1. General Provisions
This Personal Data Processing Policy is drawn up in accordance with the requirements of Federal Law No. 152-FZ dated July 27, 2006 "On Personal Data" (hereinafter referred to as the Personal Data Law) and defines the procedure for processing personal data and security measures taken by Gramor Studio, TIN/OGRN 773270830273/320774600014291, Individual Entrepreneur K.V. Ershov (hereinafter referred to as the Operator).
1.1. The Operator's primary goal and condition for conducting its activities is to comply with human and civil rights and freedoms when processing personal data, including protecting the rights to privacy, personal and family secrets.
1.2. This Policy of the Operator regarding personal data processing applies to all information that the Operator may obtain about visitors to the website.
2. Basic Concepts Used in the Policy
2.1. **Automated Personal Data Processing** — processing of personal data using computing equipment.
2.2. **Personal Data Blocking** — temporary suspension of personal data processing (except when processing is necessary to clarify personal data).
2.3. **Website** — a set of graphical and informational materials, as well as computer programs and databases ensuring their availability on the internet.
2.4. **Information System of Personal Data** — a set of personal data contained in databases and information technologies and technical means ensuring their processing.
2.5. **Personal Data Anonymization** — actions resulting in the impossibility of determining the ownership of personal data to a specific User or other personal data subject without additional information.
2.6. **Personal Data Processing** — any action (operation) or set of actions (operations) performed using automation means or without such means with personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (distribution, provision, access), anonymization, blocking, deletion, destruction of personal data.
2.7. **Operator** — a state body, municipal body, legal or natural person organizing and/or performing personal data processing independently or jointly with other persons, as well as determining the purposes of personal data processing, composition of personal data to be processed, and actions (operations) performed with personal data.
2.8. **Personal Data** — any information relating directly or indirectly to a specific or identifiable User of the website.
2.9. **Personal Data Authorized for Distribution** — personal data to which access by an unlimited number of persons is granted by the personal data subject through consent to process personal data authorized for distribution in the manner provided by the Personal Data Law.
2.10. **User** — any visitor to the website.
2.11. **Personal Data Provision** — actions aimed at disclosing personal data to a specific person or specific group of persons.
2.12. **Personal Data Distribution** — any actions aimed at disclosing personal data to an unlimited number of persons (transfer of personal data) or making personal data available to an unlimited number of persons, including publication of personal data in mass media, placement in information and telecommunication networks, or providing access to personal data by any other means.
2.13. **Cross-Border Transfer of Personal Data** — transfer of personal data to the territory of a foreign state to a foreign authority, foreign natural person, or foreign legal entity.
2.14. **Personal Data Destruction** — any actions resulting in irreversible destruction of personal data with impossibility of further recovery of personal data content in the information system of personal data and/or destruction of material carriers of personal data.
3. Main Rights and Obligations of the Operator
3.1. The Operator has the right to:
* receive accurate information and/or documents containing personal data from the personal data subject;
* continue processing personal data without consent of the personal data subject in cases specified by the Personal Data Law if consent is revoked;
* independently determine the composition and list of measures necessary and sufficient to ensure compliance with obligations provided by the Personal Data Law and regulatory legal acts adopted in accordance with it, unless otherwise provided by the Personal Data Law or other federal laws.
3.2. The Operator is obliged to:
* provide the personal data subject with information regarding processing of their personal data upon request;
* organize personal data processing in accordance with current legislation of the Russian Federation;
* respond to appeals and requests of personal data subjects and their legal representatives in accordance with the requirements of the Personal Data Law;
* report necessary information to the authorized body for protection of personal data subjects' rights within 30 days from the date of receiving such request;
* publish or otherwise ensure unrestricted access to this Personal Data Processing Policy;
* take legal, organizational, and technical measures to protect personal data from unauthorized or accidental access, destruction, alteration, blocking, copying, provision, distribution of personal data, as well as from other unlawful actions regarding personal data;
* cease transfer (distribution, provision, access) of personal data, stop processing, and destroy personal data in accordance with the procedure and cases provided by the Personal Data Law;
* fulfill other obligations provided by the Personal Data Law.
4. Main Rights and Obligations of Personal Data Subjects
4.1. Personal data subjects have the right to:
* receive information regarding processing of their personal data, except in cases provided by federal laws. The information is provided to the personal data subject by the Operator in an accessible form and should not contain personal data relating to other personal data subjects, except when there are legal grounds for disclosing such personal data. The list of information and procedure for obtaining it is established by the Personal Data Law;
* require the Operator to clarify their personal data, block or destroy them if the personal data are incomplete, outdated, inaccurate, illegally obtained, or not necessary for the declared purpose of processing, as well as take measures provided by law to protect their rights;
* impose a condition of prior consent when processing personal data for purposes of promoting goods, works, and services on the market;
* revoke consent to personal data processing;
* appeal unlawful actions or inaction of the Operator in processing their personal data to the authorized body for protection of personal data subjects' rights or through judicial proceedings;
* exercise other rights provided by the legislation of the Russian Federation.
