Personal Data Processing Policy

Personal Data Processing Policy of Investment Assets Platform LLC

Introduction

The operator of personal data whose actions are described herein is Investment Assets Platform LLC, a company established in accordance with the laws of the Russian Federation and registered at Office 6, Floor/Premises 4/2, 15 1st Volkonsky Lane, Tverskaya municipal district, Moscow, 127473. Below in this text, "we," "our," or other similar terms shall be interpreted as referring to Investment Assets Platform LLC. At the same time, the pronouns "you", "your" and the like should be considered to refer to the personal data subject whose information is processed by us.

Your confidentiality is of utmost importance to us, regardless of whether you are a current customer, partner or any other individual whose data we process. Through this document, we aim to make all interested parties aware of how we process and protect personal data. If you have any reason to believe that we are processing your personal data, we encourage you to read this Policy.

The terms used in this Policy and not specifically defined herein ("personal data", "processing of personal data" and others) have the meaning ascribed to them by the legislation of the Russian Federation and, primarily, by Federal Law No. 152-FZ dated 27 July 2006 "On Personal Data". However, we process personal data in accordance with all laws that apply to the protection of personal data, including the European Union General Data Protection Regulation 2016/679 (GDPR).

In accordance with established data protection regulations, there may be differences in procedures for the collection and processing of data as well as in procedures for protecting data between the offices in the various countries where we do business. Data sources are separated or combined, if necessary, but data is always protected.

Legal grounds and purposes of personal data processing

As any other organization does, we process personal data in order to comply with the requirements set forth by applicable law. In particular, we process employees’ personal data to comply with labor and tax laws and we process customers’ data to comply with anti-money laundering and counter-terrorist financing laws. Where the processing of personal data is not directly required by applicable laws and regulations, we will process personal data only in the following cases:

  • Personal data processing is required to conclude or perform a contract to which you are a party or a beneficiary (for example, to an order of the client or to interact with him on issues concerning services under an existing contract);

  • Personal data processing is required to enforce our rights and legitimate interests or to protect the rights and interests of third parties (e.g., to identify conflicts of interest, to ensure employees’ safety, and to defend our rights in court);

  • We have received your consent to the processing of your personal data (for marketing or other similar purposes).

Regardless of the particular grounds for processing personal data, we process it in accordance with all laws and other regulations that govern personal data protection, including Federal Law No. 152-FZ dated 27 July 2006 "On Personal Data" and the General Regulation on Protection of Personal Data of the European Union (GDPR). We do our best to ensure that your personal data is processed in a transparent and secure manner.

Methods of collecting personal data and its contents

The content of personal data and the methods for collecting it depend on the purposes for which personal data is processed.

Applicants' personal data that we process in order to evaluate the employability of candidates (forename, patronymic, surname; education; profession and other data specified in the CV) is collected directly from employees or their authorized persons by sending such data to us via electronic communication channels.

As part of compliance with labor and tax laws, as well as regulations on the implementation of social benefits, we process a wide range of information relating to our employees (surname, forename and patronymic; sex; date of birth (age); place of birth; series, number, issuing authority and date of issue of passport; marital status; education; profession; income information; military registration data; information about employment; insurance number of an individual’s personal account; taxpayer identification number; citizenship; date and place of registration; actual place of residence; employment history; contact information (phone numbers, e-mail addresses). Those details come directly to us from employees as part of copies and originals of documents.

The information required for the execution of clients' orders, as well as for direct interaction with them (surname, forename and patronymic; e-mail address, telephone number, position and place of work) is provided to us by clients or their representatives via electronic channels of communication. Similarly, we receive more detailed information on our clients who are founders, managers and beneficial owners of companies, when necessary to identify them in accordance with the legislation on money laundering and combating terrorism (surname, forename, patronymic; date of birth; nationality; copy of passport and information for determining the financial status of the client and his level of political influence). At the same time, since such information is used to comply with legal requirements, it may be verified, supplemented and updated using third-party sources (including commercial databases).

