PRIVACY POLICY

Saint Petersburg, Russia

March 15th, 2021

This policy has been drawn up in accordance with Part 2 of Article 18.1 of the Federal Law No. 152-FZ «On Personal Data» dated 27.07.2006, and the Regulation of the European Parliament and the Council (EU) No. 2016/679 «On the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) dated April 27, 2016, as well as the California Consumer Privacy Act (CCPA) and defines the policy of private entrepreneur Ekaterina Mikhailovna Golubeva (hereinafter referred to as the Operator) regarding the processing of personal data and contains information about the requirements for the protection of personal data implemented by the Operator. This policy applies to all personal data processed through the Service which the Operator receives or can receive from the User. 

  1. GENERAL TERMS
    1. The following terms and definitions for the purposes of this policy have the following meanings:
      • «Personal data» is any information related to a directly or indirectly identified or identifiable natural person («personal data subject»); an identifiable natural person is a person who can be identified directly or indirectly, in particular, by reference to an identifier such as first name, last name, patronymic (if any), identification number, individual taxpayer number, SNILS (personal insurance policy number), bank details, year, month, date and place of birth, address, e-mail address, phone number, family, social, property status, education, profession, income, metadata that are transmitted to the Operator in the process of using the Service using the software installed on the User’s device (including data location, HTTP headers, IP address, cookie data, information about the User’s browser, technical characteristics of equipment and software used by the User, date and time of access to the Service, addresses of the requested pages of the Service and other similar information), one or several physical, physiological cultural, genetic, spiritual, economic, cultural factors or by referring to factors of social identity. For the purposes of this policy, personal data also includes information about the User, the processing of which is provided for by the Agreement governing the use of the Service. In accordance with the Decree of the President of the Russian Federation No. 188 dated March 6, 1997, personal data is classified as confidential information. The Operator collects only such personal data that is necessary for the execution of the Agreement.
      • «GDPR» is the Regulation of the European Parliament and the Council (EU) No. 2016/679 «On the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC» (General Data Protection Regulation) dated April 27, 2016.
      • «CCPA» is California Consumer Privacy Act.
      • «Operator», «Controller» is a private entrepreneur Ekaterina Mikhailovna Golubeva, OGRNIP (Primary State Registration Number of the Individual Entrepreneur) 318784700276751, INN (Tax identification number) 781438336415, with a registered office in Saint Petersburg, processing personal data, as well as determining the purpose of personal data processing, the content of personal data to be processed, actions (operations) performed with personal data. The Operator is the Controller within the GDPR meaning.
      • «User» is any natural person with full capacity to act (sui juris) (subject of personal data) including acting on behalf of and in the interests of a legal entity who may in the process of using the Service provide the Operator with the personal data, either independently or through a legal entity represented by him/her that has expressed consent with the terms and conditions set forth in the Agreement by signing it including electronically. In the context of this policy, the User also means persons whose personal data is processed by the Operator on behalf of the User contained in the Agreement. For minors under the age of 16, the Operator processes personal data solely based on the prior consent of the parents.
      • «Service», «Personal Data Information System» is a computer program which is a set of data, commands, and audiovisual displays generated by it, activated sequentially to obtain a certain result by the User provided for by the Game logic, without paying a fee or after paying a fee posted on the Internet on the website http://www.astradia.com and available for download through mobile application stores, i.e. Google Play, App Store and any others at the choice of the Administration.
      • «Agreement« is a license agreement/contract, transaction, user agreement, terms of use, terms of sale, or other agreement between the User and the Operator, governing the use of the Service and containing the User’s order to the Operator to process personal data.
      • «Processing of personal data», «Personal data processing» are actions (operations) with personal data, including collection, recording, systematisation, accumulation, storage, clarification (update, change), extraction, use, transfer (distribution, provision, access), depersonalisation, blocking, deletion, destruction.
      • «Processor» is a natural or legal person, public authority, agency, or other body that processes personal data on behalf of and at request of the Controller.
      • «Recipient» is a natural or legal person, government agency, authority, or other body to which personal data is disclosed, regardless of whether they are third parties or not. However, public authorities that may receive personal data as part of a specific investigation in accordance with EU law or the law of a member state are not considered recipients; the processing of such data by such public authorities must comply with the applicable data protection regulations depending on the purposes of the processing.
      • «Third party» is a natural or legal person, government body, agency, or other body other than the data subject, controller, processor, as well as persons authorised to process personal data under the direct supervision of the controller or processor.
