Purposes of Processing Users’ Personal Data

The Union collects and stores only such personal information that is necessary for the provision of Services or the execution of agreements and contracts with the User, except in cases where legislation requires mandatory storage of personal information for a period established by law.

The Union processes the User’s personal information for the following purposes:

Purposes	Categories of Data Subjects	List of Personal Data	Categories of Personal Data	Methods and Duration of Processing and Storage	Procedure for Personal Data Destruction
Providing access to Services, including registration on the Services	Website users	First name, last name, email address	General	For 3 years from the date of last activity on the website	Deletion from the personal data operator’s servers
Identification of the User who provided personal data by filling out web forms on the Union’s Services for communication, payment transactions, and feedback	Website users	First name, last name, email address	General	For 3 years from the date of last activity on the website	Deletion from the personal data operator’s servers
Providing information, consulting, informational and technical support to the User	Website users	First name, last name, email address	General	For 30 days from the date of providing support/information to the User	Deletion from the personal data operator’s servers
Establishing feedback with the User, including sending notifications, informational messages, requests related to the use of Services, informational materials posted on the Services, processing User’s requests and applications	Website users	First name, last name, email address	General	For 3 years from the date of last activity on the website	Deletion from the personal data operator’s servers
Conducting research if necessary, including analysis to improve the quality of Services	Website users	First name, last name, email address	General	For 3 years from the date of last activity on the website	Deletion from the personal data operator’s servers
Providing the User with effective client and technical support in case of problems related to the use of Services	Website users	First name, last name, email address	General	For 30 days from the date of providing support/information to the User	Deletion from the personal data operator’s servers

List of Personal Data Subject to Consent for Processing

Within this Policy, the User’s personal information is understood as:

Personal information that the User voluntarily provides about themselves when filling out web forms or during the use of the Services, including, but not limited to, the following personal data of the User: first name, last name, email address. Information mandatory for providing the Services is specially marked. Other information is provided by the User at their discretion or if necessary for a specific purpose of personal data processing. The personal data provided by the User are not biometric.

Data that are automatically transmitted to the Services during their use through software installed on the User’s device, including IP address, cookie data, information about the User’s browser (or other software used to access the Services), technical characteristics of the hardware and software used by the User, date and time of access to the Services, addresses of requested pages, and other similar information.

The Union processes anonymized data about the User if this is allowed in the User’s browser settings (enabled cookie storage and JavaScript technology).

Legal Grounds and Principles of Personal Data Processing

The basis for collection, processing, and storage of personal data are:

• Articles 23 and 24 of the Constitution of the Russian Federation;
• Articles 2, 5, 6, 7, 9.18-22 of the Federal Law No. 152-FZ of July 27, 2006 “On Personal Data”;
• Federal Law No. 149-FZ of July 27, 2006 “On Information, Information Technologies and Information Protection”;
• The Charter of the Union.

Personal data processing is carried out based on the following principles:

• Legality and fairness of personal data processing;
• Processing personal data in accordance with specific, predetermined, and lawful purposes;
• Only personal data relevant to the purposes of their processing are subject to processing;
• Accuracy, sufficiency, relevance, and reliability of personal data;
• Legality of technical measures aimed at personal data processing;
• Reasonableness and expediency of personal data processing;
• Storage of personal data no longer than required by the processing purposes or the term of the User’s consent;
• The processed personal data are subject to destruction or anonymization within 30 (thirty) working days from the User’s withdrawal of consent to personal data processing.

Personal Data Processing

During processing, the following actions will be performed with personal data: collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (distribution, provision, access), anonymization, blocking, deletion, destruction.

Personal data collection is carried out by the following methods:

• Personal data provided by Users on the Services, including filling out web forms;
• Automatic collection of data about personal data subjects using technologies and services: web protocols, cookies, web beacons, which are activated only when the User enters their data.

Storage and Use of Personal Data

• Users’ personal data are stored exclusively on properly protected electronic media and processed using automated systems, except in cases where non-automated processing of personal data is required by the legislation of the Russian Federation;
• The confidentiality of the User’s personal information is maintained, except when the User voluntarily provides information about themselves for public access to an unlimited number of persons. When using certain Services, the User agrees that some of their personal information becomes publicly available;
• When processing personal data of data subjects, the Union ensures the use of databases located on the territory of the Russian Federation.

