Axis.Moscow Arbat

Privacy Policy of LLC “Kairos” Regarding the Processing of Personal Data 1. General Provisions 1.1. This Personal Data Policy of LLC “Kairos” (hereinafter – the Policy) has been developed in compliance with the requirements of clause 2 of part 1 of article 18.1 of the Federal Law of 27.07.2006 No. 152-FZ “On Personal Data” (hereinafter – the Personal Data Law) in order to ensure the protection of the rights and freedoms of individuals when processing their personal data, including the protection of the right to privacy, personal and family confidentiality. 1.2. The operator of personal data processing is: LLC “Kairos” (hereinafter – the Operator) Email: team@axis.moscow Phone: +7 (929) 659-27-85 OGRN: 1217700445874 INN: 7707457348 KPP: 770701001 Legal address: 127051, Moscow, Tsvetnoy Boulevard, 25/1, Room 3/Office 18 1.3. In compliance with the requirements of part 2 of article 18.1 of the Personal Data Law, this Policy is published in freely accessible form on the Operator’s website at https://axis.moscow (hereinafter – the Site). 1.4. Key terms used in this Policy: personal data – any information relating directly or indirectly to an identified or identifiable individual (personal data subject); personal data operator (operator) – a state body, municipal body, legal entity or individual who independently or jointly with other persons organizes and/or carries out the processing of personal data, as well as determines the purposes of personal data processing, the composition of personal data to be processed, and actions (operations) performed with personal data; personal data subject – an individual who can be directly or indirectly identified using personal data; processing of personal data – any action (operation) or set of actions (operations) performed with personal data using automation tools or without them. Processing of personal data includes, among other things: collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (distribution, provision, access), anonymization, blocking, deletion, destruction; automated processing of personal data – processing of personal data using computing equipment; distribution of personal data – actions aimed at disclosing personal data to an indefinite circle of persons; provision of personal data – actions aimed at disclosing personal data to a specific person or a specific group of persons; blocking of personal data – temporary suspension of personal data processing (except where processing is required for clarification of personal data); destruction of personal data – actions as a result of which it becomes impossible to restore the content of personal data in the personal data information system and/or as a result of which the material carriers of personal data are destroyed; anonymization of personal data – actions as a result of which it becomes impossible, without using additional information, to determine the ownership of personal data to a specific personal data subject; personal data information system – a set of personal data contained in databases and the information technologies and technical means ensuring their processing. 1.5. Basic rights and obligations of the Operator. 1.5.1. The Operator shall: process personal data exclusively for the purposes specified in the Policy, in accordance with the procedure established by the current legislation of the Russian Federation, and take necessary and sufficient measures to ensure compliance with the obligations provided by the Personal Data Law and regulatory legal acts adopted in accordance therewith; not disclose personal data without the consent of the personal data subject (hereinafter – the User), unless otherwise provided by the current legislation of the Russian Federation; carry out personal data processing in compliance with the principles and rules provided by the Personal Data Law; organize the protection of personal data in accordance with the requirements of the legislation of the Russian Federation; consider User (or their legal representative) requests regarding personal data processing and provide reasoned responses; provide the User (or their legal representative) with the opportunity to access their personal data free of charge; take measures to clarify, block, destroy, or anonymize the User’s personal data in cases established by the Personal Data Law. 1.5.2. The Operator shall have the right to: independently determine the composition and list of measures necessary and sufficient to ensure compliance with the obligations provided by the Personal Data Law and regulatory legal acts adopted in accordance therewith, unless otherwise provided by the Personal Data Law or other federal laws; entrust the processing of personal data to another person with the User’s consent, unless otherwise provided by federal law, on the basis of a concluded agreement with that person, including a state or municipal contract, or by adopting an act by a state or municipal body; in case of withdrawal of the User’s consent to personal data processing, continue processing personal data without the User’s consent if there are grounds specified in the Personal Data Law; receive from the User reliable information and/or documents containing the User’s personal data for the purposes of processing specified in the Policy; require the User to promptly clarify the provided personal data. 1.6. Basic rights and obligations of the personal data subject. 