PRIVACY POLICY

General Provisions

This Privacy Policy has been drafted in compliance with the Russian Federal Law No. 152-FZ of July 27, 2006 “On Personal Data” (hereinafter referred to as the “Personal Data Law”) to lay down the procedure for processing personal data, as well as measures to ensure the security of personal data adopted by OOO Nauchnye Razvlechenia (hereinafter referred to as the “Data Controller”).

The Data Controller sets it as its primary goal and a defining priority for the company’s activities to protect human and civil rights and freedoms in the processing of personal data, including the right to privacy, as well as the right to personal and family secrets.

This Privacy Policy (hereinafter referred to as the “Policy”) shall apply to all personal data that the Controller may obtain from users of the company’s software (hereinafter referred to as the “Software”).

Key Terms and Definitions

“Automated processing of personal data” means the processing of personal information using computer technology.

“Blocking of personal data” is a temporary suspension of any processing of personal information (except for cases where processing is necessary to rectify inaccurate personal data).

“Software” is the “サイエンスワールド” software.

“Personal data information system” is a set of personal data stored in databases, and the information technology and technical means used for their processing.

“Anonymization of personal data” is the process of removing personal identities, making it impossible to attribute, without additional information, personal data to a specific user or another data subject.

“Processing of personal data” means any action (operation) or a set of actions (operations) performed on personal data, with or without the use of automation tools, including: collection, recording, organization, accumulation, storage, rectification (updating, altering), extraction, use, transfer (dissemination or provision of access to), anonymization, blocking, deletion, and destruction of personal data.

“Data controller” is a state or municipal body, a legal or natural person that organizes and/or performs the processing of personal data, independently or jointly with other persons, as well as determines the purposes of such processing, the content of personal data to be processed, and the set of actions (operations) to be performed on personal data.

“Personal data” means any persontified or identifiable user of the “サイエンスワールド” software.

“Publicly disseminated personal data” means personal data allowed as public by the data subject with his/her consent to the processing of his/her personal data, permitted by the data subject for dissemination in the manner prescribed by the Personal Data Law (hereinafter referred to as “Publicly disseminated personal data”).

“User” is any person using the “サイエンスワールド” software.

“Provision of access to personal data” means actions aimed at disclosing personal data to a specific person or group of persons.

“Dissemination of personal data” means any actions aimed at disclosing personal data to the general public (the transfer of personal data), or making personal data available to the general public, including publishing personal data in mass media, posting them on information and social networks, or providing public access to personal data in any other way.

“Trans-border transfer of personal data” is the transfer of personal data to a foreign country, to either a state body or a natural or legal person.

“Destruction of personal data” means any actions resulting in the permanent and irreversible deletion of personal data from the personal data information system and/or physical destruction of personal data storage devices.

Data Controller’s Rights and Obligations

The Data Controller has the right to:

obtain accurate personal data and/or documents containing accurate personal data from the data subject;

if the data subject withdraws consent to data processing, the Controller may continue processing his/her personal data without such consent if they can demonstrate compelling legitimate grounds for doing so, specified in the Personal Data Law;

independently determine the number and scope of measures tulfillment of obligations stipulated in the Personal Data Law and corresponding regulatory acts, unless otherwise provided by the Personal Data Law or other federal laws.

The Data Controller is obligated to:

provide the data subject, upon his/her request, with information regarding the processing of his/her personal data;

process personal data in compliance with the procedure established by existing Russian law;

respond to requests and inquiries from the data subject and his/her legal representatives in compliance with the Personal Data Law;

provide to the authorized body for the protection of data subjects’ rights, at this body’s request, the information it requires within 30 days of receipt of such request;

publish or otherwise provide unrestricted access to this Privacy Policy;

take appropriate legal, organizational and technical measures to protect persotion, alteration, blocking, copying, provision of access to, dissemination, or any other unlawful actions;

cease the transfer (dissemination or provision of access to) of personal data, or cease processing and destroy personal data, in the cases and manner prescribed by the Personal Data Law;

fulfill other obligations stipulated by the Personal Data Law.

