Privacy Policy of Limited Liability Company «COSMODEV» (LLC «COSMODEV») regarding the Processing of Personal Data

1. General Provisions

1.1. This Privacy Policy of Limited Liability Company «COSMODEV» (hereinafter referred to as the "Policy") has been developed in accordance with Clause 2, Part 1, Article 18.1 of Federal Law No. 152-FZ dated July 27, 2006 "On Personal Data" (hereinafter referred to as the "Personal Data Law") to ensure the protection of the rights and freedoms of individuals when processing their personal data, including the right to privacy, personal and family confidentiality.

1.2. This Policy applies to all personal data processed by Limited Liability Company «COSMODEV» (hereinafter referred to as the "Operator").

1.3. This Policy covers all relationships related to the processing of personal data that have arisen both before and after the approval of this Policy.

As of the date of approval of this Policy, any previously enacted internal regulations of the Operator governing the processing of personal data shall be deemed void.

1.4. In accordance with Part 2, Article 18.1 of the Personal Data Law, this Policy is published in open access on the Internet on the Operator's website - https://cosmodev.ru.

1.5. Key terms used in this Policy:

Personal data - any information relating directly or indirectly to an identified or identifiable natural person (personal data subject);

Personal data operator (Operator) - a government authority, municipal authority, legal entity, or individual who independently or jointly with others organizes and/or performs the processing of personal data, and determines the purposes of processing, the composition of personal data to be processed, and the actions (operations) performed on personal data;

Processing of personal data - any operation or set of operations performed on personal data, with or without the use of automation tools. Processing of personal data includes, but is not limited to:

• collection;
• recording;
• systematization;
• accumulation;
• storage;
• updating (modification, amendment);
• retrieval;
• use;
• transfer (distribution, provision, access);
• anonymization;
• blocking;
• deletion;
• destruction;

Automated processing of personal data - processing of personal data using computing technologies;

Dissemination of personal data - actions aimed at disclosing personal data to an indefinite number of persons;

Provision of personal data - actions aimed at disclosing personal data to a specific person or a specific group of persons;

Blocking of personal data - temporary suspension of personal data processing (except when processing is required to clarify personal data);

Destruction of personal data - actions resulting in the permanent inability to restore the content of personal data in personal data information systems and/or the destruction of physical media containing personal data;

Anonymization of personal data - actions resulting in the inability to identify a personal data subject without the use of additional information;

Personal data information system - a set of personal data contained in databases, along with information technologies and technical means used to process such data.

1.6. Main Rights and Obligations of the Operator.

1.6.1. The Operator is entitled to:

1. independently determine the composition and list of measures necessary and sufficient to ensure compliance with the obligations established by the Personal Data Law and other relevant legal acts, unless otherwise provided by the Personal Data Law or other federal laws;
2. entrust the processing of personal data to another party with the consent of the personal data subject, unless otherwise provided by federal law, on the basis of an agreement concluded with such party. The party processing personal data on behalf of the Operator is obliged to comply with the principles and rules for processing personal data established by the Personal Data Law, maintain the confidentiality of personal data, and take necessary measures to ensure compliance with the obligations established by the Personal Data Law;
3. in the event of withdrawal of consent to the processing of personal data by the data subject, the Operator has the right to continue processing the personal data without such consent if there are legal grounds as provided by the Personal Data Law.

1.6.2. The Operator is obliged to:

1. organize the processing of personal data in accordance with the requirements of the Personal Data Law;
2. respond to requests and inquiries from personal data subjects and their legal representatives in accordance with the requirements of the Personal Data Law;
3. provide the authorized body for the protection of the rights of personal data subjects (Federal Service for Supervision of Communications, Information Technology, and Mass Media - Roskomnadzor) with necessary information upon request within 10 business days from the date of receiving such a request. This period may be extended by no more than five business days, in which case the Operator must send a reasoned notification to Roskomnadzor explaining the reasons for the extension;
4. ensure interaction, in accordance with the procedures established by the federal executive authority responsible for security, with the state system for detecting, preventing, and mitigating the consequences of computer attacks on the information resources of the Russian Federation, including notifying the system about computer incidents that result in unauthorized transfer (provision, dissemination, access) of personal data.

