PRIVACY POLICY
(on the Processing and Protection of Personal Data)
This Policy is governed solely by the legislation of the Russian Federation, including Federal Law No. 152-FZ “On Personal Data”, and applies exclusively to the processing of personal data conducted within the territory of the Russian Federation.
The term “Operator” is used herein as defined under Russian Federal Law No. 152-FZ and does not correspond to the concepts of “controller” or “processor” under the GDPR or other foreign legislation.
The terminology and structure of this Policy reflect the requirements of Russian Federal Law No. 152-FZ and do not imply compliance with foreign personal data regulations, including the GDPR, CCPA, or UK DPA 2018.
1. General Provisions
1.1. This Privacy Policy of Sole Proprietor Kseniya Valeryevna Zapevalova regarding the processing of personal data (the "Policy") is developed in accordance with paragraph 2, part 1, article 18.1 of Federal Law No. 152-FZ dated 27 July 2006 "On Personal Data" (the "Personal Data Law") to ensure the protection of human and civil rights and freedoms during the processing of personal data, including the right to privacy and protection of personal and family confidentiality.
1.2. This Policy applies to all personal data processed by Sole Proprietor Kseniya Valeryevna Zapevalova (Primary State Registration Number for Individual Entrepreneurs 321332800026000, Taxpayer Identification Number 330710683454, e-mail: info@numbervan.ru, registered address: Russian Federation, Vladimir Region, Murom).
1.3. This Policy extends to all relations in the field of personal data processing, regardless of whether such relations arose before or after the approval of this Policy.
1.4. Pursuant to part 2, article 18.1 of the Personal Data Law, this Policy is published for unrestricted access on the Operator’s website.
2. Terms and Definitions
“Personal Data” means any information relating to an identified or identifiable natural person (the “Personal Data Subject”).
“Personal Data permitted by the Personal Data Subject for dissemination” means personal data made accessible to an unlimited number of persons by the Personal Data Subject by granting consent for its dissemination.
“Personal Data Operator” or “Operator” means a state or municipal authority, legal entity, or natural person that independently or jointly with others organises and/or carries out personal data processing and determines its purposes, the categories of personal data to be processed, and the operations performed on personal data.
“Processing of Personal Data” means any action (operation) or set of actions (operations) performed with personal data, with or without the use of automated means, including:
collection, recording, systematisation, accumulation, storage, updating (clarification, modification), retrieval, use, transfer (provision, access), dissemination, anonymisation, blocking, deletion, destruction.
“Automated Processing of Personal Data” means personal data processing using computer technologies.
“Provision of Personal Data” means actions aimed at disclosing personal data to a specific person or group of persons.
“Blocking of Personal Data” means the temporary suspension of personal data processing (unless required for personal data clarification).
“Destruction of Personal Data” means actions rendering it impossible to restore personal data in information systems and/or the destruction of physical media containing personal data.
“Anonymisation (as defined under Russian law) of Personal Data” means actions making it impossible to identify the Personal Data Subject without the use of additional information.
“Personal Data Information System” means a set of personal data contained in databases along with information technologies and technical tools ensuring their processing.
“Cross-Border Transfer of Personal Data” means the transfer of personal data to the territory of a foreign state, foreign authority, foreign natural person, or foreign legal entity.
3. Procedure and Conditions for Processing and Storage of Personal Data
3.1. Personal data are processed by the Operator in accordance with the legislation of the Russian Federation.
3.2. Personal data are processed upon obtaining the consent of the Personal Data Subjects, as well as without such consent in cases permitted by Russian law.
3.3. Consent for the processing of personal data permitted for dissemination is executed separately from other consents of the Personal Data Subject.
3.4. Consent for processing personal data permitted for dissemination may be provided:
(a) directly to the Operator, or
(b) through the information system of the authorised body for the protection of personal data subjects.
3.5. The Operator performs both automated and non-automated personal data processing.
3.6. Only employees whose job functions include the processing of personal data are granted access to such data.
3.7. Personal data processing is carried out by:
• obtaining personal data orally or in writing with the consent of the Personal Data Subject;
• entering personal data into journals, registers, and the Operator’s information systems;
• other methods of processing permitted by applicable law.
3.8. Personal data may not be disclosed or disseminated to third parties without the consent of the Personal Data Subject unless federal law provides otherwise.
