Citronium LLC PRIVACY POLICY for Processing of Personal Data

1.General Provisions

This Privacy Policy of Processing of Personal Data (hereinafter - Policy) is an internal regulatory document of LLC “Citronium” (OGRN 1141215002433, TIN 1215179744), which defines general provisions in the field of the legality of the processing and security of personal data.

This Policy is a public document and is developed in accordance with the requirements of the Federal Law of 27.07.2006 № 152-FZ “On Personal Data” of the Russian Federation (hereinafter - the Federal Law “On Personal Data”), other federal laws governing the processing of personal data, as well as adopted pursuant to their enforcement subordinate regulations.

This Policy defines the terms of receipt (collection), storage, use, and transfer of information about individuals - subjects of personal data (hereinafter - Users) via the site (hereinafter - the Site), providing access to information about Users to third parties.

This Policy is a legally binding document for the Users of the Site in accordance with its primary purpose.

Each User must read this Policy before using the Site. If the User does not agree with any of the sections of this Policy, they must stop further use of the Site. Using the Site, namely: viewing the content of the Site, entering data into the Application for feedback, filling forms on the Site and others means the User’s full and unconditional consent to the terms of this Policy.

During the processing of personal data, the Operator performs the following actions: collection, recording, systematization, accumulation, storage, clarification (updating, change), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, and destruction.

The Operator doesn’t check the reliability of the information provided or received from the Users, and doesn’t control their legal capacity. The Operator assumes that the User in all cases without exception provides full and reliable information about himself and keeps this information up to date.

2. Terms and Definitions

Automated processing of personal data is the processing of personal data by means of computer technologies.

Blocking personal data is temporary termination of processing of personal data (except in cases where the processing is necessary to clarify personal data).

Personal data protection is a set of technical, organizational, and technical measures aimed at protecting information related to a certain or determinable subject of personal data on the basis of such information.

Information is information (messages, data) regardless of the form of its presentation.

The company is Citronium LLC.

Confidentiality of personal data is mandatory for the operator or other person who received access to personal data, the requirement is not to disclose personal data to third parties, and their distribution without the consent of the subject of personal data or some other legal basis.

Processing of personal data is any action (operation) or a set of actions (operations) with personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, change), extraction, use, transfer (distribution, provision, access), anonymization, blocking, removal, destruction of personal data performed with or without the use of automation.

The Operator is Citronium LLC, carrying out the processing of personal data, as well as determining the processing of personal data, the composition of personal data to be processed, and actions (operations) performed with personal data.

Personal data (hereinafter - PD) is any information relating to an identified or definable individual (the subject of personal data) directly or indirectly.

Provision of personal data is actions aimed at disclosure of personal data to a certain person or a certain scope of persons.

Employees (employees of the Company) are full-time or part-time employees of the Company, regardless of their position in the Company.

Dissemination of personal data are actions aimed at the disclosure of personal data to an indefinite scope of persons.

The Website is a set of software and hardware for computers, allowing the publication of data on the Internet for public viewing. The site can be accessed via a unique electronic address or its alphabetic designation - . It may contain graphic, text, audio, video, as well as other information reproducible by computer.

The subject of personal data (Site User) is a defined or definable individual.

Cross-border transfer of personal data is a transfer of personal data to a foreign authority, a foreign individual, or a foreign legal entity in a foreign country.

Destruction of personal data is actions that result in it becoming impossible to restore the content of personal data in the information system of personal data and (or) as a result of which the material media of personal data is destroyed.

The User acknowledges and agrees that the placement of information on the Site, as well as its transfer to the Operator, including their personal data, is done independently, voluntarily and at his own discretion. By placing their personal data on the Site the User confirms that they do it voluntarily and that they voluntarily provide the data to the Operator for processing.

3. Principles of Personal Data Processing

3.1 Processing of personal data shall be carried out on a lawful and fair basis.

3.2 Processing of personal data shall be limited to achieving specific, predetermined, and legitimate purposes.

3.3 Processing of personal data that is incompatible with the purposes for which the personal data is collected shall not be permitted.

3.4 Databases containing personal data, which are processed for purposes incompatible with each other, shall not be combined.

3.5 Only personal data that meets the purposes for which it is being processed may be processed.

3.6 The content and scope of processed personal data must be consistent with the stated processing purposes.

3.7 Processing of personal data that is excessive in relation to the stated processing purposes shall not be permitted.

3.8 When processing personal data, the accuracy of personal data, its sufficiency, and, if necessary, relevance in relation to the purposes of personal data processing must be ensured.