1.7. Main Rights of Personal Data Subjects. A personal data subject has the right to:

1. obtain information regarding the processing of their personal data, except in cases provided by federal law. The information is provided to the data subject in an accessible form and must not contain personal data related to other personal data subjects, unless there are legal grounds for disclosing such data. The list of information and the procedure for obtaining it are established by the Personal Data Law;
2. request that the Operator clarify their personal data, block or delete it if the data is incomplete, outdated, inaccurate, unlawfully obtained, or unnecessary for the stated purposes of processing, and take legal measures to protect their rights;
3. give prior consent to the processing of personal data for the purposes of promoting goods, works, and services on the market;
4. appeal to Roskomnadzor or to a court regarding unlawful actions or inaction by the Operator in the processing of their personal data.

1.8. Control over compliance with this Policy is carried out by an authorized person responsible for organizing the processing of personal data at the Operator, appointed by order of the sole executive body of the Operator or, in its absence, by the sole executive body itself.

1.9. Liability for violations of the legislation of the Russian Federation and the Operator’s internal regulations regarding the processing and protection of personal data is determined in accordance with the legislation of the Russian Federation.

2. Purposes of Personal Data Processing

2.1. The processing of personal data is limited to achieving specific, pre-defined, and lawful purposes. The processing of personal data that is incompatible with the purposes of collecting such data is not permitted.

2.2. Only personal data that is necessary to achieve the stated purposes of processing shall be processed.

2.3. The Operator processes personal data for the following purposes:

• conducting its business activities in accordance with its Charter, including concluding and executing contracts with counterparties;
• compliance with labor legislation within the framework of employment and other directly related relationships, including: assisting employees with employment, education, and career advancement; recruiting and selecting candidates for employment with the Operator; ensuring the personal safety of employees; monitoring the quantity and quality of work performed; safeguarding property; maintaining personnel and accounting records; preparing and submitting required reports to authorized government bodies; organizing personal registration of employees in mandatory pension and social insurance systems;
• promoting the Operator’s goods, works, and services in the market through direct contact with potential consumers using communication tools;
• performing functions, powers, and duties imposed on the Operator by applicable law.

2.4. The processing of employees' personal data may be carried out solely to ensure compliance with applicable laws and other regulatory legal acts.

3. Legal Grounds for Personal Data Processing

3.1. The legal grounds for personal data processing are a set of legal acts in pursuance of and in accordance with which the Operator processes personal data, including:

• Constitution of the Russian Federation;
• Civil Code of the Russian Federation;
• Labor Code of the Russian Federation;
• Tax Code of the Russian Federation;
• Federal Law No. 14-FZ of 08.02.1998 "On Limited Liability Companies";
• Federal Law No. 402-FZ of 06.12.2011 "On Accounting";
• Federal Law No. 167-FZ of 15.12.2001 "On Mandatory Pension Insurance in the Russian Federation";
• other legal acts governing relations related to the activities of the Operator.

3.2. The legal grounds for personal data processing also include:

• the Charter of the Operator;
• contracts concluded between the Operator and personal data subjects;
• the consent of personal data subjects to the processing of their personal data.

4. Scope and Categories of Processed Personal Data, Categories of Personal Data Subjects

4.1. The content and volume of processed personal data must correspond to the stated purposes of processing set forth in Section 2 of this Policy. The processed personal data must not be excessive in relation to the stated purposes of processing.

4.2. The Operator may process personal data of the following categories of personal data subjects.

4.2.1. Job candidates applying for employment with the Operator – for the purposes of complying with labor legislation within employment and other directly related relationships:

• surname, first name, patronymic;
• gender;
• citizenship;
• date and place of birth;
• contact information;
• education, work experience, qualifications;
• other personal data provided by candidates in résumés and cover letters.

4.2.2. Current and former employees of the Operator – for the purposes of complying with labor legislation within employment and other directly related relationships:

• surname, first name, patronymic;
• gender;
• citizenship;
• date and place of birth;
• image (photograph);
• passport details;
• residential registration address;
• actual residence address;
• contact information;
• individual taxpayer identification number (INN);
• insurance number of individual personal account (SNILS);
• information on education, qualifications, professional training, and advanced training;
• marital status, presence of children, family ties;
• employment history, including awards, recognitions, and (or) disciplinary actions;
• marriage registration data;
• military registration data;
• disability information;
• alimony deduction information;
• income information from previous employment;
• information on legal capacity (details of guardianship or custodianship documents, grounds for any limitations on legal capacity, court decisions);
• information on participation in the management of business entities (excluding housing, housing construction, garage cooperatives, horticultural, gardening, country consumer cooperatives, homeowners associations, and registered trade unions), and engagement in entrepreneurial activities;
• other personal data provided by employees in accordance with labor law requirements.