Data Subject’s Rights and Obligations

4.1. Data subjects have the right to: obtain information regarding the processing of their personal data, except in cases provided for by federal law. The information shall be provided in accessible language and shall not contain personal data relating to other data subjects, except when there are legal grounds for disclosing such personal data. The list of data and the procedure for obtaining them are established by the Personal Data Law;

ask the Controller to rectify, block or destroy their personal data if the personal data are incomplete, outdated, inaccurate, unlawfully obtained, or not necessary for the stated purpose of processing; and take measures provided for by law to protect their rights;

require informed prior consent when their personal data are processed to market goods, works, or services;

withdraw consent to the processing of personal data;

appeal to the authorized body for the protection of data subjects’ rights or to the court against unlawful actions or omissions by the Controller in the processing of their personal data;

exercise other rights provided for by Russian law.
4.2. Data subjects are obligated to: provide the Controller with accurate personal data;

notify the Controller when their personal data need to be rectified, updated or changed.
4.3. Individuals who have provided the Controller with false personal data or personal data of another data subject without the latter’s consent shall be liable under Russian law.

The Controller may process the following personal data of the users:

5.1. Full name;
5.2. Phone number;
5.3. Email address;
5.4. Shipping address (if applicable).
5.5. The above data are collectively referred to, hereinafter in the Policy, as Personal Data.
5.6. The Controller doesn’t process special categories of personal data relating to racial or ethnic origin, political views, religious or philosophical beliefs, or intimate life.
5.7. The Controller may process publicly disseminated personal data from the special categories of personal data specified in Article 10 of the Personal Data Law, provided that the prohibitions and terms set forth in Article 10.1 of the Personal Data Law are met and complied with.
5.8. The User’s consent to the processing of publicly disseminated personal data shall be executed separately from any other consents to the processing of his/her personal data. In this case, the terms shall be those set out, in particular, in Article 10.10 of the Personal Data Law. The requirements for the content of such consent are established by the authorized body for the protection of data subjects’ rights.
5.9. The Controller shall obtain the consent to the processing of publicly disseminated personal data from the User directly.
5.9.1. The Controller has an obligation to publish, within three working days of receipt of the said User’s consent, the information on the terms of and prohibitions on the processing of publicly disseminated personal data.
5.9.2. The transfer (dissemination or provision of access to) of publicly disseminated personal data may be terminated at any time at the data subject’s request. Such request shall include the data subject’s full name and contact information (phone number, email or postal address), as well as a list of personal data whose processing is to be terminated. The personal data in this request may be processed only by the Controller to whom the request is directed.
5.9.3. The consent to the processing of publicly disseminated personal data shall terminate upon receipt by the Controller of the request specified in clause 5.9.2. of this Privacy Policy in compliance with the Personal Data Law.

Principles of Personal Data Processing

6.1. Personal data shall be processed lawfully and fairly.
6.2. Personal data shall only be processed for specific, explicit, and lawful purposes, and may not be processed further in any manner incompatible with those purposes.
6.3. Databases containing personal data that are processed for purposes that are incompatible with each other shall not be merged.
6.4. Only personal data that are necessary for each specific purpose of processing shall be processed.
6.5. The scope and amount of personal data undergoing processing shall be consistent with and limited to the stated purpose of processing.
6.6. Personal data undergoing processing shall be accurate, complete, and, where necessary, kept up to date. The Controller shall take every reasonable step and/or make the necessary arrangements to ensure that personal data that are inaccurate or incomplete are deleted or rectified.
6.7. Personal data shall be kept in a form that permits identification of data subjects, for no longer than is necessary for the purposes for which the personal data are processed, unless another retention period is provided for by federal law or a contract to which the data subject is a party, or under which the data subject is a beneficiary or guarantor. Personal data undergoing processing shall be deleted or anonymized once the purposes of processing have been achieved or become irrelevant, unless otherwise provided by federal law.

Purposes of Personal Data Processing

7.1. The purposes of personal data processing include: informing users by sending them emails;

concluding, executing or terminating civil law contracts;

providing users with access to services, information and/or materials contained in the Software;

analyzing user data (Software users) in order to generate statistical data.
7.2. For each specific purpose of processing there are defined: personal data category – publicly available data, listed in clauses 5.1-5.4 of this Policy;

meetention period – in compliance with the Personal Data Law.
7.3. The Controller may also send the User notifications about new products and services, special offers and various events. The User can always unsubscribe from such notifications by sending a request titled “Unsubscribe from notifications about new products and services, and special offers” to the Controller’s email address at: support@naumag.com.