1.6.1. The personal data subject shall: ensure the accuracy of the personal data provided to the Operator, necessary for the purposes of processing specified in the Policy; provide the Operator with information, if necessary, to clarify (update, modify) the provided personal data. 1.6.2. The personal data subject shall have the right to: receive full information regarding the processing of their personal data by the Operator, except in cases provided by the legislation of the Russian Federation; clarify, block, or destroy their personal data in cases where personal data is incomplete, outdated, inaccurate, illegally obtained, or unnecessary for the declared purpose of processing; provide the Operator with consent to personal data processing, signed in a separate document; withdraw consent to personal data processing; take legal measures to protect their rights. 1.7. The Operator and Users also have other rights and bear other obligations provided by the legislation of the Russian Federation. 1.8. The Operator shall maintain confidentiality and shall not disclose personal data to third parties without legal grounds. To protect data, the Operator uses, among other measures: antivirus software, data encryption, access restriction, keeping a personal data processing log, separate storage of personal data processed for different purposes, and other actions provided by the legislation of the Russian Federation. 1.9. Control over compliance with this Policy shall be carried out by the authorized person responsible for organizing personal data processing at the Operator. 1.10. Liability for violation of the requirements of the legislation of the Russian Federation and regulatory acts in the field of personal data processing and protection is determined in accordance with the legislation of the Russian Federation. 2. Purposes of Personal Data Processing 2.1. The processing of personal data is limited to achieving specific, predefined, and lawful purposes. Processing of personal data incompatible with the purposes for which the data was collected is not permitted. The personal data processed must not be excessive in relation to the declared purposes of processing. 2.2. The Operator processes personal data for the following purposes: conducting its activities in accordance with internal regulations, including concluding and performing contracts with counterparties, such as arranging and executing accommodation bookings; delegating processing powers to third parties in accordance with Part 3 of Article 6 of the Personal Data Law; informing about the website’s operation, monitoring, and improving service quality; establishing feedback with the User, including sending notifications and inquiries; proper provision of services, processing requests and applications from the User; providing effective client and technical support in case of issues; maintaining internal guest records; web analytics, statistical, and research activities; carrying out marketing and advertising activities, including informational mailings, for the purpose of establishing and further developing relationships (subject to prior consent of the personal data subject); conducting current business operations (including, but not limited to, negotiations, legal disputes, claim activities, conclusion of business, financial, and entrepreneurial agreements, sending offers, commercial proposals); establishing and regulating labor relations and other directly related relations, ensuring compliance with labor, tax, insurance, and pension legislation of the Russian Federation; complying with the legislation of the Russian Federation. 2.3. The Operator does not process special categories of personal data related to race, nationality, political views, religious or philosophical beliefs, intimate life, or criminal convictions. 3. Legal Grounds for Processing Personal Data The processing of personal data is based on: The Constitution of the Russian Federation; The Civil Code of the Russian Federation; Federal Law No. 152-FZ of 27.07.2006 “On Personal Data”; Federal Law No. 149-FZ of 27.07.2006 “On Information, Information Technologies, and Protection of Information”; Federal Law No. 294-FZ of 26.12.2008 “On Protecting the Rights of Legal Entities and Individual Entrepreneurs During State Control (Supervision) and Municipal Control”; Decree of the President of the Russian Federation No. 188 of 06.03.1997 “On Approving the List of Confidential Information”; Resolution of the Government of the Russian Federation No. 1119 of 01.11.2012 “On Approving Requirements for Personal Data Protection During Processing in Personal Data Information Systems”; Order of the FSTEC of Russia No. 21 of 18.02.2013 “On Approving the Composition and Content of Organizational and Technical Measures to Ensure Personal Data Security During Processing in Personal Data Information Systems”; consent of personal data subjects for processing, obtained separately from other consents of the subject regarding personal data processing (in accordance with Part 1 of Article 10.1 of the Personal Data Law); contracts concluded between the Operator and personal data subjects. 4. Scope and Categories of Personal Data, Data Subjects 4.1. Data subjects include: Current and former employees and job applicants; Self-employed individuals providing services; Representatives of contractors; Guests who used accommodation services; Clients with active or pending service agreements; Website visitors. 4.2. Personal data includes: Full name, date, and place of birth; Gender, citizenship, age; Registration and residence addresses; Phone number and email; Passport and identity document details; Birth certificate information; Data of accompanying persons; Visa and migration card information for foreign citizens; IP address, cookies, analytics trackers, browser/device information, and behavioral data. 4.3. The Operator ensures that the content and volume of processed personal data correspond to the purposes listed in Section 2 of this Policy. 