AROA

Privacy Policy

Klimova Angelina Vladimirovna, self-employed individual applying the special tax regime “Tax on Professional Income”

1. General Provisions

1.1. This Privacy Policy (hereinafter – the “Policy”) is developed in accordance with the requirements of Federal Law No. 152-FZ dated 27 July 2006 “On Personal Data”, as amended, and defines the procedure for processing personal data and the measures taken to ensure their security by Klimova Angelina Vladimirovna, a self-employed individual applying the special tax regime “Tax on Professional Income” (hereinafter – the “Operator”).

1.2. The Operator’s primary objective is to respect the rights and freedoms of data subjects, including the protection of privacy, personal and family secrets.

1.3. This Policy applies to all information received by the Operator through the mobile application “AROA” (hereinafter – the “Application”), the website www.aroa-patterns.com (hereinafter – the “Website”), as well as through other communication channels (email, messengers, etc.).

2. Key Terms Used in the Policy

2.1. Automated processing of personal data – processing of personal data using computer technology.

2.2. Blocking of personal data – temporary suspension of personal data processing (except where processing is required to clarify personal data).

2.3. Website – a set of graphic and information materials, as well as computer programs and databases ensuring their availability on the Internet at www.aroa-patterns.com.

2.3.1. Mobile application – software for mobile devices under the name “AROA”, distributed through application stores (App Store, Google Play, etc.).

2.4. Personal data information system – a set of personal data contained in databases and information technologies and technical means ensuring their processing.

2.5. Anonymization of personal data – actions that result in the impossibility of determining, without additional information, whether personal data belongs to a specific data subject.

2.6. Processing of personal data – any action (operation) or set of actions (operations) performed with or without the use of automation tools with personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, transfer (distribution, provision, access), anonymization, blocking, deletion and destruction of personal data.

2.7. Operator – a government authority, municipal authority, legal entity or individual that, independently or jointly with others, organizes and/or carries out the processing of personal data, and also determines the purposes of personal data processing, the composition of personal data to be processed and the actions (operations) performed with personal data.

2.8. Personal data – any information relating directly or indirectly to an identified or identifiable data subject.

2.9. Personal data made publicly available by the data subject – personal data access to which is provided to an unlimited number of persons by the data subject by giving separate consent to their processing and dissemination in accordance with Federal Law No. 152-FZ “On Personal Data”.

2.10. User – any individual using the Website and/or the Application.

2.11. Provision of personal data – actions aimed at disclosing personal data to a specific person or a specific group of persons.

2.12. Dissemination of personal data – any actions aimed at disclosing personal data to an indefinite number of persons (transfer of personal data) or at making personal data available to an unlimited number of persons, including publishing personal data in mass media, posting them in information and telecommunication networks or otherwise providing access to personal data.

2.13. Cross-border transfer of personal data – the transfer of personal data to the territory of a foreign state to a foreign state authority, a foreign individual or a foreign legal entity.

2.14. Destruction of personal data – any actions as a result of which personal data are irreversibly destroyed with no possibility of further restoration of the content of personal data in the personal data information system and/or as a result of which the physical media containing personal data are destroyed.

3. Main Rights and Obligations of the Operator

3.1. Rights of the Operator

The Operator has the right to:

receive from the data subject accurate information and/or documents containing personal data necessary for processing;

in case the data subject withdraws their consent to the processing of personal data, continue processing without consent where there are grounds provided by Federal Law No. 152-FZ “On Personal Data” and other federal laws;

independently determine the composition and list of legal, organizational and technical measures necessary and sufficient to ensure fulfillment of the obligations provided by personal data legislation, unless otherwise established by federal laws or regulations.

3.2. Obligations of the Operator

The Operator shall:

provide the data subject, upon their request, with information relating to the processing of their personal data, in the manner and within the time limits established by the legislation of the Russian Federation;

organize the processing of personal data in accordance with the requirements of the applicable legislation of the Russian Federation;

respond fully and in a timely manner to requests and inquiries of personal data subjects and their legal representatives;

at the request of the authorized body for the protection of the rights of personal data subjects, provide the necessary information within the period established by law (no more than 30 calendar days from the date of receipt of the request);

ensure the publication of and unrestricted access to this Personal Data Processing Policy;

take legal, organizational and technical measures to protect personal data from unlawful or accidental access, destruction, alteration, blocking, copying, provision, dissemination, as well as from other unlawful actions;

cease transfer, dissemination, provision of access, processing and destroy personal data in cases and in the manner stipulated by the legislation of the Russian Federation;

fulfill other obligations provided by the legislation of the Russian Federation on personal data.

