Privacy Policy for Users’ Personal Data of the Website

1. General Provisions

1.1. This Privacy Policy for Users’ Personal Data of the Website (hereinafter referred to as the “Policy”) has been developed in accordance with the requirements of Article 18.1 of Federal Law No. 152-FZ dated July 27, 2006 “On Personal Data,” as well as other regulatory legal acts of the Russian Federation in the field of protection and processing of personal data.

1.2. LIMITED LIABILITY COMPANY FIRM “EXPONIC” (hereinafter referred to as the “Operator”) ensures the protection of processed personal data from unauthorized access and disclosure, unlawful use, or loss in accordance with the requirements of Federal Law No. 152-FZ dated July 27, 2006 “On Personal Data.”

1.3. This Policy is a publicly available document and applies exclusively to the website located on the information and telecommunications network “Internet” at the following address: https://exporussia.com (hereinafter referred to as the “Website”).

1.4. This Policy does not apply to third-party websites that a personal data subject may access via the Website.

1.5. The Policy establishes mandatory general requirements and rules for employees of the Operator involved in the processing of personal data regarding work with all types of information carriers containing personal data of personal data subjects who use the Website.

1.6. This Policy does not apply to matters of ensuring the security of personal data classified as information constituting a state secret of the Russian Federation.

1.7. The main objectives of this Policy are:

ensuring the protection of human and civil rights and freedoms in the processing of personal data, including the right to privacy, personal and family confidentiality;
preventing unauthorized actions by the Operator’s employees and third parties related to the collection, systematization, accumulation, storage, clarification (updating, modification) of personal data, as well as other forms of unlawful interference with information resources and the Operator’s local computer network;
ensuring a legal and regulatory confidentiality regime for undocumented information of the Website Users;
protecting constitutional rights of citizens to personal privacy and confidentiality of information constituting personal data, and preventing potential threats to the security of Website Users.

1.8. Key terms used in this Policy:

Website – a combination of software and hardware for computers that ensures the publication of information and data for public access, united by a common purpose, through technical means used for communication between computers on the Internet;

User – a personal data subject who has access to the Internet and uses the capabilities of the Website;

Personal Data – any information relating directly or indirectly to an identified or identifiable natural person (personal data subject);

Head – the sole executive body of the Operator;

Processing of Personal Data – any action (operation) or set of actions (operations) performed with personal data using automation tools or without their use. Processing of personal data includes, but is not limited to:

collection;
recording;
systematization;
accumulation;
storage;
clarification (updating, modification);
extraction;
use;
transfer (provision, access);
depersonalization;
blocking;
deletion;
destruction.

Automated Processing of Personal Data – processing of personal data using computer technology;

Dissemination of Personal Data – actions aimed at disclosure of personal data to an indefinite group of persons;

Provision of Personal Data – actions aimed at disclosure of personal data to a specific person or a specific group of persons;

Blocking of Personal Data – temporary cessation of processing of personal data (except where processing is necessary to clarify personal data);

Destruction of Personal Data – actions resulting in the impossibility of restoring the content of personal data in a personal data information system and/or resulting in the destruction of tangible media containing personal data;

Depersonalization of Personal Data – actions resulting in the impossibility of determining, without the use of additional information, the ownership of personal data by a specific personal data subject;

Personal Data Information System (PDIS) – a set of personal data contained in databases and information technologies and technical means ensuring their processing.

2. Principles of Processing

2.1. When processing personal data, the Operator’s employees are guided by the following principles:

personal data shall be processed on a lawful and fair basis;
processing of personal data shall be limited to the achievement of specific, predetermined, and legitimate purposes. Processing of personal data that is incompatible with the purposes of personal data collection is not permitted;
databases containing personal data processed for purposes that are incompatible with one another shall not be merged;
the content and scope of processed personal data shall correspond to the stated purposes of processing. Processed personal data shall not be excessive in relation to the purposes of their processing;
accuracy and sufficiency of personal data shall be ensured during processing;
storage of personal data shall be carried out no longer than required to achieve the purposes of personal data processing, unless the retention period is established by federal law or by an agreement with the User;
processed personal data shall be destroyed or depersonalized upon achievement of the processing purposes or if the need to achieve such purposes is no longer applicable, unless otherwise provided by law.