      • «Automated processing of personal data» is the processing of personal data using computer technology.
      • «Non-automated processing of personal data», «Processing of personal data without the use of automation» is the processing of personal data contained in the personal data information system or extracted from such a system in cases when such actions are with personal data as the use, refinement, dissemination, destruction of personal data in relation to each of the personal data subjects is performed with the direct participation of a person.
      • «Distribution of personal data» are actions aimed at the disclosure of personal data to an indefinite circle of persons.
      • «Provision of personal data» are actions aimed at transferring personal data to a specific person or a specific circle of persons.
      • «Blocking of personal data» is a temporary termination of the processing of personal data (unless the processing is necessary to clarify personal data).
      • «Destruction of personal data» are actions as a result of which it is impossible to restore the content of personal data in the personal data information system and (or) as a result of which material carriers of personal data are destroyed.
      • «Anonymization of personal data» are actions as a result of which it is impossible to determine whether personal data belongs to a specific owner without using additional information. Within the meanings of the GDPR it’s called «pseudonymisation».
      • «Use of personal data» are actions (operations) with personal data committed for the purpose of making decisions, transactions, or other actions that give rise to legal consequences related to the subjects of personal data or otherwise affect their rights and freedoms or the rights and freedoms of others persons.
      • «Sale of personal data» are actions as a result of which information and databases with personal data of persons are transferred from the operator to third parties by completing a transaction.
      • «Publicly available personal data» is personal data access to an unlimited circle of persons to which is granted with the consent of the subject or to which, in accordance with federal laws, the requirement of confidentiality does not apply.
      • «Confidentiality of personal data» is a requirement upon a person who has access to personal data not to allow its distribution without the consent of the subject or other legal basis.
      • «Statistics» is information about the use of the Service, as well as the viewing by the Users of individual elements of the Service (web pages, frames, content, etc.), collected using Counters, cookies, beacons, and other similar technologies.
      • «Cookies», «cookie» is a small piece of data sent by the web server and stored on the User’s device. Cookies contain small pieces of text and are used to store information about how browsers work. They allow you to store and receive identification information and other information on computers, smartphones, phones, and other devices. Cookie specifications are described in RFC 2109 and RFC 2965. Other technologies are used for the same purposes, including data stored by browsers or devices, identifiers associated with devices, and other software. In this policy, all of these technologies are referred to as «cookies».
      • «Web beacons» are images in electronic form (single-pixel (1×1) or empty GIF images). Web beacons can help the Operator recognise certain types of information on the User’s device, for example, cookies, the time and date of viewing the page, and the description of the page where the web beacon is located.
      • «Counter» is part of the Service, a computer program that uses a piece of code that is responsible for analysing cookies, collecting statistical and personal data of Users. Personal data is collected in anonymised form.
      • «IP-address» is a number from the numbering resource of a data network built based on the IP protocol (RFC 791) which uniquely identifies a terminal (computer, smartphone, tablet, other device) when providing telematic communication services, including Internet access, other device or means of communication included in the information system and owned by the User.
      • «HTTP header» is a row in the HTTP message that contains a colon-separated name-value pair. The HTTP header format follows the common ARPA network text message header format described in RFC 822.
      • «Token» is a unique set of characters that identifies the User in accounts of third-party web services. The token allows an authorised connection to the Service using authorisation through third-party web services (for example, Microsoft Authenticator, Google Authorisation, social networks, Google Play, Apple AppStore etc.).
    2. All other terms and definitions found in the text of this policy are interpreted by the Parties in accordance with applicable law, current recommendations (RFC) of international standardisation bodies on the Internet, and the usual rules for the interpretation of relevant terms on the Internet.
    3. Terms and definitions used in this Agreement can be used both in the singular and in the plural, depending on the context, the terms can be spelled both in uppercase and lowercase letters.
    4. The names of the headings (articles), as well as the design of this document, are intended only for the convenience of using the text of the Agreement and have no literal legal value.
    5. This policy has been developed in accordance with the Constitution of the Russian Federation, the Civil Code of the Russian Federation, Federal Law No. 149-FZ «On Information, Information Technologies and Information Protection» dated July 27, 2006, Federal Law No. 152-FZ «On Personal data” dated July 27, 2006, and other federal laws. For Users located in the European Union, this policy also takes into account the mandatory requirements of the Regulation of the European Parliament and of the Council (EU) No. 2016/679 » On the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)” dated April 27, 2016, (GDPR), as well as the California Consumer Privacy Act (CCRA).