4. Main Rights and Obligations of Data Subjects

4.1. Rights of data subjects

Data subjects have the right to:

obtain information relating to the processing of their personal data, except in cases provided by federal laws. The information shall be provided to the data subject in an accessible form and shall not contain personal data of other subjects, except where there are lawful grounds for disclosing such data. The list of information and the procedure for obtaining it are regulated by Federal Law No. 152-FZ “On Personal Data”;

request that the Operator clarify, block or destroy their personal data if such data are incomplete, outdated, inaccurate, unlawfully obtained or are not necessary for the stated purposes of processing, as well as take legal measures to protect their rights;

specify as a condition their prior consent for the processing of personal data for the purpose of promoting goods, works and services on the market;

withdraw their consent to the processing of personal data at any time by sending an appropriate notice to the Operator;

appeal to the authorized body for the protection of the rights of personal data subjects or to a court against unlawful actions or omissions of the Operator in processing their personal data;

exercise other rights provided by the legislation of the Russian Federation.

4.2. Obligations of data subjects

Data subjects shall:

provide the Operator with reliable and up-to-date personal data about themselves;

promptly inform the Operator of any changes or clarifications of their personal data;

not provide the Operator with inaccurate information about themselves or information about third parties without their consent.

4.3. Liability

Persons who have provided the Operator with inaccurate information about themselves or information about another data subject without that person’s consent shall be liable in accordance with the legislation of the Russian Federation.

5. Personal Data that May Be Processed by the Operator

5.1. Surname, first name, patronymic (full name).

5.2. Email address.

5.3. Phone numbers.

5.4. The Website and/or the Application also collect and process anonymized data about visitors (including cookies) using web analytics services (Yandex.Metrica, Google Analytics and others), subject to the User’s consent to the use of cookies, except for strictly necessary cookies.

5.5. User identifier in the Application (User ID).

5.6. Device data (device model, operating system version, system language).

5.7. Data on the use of the Application (log files, date and time of actions in the Application, statistics on the use of features, etc.).

5.8. The above data are hereinafter collectively referred to as “Personal Data” in this Policy.

5.9. The Operator does not process special categories of personal data (racial or ethnic origin, political opinions, religious or philosophical beliefs, sex life, etc.), except in cases where the data subject has given separate, free and informed consent to such processing in accordance with the requirements of Article 10.1 of Federal Law No. 152-FZ.

5.10. The processing of personal data made publicly available by the data subject from among special categories is allowed only subject to the prohibitions and conditions established by law and upon the existence of separate consent of the data subject.

5.11. The User’s consent to the processing of personal data made publicly available for dissemination is formalized separately from other consents and must comply with the requirements of Article 10.1 of Federal Law No. 152-FZ, as well as with the requirements of the authorized body for the protection of personal data subjects’ rights.

5.11.1. The User provides the Operator with consent to the processing of personal data made publicly available for dissemination directly, in a form that makes it possible to confirm the fact that consent has been obtained (for example, electronic or written consent indicating the date and purpose of processing).

5.11.2. The Operator shall, no later than three business days from the date of receipt of the User’s consent, publish information on the conditions for processing such personal data, as well as on the existence of prohibitions and conditions for their processing by an unlimited number of persons.

5.11.3. The transfer (dissemination, provision, access) of personal data made publicly available by the data subject shall be terminated at any time at the request of the data subject. Such request shall contain: surname, first name, patronymic (if any), contact information (phone number, email address or postal address) of the subject, as well as a list of personal data for which processing is to be terminated. The specified data may be processed only by the Operator to whom this request is addressed.

5.11.4. Consent to the processing of personal data made publicly available for dissemination ceases to be effective upon receipt by the Operator of the request specified in clause 5.11.3.

6. Principles of Personal Data Processing

6.1. Personal data shall be processed on a lawful, fair and transparent basis.

6.2. The processing of personal data shall be limited to the achievement of specific, predetermined and lawful purposes. Processing of personal data inconsistent with the purposes of their collection is not allowed.

