1. General provisions

This Personal Data Processing Policy is drafted in accordance with Federal Law of 27.07.2006 No. 152-FZ “On Personal Data” (the “Personal Data Law”) and defines the procedure for processing personal data and the security measures taken by Sole Proprietor Mark Kats (the “Operator”).

1.1.The Operator’s primary goal and condition for carrying out its activities is to respect human and civil rights and freedoms when processing personal data, including the right to privacy, personal and family secrets.

1.2.This Policy applies to all information the Operator may obtain about visitors to the website https://shd.xyz.su.

2. Key terms used in the Policy

2.1.Automated processing of personal data — processing using computer technology.

2.2.Blocking of personal data — temporary suspension of processing (except where processing is required to clarify personal data).

2.3.Website — a set of graphic and information materials, software and databases available on the Internet at https://shd.xyz.su.

2.4.Personal data information system — a set of personal data contained in databases and information technologies and technical means that ensure their processing.

2.5.Anonymization of personal data — actions as a result of which it is impossible, without additional information, to determine that the personal data belongs to a specific User or another data subject.

2.6.Processing of personal data — any action (operation) or set of actions performed with or without automation: collection, recording, systematization, accumulation, storage, updating (modification), retrieval, use, transfer (distribution, provision, access), anonymization, blocking, deletion, destruction of personal data.

2.7.Operator — a public authority, local authority, legal entity or individual who organizes and/or performs personal data processing and determines the purposes, scope, and operations performed on personal data.

2.8.Personal data — any information relating, directly or indirectly, to an identified or identifiable User of the website https://shd.xyz.su.

2.9.Personal data made public by the data subject — personal data to which an unlimited number of persons is granted access by the data subject by giving consent in accordance with the Personal Data Law.

2.10.User — any visitor of the website https://shd.xyz.su.

2.11.Provision of personal data — actions aimed at disclosing personal data to a specific person or a specific circle of persons.

2.12.Distribution of personal data — actions aimed at disclosing personal data to an unlimited number of persons or providing access to personal data in any way.

2.13.Cross-border transfer of personal data — transfer of personal data to the territory of a foreign state to its authorities, foreign individuals or legal entities.

2.14.Destruction of personal data — actions resulting in the irreversible destruction of personal data.

3. Operator’s rights and obligations

3.1.The Operator has the right to:

• receive reliable information and/or documents containing personal data from the data subject;
• continue processing upon withdrawal of consent where permitted by the Personal Data Law;
• independently determine measures sufficient to fulfill statutory obligations.

3.2.The Operator is obliged to:

• provide the data subject, upon request, with information regarding the processing of their personal data;
• organize processing as required by the laws of the Russian Federation;
• respond to requests from data subjects and their legal representatives;
• provide the competent supervisory authority with requested information within 10 days of receipt;
• publish or otherwise provide unrestricted access to this Policy;
• take legal, organizational, and technical measures to protect personal data;
• cease transfer/processing and destroy personal data in cases prescribed by law.

4. Data subjects’ rights and obligations

4.1.Data subjects have the right to:

• receive information regarding the processing of their personal data;
• request rectification, blocking, or destruction of personal data;
• require prior consent for processing for direct marketing;
• withdraw consent to processing;
• challenge unlawful actions/inaction of the Operator before the competent authority or in court.

4.2.Data subjects must provide accurate information about themselves and notify the Operator of updates.

4.3.Persons who provide inaccurate information about themselves or about another person without that person’s consent bear liability under Russian law.

5. Principles of personal data processing

5.1.Processing is carried out lawfully and fairly.

5.2.Processing is limited to achieving specific, predetermined, and lawful purposes.

5.3.Combining databases processed for incompatible purposes is not allowed.

5.4.Only data relevant to the purposes of processing is processed.

5.5.The content and volume of processed data correspond to the stated purposes; excess data is not allowed.

5.6.Accuracy, sufficiency, and, where necessary, relevance of personal data are ensured; measures are taken to delete or rectify incomplete or inaccurate data.

5.7.Data is stored no longer than required for processing purposes unless otherwise provided by law.

6. Purposes of personal data processing

• Purpose: to provide the User with access to services, information, and/or materials available on the website.
• Personal data: email address.
• Legal basis: Federal Law “On Information, Information Technologies and Information Protection” No. 149-FZ of 27.07.2006.
• Types of processing: collection, recording, systematization, accumulation, storage, destruction, and anonymization of personal data.

7. Conditions for personal data processing

7.1.Processing based on the data subject’s consent.

7.2.Processing necessary to achieve purposes set by international treaties or laws, or to exercise the Operator’s powers and duties.

7.3.Processing necessary for the administration of justice or enforcement of judicial or other acts.

7.4.Processing necessary for performance of a contract with the data subject or for entering into a contract at the data subject’s initiative.

7.5.Processing necessary for the legitimate interests of the Operator or third parties provided the rights and freedoms of the data subject are not infringed.

7.6.Processing of personal data made public by the data subject.

7.7.Processing of data required to be published or disclosed under federal law.

8. Collection, storage, transfer, and other processing

The security of personal data processed by the Operator is ensured through legal, organizational, and technical measures.

8.1.The Operator safeguards personal data and prevents unauthorized access.

8.2.Personal data is not transferred to third parties except as required by law or with the data subject’s consent for contract performance.

8.3.If inaccuracies are discovered, the User may update data by emailing info@xyz.su with the note “Personal data update”.

8.4.Retention lasts until the processing purposes are achieved unless otherwise provided by contract/law. The User may withdraw consent by emailing info@xyz.su with the note “Withdrawal of consent to personal data processing”.

8.5.Information collected by third-party services (payment systems, communications providers, etc.) is stored and processed by those parties under their terms and privacy policies. The Operator is not responsible for third-party actions.

8.6.Restrictions imposed by the data subject on the transfer/processing of personal data made public do not apply where processing is carried out in state, public, or other public interests defined by Russian law.

8.7.Confidentiality of personal data is ensured during processing.

8.8.Data is stored in a form that allows identification of the data subject no longer than required for processing purposes unless otherwise provided by law/contract.

8.9.Processing may cease due to: achievement of purposes, expiry/withdrawal of consent, demand to stop processing, or detection of unlawful processing.

9. List of actions performed with personal data

9.1.Collection, recording, systematization, accumulation, storage, rectification (updating, modification), retrieval, use, transfer (distribution, provision, access), anonymization, blocking, deletion, destruction of personal data.

9.2.Automated processing with or without transmission over communication networks.

10. Cross-border transfer of personal data

10.1.Before starting cross-border transfers, the Operator notifies the competent supervisory authority (a notice separate from the general processing notice).

10.2.Before sending the notice, the Operator obtains necessary information from foreign recipients.

11. Confidentiality of personal data

The Operator and other persons who have access to personal data must not disclose it to third parties without the data subject’s consent unless otherwise required by federal law.

12. Final provisions

12.1.Any questions regarding personal data processing: info@xyz.su.

12.2.Changes to this document will be reflected herein; the Policy is valid indefinitely until replaced by a new version.

12.3.The current version is publicly available at https://shd.xyz.su.