    6. This policy defines the procedure and conditions for the processing of personal data by the Operator, including the procedure for transferring personal data to third parties, the features of manual processing of personal data, the procedure for accessing personal data, the system for protecting personal data, the procedure for organizing internal control and liability for violations in the processing of personal data, and also other issues.
    7. This policy takes effect from the moment it is approved by the Operator and is valid indefinitely until it is replaced with a new policy.
    8. The Operator has the right to make changes to this policy without the consent of the User. All changes to the policy are made by the regulatory act of the Operator.
    9. This policy applies to all stages of the personal data processing performed using the Service without using automation tools. The Operator does not control and is not responsible for websites owned by third parties which the User can access by clicking on the links posted on the Service.
  2. LEGAL GROUNDS FOR PERSONAL DATA PROCESSING
    1. The Operator’s processing of the User’s personal data is guided by the following documents:
      • — The Constitution of the Russian Federation;
      • — Civil Code of the Russian Federation;
      • — Tax Code of the Russian Federation;
      • — Federal Law No. 152-FZ «On Personal Data» dated July 27, 2006;
      • — Federal Law No. 149-FZ «On Information, Information Technologies and Information Protection» dated July 27, 2006;
      • — Law of the Russian Federation No. 2300-1 «On Protection of Consumer Rights» dated February 7, 1992;
      • — Decree of the Government of the Russian Federation No. 1025 «On approval of the Rules of consumer services for the population in the Russian Federation» dated August 15, 1997;
      • — Decree of the Goskomstat of the Russian Federation No. 1 “On approval of unified forms of primary accounting documentation for labor accounting and remuneration” dated January 5, 2004;
      • — Decree of the Government of the Russian Federation No. 687 «On approval of the regulation on the specifics of personal data processing carried out without the use of automation tools» dated September 15, 2008;
      • — Decree of the Government of the Russian Federation No. 1119 «On approval of requirements for the protection of personal data during its processing in personal data information systems» dated November 1, 2012;
      • — Order of the FSTEC of Russia (Federal Service for Technical and Export Control) No. 21 «On approval of the composition and content of organizational and technical measures to ensure the security of personal data during its processing in personal data information systems» dated February 18, 2013;
      • — Order of the FSB of Russia (Federal Security Service) No. 378 «On approval of the composition and content of organizational and technical measures to ensure the security of personal data during its processing in information systems of personal data using cryptographic information protection tools necessary to fulfill the requirements established by the Government of the Russian Federation for the protection of personal data. data for each of the security levels» dated July 10, 2014;
      • — Regulation of the European Parliament and the Council (EU) No. 2016/679 «On the protection of natural persons regarding processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
      • — California Consumer Privacy Act (CCPA);
      • — other laws, statutes, codes, rules, regulations, and requirements established in the field of the Operator’s activities.
    2. The User’s personal data is processed on the basis and in pursuance of the Agreement governing the use of the Service, and other transactions, agreements, or contracts concluded between the User and the Operator or based on the User’s separate consent to such processing.
    3. The User’s personal data is processed by the Operator only if the User reached the age of 16. In case the User is under 16 years old, then the obligatory consent of the legal representatives of the User is required, otherwise the Operator upon detecting a discrepancy in age with the required one shall remove the User from the Service.
  3. PURPOSES FOR COLLECTION OF THE PERSONAL DATA
    1. The Operator processes only the personal data necessary for using the Service or executing transactions, agreements, and contracts with the User, except for cases when the legal norms of the Russian Federation, the European Union, or the United States of America provide for the mandatory storage of personal information for a period specified by law.
    2. When processing personal data, the Operator does not combine databases containing personal data which is to be processed for incompatible purposes.
    3. The Operator processes the personal data of the User for the following purposes:
      • — using personal data of Users who are physical persons using the Service for the purpose of concluding and executing the Agreement or any other transaction with the Operator;
      • — using personal data of Users for the purpose of proper operation of the Service in accordance with the expectations of Users in particular for correct identification of Users and exchange of their geodata between them;
      • — placing customised advertising and/or other information in any section of the Service and interrupting the use of the Service with advertising information;
      • — conducting statistical and other studies of the use of the Service based on anonymised data;
      • — conducting marketing programs, various offers, promotions, and advertising events related to the Service;
      • — compliance with the mandatory requirements of the legislation of the Russian Federation, the European Union, or the United States of America.