6.3. It is not allowed to combine databases containing personal data the processing of which is carried out for purposes that are incompatible with each other.

6.4. Only personal data that meet the stated purposes of processing shall be processed.

6.5. The content and volume of processed personal data shall correspond to the stated purposes and shall not exceed the volume necessary for such purposes (data minimization principle).

6.6. When processing personal data, their accuracy, sufficiency and, where necessary, relevance to the purposes of processing shall be ensured. The Operator shall take all necessary measures to delete, clarify or update incomplete, outdated or inaccurate data.

6.7. Personal data shall be stored in a form that allows identifying the data subject for no longer than required by the purposes of processing, unless a different period is established by federal law, a contract or an agreement to which the data subject is a party. Upon achievement of the purposes of processing or loss of the need to achieve them, personal data shall be destroyed or anonymized unless otherwise required by law.

7. Purposes of Personal Data Processing

7.1. The purpose of processing the User’s personal data is to provide access to the services, information and/or materials available in the mobile Application “AROA”, on the Website www.aroa-patterns.com, as well as through other communication channels (email, messengers, etc.).

7.2. The Operator has the right to send the User informational messages about new products, services, special offers and various events. The User may opt out of receiving such messages at any time by sending a notification to the Operator at info@aroa-patterns.com with the subject line “Refusal to receive notifications about new products, services and special offers”. Such refusal does not affect the User’s right to use the services of the Website.

7.3. Anonymized User data collected using web analytics services (such as Yandex.Metrica, Google Analytics) are used to analyze Users’ actions on the Website, to improve the quality of the Website and its content. Such data are processed subject to the User’s consent to the use of cookies, except where such consent is not required by law.

8. Legal Grounds for Personal Data Processing

8.1. The legal grounds for processing personal data by the Operator are:

federal laws and other regulatory legal acts in the field of personal data protection;

consents of data subjects to the processing of their personal data, executed separately and in accordance with the requirements of Federal Law No. 152-FZ;

other grounds provided by the legislation of the Russian Federation (for example, performance of a contract, protection of the vital interests of the data subject, etc.).

8.2. The Operator processes the User’s personal data only if such data are independently filled in and/or submitted by the User through special forms in the mobile Application “AROA”, on the Website www.aroa-patterns.com, as well as through other communication channels (email, messengers, etc.) or by email. By filling in the forms and/or submitting personal data, the User gives their free, informed and unambiguous consent to the processing of personal data in accordance with this Policy.

8.3. The processing of anonymized User data is carried out subject to the User’s permission for the use of cookies and JavaScript technologies, granted through browser settings or other methods provided by law.

8.4. The data subject independently decides to provide their personal data and gives consent to their processing freely, of their own will and in their own interest. The Operator records the fact of obtaining consent in any officially verifiable form.

9. Conditions for Personal Data Processing

9.1. Personal data shall be processed with the consent of the data subject to the processing of their personal data, unless otherwise provided by federal law.

9.2. The processing of personal data is necessary for the fulfillment of obligations and the exercise of the rights and legitimate interests of the Operator or third parties, provided that the rights and freedoms of the data subject are not violated.

9.3. The processing of personal data is necessary to achieve the purposes stipulated by international treaties of the Russian Federation or federal laws, as well as to perform powers imposed on the Operator by the legislation of the Russian Federation.

9.4. The processing of personal data is necessary for the performance of a contract to which the data subject is a party or for entering into a contract at the initiative of the data subject.

9.5. The processing of personal data is necessary for the administration of justice, for the execution of judicial acts or acts of other bodies and officials in accordance with the legislation of the Russian Federation.

9.6. The processing of personal data is allowed in cases provided by the legislation of the Russian Federation without obtaining the data subject’s consent, including:

to protect the life, health or other vital interests of the data subject if obtaining consent is impossible;

for the exercise of the professional activities of a journalist, for scientific, literary or other creative activities, provided that the rights of the data subject are respected;

for statistical or other research purposes with mandatory anonymization of data.

9.7. Processing is carried out of personal data to which access is provided to an unlimited number of persons at the initiative of the data subject (publicly available personal data).