We collect information intended for marketing purposes (such as invitations to seminars and events, newsletters, or other news about our services or the company in general) through direct communication with customers, prospective customers, and their representatives. We also collect this information through our website, which can be accessed at www.invest-platforma.ru.

Our site uses cookies to analyze site statistics and evaluate the effectiveness of our advertising campaigns, based on anonymized data about site traffic (number of visitors, referring sources, pages visited, and total time spent on the site).

Cookies are text files that are placed on your computer when you visit our site and allow the site to recognize your device when you visit the site again. Cookies stored on your device may be used by us or by third-party web analytics services such as Google Analytics or Hotjar. Cookies collect information in an anonymous form and we do not use this data to identify visitors to our website, even though the technology used makes such identification possible. You may refuse to receive cookies from our website and delete existing cookies by selecting the appropriate settings on your browser. If you wish to do so, please refer to the instructions or support service of your browser to learn how to manage cookies.

No biometric personal data or information classified as special categories of personal data (including racial or ethnic origin, political opinions, religious or philosophical beliefs, or health information) will be processed by us. The only exception is information about our employees’ health, which is processed in order to comply with legal requirements (for the calculation of social benefits, to ensure proper working conditions and other similar purposes).

Where and how we keep and protect personal data

We process personal data both with and without the use of automated means by collecting, systematizing, accumulating, storing, specifying, using, blocking, transferring (to a limited extent) and deleting it.

When processing personal data using automated means, we implement organizational, legal and technical measures that prevent unauthorized access to personal data by those who are not authorized to process it. Among other things, these measures include:

  • Modeling personal data security threats;

  • Ensuring a security regime for the premises where personal data information systems are located, preventing the possibility of persons who do not have the right to access them having uncontrolled entry into or presence in these premises;

  • Determining the list of persons whose access to personal data is necessary for the performance of their official duties;

  • Exercising control over access to personal data (including the application of password protection measures)

  • Exercising control over the security of personal data (including control over the installation of software updates)

  • Ensuring that personal data is available (including through backing up personal data at specified intervals);

  • Ensuring protection against malicious programs and ensuring anti-virus protection of personal data information systems.

We implement access control to the premises used for personal data processing with no automation technology. If there are documents stored in the premises outside of locked cabinets (safes or boxes), persons not entitled to access the personal data stored therein shall be entitled to enter the said premises only in the presence of authorized employees, who shall oversee the compliance of such persons with access restrictions to personal data.

Personal data of Russian citizens is processed using databases located on the territory of the Russian Federation.

Sharing and personal data with and disclosing it to third parties

We do not disclose the personal data of clients and other persons to third parties unless such disclosure is required by applicable law, to perform contracts with counterparties or to provide legal services to our clients. In other cases, the sharing of your personal data with third parties is possible only based on your prior consent (at your request). In this case, in the course of business activities that involve the processing of personal data, we often use the services of third-party providers. Therefore, personal data may be transmitted to providers who process personal data on our behalf by providing us with related services (including information technology partners providing us with hosting services, CRM systems, financial accounting systems, messaging systems, and other similar business automation solutions). We ensure that all such providers enter with us into data processing agreements to take the legal, organizational and technical measures necessary to protect your personal data.

When personal data is shared to foreign countries, such personal data shall be shared with jurisdictions that provide adequate protection of a subject's rights to personal data. The submission of personal data to countries that do not provide adequate protection of a subject's rights to personal data is performed based only on your written consent, as well as for the purposes of performing a contract to which you are a party.

Personal data is submitted to governmental authorities (including as part of the provision of accounting, tax and other reports) in accordance with the requirements of applicable law.

Period for retaining personal data

The retention period for personal data depends on the relevance of the purposes for which the personal data is processed. We retain personal data for at least as long as is necessary to achieve the processing purposes mentioned above.

Applicants' personal data is retained until the relevant vacancy is closed. Employees' personal data is processed throughout the term of the employment contract, and, after it terminates, for the duration of our activities (to the extent necessary to provide reference information at the request of state bodies and non-budgetary funds).