2.2. Conditions for processing personal data:

processing of personal data of Website Users is carried out in accordance with the requirements of applicable legislation in the field of personal data protection;
processing of personal data on the Website is carried out in compliance with the principles and rules set forth in this Policy and the legislation of the Russian Federation.

2.3. Processing of personal data of Website Users is carried out exclusively for the following purpose: promotion of goods, works, and services on the market.

2.5. Personal data used on the Website are provided by the User independently by entering such data into the relevant form when registering an account, constitute confidential information, and are processed exclusively using automated means.

3. User Rights

3.1. The User has the right:

to receive information about the Operator, its location, and the availability of personal data relating to the User held by the Operator, as well as to access such personal data, except in cases expressly provided for by law;
to receive from the Operator the following information regarding the processing of their personal data:
confirmation of the fact of personal data processing by the Operator and the purposes of such processing;
legal grounds and purposes for processing personal data;
purposes and methods of personal data processing used by the Operator;
name and location of the Operator, information about persons who have access to personal data or to whom personal data may be disclosed on the basis of an agreement with the Operator or in accordance with applicable law;
processed personal data relating to the relevant User and the source of their receipt;
time limits for personal data processing, including storage periods;
procedure for exercising the rights of the personal data subject provided for by federal law;
information on actual or intended cross-border transfer of data;
name or full name and address of the person processing personal data on behalf of the Operator, if processing has been or will be entrusted to such person;
other information provided for by applicable legislation of the Russian Federation;
to request modification, clarification, or destruction of information relating to themselves;
to appeal unlawful actions or inaction in the processing of personal data and to seek appropriate compensation in court;
to appoint representatives to protect their personal data;
to require the Operator to notify them of all changes made to their personal data or of exclusions thereof;
to appeal to the authorized body for the protection of personal data subjects’ rights or to a court against actions or inaction of the Operator if the User believes that the Operator processes their personal data in violation of Federal Law No. 152-FZ dated July 27, 2006 “On Personal Data” or otherwise violates their rights and freedoms;
to protect their rights and legitimate interests, including compensation for damages or moral harm in court.

4. Operator’s Obligations

4.1. Upon receipt of a written request from the User, the Operator shall review it and provide a response in accordance with the procedure established by the Rules for Consideration of Requests of Personal Data Subjects and applicable legislation of the Russian Federation.

4.2. Upon receipt of a request from the authorized body for the protection of personal data subjects’ rights for information necessary to carry out its activities, the Operator shall provide such information within the time limits established by law.

4.3. If unlawful processing of personal data is identified, the Operator shall block the unlawfully processed personal data relating to the User from the moment such fact is established.

4.4. Upon achievement of the purposes of personal data processing, the Operator shall cease processing and destroy personal data in accordance with the Procedure for Destruction of Personal Data and applicable legislation of the Russian Federation.

4.5. The Operator is prohibited from making decisions based solely on automated processing of personal data that entail legal consequences for the personal data subject or otherwise affect their rights and legitimate interests.

5. Confidentiality of Personal Data

5.1. The Operator ensures the confidentiality and security of personal data during processing in accordance with the Operator’s local regulations and the requirements of applicable legislation.

5.2. The Operator does not disclose personal data to third parties or distribute them without the User’s consent, unless otherwise provided by applicable legislation of the Russian Federation.

6. Personal Data Processing

6.1. All personal data shall be obtained directly from the User. If consent to personal data processing is obtained from the User’s representative, such representative’s authority must be confirmed in accordance with the procedure established by law.