Legal Bases for Processing Personal Data

8.1. The legal bases for processing personal data by the Data Controller include: the Russian federal law No. 149-FZ of July 27, 2006 “On Information, Information Technologies and Information Protection”; the Controller’s statutory documents; contracts concluded between the Controller and the data subject; federal laws and other regulatory acts related to personal data protection; users’ consents to the processing of their personal data or the processing of publicly disseminated personal data.
8.2. The Controller will process the User’s personal data only if they are filled out and/or submitted by the User independently using special forms contained in the Software or sent to the Controller via email.
8.3. Data subjects will independently decide whether to provide their personal data to the Controller and give their consent freely, of their own free will and interest.

Procedure for Collecting, Storing, Transferring and Other Processing of Personal Data

The security of personal data processed by the Data Controller is ensured through appropriate legal, organizational and technical measures necessary for full compliance with existing personal data protection legislation.
9.1. The Controller has a duty to ensure the security of personal data and take all possible steps to prevent unauthorized persons from gaining access to personal data.
9.2. The User’s personal data will never, under any circumstances, be transferred to third parties, except for cases related to the execution of existing laws, or when the data subject has given consent to the Controller to transfer his/her data to a third party in order to fulfill obligations under a civil law contract.
9.3. If the User detects inaccuracies in his/her personal data, he/she can have this information rectified by sending a request titled “Request for rectification of personal data” to the Controller’s email address at: support@naumag.com.
9.4. Personal data will be kept for no longer than is necessary for the purpose for which the data were collected, unless a different retention period is provided for by existing law or contract. The User may at any time withdraw consent to the processing of his/her personal data by sending a notification titled “Withdrawal of consent to the processing of personal data” to the Controller’s email address at: support@naumag.com.
9.5. The data subject’s prohibitions on the transfer of his/her personal data (except access granting), as well as the terms of and prohibitions on processing (except access granting) of his/her publicly disseminated personal data will not apply in cases where personal data are processed in state or other public interests defined by Russian law.
9.6. The Controller has a duty to ensure the confidentiality of personal data undergoing processing.
9.7. Personal data will be kept in a form that permits identification of data subjects, for no longer than is necessary for the purposes for which the personal data are processed, unless another retention period is provided for by federal law or a contract to which the data subject is a party, or under which the data subject is a beneficiary or guarantor.
9.8. The Controller will cease processing personal data once the purpose of such processing has been achieved, or after the data subject’s consent has expired or been withdrawn by the data subject, or if unlawful processing has been detected.

Procedure for Handling Personal Data adopted by the Data Controller

10.1. The Controller will collect, record, organize, accumulate, store, rectify (update, alter), extract, use, transfer (disseminate, provide, give access to), a.
10.2. The Controller will perform automated processing of personal data with or without receiving and/or transferring the data it has obtained via information and telecommunication networks.
10.3. The Controller will delete and destroy personal data when it is no longer relevant to the purpose of processing, after the storage period expires, or in any other circumstances provided for by law, in the manner prescribed by the local acts of the company.

Trans-border Transfer of Personal Data

11.1. Prior to any trans-border transfer of personal data, the Controller shall make sure that the foreign country where the personal data is being transferred provides adequate protection of the data subject’s rights.
11.2. Any trans-border transfer of personal data to other countries that do not meet the above requirements may take place only if the data subject consents in writing to such transfer of his/her personal data, and/or in the performance of a contract to which the data subject is a party.

Confidentiality of Personal Data

The Data Controller and other persons having access to personal data shall not disclose the subject’s personal data to a third party or disseminate the subject’s personal data without the subject’s consent, unless otherwise provided by federal law.

Final Provisions

13.1. The User may obtain any necessary explanations regarding the processing of his/her personal data by contacting the Controller via e-mail at: support@naumag.com.
13.2. This document shall reflect any changes to the Privacy Policy by the Controller. The current Policy shall remain in force indefinitely until replaced by a new version.