  4. VOLUME AND CATEGORIES OF PERSONAL DATA BEING PROCESSED, CATEGORIES OF PERSONAL DATA OWNERS
    1. The Operator can receive the User’s personal data from various sources, in particular:
      • — from the Service or the Operator’s website in the course of their operation;
      • — when the User contacts the technical support of the Service;
      • — as part of the User’s participation in marketing programs, various offers, promotions, and advertising activities of the Operator related to the Service.
    2. The Operator processes personal data necessary for the execution of the Agreement or another transaction with the User.
    3. Personal data allowed to be processed in accordance with this policy and provided by Users who are physical persons using the Service by filling in the appropriate input fields when using the Service may include the following information: 
      • — token;
    4. Personal data processed in accordance with this policy and automatically transferred to the Operator in the process of using the Service including the software installed on the User’s device may include the following information: 
      • — HTTP headers;
      • — IP address of the device;
      • — cookie data;
      • — data collected by counters;
      • — data collected by web beacons;
      • — information about the browser;
      • — technical specifications of the device and software;
      • — technical data on the operation of the Service, including the dates and times of use and access to the Service;
      • — addresses of requested pages of the Service website;
      • — geolocation data.
    5. In accordance with this policy, the Operator processes the personal data of persons belonging to the following categories of personal data owners:
      • — physical persons using the Service in accordance with the Agreement on its use.
    6. Certain categories of personal data of Users using the Service both on their own behalf and on behalf of an individual they represent are processed with the following features:
      • User’s contact information (last name, first name, and patronymic/middle name, gender, date of birth, city, country, cell phone number, email address, messenger identifiers, token). A number of data is used to identify the User in the Service and on the Operator’s website including when the User contacts technical support. Email addresses and phone numbers can be used to send messages to Users (for example, about security or messages with important warnings). Users can also provide names (or nicknames) to be used in emails to the Operator.
      • Information about the User’s use of the Service including date and time of access to the Service. Such information is processed in order to study the activity of the Service and its interaction with the User, in particular how long it took for the Service to perform a particular operation at the request of the User, what functions are used by the Users more often than others. Such information helps the Operator to improve the Service, increase its performance, and make it more convenient to use.
      • Technical characteristics of the User’s device including its IP address, and its software. Information such as the type of device, operating system, IP address, method of connecting to the network, etc., may be needed in order for the Operator to be able to take into account the specifics of the operation of the Service on various devices, in various networks and ensure its compatibility with third-party software security.
      • Data collected by counters and cookie data. The processing of this data helps the Operator to study the activity of the Service and its website using third-party software tools, determine the number of downloads, installations, deletions of the Service from the User’s device, the sources of transition to the download page. Such information helps the Operator to better understand the behaviour of Users and improve the distribution channels of the Service.
      • Information about the approximate location of the User including received from the Service running in the background on the device. Both in the active state and in the background the Service can collect data about the User’s location provided to him by the User’s device hardware for the purposes of marketing and statistical research of the User’s use of the Service.
  5. TERMS AND PROCEDURES OF PERSONAL DATA PROCESSING
    1. The Operator has the right to process the personal data of the User without notice to the authorised body for the protection of the rights of personal data subjects in accordance with Part 2 of Article 22 (Clauses 2 and 8) of the Federal Law «On Personal Data».
    2. The Operator processes the User’s personal data using the personal data information system without using automation tools in accordance with the laws, statutes, codes, rules, regulations, and requirements of the Russian Federation that establish requirements for ensuring the security of personal data during its processing and for observing the rights of personal data subjects. Such actions with personal data as the use, refinement, distribution, destruction of personal data of the User are performed with the direct participation of the Operator’s employees in accordance with the features approved by the Decree No. 687 of the Government of the Russian Federation dated September 15, 2008. 
    3. The Operator processes and stores the User’s personal data for a period determined in accordance with the Agreement on the use of the Service, or about which the Operator informed the User upon receipt of the User’s consent to the processing of the personal data in another way (in a check-box, an SMS message, in email, etc.).
    4. Concerning the personal data of the User, its confidentiality is maintained, except for cases when the User voluntarily provides information about himself/herself for general access to an unlimited circle of persons.