4.2.3. Family members of employees of the Operator – for the purposes of complying with labor legislation within employment and other directly related relationships:

• surname, first name, patronymic;
• degree of kinship;
• year of birth;
• other personal data provided by employees in accordance with labor law requirements.

4.2.4. Individuals – clients and counterparties of the Operator (including potential clients); participants, managers, and controlling persons of the Operator, clients, and counterparties of the Operator (legal entities) (including potential ones) – for the purposes of conducting the Operator’s business activities:

• surname, first name, patronymic;
• date and place of birth;
• passport details;
• residential registration address;
• contact information;
• job title;
• individual taxpayer identification number (INN);
• insurance number of individual personal account (SNILS);
• bank account number;
• information on legal capacity (details of guardianship or custodianship documents, grounds for any limitations on legal capacity, court decisions);
• information on participation in the management of business entities (excluding housing, housing construction, garage cooperatives, horticultural, gardening, country consumer cooperatives, homeowners associations, and registered trade unions), and engagement in entrepreneurial activities;
• other personal data provided by clients and counterparties (individuals) necessary for the conclusion and execution of contracts.

4.2.5. Representatives (employees) of the Operator’s clients and counterparties (legal entities) – for the purposes of conducting the Operator’s business activities:

• surname, first name, patronymic;
• passport details;
• contact information;
• job title;
• other personal data provided by representatives (employees) of clients and counterparties, necessary for the conclusion and execution of contracts.

4.2.6. Visitors of the Operator’s website – for the purposes of conducting the Operator’s business activities:

• surname, first name, patronymic;
• contact information (phone number, email address);
• additional data provided by the user in the "Comment" field;
• user data (IP addresses; cookies and other data collected through internet analytics services (Yandex.Metrica and others); location data; OS type and version; browser type and version; device type and screen resolution; referral source (which site or advertisement the user came from); OS and browser language settings).

4.3. The Operator does not process biometric personal data (data that characterizes the physiological and biological features of an individual and can be used to identify the individual).

4.4. The Operator does not process special categories of personal data concerning race, nationality, political views, religious or philosophical beliefs, health status, or sex life, except in cases provided by Russian law.

5. Procedures and Conditions for Personal Data Processing

5.1. The processing of personal data is carried out by the Operator in accordance with the requirements of the legislation of the Russian Federation.

5.2. The processing of personal data is carried out with the consent of the personal data subjects to the processing of their personal data, as well as without such consent in cases provided for by the legislation of the Russian Federation.

5.3. The Operator processes personal data for each specific purpose of processing using the following methods:

• non-automated processing of personal data;
• automated processing of personal data, with or without transmission of the resulting information via information and telecommunication networks;
• mixed processing of personal data.

5.4. Only employees of the Operator whose official duties include the processing of personal data are permitted to process personal data.

5.5. The processing of personal data for each processing purpose specified in Section 2.3 of this Policy is carried out by means of:

• obtaining personal data orally and in writing directly from personal data subjects;
• entering personal data into journals, registers, and other documents on paper and into the Operator’s information systems;
• using other methods of processing personal data.

5.6. Disclosure to third parties and dissemination of personal data without the consent of the personal data subject is not permitted, unless otherwise provided for by federal law. Consent to the processing of personal data permitted by the personal data subject for dissemination shall be executed separately from other consents of the personal data subject to the processing of their personal data.

The requirements for the content of consent to the processing of personal data permitted for dissemination are approved by Order No. 18 of Roskomnadzor dated February 24, 2021.

5.7. The transfer of personal data to investigative and law enforcement authorities, the Federal Tax Service, the Social Fund of Russia, and other authorized public authorities and organizations is carried out in accordance with the legislation of the Russian Federation.