Clients' and their representatives' personal data shall be processed for the duration of their legal services, and then, after the contract with the client terminates, for a period of ten (10) years. Extended information collected in relation to our clients, founders, managers of companies and their beneficial owners, for the purpose of identifying them, shall be kept for at least ten (10) years after legal services to the clients in question terminate.

Information used for marketing and client business purposes will be processed until we are no longer operating as a legal entity.

The above processing time does not affect or limit in any way the rights of personal data subjects granted to you by applicable law (including the right to withdraw your consent to the processing of data).

Personal data of which the processing has expired is deleted in a secure way (without the possibility of being recovered).

Your rights as a personal data subject

In cases where we process your personal data based on your consent, you have the right to withdraw your consent to such processing at any time. In particular, you have the right to stop receiving marketing communications at any time: each of our marketing letters contains instructions on how you can revoke your subscription, but you can also revoke it at any time by contacting us at all@invest-platforma.ru.

You have the right to access information relating to the processing of your personal data by submitting a written request for the following information regarding the processing of your personal data::

  • Confirmation of the fact that personal data is being processed;

  • The legal basis and purpose for which personal data is being processed;

  • The applicable methods of processing personal data;

  • Information about persons who have access to personal data or to whom personal data may be disclosed based on a contract with us or on the basis of federal law;

  • The personal data relating to you that we process, and the source from which we collected it, unless the law provides otherwise;

  • The time period for which personal data is processed, including the period for which we retain it

  • The procedure to be followed for exercising rights provided for by law;

  • Information about a cross-border transfer of data;

  • Information on the location of a database containing personal data;

  • The name or surname, forename, patronymic and address of a person processing personal data on our behalf, if processing has been or will be assigned to such person;

  • Other information as stipulated by law.

A request for the above information should contain the number of the main document certifying your identity or the identity of your representative, information on the date when such document was issued and on the issuing authority, and information confirming your legal relationship with us, or information otherwise confirming the fact of that your personal data is processed. In addition, the request must be signed by you or your representative. We will respond to requests for the above information within thirty (30) days after we receive them.

You have the right to request us to clarify personal data, or to block or delete personal data if it is incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing.

If we receive a request containing information about our processing of inaccurate personal data or inappropriate processing of personal data, we will immediately block such personal data for a period of verification. If there is a report of inaccurate processing of personal data, blocking is carried out provided that it does not violate your rights and/or legitimate interests of third parties.

When it is confirmed that personal data which is being processed is inaccurate, based on information provided by you, your representative or the authorized body for the protection of personal data subjects’ rights, we shall ensure that such personal data is corrected within 7 (seven) working days from the date when this information is submitted. If it is not possible to clarify the data within the specified period, we will clarify it as soon as possible thereafter. Data is unblocked when we receive your consent to continue processing the data in its unchanged form or further to the results of its clarification.

If an inspection reveals inappropriate processing of personal data, we will correct the data problem within three (3) working days from the date when the inappropriate processing is confirmed. If we cannot ensure that personal data is being processed legitimately, we will delete the data within a period not exceeding ten (10) working days from the date when the inappropriate personal data processing was revealed. We will immediately notify you or your representative that the personal data has been corrected or deleted, and, if the request or application was sent by the competent authority for the protection of the rights of personal data subjects, we will also notify the relevant authority.

If you revoke your consent to the processing of personal data, we will cease processing your personal data and delete it within thirty (30) days. The requirements of this clause shall not apply unless the contract to which you are a party, beneficiary or guarantor or applicable law provides otherwise.

You have the right to appeal to a court against any of our actions or omissions in processing and protecting personal data, as well as to take other statutory measures to protect your rights. If you believe that the way we process your personal data violates applicable law, you may also submit a complaint to the Federal Service for the Supervision of Communications, Information Technology and the Mass Media (commonly referred to in Russian as ‘Roscomnadzor’).

Familiarizing yourself with the Policy and the modification of it

An electronic copy of the current version of the Policy is available on our website. The hard copy of the Policy is kept at the location of Investment Assets Platform LLC.

We have the right to revise this Policy. We recommend that you periodically review this Policy for possible changes.

If you have any questions relating to the processing of your personal data, please contact us at all@invest-platforma.ru.

0