3.9 Personal data shall be stored in a form enabling identification of the subject of personal data, no longer than required by the purposes of personal data processing, unless the period of personal data storage is established by federal law, an agreement to which the subject of personal data is a party, a beneficiary or a guarantor.

3.10. Upon attainment of the processing objectives or if it is no longer necessary to attain those objectives, personal data shall be destroyed or depersonalized, unless otherwise provided for by federal law.

4. Categories of Personal Data Subjects.

The subjects of personal data are divided into the following categories:

4.1 Users of the website

5. Purpose of Personal Data Processing

5.1 The Site processes the User’s personal data for the following purposes:

5.1.1. Interact with the User.

5.1.2 Provide the registration (authorization) on the Site, access to the Site, and any other cases related to such activities.

5.1.3. Provide the Site User with access to the personalized resources on the Site.

5.1.4. Provide feedback to the Site User, including sending notices, requests regarding the use of the Site and provision of services, and processing requests and applications from the Site User.

5.1.5. Create an account, if the Site User has agreed to create an account.

5.1.6. Provide effective customer and technical support to the Site User when problems arise related to the use of the Site.

5.1.7. Ensure performance and security of the Site, to confirm actions performed by Users of the Site, to prevent fraud, computer attacks, and other abuses, as well as to investigate such cases. 5.1.8. for analyzing the use of the Site.

The Site collects and stores only the personal data of the Site User, which are necessary for providing services or performing agreements and contracts with the Site User, except for cases, when the legislation provides obligatory storage of personal data during the term specified by the legislation.

6. Rights of Personal Data Subjects

6.1 The subject of personal data has the right to receive information regarding the processing of their personal data, including the data containing

• confirmation of the fact of processing of personal data in the Company;

• the legal basis and purpose of personal data processing;

• personal data processing methods applied in the Company;

• name and location of the Company, information about persons (excluding employees) who have access to personal data or to whom personal data may be disclosed on the basis of a contract by the Company or on the basis of federal law;

• processed personal data relating to the relevant personal data subject, the source of their receipt, unless another procedure for presentation of such data is provided by federal law

• the terms of processing personal data, including the period of their storage;

• The procedure of exercising by the subject of personal data of their rights provided by the Federal Law “On Personal Data”;

• information about performed or expected cross-border transfer of data;

• name or full name and address of the person processing personal data by order of the Company, if the processing is or will be assigned to such person;

• other information required by the Federal Law “On Personal Data” or other federal laws.

6.2 The subject of personal data shall have the right to request the Company to update his personal data, block or destroy them if the personal data are incomplete, outdated, inaccurate, illegally obtained, or are not necessary for the stated purpose of processing, and also to take statutory measures to protect their rights.

6.3 If the subject of personal data believes that the Company is processing his personal data in violation of the requirements of the Federal Law “On Personal Data” or otherwise violates his rights and freedoms, the subject of personal data has the right to appeal the actions or inaction of the Company to the authority to protect the rights of subjects of personal data (the Federal Service for Supervision of Communications, Information Technology and Mass Communications - Roskomnadzor) or in court.

6.4 The subject of personal data has the right to protection of his/her rights and legitimate interests, including compensation for losses and (or) compensation for moral harm in court.

6.5 Other rights specified in Chapter 3 of the Federal Law “On Personal Data”.

7. Personal Data Privacy

7.1 Information on personal data, which becomes known to the Company, shall be treated as confidential and protected by law.

7.2 The Company employees and other persons having access to the processed personal data have signed an undertaking not to disclose confidential information and have been warned of possible disciplinary, administrative, civil, and criminal liability in case of breach of standards and requirements of the Russian Federation legislation in force regarding personal data processing.

8. Measures to Ensure Security of Processed Personal Data

8.1 In order to ensure the security of processed personal data, the Company takes necessary legal, organizational, and technical protection measures.

8.2 The Operator undertakes not to provide any personal data about Users to individuals and organizations which declare possible improper use of such information (distribution of unauthorized advertising, spam, providing information to other persons, and so forth).

8.3 The Operator isn’t responsible for the possible non-purposeful use of the information placed on the Website by Users or other persons, which took place without notification of the Operator with the violation of the Website information security or in the absence of such violation.

9. Location of Databases Containing Personal Data of Citizens of the Russian Federation

9.1 The databases containing the personal data of citizens of the Russian Federation are located on the territory of the Russian Federation.

10. Regulation of Personal Data Processing

10.1 Processing of personal data in the Company is carried out in accordance with this Policy and other local regulations on the processing of restricted information, including personal data.