3.9. Personal data may be transferred to investigative authorities, the Federal Tax Service, the Pension Fund, the Social Insurance Fund, and other authorised state bodies in accordance with applicable legislation.
3.10. The Operator implements legal, organisational and technical measures to protect personal data from unlawful or accidental access, destruction, modification, blocking, dissemination, or other unauthorised actions, including:
• identifying threats to personal data security;
• adopting internal regulations and other documents governing the processing and protection of personal data;
• appointing persons responsible for ensuring personal data security;
• creating the necessary conditions for working with personal data;
• maintaining accounting logs of documents containing personal data;
• ensuring proper functioning of information systems used for personal data processing;
• ensuring storage conditions that prevent unauthorised access;
• training employees engaged in personal data processing.
3.11. Personal data are stored in a form that allows identifying the Personal Data Subject no longer than required to achieve the purposes of processing unless federal law, contract, or agreement establishes a different retention period.
3.12. When collecting personal data, including through the Internet, the Operator ensures recording, systematisation, accumulation, storage, updating (clarification, modification), and retrieval of personal data of citizens of the Russian Federation using databases located within the territory of the Russian Federation unless otherwise permitted by law.
3.13. Types of personal data processed and purposes of processing:
3.13.1. Types of processed personal data:
• full name;
• telephone number;
• e-mail address.
3.13.2. Purposes of processing:
• compliance with the Constitution and federal laws;
• performance of civil-law relations;
• maintaining accounting records;
• notifying the Personal Data Subject of changes to services provided under contract;
• obtaining feedback, reviews, and recommendations;
• conducting surveys for effective communication with clients and potential clients.
3.14. Categories of Personal Data Subjects:
• natural persons participating in civil-law relations with the Operator.
3.15. Personal data processed by the Operator:
• data obtained during civil-law relations.
3.16. Storage of Personal Data:
3.16.1. Personal data may be obtained, processed, and stored on paper or electronically.
3.16.2. Paper documents containing personal data are stored in locked cabinets or locked rooms with restricted access.
3.16.3. Personal data processed by automated means for different purposes are stored in separate directories.
3.16.4. Documents containing personal data may not be stored in open electronic directories (file-sharing folders).
3.16.5. Personal data must be destroyed upon achieving the purposes of processing or if retention is no longer required.
3.17. Destruction of Personal Data:
3.17.1. Paper documents are destroyed by burning, shredding, chemical decomposition, or other irreversible methods.
3.17.2. Personal data stored on electronic media are destroyed by erasing or formatting.
3.17.3. Destruction of personal data must be confirmed by an act of destruction.
3.18. Cookies and Analytics:
The Operator uses cookies and visitor analytics data (IP address, cookies, browser data, access time, page address with advertising block, referrer, and other statistics). These data are used to improve website content and functionality. Personal Data Subjects may disable cookies in their browser settings, understanding that certain functions may not work correctly.
4. Protection of Personal Data
4.1. The Operator has established a Personal Data Protection System consisting of legal, organisational, and technical subsystems.
4.2. The legal protection subsystem includes regulatory and organisational documents ensuring the creation, functioning, and improvement of the personal data protection system.
4.3. The organisational protection subsystem includes management structures, access control systems, and security measures for interactions with employees, partners, and third parties.
4.4. The technical protection subsystem includes hardware, software, and technical tools ensuring the protection of personal data.
4.5. The main personal data protection measures include:
• appointing a responsible officer;
• identifying current threats to personal data security;
• developing internal policies on personal data processing;
• establishing access rules and maintaining logs of personal data operations;
• assigning individual passwords in accordance with job duties;
• using certified information security tools;
• deploying certified antivirus software with regular updates;
• ensuring storage conditions preventing unauthorised access;
• detecting and responding to unauthorised access attempts;
• restoring personal data modified or destroyed due to unauthorised access;
• training employees in personal data legislation and internal regulations;
• conducting internal audits and monitoring.
5. Rights of Personal Data Subjects and Obligations of the Operator
5.1. Personal Data Subjects have the right to:
• access their personal data and receive confirmation of processing;
• obtain information on legal grounds and purposes of processing;
• obtain information on methods of processing;
• know the name and address of the Operator;
• obtain information on third parties granted access to personal data under contract or law;
• know processing and storage periods;
• understand the procedure for exercising their rights;
• receive information on data processors acting on behalf of the Operator;
• address the Operator with requests;
• challenge actions or omissions of the Operator.