5.8. The Operator shall take necessary legal, organizational, and technical measures to protect personal data from unlawful or accidental access, destruction, alteration, blocking, dissemination, and other unauthorized actions, including:

• identifying current security threats to personal data during processing;
• adopting internal regulations and other documents governing personal data processing and protection;
• appointing persons responsible for ensuring personal data security in the Operator’s structural units and information systems;
• creating necessary conditions for working with personal data;
• maintaining records of documents containing personal data and data media;
• organizing the operation of information systems used for personal data processing;
• storing personal data under conditions that ensure their security and prevent unauthorized access;
• providing training to the Operator’s employees involved in personal data processing;
• using information protection tools that have passed conformity assessment procedures as required by law; 
• using information protection tools with certified data destruction functionality for destroying personal data; 
• evaluating the effectiveness of personal data security measures before commissioning information systems; 
• ensuring the proper operation of computer equipment used for personal data processing in accordance with operational and technical documentation, taking into account the technical requirements of information systems and information protection tools; 
• detecting and recording incidents of unauthorized access to personal data and unauthorized repeated or additional recording of data after their retrieval from the personal data information system, and taking appropriate measures; 
• restoring personal data modified, deleted, or destroyed as a result of unauthorized access; 
• establishing rules for access to personal data processed in the Operator’s information systems and ensuring registration and recording of all actions performed with personal data in these systems; 
• monitoring the measures taken to ensure personal data security and the level of protection of information systems.

5.9. The Operator stores personal data in a form that allows identification of the personal data subject no longer than required for the purpose of processing, unless a different storage period is established by federal law or contract.

5.9.1. Personal data on paper is stored by the Operator for the document retention periods established by the legislation of the Russian Federation on archiving (Federal Law No. 125-FZ of October 22, 2004 "On Archival Affairs in the Russian Federation", and the List of Standard Administrative Archival Documents arising from the activities of government bodies, local authorities, and organizations, with retention periods approved by Rosarkhiv Order No. 236 of December 20, 2019).

5.9.2. The retention period for personal data processed in personal data information systems corresponds to the retention period for personal data on paper.

5.10. The Operator shall cease processing personal data in the following cases:

• if unlawful processing is detected — within three business days from the date of detection;
• upon achievement of the processing purpose;
• upon expiration or withdrawal of the consent of the personal data subject to the processing of the relevant data, where the processing of such data is allowed only with consent under the Personal Data Law.

5.11. Upon achievement of the purposes of personal data processing, or upon withdrawal of consent by the personal data subject to their processing, the Operator shall cease processing such data unless:

• otherwise provided for by a contract to which the personal data subject is a party, beneficiary, or guarantor;
• the Operator is entitled to process the data without the subject’s consent on grounds provided for by the Personal Data Law or other federal laws;
• otherwise provided for by another agreement between the Operator and the personal data subject.

5.12. Upon receipt of a personal data subject’s request to cease processing their personal data, the Operator shall cease processing such data within no more than 10 business days from the date of receiving the request, except where processing is permitted by the Personal Data Law. This period may be extended by no more than five business days, in which case the Operator shall send the personal data subject a substantiated notification stating the reasons for the extension.

5.13. When collecting personal data, including via the Internet, the Operator shall ensure the recording, systematization, accumulation, storage, updating (modification), and retrieval of personal data of Russian Federation citizens using databases located within the territory of the Russian Federation, except as provided for by the Personal Data Law.

5.14. If the retention period for personal data is not established by federal law or by a contract to which the personal data subject is a party, beneficiary, or guarantor, such personal data shall be destroyed or anonymized upon achievement of the processing purposes or if it is no longer necessary to achieve those purposes, unless otherwise provided by federal law.

6. Updating, Rectification, Deletion, Destruction of Personal Data, and Responses to Data Subjects’ Requests for Access to Personal Data

6.1. Confirmation of the fact of personal data processing by the Operator, the legal grounds and purposes of processing, as well as other information specified in Part 7, Article 14 of the Personal Data Law, shall be provided by the Operator to the personal data subject or their representative within 10 business days from the date of request or receipt of the request from the personal data subject or their representative. This period may be extended, but by no more than five business days, in which case the Operator shall send a substantiated notification to the personal data subject indicating the reasons for the extension.

The information provided shall not include personal data related to other personal data subjects, unless there are legal grounds for disclosing such personal data.

The request must include:

• the surname, first name, and patronymic (if applicable) of the personal data subject; 
• the number of the primary identity document of the personal data subject or their representative, details of the document’s issuance date and issuing authority;
• information confirming the data subject’s relationship with the Operator (contract number, date of contract, reference or other details), or other information confirming the fact of processing of personal data by the Operator;
• the signature of the personal data subject or their representative.