4.2. Personal data subjects are obliged to:
* provide the Operator with accurate data about themselves;
* inform the Operator about clarification (updating, changing) of their personal data.
4.3. Persons who provided the Operator with false information about themselves or information about another personal data subject without the latter's consent shall bear responsibility in accordance with the legislation of the Russian Federation.
5. Personal Data That the Operator May Process
5.1. Surname, name, patronymic.
5.2. Email address.
5.3. Phone numbers.
5.4. The website also collects and processes anonymized visitor data (including cookies) using internet analytics services (Yandex Metrica, Google Analytics, and others).
5.5. The above-mentioned data are collectively referred to as Personal Data throughout this Policy.
5.6. The Operator does not process special categories of personal data relating to racial or national origin, political views, religious or philosophical beliefs, or intimate life.
5.7. Processing of personal data authorized for distribution from among special categories of personal data specified in Part 1 of Article 10 of the Personal Data Law is allowed if the prohibitions and conditions provided for in Article 10.1 of the Personal Data Law are observed.
5.8. The User's consent to process personal data authorized for distribution is obtained separately from other consents for processing their personal data. The conditions provided for in Article 10.1 of the Personal Data Law, among others, are observed. The requirements for the content of such consent are established by the authorized body for protecting the rights of personal data subjects.
5.8.1 The User provides the Operator with consent to process personal data authorized for distribution directly.
5.8.2 The Operator is obliged to publish information about processing conditions, prohibitions, and conditions for processing personal data authorized for distribution by an unlimited number of persons no later than three business days from receiving the User's consent.
5.8.3 The transfer (distribution, provision, access) of personal data authorized by the personal data subject for distribution must be stopped at any time upon the subject's request. This request must include the surname, name, patronymic (if any), contact information (phone number, email address, or mailing address) of the personal data subject, as well as a list of personal data whose processing is to be stopped. The personal data specified in this request can only be processed by the Operator to whom it is sent.
5.8.4 Consent to process personal data authorized for distribution ceases to be valid upon receipt by the Operator of the request specified in clause 5.8.3 of this Personal Data Processing Policy.
6. Principles of Personal Data Processing
6.1. Personal data processing is carried out on a lawful and fair basis.
6.2. Personal data processing is limited to achieving specific, pre-defined, and lawful purposes. Processing of personal data incompatible with the purposes of collecting personal data is not allowed.
6.3. Merging databases containing personal data processed for incompatible purposes is not allowed.
6.4. Only personal data that meet the purposes of their processing are subject to processing.
6.5. The content and scope of processed personal data correspond to the declared processing purposes. Excessive processing of personal data in relation to the declared purposes is not allowed.
6.6. During personal data processing, accuracy, sufficiency, and, when necessary, relevance of personal data in relation to processing purposes are ensured. The Operator takes necessary measures and/or ensures their adoption to delete or clarify incomplete or inaccurate data.
6.7. Personal data storage is carried out in a form that allows identifying the personal data subject for no longer than required by the processing purposes, unless a personal data storage period is established by federal law or a contract where the personal data subject is a party, beneficiary, or guarantor. Processed personal data are destroyed or anonymized upon achieving processing purposes or if the need to achieve these purposes ceases, unless otherwise provided by federal law.
7. Purposes of Personal Data Processing
7.1. The purpose of processing the User's personal data:
* informing the User through sending email messages;
* conclusion, execution, and termination of civil contracts;
* providing the User with access to services, information, and/or materials contained on the website https://aicrpro.com.
7.2. The Operator also has the right to send the User notifications about new products and services, special offers, and various events. The User can always opt out of receiving informational messages by sending an email to ai@aicrpro.com with the пометкой "Opt-out of notifications about new products, services, and special offers."
7.3. Anonymized User data collected using internet analytics services are used to gather information about User actions on the website, improve website quality, and enhance its content.
8. Legal Bases for Personal Data Processing
8.1. The legal bases for the Operator’s processing of personal data are:
contracts concluded between the Operator and the personal data subject;
federal laws and other regulatory legal acts in the field of personal data protection;
Users’ consents to process their personal data and to process personal data authorized for distribution.
8.2. The Operator processes the User’s personal data only if they are filled in and/or sent by the User independently through special forms located on the website or sent to the Operator via email. By filling out the relevant forms and/or sending their personal data to the Operator, the User expresses their consent to this Policy.
8.3. The Operator processes anonymized data about the User if it is allowed in the User’s browser settings (cookie saving and JavaScript usage are enabled).