5.2. The Operator is obliged to:
• provide information on personal data processing when collecting data;
• notify Personal Data Subjects if data are obtained from third parties;
• explain consequences of refusal to provide personal data;
• publish and ensure unrestricted access to this Policy and information on protection measures;
• implement legal, organisational, and technical protection measures;
• respond to requests from Personal Data Subjects, their representatives, and the authorised supervisory body.
6. Updating, Correction, Deletion and Destruction of Personal Data; Responses to Requests
6.1. Confirmation of processing, legal grounds, purposes, and other information under article 14(7) of the Personal Data Law shall be provided to the Personal Data Subject or their representative upon request. The Operator does not disclose personal data relating to other subjects unless legally permitted.
A request must include:
• details of the identity document of the Personal Data Subject or their representative;
• information confirming the subject’s relation with the Operator (contract number/date etc.);
• signature of the Personal Data Subject or their representative.
Electronic requests must be signed with a qualified electronic signature in accordance with Russian law.
If the request lacks required information or the requester lacks rights to access the data, the Operator shall issue a reasoned refusal.
Access may be restricted if it violates the rights of third parties.
6.2. If inaccurate personal data are identified, the Operator shall block such data for the verification period. If inaccuracy is confirmed, the Operator shall update the data within seven business days.
6.3. If unlawful processing is detected, the Operator shall block such personal data upon receipt of the request.
6.4. Upon achieving the purposes of processing or withdrawal of consent, personal data must be destroyed unless:
• otherwise provided by contract;
• the Operator is permitted to process data without consent under law;
• another agreement with the Personal Data Subject applies.
7. Operator Details
Sole Proprietor Kseniya Valeryevna Zapevalova
Primary State Registration Number for Individual Entrepreneurs: 321332800026000
Taxpayer Identification Number: 330710683454
Address: Murom, Vladimir Region, Russian Federation
E-mail: info@numbervan.ru
(on the Processing and Protection of Personal Data)
This Policy is governed solely by the legislation of the Russian Federation, including Federal Law No. 152-FZ “On Personal Data”, and applies exclusively to the processing of personal data conducted within the territory of the Russian Federation.
The term “Operator” is used herein as defined under Russian Federal Law No. 152-FZ and does not correspond to the concepts of “controller” or “processor” under the GDPR or other foreign legislation.
The terminology and structure of this Policy reflect the requirements of Russian Federal Law No. 152-FZ and do not imply compliance with foreign personal data regulations, including the GDPR, CCPA, or UK DPA 2018.
1. General Provisions
1.1. This Privacy Policy of Sole Proprietor Kseniya Valeryevna Zapevalova regarding the processing of personal data (the "Policy") is developed in accordance with paragraph 2, part 1, article 18.1 of Federal Law No. 152-FZ dated 27 July 2006 "On Personal Data" (the "Personal Data Law") to ensure the protection of human and civil rights and freedoms during the processing of personal data, including the right to privacy and protection of personal and family confidentiality.
1.2. This Policy applies to all personal data processed by Sole Proprietor Kseniya Valeryevna Zapevalova (Primary State Registration Number for Individual Entrepreneurs 321332800026000, Taxpayer Identification Number 330710683454, e-mail: info@numbervan.ru, registered address: Russian Federation, Vladimir Region, Murom).
1.3. This Policy extends to all relations in the field of personal data processing, regardless of whether such relations arose before or after the approval of this Policy.
1.4. Pursuant to part 2, article 18.1 of the Personal Data Law, this Policy is published for unrestricted access on the Operator’s website.
2. Terms and Definitions
“Personal Data” means any information relating to an identified or identifiable natural person (the “Personal Data Subject”).
“Personal Data permitted by the Personal Data Subject for dissemination” means personal data made accessible to an unlimited number of persons by the Personal Data Subject by granting consent for its dissemination.
“Personal Data Operator” or “Operator” means a state or municipal authority, legal entity, or natural person that independently or jointly with others organises and/or carries out personal data processing and determines its purposes, the categories of personal data to be processed, and the operations performed on personal data.