5. Procedure and Conditions for Processing and Storing Personal Data 5.1. The Operator processes personal data in accordance with the requirements of the legislation of the Russian Federation using automation tools with data transmission over the Internet. 5.2. The list of actions performed by the Operator with the User’s personal data for the purposes set out in Section 2 of this Policy includes: collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, transfer (distribution, provision, access), anonymization, blocking, deletion, and destruction. 5.3. Personal data is processed by the Operator upon obtaining the User’s consent (hereinafter referred to as “Consent”) in accordance with Federal Law No. 152-FZ of 27.07.2006 “On Personal Data,” except in cases provided by the legislation of the Russian Federation where processing of personal data may be carried out without such Consent. 5.4. The User makes the decision to provide their personal data and gives Consent freely, of their own will, and in their own interest. 5.5. The duration of personal data processing is determined by the achievement of the purposes for which the personal data were collected, unless another term is provided by a contract with the User or applicable law. The condition for termination of personal data processing may be the achievement of the processing purposes or the loss of necessity to achieve these purposes, expiration of the Consent, withdrawal of Consent by the User, or detection of unlawful processing of personal data. 5.6. If the Operator entrusts the processing and storage of personal data to another party under a relevant contract/agreement, the Operator is responsible to the User for the actions of that party. If the Operator entrusts the processing and storage of personal data to a foreign legal entity, both the Operator and that entity are responsible to the User. 5.7. Consent may be withdrawn as follows: the personal data subject contacts the Operator by sending a message to the e-mail: team@axis.moscow, requesting the termination of personal data processing. Processing will cease within 10 business days from the date the Operator receives the request, except in cases provided by the Personal Data Law. This term may be extended, but not more than five business days. The Operator must send the personal data subject a reasoned notice explaining the reason for the extension. 5.8. The Operator distributes personal data permitted by the User for dissemination, i.e., performs actions aimed at disclosure to an indefinite circle of persons, in compliance with the requirements, prohibitions, and conditions set forth in Part 9 of Article 9 and Article 10.1 of Federal Law No. 152-FZ of 27.07.2006 “On Personal Data.” Disclosure to third parties and distribution of personal data without the User’s consent is not allowed unless otherwise provided by federal law. Consent to the processing of personal data permitted by the User for dissemination is obtained separately from other consents given by the User for the processing of their personal data, in accordance with the content requirements approved by Roskomnadzor. Transfer of personal data to third parties is carried out by the Operator only under a relevant contract with the third party, the essential condition of which is the obligation of the third party to ensure confidentiality and security of personal data during processing. Transfer is carried out only to the extent necessary to achieve the processing purposes and exclusively to persons with a confidentiality and personal data protection agreement with the Operator. 5.9. When processing personal data, the Operator takes or ensures the adoption of necessary legal, organizational, and technical measures to protect personal data from unlawful or accidental access, destruction, modification, blocking, copying, provision, distribution, and other unlawful actions. 5.10. Personal data is stored in a form allowing the identification of the User for a period not exceeding what is required to achieve the processing purposes, except in cases where the storage period is established by federal law, a contract in which the User is a beneficiary or guarantor, or another agreement. 5.11. The Operator, when processing personal data, complies with the requirements of Article 18 of Federal Law No. 152-FZ of 27.07.2006 “On Personal Data.” 5.12. The Operator ceases processing personal data in the following cases: unlawful processing is detected within the deadlines specified in Section 6 of this Policy; the purpose of processing has been achieved; the consent of the personal data subject for processing has expired or has been withdrawn, when processing is allowed only with consent under the Personal Data Law. 5.13. Collection of personal data, including via the Internet, recording, systematization, accumulation, storage, clarification (updating, modification), and retrieval of personal data of Russian citizens using databases located outside the Russian Federation is prohibited, except in cases provided by the Personal Data Law. 6. Updating, Correction, Deletion, Destruction, Anonymization of Personal Data, and Responses to Data Subject Requests for Access 6.1. In the event of unlawful processing of personal data detected following a request from the User (or their representative) or a request from an authorized body for the protection of data subjects’ rights, the Operator shall block the unlawfully processed personal data related to the relevant User or ensure its blocking from the moment of such a request or receipt of the specified User request for the duration of the verification. In the event of detecting inaccurate personal data following a request from the User or their representative, or by request of an authorized body for the protection of data subjects’ rights, the Operator shall block the personal data related to this User or ensure their blocking from the moment of such a request for the duration of the verification, provided that the blocking of personal data does not violate the rights and legitimate interests of the User or third parties. 