Transfer of Personal Data

The Union does not transfer personal data to third parties without the User’s consent, except when the transfer is carried out to ensure compliance with the legislation of the Russian Federation, prevent or stop illegal actions by the User, and protect the lawful interests of the Union and third parties.

Destruction of Personal Data

The Union destroys personal data of data subjects in the following cases:

• There is a threat to the security of the Services;
• Violation by the User of the Policy conditions;
• Expiry of the personal data storage period;
• Upon User’s request.

User Rights

The User has the right to receive information about personal data processing, including:

• Confirmation of the fact of personal data processing;
• Legal grounds for personal data processing;
• Purposes and methods of personal data processing used by the Union;
• Personal data processed relating to the relevant User, the source of their receipt, unless otherwise provided by the legislation of the Russian Federation;
• Terms of personal data processing, including storage periods;
• Procedure for exercising rights provided by the legislation of the Russian Federation;
• Information about actual or intended cross-border data transfers;
• Information about persons to whom personal data may be disclosed based on an agreement with the Union or in accordance with the legislation of the Russian Federation;
• Name or full name and address of the person processing personal data on behalf of the Union if such processing is or will be entrusted to such a person;
• Other information provided by the legislation of the Russian Federation.

The User has the right to protect their personal data.

The User has the right to change their personal data by contacting the support service of the personal data operator.

The User is entitled to receive the information specified in clause 7.1 of the Policy an unlimited number of times by sending the Union the relevant request in the manner provided in section 12 of the Policy.

Union Obligations

In accordance with applicable law, the Union must:

• Provide, upon User’s request, information on the processing of their personal data specified in clause 6.1 of the Policy or provide a justified refusal;
• Take necessary and sufficient measures to fulfill the obligations provided by law;
• Upon User’s request, clarify processed personal data, block or delete them if they are incomplete, outdated, inaccurate, illegally obtained, or unnecessary for the stated processing purpose;
• Ensure the legality of personal data processing. If ensuring the legality is impossible, the Union must destroy or ensure destruction of personal data within 10 (ten) working days from the date of identifying unlawful processing;
• Upon withdrawal of User’s consent to personal data processing, stop processing and destroy personal data within 30 (thirty) working days from the date of receiving such withdrawal, as provided in section 12 of the Policy. Exceptions are cases when processing can be continued in accordance with Russian legislation.

Union Actions for Personal Data Protection

Protection of personal data processed by the Union is ensured by implementing legal, organizational, and technical measures necessary and sufficient to comply with the requirements of the Russian Federation legislation on personal data protection.

Legal measures include:

• Development of local acts of the Union implementing the requirements of Russian legislation (including the Privacy Policy on processing and protecting personal data posted on the Services);
• Refusal of any methods of personal data processing that do not correspond to the Union’s predefined purposes.

Organizational measures include:

• Appointment of a person responsible for organizing personal data processing;
• Limiting the number of Union employees with access to personal data and organizing a permission system for such access;
• Familiarization of Union employees with Russian personal data legislation, including personal data protection requirements, and local acts of the Union on personal data processing, training of these employees.

Cross-Border Transfer of Personal Data

The Operator does not perform cross-border transfers of personal data.

Limitation of the Policy’s Application

The Policy applies exclusively to the Services and does not apply to other Internet resources.

The Union is not responsible for the actions of third parties who gained access to the personal data of the personal data subject due to their own fault.

User Requests

The User has the right to send requests to the Union, including requests regarding the use of their personal data:

• In writing at: 117292, Moscow, internal municipal district Akademichesky, 60-letiya Oktyabrya Ave., 10A, 6th floor, office 3V.
• In electronic form at the email address: h2-union@mail.ru.

When submitting a request in writing or electronically, it must include the following information:

• Number of the primary document proving the User’s identity;
• Date of issue and issuing authority of that document;
• Information confirming the User’s participation in relations with the Union;
• User’s signature.

The Union undertakes to consider and respond to the received request within 30 (thirty) days from the date of receipt.

All correspondence received by the Union from the User (written or electronic) is classified as restricted information and is not disclosed without the User’s written consent.