“Processing of Personal Data” means any action (operation) or set of actions (operations) performed with personal data, with or without the use of automated means, including:
collection, recording, systematisation, accumulation, storage, updating (clarification, modification), retrieval, use, transfer (provision, access), dissemination, anonymisation, blocking, deletion, destruction.
“Automated Processing of Personal Data” means personal data processing using computer technologies.
“Provision of Personal Data” means actions aimed at disclosing personal data to a specific person or group of persons.
“Blocking of Personal Data” means the temporary suspension of personal data processing (unless required for personal data clarification).
“Destruction of Personal Data” means actions rendering it impossible to restore personal data in information systems and/or the destruction of physical media containing personal data.
“Anonymisation (as defined under Russian law) of Personal Data” means actions making it impossible to identify the Personal Data Subject without the use of additional information.
“Personal Data Information System” means a set of personal data contained in databases along with information technologies and technical tools ensuring their processing.
“Cross-Border Transfer of Personal Data” means the transfer of personal data to the territory of a foreign state, foreign authority, foreign natural person, or foreign legal entity.
3. Procedure and Conditions for Processing and Storage of Personal Data
3.1. Personal data are processed by the Operator in accordance with the legislation of the Russian Federation.
3.2. Personal data are processed upon obtaining the consent of the Personal Data Subjects, as well as without such consent in cases permitted by Russian law.
3.3. Consent for the processing of personal data permitted for dissemination is executed separately from other consents of the Personal Data Subject.
3.4. Consent for processing personal data permitted for dissemination may be provided:
(a) directly to the Operator, or
(b) through the information system of the authorised body for the protection of personal data subjects.
3.5. The Operator performs both automated and non-automated personal data processing.
3.6. Only employees whose job functions include the processing of personal data are granted access to such data.
3.7. Personal data processing is carried out by:
• obtaining personal data orally or in writing with the consent of the Personal Data Subject;
• entering personal data into journals, registers, and the Operator’s information systems;
• other methods of processing permitted by applicable law.
3.8. Personal data may not be disclosed or disseminated to third parties without the consent of the Personal Data Subject unless federal law provides otherwise.
3.9. Personal data may be transferred to investigative authorities, the Federal Tax Service, the Pension Fund, the Social Insurance Fund, and other authorised state bodies in accordance with applicable legislation.
3.10. The Operator implements legal, organisational and technical measures to protect personal data from unlawful or accidental access, destruction, modification, blocking, dissemination, or other unauthorised actions, including:
• identifying threats to personal data security;
• adopting internal regulations and other documents governing the processing and protection of personal data;
• appointing persons responsible for ensuring personal data security;
• creating the necessary conditions for working with personal data;
• maintaining accounting logs of documents containing personal data;
• ensuring proper functioning of information systems used for personal data processing;
• ensuring storage conditions that prevent unauthorised access;
• training employees engaged in personal data processing.
3.11. Personal data are stored in a form that allows identifying the Personal Data Subject no longer than required to achieve the purposes of processing unless federal law, contract, or agreement establishes a different retention period.
3.12. When collecting personal data, including through the Internet, the Operator ensures recording, systematisation, accumulation, storage, updating (clarification, modification), and retrieval of personal data of citizens of the Russian Federation using databases located within the territory of the Russian Federation unless otherwise permitted by law.
3.13. Types of personal data processed and purposes of processing:
3.13.1. Types of processed personal data:
• full name;
• telephone number;
• e-mail address.
3.13.2. Purposes of processing:
• compliance with the Constitution and federal laws;
• performance of civil-law relations;
• maintaining accounting records;
• notifying the Personal Data Subject of changes to services provided under contract;
• obtaining feedback, reviews, and recommendations;
• conducting surveys for effective communication with clients and potential clients.
3.14. Categories of Personal Data Subjects:
• natural persons participating in civil-law relations with the Operator.
3.15. Personal data processed by the Operator:
• data obtained during civil-law relations.
