
- Processing of personal data that is incompatible with the purposes of data collection is not permitted.
- It is prohibited to merge databases containing personal data that are processed for incompatible purposes.
- The content and scope of the processed personal data must correspond to the declared purposes of processing. The data processed must not be excessive in relation to the stated purposes.
- Accuracy and sufficiency of personal data must be ensured during processing; data must be updated as necessary in relation to the declared purposes of processing.
- Personal data must be stored in a form that allows identifying the data subject no longer than required by the purposes of processing unless a longer retention period is established by federal law or contract involving the data subject.
- Personal data must be destroyed or anonymized upon achieving the purposes of processing or when the need to achieve these purposes no longer exists, unless otherwise provided by federal law.
Scope and Categories of Processed Personal Data and Categories of Data Subjects
The Company may collect the following categories of personal data about Users when they use the Company’s websites, applications, products, and/or services:
- Personal data provided during registration (account creation), such as full name, phone number, address, date of birth;
- Electronic data (HTTP headers, IP address, cookies, web beacons, pixel tags, browser identifier data, hardware and software information, Wi-Fi network data, International Mobile Equipment Identity – IMEI);
- Date and time of access to the Company’s websites, applications, products, and/or services;
- Information about User activity while using the Company’s websites, applications, products, and/or services (search history, purchase data, likes, as well as files and content stored in the Company’s personal data information systems);
- Other information about the User necessary for processing in accordance with the terms governing the use of specific Company websites, applications, products, and/or services.
The Company collects anonymized statistics on the use of its websites and mobile applications for the purpose of improving and developing them.
The Company does not process special categories of personal data related to race, ethnicity, political opinions, religious or philosophical beliefs, sexual life, or other sensitive categories.
Conditions for Personal Data Processing
The processing of personal data is carried out in compliance with the principles and rules established by the Federal Law “On Personal Data” (hereinafter also referred to as the “Personal Data Law”). Processing of personal data is performed in the following cases:
- When the data subject has given consent to the processing of their personal data;
- When the processing is necessary to achieve goals stipulated by international treaties or laws of the Russian Federation, or to perform functions, powers, and duties imposed on the operator by Russian law;
- When the processing is required for the execution of a contract to which the personal data subject is a party, beneficiary, or guarantor, or to conclude a contract at the initiative of the personal data subject;
- When the processing is necessary to protect the life, health, or other vital interests of the data subject, if obtaining their consent is not possible;
- When the processing is necessary to exercise the rights and legitimate interests of the operator or third parties, or to achieve socially significant objectives, provided this does not violate the rights and freedoms of the data subject;
- When the processing is carried out for statistical or research purposes, provided the personal data is anonymized (except for marketing via direct communication with potential consumers).
Company Obligations
In accordance with the requirements of the Federal Law “On Personal Data”, the Company is obligated to:
- Provide the data subject, upon request, with information regarding the processing of their personal data, or provide a lawful refusal within thirty days from the date of receiving the request from the data subject or their representative;
- Clarify, block, or delete personal data upon request of the data subject if the data is incomplete, outdated, inaccurate, unlawfully obtained, or unnecessary for the stated purpose of processing, within no more than seven working days from the date the data subject or their representative provides proof of such issues;
- Maintain a log of data subject requests, recording each request and the actions taken in response;
- Notify the data subject if personal data was obtained not from them, except in the following cases:
  - The data subject has been informed of the data processing by the Company;
  - The data was obtained by the Company in connection with the execution of a contract involving the data subject, or based on federal law;
  - The data was made publicly available by the data subject or obtained from public sources;
  - The Company processes personal data for statistical or research purposes without violating the data subject’s rights;
-