11. Personal Data Permitted to be Processed under this Policy.

11.1 Personal data permitted to be processed under the Policy are not special or biometric and provided by the Site User by filling out special forms on the Site without time limitation (until the Site user revokes his consent to the processing of personal data). Depending on the web form that the User fills out, the data includes the following information:

• last name, first name, middle name;

• contact phone number;

• E-mail address;

• name of the organization (place of work);

• position.

By filling in the relevant web forms and/or sending their personal data to the Operator, the User of the Website expresses their consent to the Policy.

11.2 The Operator also takes measures to protect personal data, which is automatically transmitted in the process of visiting the pages of the Website, including that from cookies:

• The IP address assigned to the User’s computer at the time of visiting the Site;

• Data about the location of the User;

• Received data about sessions.

• Cookies can be both “session” and “persistent”.

Session cookies

The Operator uses session cookies to assign a unique identification number to the User’s computer on each visit to the Site, and they are deleted when the browser is closed. Such files are also used to analyze the User’s use of the Site (the pages visited, the links used and the time spent on a particular page).

Persistent Cookies

The Site recognizes persistent cookies, which are stored on the hard disks of computers of Site Users, and by assigning unique identifiers to devices of Site Users, the Operator can create a database of actions and preferences of Site Users (in particular, about the frequency of visits and frequency of return of Site Users, about their preferences on the Site). It is important that cookies do not contain the personal data of Site Users, they only record their actions.

The Company may also use technologies such as pixels, web beacons, device fingerprints, etc. All of these technologies will hereinafter be referred to collectively as “cookies”.

Consent to the use of cookies

Session cookies do not require prior consent from Site users; persistent cookies require such consent.

Cookies are processed by Citronium LLC - by the Operator to the extent necessary to improve the operation and optimization of the Site. Third-party cookies are available to operators who place them on this Site. The Operator may also share information about the use of the Website with our social media and advertising and analytics partners.

11.3 The Operator uses cookies and similar technologies, which are divided into the following categories:

Strictly necessary cookies, which are required for the operation of the website, including logging in or paying for products, services.

Analytics cookies and customization files that collect information to be used either in aggregate form to help us understand how our websites are being used (e.g., to recognize and count the number of visitors and see how visitors move around the site), how effective our marketing campaigns are, or to help us customize our websites to you.

Performance and functionality cookies, which are used to improve the performance and functionality of our websites, but are not necessary to do so. However, without these cookies, some features (such as videos) may become unavailable.

Targeting and advertising cookies that record your visits to the website, the pages you open, and the links you click to make the website and advertising more relevant to your interests. (We may also share this information with third parties for this purpose).

Social media cookies allow you to share the pages and content of our websites that interest you through third-party social networks and other websites. These cookies may also be used for advertising purposes.

11.4 Setting Cookies.

The site user can always control the cookies on his or her device. Most browsers allow you to block, delete or disable cookies. If cookies are disabled, the user will lose access to some pages of our site or impair its functionality.

For more information on controlling cookies in various browsers, click here:

Chrome: Settings → Privacy & Security → Site settings → Cookies and other site data (chrome://settings/cookies).

Opera: Settings → Advanced → Privacy & Security → Site settings → Cookies and other site data.

Mozilla Firefox: Settings → Privacy and Security → Browser Privacy → Personal → Cookies (about:preferences#privacy).

Microsoft Edge: Settings and more → Settings → Site permissions → Cookies and site data → Saved cookies and data → Manage and delete cookies and site data (edge://settings/content/cookies).

Internet Explorer: Tools → Internet options → Privacy → Settings→ Advanced.

At the same time using cookie technology, the Operator doesn’t store and doesn’t use any specific data about the Users of the Website. The Operator draws attention to the fact that the User of the Site has the right to set his browser to refuse to register requests to the Site or to be warned about the requests for such registration. Disabling the cookies may result in an inability to access the Site.

The operator is not responsible for cookies used on third-party sites, which are linked to our site.

11.5 If the Operator cannot in any way correlate the information specified in paragraphs 11.1 - 11.4 of the Policy with the Site User (a natural person), the Operator will not consider this information as personal data.

12. Final Provisions

12.1 This Policy, as well as all amendments to it, are approved by the General Director of Citronium LLC.

12.2 Questions on the interpretation of this Policy should be addressed to the Company’s Personal Data Processor.

12.3 The Operator has the right to amend this Policy

12.4 The new Policy comes into force from the moment of its posting on the Website, unless otherwise stipulated by the new version of the Privacy Policy.

12.5 The current version of the Policy shall be stored at the address: Ulitsa Proletarskaya 21a-32, Yoshkar-Ola, Mariy El Republic, 424000, Russia