    5. The Operator has the right to transfer the User’s personal data to third parties using modern methods of connection encryption via the secure HTTPS protocol in the following cases: 
      • — the User has requested such a transfer from the Operator;
      • — there is the User’s consent to such actions;
      • — the transfer is necessary for the User in order to use certain functions of the Service (for example, for authorisation through accounts on social networks) or for the execution of a certain agreement, contract, or transaction with the User;
      • — the transfer is provided for by the legislation of the Russian Federation or other legal norms as part of the procedure established by laws, statutes, codes, rules, regulations, and requirements;
      • — in the event of a transfer of rights to the Service, it is necessary to transfer personal data to the acquirer simultaneously with the transfer of all obligations to comply with the terms of this policy in relation to the received personal data received;
      • — to ensure the protection of the rights and legitimate interests of the Operator or third parties when the User violates this policy or the Agreement on the use of the Service;
      • — in other cases provided for by laws, statutes, codes, rules, regulations, and requirements.
    6. The Processors can be:
      •  — website hosting provider; 
      • — operator of an electronic platform distributing a mobile application; 
      • — other persons entrusted with the processing of personal data on behalf of the Operator.
    7. In the event personal data of a User located in the EU is leaked, the Operator without undue delay and if possible no later than 72 hours after he/she becomes aware of this, notifies the competent supervisory EU authority about the leak of personal data, except in cases when this leak of personal data is unlikely to turn into risks for the rights and freedoms of individuals. 
    8. The Operator shall take the necessary organisational and technical measures in order to protect the User’s personal data from unauthorised or accidental access, destruction, modification, blocking, copying, distribution, as well as from other illegal actions of third parties. In particular, all processed data is transferred using modern methods of connection encryption via the secure HTTPS protocol.
    9. In case a violation of personal data protection can create a high degree of risk for the rights and freedoms of individuals, the Operator notifies the User about the leakage of personal data without unreasonable delay. A communication to the data subject is not required if any of the following conditions are met: (a) The Operator has taken appropriate technical and organisational protective measures to personal data affected by the leak, including measures that display personal data in an incomprehensible form for any person who does not have the right to access it, including cryptographic protection; (b) the Operator has taken subsequent measures to ensure that the high risk to the rights and freedoms of data subjects is no longer able to get realised; (c) a disproportionate effort is required. In this case, instead, a communication is made to the public or a similar measure is taken by which the data subjects are equally informed.
    10. The Operator shall take the necessary organisational and technical measures to protect the User’s personal data from unauthorised or accidental access, destruction, alteration, blocking, copying, distribution, as well as from other unlawful actions of third parties.
    11. The Operator together with the User takes all necessary measures to prevent losses or other negative consequences caused by the loss or unauthorised disclosure of the User’s personal data.
    12. The Operator has the right to transfer personal data to the bodies of inquiry and investigation, other authorised bodies on the grounds stipulated by laws, statutes, codes, rules, regulations, and requirements.
    13. When collecting personal data, the Operator records, systematises, accumulates, stores, clarifies (updates, changes), extracts personal data of Users who are citizens of the Russian Federation using databases located on the territory of the Russian Federation.
    14. The Operator stops processing the personal data of the Users (which is processed with their consent) upon expiration of the User’s consent to the processing or upon withdrawal of the User’s consent to the processing of the personal data, as well as in the event of unlawful processing of personal data or the liquidation of the Operator.
  6. ACCESS TO PERSONAL DATA
    1. The right to access the personal data of the User is reserved only to the Operator’s and/or the Processor’s employees who are allowed by their work duties to work with the User’s personal data based on a list of persons authorised to work with personal data which is approved by the Operator and/or the Processor. 
    2. The list of employees who have access to personal data shall be maintained by the Operator and/or the Processor in an up-to-date state.
    3. Access to the personal data of the User by third parties who are not employees of the Operator and/or the Processor is prohibited without the consent of the User, except for cases established by laws, statutes, codes, rules, regulations, and requirements.
    4. The access of the Operator’s and/or the Processor’s employee to the personal data of the User ceases from the date of termination of the employment relationship or from the date the employee loses the right to access the personal data of the User in connection with changed job duties, position or other circumstances in accordance with the procedure established by the Operator and/or the Processor. In the event of termination of employment, all media with the User’s personal data that were at the disposal of the dismissed employee of the Operator and/or the Processor are transferred to a higher-ranking employee in the manner established by the Operator and/or the Processor.