6.2. If inaccuracies in personal data are confirmed, the Operator shall correct the personal data or ensure their correction based on information provided by the User (or their representative) or the authorized body, or other necessary documents, within seven business days from the date such information is provided. 6.3. If unlawful processing of personal data is detected, the Operator shall cease the unlawful processing or ensure its cessation within three business days from the date of detection; if lawful processing cannot be ensured, the Operator shall destroy or ensure the destruction of such personal data within ten business days from the date of detection. 6.4. Upon achieving the purpose of processing personal data, the Operator shall destroy or ensure the destruction of personal data within thirty days from the date the processing purpose is achieved, unless otherwise provided by a contract to which the User is a beneficiary or guarantor, another agreement between the Operator and the User, or if the Operator is not authorized to process personal data without the User’s consent under Federal Law No. 152-FZ of 27.07.2006 or other federal laws. 6.5. If the User withdraws their consent to the processing of their personal data, and if retaining the personal data is no longer necessary for processing purposes, the Operator shall destroy or ensure the destruction of such personal data within thirty days from the date of receipt of the withdrawal, unless otherwise provided by a contract to which the User is a beneficiary or guarantor, another agreement between the Operator and the User, or if the Operator is not authorized to process personal data without the User’s consent under Federal Law No. 152-FZ of 27.07.2006 or other federal laws. 6.6. Within seven business days from the date the User (or their representative) provides information confirming that such personal data was obtained unlawfully or is unnecessary for the stated processing purpose, the Operator shall destroy such personal data. 6.7. In the event the Operator, Roskomnadzor, or another interested party identifies unlawful or accidental transfer (provision, dissemination) of personal data (access to personal data) resulting in a violation of data subjects’ rights, the Operator shall: within 24 hours – notify Roskomnadzor about the incident, its presumed causes leading to the violation of data subjects’ rights, the anticipated harm to the rights of data subjects, measures taken to mitigate the consequences, and provide information about the person authorized by the Operator to interact with Roskomnadzor regarding the incident; within 72 hours – notify Roskomnadzor of the results of the internal investigation of the incident and provide information about the persons whose actions caused it (if applicable). 6.8. Methods of destruction of personal data shall be established in the Operator’s internal regulations. 6.9. Processed data shall be destroyed or anonymized (including, but not limited to, replacing part of the information listed in section 4 with an ID) upon achieving the processing purpose or if the need to achieve such purposes is lost. The procedure for anonymizing personal data shall be established in the Operator’s internal regulations. 6.10. Detailed actions related to the prevention and detection of violations in personal data processing shall be established in the Operator’s internal regulations. 7. Liability of the Parties 7.1. The Operator is liable for violating the requirements of Federal Law No. 152-FZ of 27.07.2006 “On Personal Data” in accordance with the legislation of the Russian Federation. 7.2. The User has the right to seek compensation in court for losses and/or moral damages. Moral damages caused to the User as a result of violation of their rights, breach of personal data processing rules, and requirements for the protection of personal data established in accordance with Federal Law No. 152-FZ, as well as the provisions of this Policy, are subject to compensation in accordance with the legislation of the Russian Federation. Compensation for moral damages is carried out independently of compensation for material damages and any losses incurred by the User. 8. Dispute Resolution 8.1. Disputes and disagreements between the User and the Operator are resolved in accordance with the laws of the Russian Federation. 8.2. This Policy and the relations between the User and the Operator are governed by Russian law. 9. Final Provisions 9.1. The Operator has the right to make changes to the Policy without the User’s consent. 9.2. The new version of the Policy takes effect upon posting on the Website unless otherwise specified. It applies to relations arising after its enactment. The current version is always available on the Operator’s website. Users are notified of changes by posting the new Policy version.