The request may be submitted as an electronic document and signed with an electronic signature in accordance with the legislation of the Russian Federation.

The Operator shall provide the information specified in Part 7, Article 14 of the Personal Data Law to the personal data subject or their representative in the same form in which the corresponding request was submitted, unless otherwise specified in the request.

If the request from the personal data subject does not contain all the required information in accordance with the Personal Data Law, or if the data subject does not have the right to access the requested information, a substantiated refusal will be sent to the requester.

The personal data subject’s right to access their personal data may be restricted in accordance with Part 8, Article 14 of the Personal Data Law, including cases where such access infringes the rights and legitimate interests of third parties.

6.1.1. The personal data subject may submit the request specified in Clause 6.1 of this Policy, a withdrawal of consent to personal data processing, or any other inquiry related to personal data processing by sending a notification to the Operator via email at mail@cosmodev.ru or info@cosmodev.ru with the subject line “Withdrawal of Consent to Personal Data Processing” / “Request for Confirmation of Personal Data Processing” / “Inquiry Regarding Personal Data Processing”.

6.2. If inaccurate personal data is identified following a request from the personal data subject or their representative, or at the request of Roskomnadzor, the Operator shall block the personal data related to that subject from the moment of such request until the verification is complete, provided that the blocking of the personal data does not infringe the rights and legitimate interests of the personal data subject or third parties.

If the inaccuracy of the personal data is confirmed, the Operator shall rectify the personal data based on the information provided by the personal data subject or their representative, or by Roskomnadzor, or based on other necessary documents, within seven business days from the date such information is provided, and shall remove the block on the personal data.

6.3. If unlawful processing of personal data is identified following a request from the personal data subject or their representative, or by Roskomnadzor, the Operator shall block the unlawfully processed personal data related to that subject from the moment of such request or receipt of such request.

6.4. If the Operator, Roskomnadzor, or any other concerned party identifies a case of unlawful or accidental transfer (disclosure, dissemination) of personal data (unauthorized access to personal data) that has violated the rights of personal data subjects, the Operator shall:

• within 24 hours — notify Roskomnadzor of the incident, the presumed causes that led to the violation of personal data subjects’ rights, the presumed harm caused, and the measures taken to eliminate the consequences of the incident, and provide information about the person authorized by the Operator to liaise with Roskomnadzor on matters related to the incident;
• within 72 hours — notify Roskomnadzor of the results of the internal investigation of the identified incident and provide information about the persons whose actions caused the incident (if identified).

6.5. Procedure for the destruction of personal data by the Operator.

6.5.1. Conditions and timeframes for the destruction of personal data by the Operator:

• achievement of the purpose of personal data processing or loss of necessity to achieve that purpose — within 30 days;
• reaching the maximum retention period for documents containing personal data — within 30 days;
• submission by the personal data subject (or their representative) of proof that the personal data was obtained unlawfully or is no longer necessary for the declared purpose of processing — within seven business days;
• withdrawal by the personal data subject of their consent to the processing of their personal data, if retention is no longer required for processing purposes — within 30 days.

If it is not possible to destroy the personal data within the specified period, the Operator shall block such personal data or ensure its blocking (if processing is performed by another entity on behalf of the Operator) and shall ensure the destruction of the personal data within no more than six months, unless a different period is established by federal law.

6.5.2. Upon achievement of the purpose of personal data processing or withdrawal of consent by the personal data subject to the processing of their personal data, such personal data shall be subject to destruction unless:

• otherwise provided for by a contract to which the personal data subject is a party, beneficiary, or guarantor;
• the Operator is entitled to process such data without the subject’s consent on grounds provided for by the Personal Data Law or other federal laws;
• otherwise provided for by another agreement between the Operator and the personal data subject.

6.5.3. The destruction of personal data shall be carried out by a commission established by order of the Operator’s sole executive body.

6.5.4. The methods of personal data destruction are determined in the Operator’s internal regulations and in accordance with the applicable legislation of the Russian Federation.

---

¹ The Operator processes personal data of the User only if such data is voluntarily entered and/or submitted by the User via special forms provided on the website https://cosmodev.ru or sent to the Operator via email. By completing the relevant forms and/or submitting their personal data to the Operator, the User gives their consent to this Policy.

² The Operator processes the specified anonymized data about the User if permitted by the User’s browser settings (such as enabling the saving of “cookies” and the use of JavaScript technology).