8.4. The personal data subject independently decides whether to provide their personal data and gives consent freely, of their own will, and in their interest.
9. Conditions for Personal Data Processing
9.1. Personal data processing is carried out with the consent of the personal data subject to process their personal data.
9.2. Personal data processing is necessary to achieve the goals provided for by an international treaty of the Russian Federation or law, to fulfill the functions, powers, and obligations assigned to the Operator by the legislation of the Russian Federation.
9.3. Personal data processing is necessary for the administration of justice, execution of a judicial act, act of another body, or official, subject to execution in accordance with the legislation of the Russian Federation on enforcement proceedings.
9.4. Personal data processing is necessary for the execution of a contract where the personal data subject is a party, beneficiary, or guarantor, as well as for concluding a contract at the initiative of the personal data subject or a contract where the personal data subject will be the beneficiary or guarantor.
9.5. Personal data processing is necessary for exercising the rights and legitimate interests of the Operator or third parties, or for achieving socially significant goals, provided that the rights and freedoms of the personal data subject are not violated.
9.6. Processing of personal data is carried out, to which access by an unlimited number of persons is granted by the personal data subject or at their request (hereinafter referred to as publicly available personal data).
9.7. Processing of personal data is carried out that is subject to publication or mandatory disclosure in accordance with federal law.
10. Procedure for Collection, Storage, Transfer, and Other Types of Personal Data Processing
The security of personal data processed by the Operator is ensured through the implementation of legal, organizational, and technical measures necessary to fully comply with the requirements of current legislation in the field of personal data protection.
10.1. The Operator ensures the safety of personal data and takes all possible measures to exclude unauthorized access to personal data.
10.2. The User's personal data will never, under any circumstances, be transferred to third parties, except in cases related to the execution of current legislation or if the personal data subject has given consent to the Operator to transfer data to a third party for fulfilling obligations under a civil contract.
10.3. In case of identifying inaccuracies in personal data, the User can update them independently by sending a notification to the Operator at ai@aicrpro.com with the пометкой «Personal Data Update».
10.4. The period for processing personal data is determined by achieving the goals for which the personal data were collected, unless a different period is provided by the contract or current legislation.
The User can revoke their consent to personal data processing at any time by sending a notification to the Operator via email at ai@aicrpro.com with the пометкой «Revocation of Consent for Personal Data Processing».
10.5. All information collected by third-party services, including payment systems, communication tools, and other service providers, is stored and processed by these entities (Operators) in accordance with their User Agreement and Privacy Policy. The personal data subject and/or User is obliged to independently and timely review these documents. The Operator is not responsible for the actions of third parties, including service providers mentioned in this clause.
10.6. Restrictions established by the personal data subject on transfer (except for providing access), as well as on processing or processing conditions (except for access) of personal data authorized for distribution, do not apply in cases of processing personal data in state, public, and other public interests defined by the legislation of the Russian Federation.
10.7. The Operator ensures the confidentiality of personal data during processing.
10.8. The Operator stores personal data in a form that allows identifying the personal data subject for no longer than required by the purposes of processing personal data, unless the storage period for personal data is established by federal law or a contract where the personal data subject is a party, beneficiary, or guarantor.
10.9. The conditions for terminating personal data processing may include achieving the goals of processing personal data, expiration of the consent period of the personal data subject, or revocation of consent by the personal data subject, as well as identification of unlawful processing of personal data.
11. List of Actions Performed by the Operator with Obtained Personal Data
11.1. The Operator performs collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (distribution, provision, access), anonymization, blocking, deletion, and destruction of personal data.
11.2. The Operator performs automated processing of personal data with receipt and/or transfer of obtained information via information and telecommunication networks or without such.
12. Cross-Border Transfer of Personal Data
12.1. The Operator is obliged to ensure that the foreign state to which personal data is intended to be transferred provides reliable protection of personal data subjects' rights before initiating cross-border transfer of personal data.
12.2. Cross-border transfer of personal data to foreign states that do not meet the above requirements may only be carried out if there is written consent from the personal data subject to cross-border transfer of their personal data and/or execution of a contract where the personal data subject is a party.
13. Confidentiality of Personal Data
The Operator and other persons who have accessed personal data are obliged not to disclose or disseminate personal data to third parties without the consent of the personal data subject, unless otherwise provided by federal law.
14. Final Provisions
14.1. The User can obtain any clarifications on issues of interest regarding processing of their personal data by contacting the Operator via email at ai@aicrpro.com.
14.2. This document will reflect any changes to the Operator's personal data processing policy. The Policy is valid indefinitely until replaced by a new version.
14.3. The current version of the Policy is publicly available on the Internet at https://aicrpro.com/policy.