  7. UPDATE, CORRECTION, DELETION, AND DESTRUCTION OF PERSONAL DATA
    1. The User may at any time change, update, supplement, or delete the personal data provided to them or part thereof using the Service interface.
    2. If the Operator independently identifies that the User’s personal data is incomplete or inaccurate, the Operator shall take all possible measures to update personal data and make appropriate corrections.
    3. If it is impossible to update incomplete or inaccurate personal data of the User, the Operator takes measures to delete it.
    4. If it is becomes known that the processing of the User’s personal data is unlawful, the processing by the Operator shall stop and the personal data shall be deleted.
    5. If the Service interface is inoperative or the Service does not have a function for changing, updating, supplementing, or deleting the personal data by the User, as well as in any other cases, the User has the right to demand in writing from the Operator the clarification of his/her personal data, its blocking or destruction if personal data is incomplete, outdated, inaccurate, illegally obtained or is not necessary for the stated processing purpose.
    6. The Operator makes the necessary changes to the personal data that are incomplete, inaccurate, or irrelevant in a period not exceeding seven business days from the date the User provides information confirming that the personal data is incomplete, inaccurate, or outdated. 
    7. The Operator destroys the User’s personal data illegally obtained or not necessary for the stated processing purpose within a period not exceeding seven business days from the date the User submits information confirming that such personal data is illegally obtained or is not necessary for the stated processing purpose.
    8. The Operator notifies the User of the changes made and measures taken and takes reasonable measures to notify third parties to whom the personal data of this User was transferred.
    9. User’s rights to change, update, supplement, or delete personal data may be limited in accordance with the requirements of laws, statutes, codes, rules, regulations, and requirements. Such restrictions, in particular, may provide for the Operator’s obligation to save personal data changed, updated, supplemented, or deleted by the User for a period specified by laws, statutes, codes, rules, regulations, and requirements and to transfer such personal data in accordance with the established procedure to state authorities.
  8. RESPONSES TO USER’S REQUESTS FOR ACCESS TO PERSONAL DATA AND ITS DELETION
    1. The User has the right to receive information from the Operator regarding the processing of his/her personal data, including:
      1. onfirmation of the fact that personal data is processed by the Operator;
      2. legal grounds and purposes for processing personal data;
      3. methods of processing personal data used by the Operator;
      4. the name and location of the Operator, information about persons (except for the employees of the Operator) who have access to personal data or to whom personal data may be disclosed based on an agreement with the Operator or based on laws, statutes, codes, rules, regulations, and requirements;
      5. processed personal data related to the respective User, the source of its receipt, unless otherwise provided for by laws, statutes, codes, rules, regulations, and requirements;
      6. terms for processing personal data, including periods for its storage;
      7. the procedure for the User to exercise the rights provided for by applicable laws, statutes, codes, rules, regulations, and requirements in the field of personal data;
      8. information on completed or suspected cross-border data transfer;
      9. name or surname, name, middle name, and address of the person who processes personal data on behalf of the Operator, if the processing is or will be entrusted to such a person;
      10. other information provided by laws, statutes, codes, rules, regulations, and requirements. 
    2. The Operator provides free of charge the opportunity to familiarise yourself with the personal data processed and stored in the Operator’s information system within thirty calendar days from the date of receipt of a written request from the User.
    3. In case the Operator refuses to provide information on the availability of personal data about the User or personal data to the User upon his/her request or upon receipt of a request from the User, the Operator shall provide in writing a reasoned response, which is the basis for such a refusal, within a period not exceeding thirty calendar days from the date of receipt of the User’s request.
    4. The Operator provides an opportunity to send a request for deletion of personal data (information about which was received by the User) by sending a request to the email address privacy@astradia.com (for Users from the Russian Federation and the rest of the world) or privacyEU@astradia.com (for Users from the EU). 
    5. If the User sends a request, in accordance with clause 8.4, the Operator shall delete his/her personal data within thirty calendar days from the receipt of such a written request from the User. 
  9. INFORMATION ON THE REQUIREMENTS FOR THE PROTECTION OF PERSONAL DATA AND THEIR IMPLEMENTATION
    1. The security of personal data during its processing in the information system is ensured by a personal data protection system that neutralises current threats defined in accordance with part 5 of article 19 of the Federal Law «On Personal Data».
    2. The personal data protection system used by the Operator includes legal, organisational, technical, and other measures to ensure the security of personal data, defined taking into account current threats to the security of personal data and information technologies used in information systems.