9.8. Processing is carried out of personal data that must be published or disclosed in accordance with federal law.

10. Security and Procedure for Processing Personal Data

The security of personal data processed by the Operator is ensured by implementing legal, organizational and technical measures necessary for full compliance with the requirements of the applicable legislation of the Russian Federation in the field of personal data protection.

10.1. The Operator ensures the preservation of personal data and takes all necessary measures to prevent unauthorized access to personal data, their destruction, modification, blocking, copying, provision, dissemination and other unlawful actions.

10.2. The User’s personal data are not transferred to third parties without the User’s consent, except in cases provided by the legislation of the Russian Federation or where such transfer is necessary to perform obligations under a civil law contract to which the data subject is a party.

10.3. If inaccuracies are identified in personal data, the User has the right to update them independently by sending a corresponding notice to the Operator’s email address info@aroa-patterns.com with the subject line “Updating personal data”.

10.4. The period of personal data processing is determined by the achievement of the purposes for which they were collected, unless another period is established by federal law, a contract or an agreement to which the data subject is a party. The User has the right to withdraw their consent to the processing of personal data at any time by sending a notice to info@aroa-patterns.com with the subject line “Withdrawal of consent to personal data processing”.

10.5. All information collected by third-party services, including payment systems, communication tools and other service providers, is stored and processed by such parties in accordance with their User Agreements and Privacy Policies. The data subject and/or User must independently review these documents. The Operator is not responsible for the actions of third parties, including the above providers.

10.6. Restrictions set by the data subject on the transfer (except for granting access), as well as on the processing or conditions of processing personal data made publicly available for dissemination, do not apply where personal data are processed in state, public and other public interests as defined by the legislation of the Russian Federation.

10.7. The Operator guarantees the confidentiality of personal data and takes necessary measures to protect them from unauthorized access and other unlawful actions.

10.8. Personal data shall be stored in a form that allows identifying the data subject for no longer than required by the purposes of processing, unless another period is established by federal law, a contract or an agreement to which the data subject is a party.

10.9. The processing of personal data shall be terminated upon achievement of the purposes of processing, expiry of the consent period, withdrawal of consent by the data subject, as well as upon detection of unlawful processing of personal data. In such cases, the data shall be deleted or anonymized in accordance with the law.

11. Actions Performed with Personal Data

11.1. The Operator performs the following actions (operations) with personal data: collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, transfer (distribution, provision, access), anonymization, blocking, deletion and destruction of personal data.

11.2. Personal data processing may be carried out using automated tools, including the receipt and/or transfer of information via information and telecommunication networks, as well as without the use of such tools.

11.3. All actions with personal data are performed in accordance with the requirements of the applicable legislation of the Russian Federation and this Personal Data Processing Policy.

12. Cross-Border Transfer of Personal Data

12.1. The Operator carries out cross-border transfer of personal data only if the foreign state to whose territory the transfer is planned ensures reliable protection of the rights of personal data subjects in accordance with the legislation of the Russian Federation.

12.2. Before cross-border transfer, the Operator assesses the level of protection of personal data in the recipient country and documents the results of such assessment, as well as the justification of the decision on the possibility of the transfer.

12.3. Cross-border transfer of personal data may be carried out in the following cases:

with the written consent of the data subject to such transfer;

for the performance of a contract to which the data subject is a party;

in other cases provided by the legislation of the Russian Federation.

12.4. The consent of the data subject to cross-border transfer shall be formalized separately and must be free, informed and specific. The subject has the right to withdraw their consent at any time by sending a corresponding notice to the Operator.

12.5. The Operator takes all necessary measures to ensure confidentiality and security of personal data during their cross-border transfer and monitors compliance with data processing conditions in the recipient country.

13. Confidentiality of Personal Data

The Operator and other persons who have gained access to personal data shall not disclose personal data to third parties and shall not disseminate personal data without the consent of the data subject, unless otherwise provided by federal law.

14. Final Provisions

14.1. The User has the right to receive explanations and additional information regarding the processing of their personal data by contacting the Operator via email at info@aroa-patterns.com.

14.2. The Operator reserves the right to amend and supplement this Personal Data Processing Policy. All changes come into force from the moment the updated version of the Policy is published.

14.3. This Policy is valid indefinitely until it is replaced by a new version, which will be made publicly available on the Internet at: www.aroa-patterns.com.