6.2. The list of persons authorized to access personal data is determined in accordance with the Operator’s local regulations and approved by an order of the Operator’s Head.

6.2. The Operator stores Users’ personal data from the moment they are provided until the consent to processing is withdrawn, the purposes of processing are achieved, the consent period expires, or in other cases expressly provided for by applicable legislation of the Russian Federation.

6.3. The Operator does not process Users’ personal data on paper media.

6.4. The Operator does not transfer personal data to third parties, including for processing purposes. Users’ personal data are processed exclusively by the Operator’s employees.

6.5. Blocking and deletion of personal data on the Website are carried out on the basis of a written request from the User or an authorized body.

6.6. Destruction of personal data is carried out by erasing information using certified software.

7. Personal Data Protection

7.1. When processing personal data, the Operator takes necessary legal, organizational, and technical measures, or ensures their implementation, to protect personal data from unlawful or accidental access, destruction, modification, blocking, copying, provision, dissemination, and other unlawful actions.

7.2. Personal data security is ensured by:

identifying threats to personal data security during processing in personal data information systems;
applying organizational and technical measures necessary to meet personal data protection requirements;
accounting for machine-readable personal data media;
detecting unauthorized access to personal data and taking appropriate measures;
restoring personal data modified or destroyed as a result of unauthorized access;
establishing access rules to personal data processed in personal data information systems and ensuring registration and accounting of all actions performed with personal data;
monitoring the effectiveness of personal data security measures and protection levels of information systems;
appointing a person responsible for personal data processing;
establishing individual employee access passwords in accordance with job responsibilities;
using certified antivirus software;
training Operator employees directly involved in personal data processing on the requirements of Russian Federation personal data legislation, including data protection requirements.

7.3. Protected information about the User on the Website includes data that allow identification of the User or obtaining additional information about them as provided by legislation and this Policy.

7.4. Protected personal data objects include:

informatization objects and technical means for automated processing of information containing personal data;
information resources containing data on information and telecommunications systems using personal data, events related to managed objects, and business continuity plans and emergency operation procedures;
communication channels used to transmit personal data in the form of informative electrical signals and physical fields;
removable machine-readable information media used for personal data processing.

7.5. Technological information subject to protection includes:

information on access control systems at informatization facilities where personal data are processed;
control information;
technological information of access management tools;
characteristics of communication channels used to transmit personal data;
information on personal data protection tools, their composition, structure, principles, and technical solutions;
service data generated during software operation, messages, and inter-network interaction protocols as a result of personal data processing.

7.6. The personal data protection system complies with the requirements of Decree of the Government of the Russian Federation No. 1119 dated November 1, 2012, and ensures:

timely detection and prevention of unauthorized access to personal data or their transfer to unauthorized persons;
prevention of interference with technical means of automated personal data processing that could disrupt their operation;
immediate restoration of personal data modified or destroyed due to unauthorized access;
continuous monitoring of the level of personal data protection.

8. Liability

8.1. All employees of the Operator involved in personal data processing are obliged to maintain confidentiality of personal data.

8.2. Persons guilty of violating personal data processing requirements shall bear liability in accordance with applicable legislation of the Russian Federation.

8.3. Responsibility for compliance with the personal data protection regime regarding personal data stored in the Website databases rests with the Operator’s employees responsible for personal data processing.

9. Final Provisions

9.1. This Policy was approved by Order of the Operator’s Head No. 1-PDn dated May 30, 2025, and remains in effect indefinitely until a new version enters into force.

9.2. In the event of changes in Russian Federation legislation on personal data protection, the Operator shall adopt a new version of the Policy reflecting such changes. Until then, the Policy shall apply insofar as it does not contradict applicable legislation.

9.3. The following contact details may be used to contact the Operator:

Phone: +7 (495) 981-5491

E-mail: info@exponic.ru

Postal address: 9 Karmanitsky Lane, Office 604, Moscow, 119002, Russian Federation