3.16. Storage of Personal Data:
3.16.1. Personal data may be obtained, processed, and stored on paper or electronically.
3.16.2. Paper documents containing personal data are stored in locked cabinets or locked rooms with restricted access.
3.16.3. Personal data processed by automated means for different purposes are stored in separate directories.
3.16.4. Documents containing personal data may not be stored in open electronic directories (file-sharing folders).
3.16.5. Personal data must be destroyed upon achieving the purposes of processing or if retention is no longer required.
3.17. Destruction of Personal Data:
3.17.1. Paper documents are destroyed by burning, shredding, chemical decomposition, or other irreversible methods.
3.17.2. Personal data stored on electronic media are destroyed by erasing or formatting.
3.17.3. Destruction of personal data must be confirmed by an act of destruction.
3.18. Cookies and Analytics:
The Operator uses cookies and visitor analytics data (IP address, cookies, browser data, access time, page address with advertising block, referrer, and other statistics). These data are used to improve website content and functionality. Personal Data Subjects may disable cookies in their browser settings, understanding that certain functions may not work correctly.
4. Protection of Personal Data
4.1. The Operator has established a Personal Data Protection System consisting of legal, organisational, and technical subsystems.
4.2. The legal protection subsystem includes regulatory and organisational documents ensuring the creation, functioning, and improvement of the personal data protection system.
4.3. The organisational protection subsystem includes management structures, access control systems, and security measures for interactions with employees, partners, and third parties.
4.4. The technical protection subsystem includes hardware, software, and technical tools ensuring the protection of personal data.
4.5. The main personal data protection measures include:
• appointing a responsible officer;
• identifying current threats to personal data security;
• developing internal policies on personal data processing;
• establishing access rules and maintaining logs of personal data operations;
• assigning individual passwords in accordance with job duties;
• using certified information security tools;
• deploying certified antivirus software with regular updates;
• ensuring storage conditions preventing unauthorised access;
• detecting and responding to unauthorised access attempts;
• restoring personal data modified or destroyed due to unauthorised access;
• training employees in personal data legislation and internal regulations;
• conducting internal audits and monitoring.
5. Rights of Personal Data Subjects and Obligations of the Operator
5.1. Personal Data Subjects have the right to:
• access their personal data and receive confirmation of processing;
• obtain information on legal grounds and purposes of processing;
• obtain information on methods of processing;
• know the name and address of the Operator;
• obtain information on third parties granted access to personal data under contract or law;
• know processing and storage periods;
• understand the procedure for exercising their rights;
• receive information on data processors acting on behalf of the Operator;
• address the Operator with requests;
• challenge actions or omissions of the Operator.
5.2. The Operator is obliged to:
• provide information on personal data processing when collecting data;
• notify Personal Data Subjects if data are obtained from third parties;
• explain consequences of refusal to provide personal data;
• publish and ensure unrestricted access to this Policy and information on protection measures;
• implement legal, organisational, and technical protection measures;
• respond to requests from Personal Data Subjects, their representatives, and the authorised supervisory body.
6. Updating, Correction, Deletion and Destruction of Personal Data; Responses to Requests
6.1. Confirmation of processing, legal grounds, purposes, and other information under article 14(7) of the Personal Data Law shall be provided to the Personal Data Subject or their representative upon request. The Operator does not disclose personal data relating to other subjects unless legally permitted.
A request must include:
• details of the identity document of the Personal Data Subject or their representative;
• information confirming the subject’s relation with the Operator (contract number/date etc.);
• signature of the Personal Data Subject or their representative.
Electronic requests must be signed with a qualified electronic signature in accordance with Russian law.
If the request lacks required information or the requester lacks rights to access the data, the Operator shall issue a reasoned refusal.
Access may be restricted if it violates the rights of third parties.
6.2. If inaccurate personal data are identified, the Operator shall block such data for the verification period. If inaccuracy is confirmed, the Operator shall update the data within seven business days.
6.3. If unlawful processing is detected, the Operator shall block such personal data upon receipt of the request.
6.4. Upon achieving the purposes of processing or withdrawal of consent, personal data must be destroyed unless:
• otherwise provided by contract;
• the Operator is permitted to process data without consent under law;
• another agreement with the Personal Data Subject applies.
7. Operator Details
Sole Proprietor Kseniya Valeryevna Zapevalova
Primary State Registration Number for Individual Entrepreneurs: 321332800026000
Taxpayer Identification Number: 330710683454
Address: Murom, Vladimir Region, Russian Federation
E-mail: info@numbervan.ru