    3. With regard to personal data (which the User has given consent to being processed by third parties) the Operator based on an agreement has the right to attract another person ensuring the security of such personal data when being processing in the information system. At the same time, all processed data is transmitted using modern methods of connection encryption through the secure HTTPS protocol. 
    4. When processing personal data in the information system, the Operator ensures:
      1. taking measures aimed at preventing unauthorised access to the personal data of the User and/or transferring them to persons who do not have the right to access such information;
      2. timely detection of unauthorised access to personal data;
      3. avoidance of impact on technical means involved in the processing of personal data, as a result of which their functioning may be impaired;
      4. ability to immediately restore personal data modified or destroyed due to unauthorised access to it;
      5. continuous monitoring of the security level of personal data.
    5. In order to comply with security requirements and implement a personal data security system, the Operator has developed a private model of security threats to the personal data information system.
    6. In accordance with the Decree of the Government of the Russian Federation No. 1119 «On approval of requirements for the protection of personal data when processed in personal data information systems» dated November 1, 2012, the Operator has determined the level of protection of personal data when processing it in the personal data information system owned by the Operator.
    7. The Operator drew up an act determining the level of protection of personal data during the processing in the personal data information system.
    8. Based on the level of personal data security determined by the Operator when processing it in the personal data information system without using automation, the Operator developed and implemented a set of measures to protect and ensure the security of personal data.
    9. The Operator uses hardware and software for processing and protecting personal data, and also maintains a register of personal data protection means.
    10. The Operator keeps a journal of accounting and storage of removable storage media containing personal data.
    11. Technical means ensuring the functioning of the personal data information system are located in premises owned by the Operator based on ownership or other property rights (rent, use, etc.).
    12. All employees of the Operator authorised to work with personal data, as well as those associated with the operation and maintenance of the personal data information system, are familiar with the requirements of this policy, as well as with the Operator’s internal documents regulating the procedure for working with personal data.
    13. The Operator has organised the process of training employees in the use of personal data protection equipment managed by the Operator. The training is held by employees with constant access to personal data, and employees associated with the operation and maintenance of the personal data information system and personal data protection facilities.
    14. The internal documents of the Operator established that employees must immediately inform the appropriate official of the Operator about the loss, damage, or shortage of information carriers containing personal data, as well as about attempts to unauthorised disclosure of personal data, its reasons, and conditions.
  10. Consent to personal data processing 
    1. The User decides to provide his/her personal data and agrees to its processing freely, voluntarily, of his/her own free will, and in his/her interest.
    2. Consent to the processing of personal data provided by the User is specific, informed, and conscious. 
    3. In case the User’s personal data is processed on the basis and in pursuance of the Agreement governing the use of the Service, and other transactions, agreements or contracts concluded between the User and the Operator using the Service, such processing of the User’s personal data is carried out based on clause 5 of part 1 of Article 6 of the Federal of the Personal Data Law, subparagraph (b) of paragraph 1 of Article 6 GDPR and does not require separate consent.
    4. In case the User’s personal data is processed based on a separate consent to such processing, expressed directly when using the Service by clicking on the appropriate button, by ticking the indicator of the corresponding check-box, sending an SMS message or email, such consent to the processing of personal data is provided by the User in the form of an electronic document signed with a simple electronic signature in accordance with the Agreement governing the use of the Service.
    5. Consent to the processing of personal data may be revoked by the User following the procedure established by laws, statutes, codes, rules, regulations, and requirements.
  11. FINAL PROVISION
    1. If the User starts using the Service it means his/her acceptance of the terms of this policy. If the User disagrees with the terms of this policy, he/she should immediately stop using the Service.
    2. The law of the Russian Federation shall apply to this policy and the relationship between the User and the Operator arising out of and in connection to this policy. GDPR shall also apply to Users located in the European Union. CCPA shall apply to Users located in California (USA).
    3. This policy is always publicly available at the following link: http://astradia.com/privacy-policy/
    4. The User can send all suggestions or questions regarding this policy to the Operator’s customer support service by sending an electronic message to the following email address: privacy@astradia.com. Е-mail address for Users located in the European Union is the following: privacyEU@astradia.com
  12. DETAILS
    • Private entrepreneur Ekaterina Mikhailovna Golubeva, OGRNIP (Primary State Registration Number of the Individual Entrepreneur) 318784700276751, INN (Tax identification number) 781438336415
    • Registered office address: Saint Petersburg