Axis.Moscow Island

Policy of LLC “Kirke” on the Processing of Personal Data 1. General Provisions 1.1. This Policy of LLC “Kirke” on the Processing of Personal Data (hereinafter – the “Policy”) is developed in accordance with the requirements of clause 2 of part 1 of Article 18.1 of the Federal Law of 27.07.2006 No. 152-FZ “On Personal Data” (hereinafter – the “Personal Data Law”) to ensure the protection of the rights and freedoms of individuals when processing their personal data, including the protection of privacy, personal and family secrets. 1.2. The operator of personal data processing is: LLC “Kirke” (hereinafter – the “Operator”) Email: axisaparts@gmail.com Phone: +7 (929) 659-27-85 OGRN: 1247700820003 TIN: 9705236428 KPP: 770501001 Legal address: 115035, Moscow, ul. Sadovnicheskaya, 67, building 2, room 1 1.3. In accordance with the requirements of part 2 of Article 18.1 of the Personal Data Law, this Policy is publicly available on the Operator’s website at https://axis.moscow (hereinafter – the “Website”). 1.4. Key terms used in the Policy: Personal data – any information relating directly or indirectly to an identified or identifiable individual (data subject); Operator of personal data (operator) – a government body, municipal body, legal entity, or individual that independently or jointly organizes and/or processes personal data and determines the purposes, composition, and actions performed with personal data; Data subject – an individual who can be directly or indirectly identified using personal data; Processing of personal data – any action or set of actions performed with personal data, using automation or otherwise, including collection, recording, systematization, accumulation, storage, updating (clarification, modification), retrieval, use, transfer (distribution, provision, access), anonymization, blocking, deletion, destruction; Automated processing of personal data – processing using computing equipment; Distribution of personal data – actions aimed at disclosing personal data to an indefinite range of persons; Provision of personal data – actions aimed at disclosing personal data to a specific person or a specific group of persons; Blocking of personal data – temporary cessation of personal data processing (except when processing is necessary for data clarification); Destruction of personal data – actions that make it impossible to restore personal data content in the information system and/or destroy its physical media; Anonymization of personal data – actions that make it impossible to identify the data subject without additional information; Information system of personal data – a set of databases containing personal data and the IT and technical means for its processing. 1.5. Main rights and obligations of the Operator: 1.5.1. Obligations of the Operator: Process personal data solely for purposes specified in this Policy and in accordance with Russian law; take necessary measures to fulfill obligations under the Personal Data Law; Not disclose personal data without the consent of the data subject (hereinafter – the “User”), unless otherwise required by law; Process personal data in compliance with principles and rules established by the Personal Data Law; Organize protection of personal data in accordance with Russian law; Consider User inquiries regarding personal data processing and provide reasoned responses; Provide Users with free access to their personal data; Take measures to clarify, block, destroy, or anonymize Users’ personal data where required by law. 1.5.2. Rights of the Operator: Independently determine the scope and set of measures necessary for compliance with legal obligations, unless otherwise provided by law; Delegate personal data processing to a third party with User consent, unless federal law provides otherwise, based on a contract, including a state or municipal contract; Continue processing personal data without User consent if there are legal grounds for this; Obtain accurate information and/or documents containing the User’s personal data for the purposes specified in this Policy; Request timely updates of personal data from the User. 1.6. Main rights and obligations of the data subject: 1.6.1. Obligations of the data subject: Ensure accuracy of personal data provided to the Operator; Provide information necessary for updating or correcting personal data. 1.6.2. Rights of the data subject: Receive full information regarding the processing of their personal data by the Operator, except as provided by law; Request correction, blocking, or destruction of personal data if it is incomplete, outdated, inaccurate, unlawfully obtained, or unnecessary for the declared purpose; Provide consent for personal data processing in a separate document; Withdraw consent for personal data processing; Exercise other legally established rights to protect their personal data. 1.7. The Operator and Users also have other rights and obligations as established by Russian law. 1.8. The Operator must maintain confidentiality and not disclose personal data to third parties without legal grounds. Security measures include antivirus software, data encryption, access restrictions, logging, separate storage of data processed for different purposes, and other actions required by law. 1.9. Compliance with this Policy is controlled by the authorized person responsible for organizing personal data processing at the Operator. 1.10. Liability for violating Russian legislation on personal data processing and protection is determined in accordance with Russian law. 2. Purposes of Personal Data Processing 2.1. Processing of personal data is limited to achieving specific, predetermined, and lawful purposes. Data processing incompatible with collection purposes is prohibited. Processed data must not be excessive relative to the declared purposes. 2.2. The Operator processes personal data for the following purposes: Conducting its activities in accordance with internal regulations, including concluding and executing contracts with counterparties for accommodation booking; Delegating personal data processing to third parties in accordance with part 3 of Article 6 of the Personal Data Law; Informing about the Website, monitoring, and improving service quality; Establishing feedback with Users, including sending notifications and requests; Proper provision of services, processing User requests and applications; Providing effective customer and technical support; Maintaining internal guest records; Web analytics, statistical, and research activities; Conducting marketing and advertising actions, including newsletters, to establish and further develop relations (with prior consent of the data subject); Carrying out current business activities (including, but not limited to, negotiations, litigation, claims management, conclusion of business, financial and entrepreneurial contracts, sending offers and commercial proposals); Concluding and regulating employment relationships and related matters, ensuring compliance with labor, tax, insurance, and pension legislation; Fulfilling requirements of Russian legislation. 2.3. The Operator does not process special categories of personal data related to race, ethnicity, political views, religious or philosophical beliefs, intimate life, or criminal convictions. 3. Legal Grounds for Personal Data Processing Constitution of the Russian Federation; Civil Code of the Russian Federation; Federal Law No. 152-FZ of 27.07.2006 “On Personal Data”; Federal Law No. 149-FZ of 27.07.2006 “On Information, Information Technologies, and Protection of Information”; Federal Law No. 294-FZ of 26.12.2008 “On Protection of the Rights of Legal Entities and Individual Entrepreneurs in the Implementation of State (Municipal) Control (Supervision)”; Presidential Decree No. 188 of 06.03.1997 “On Approval of the List of Confidential Information”; Government Resolution No. 1119 of 01.11.2012 “On Approval of Requirements for Personal Data Protection in Information Systems of Personal Data”; FSTEC Russia Order No. 21 of 18.02.2013 “On Approval of the Composition and Content of Organizational and Technical Measures to Ensure the Security of Personal Data in Information Systems of Personal Data”; Consent of data subjects for personal data processing, executed separately from other consents of the data subject (in accordance with part 1 of Article 10.1 of the Personal Data Law); Agreements concluded between the Operator and data subjects. 4. Scope and Categories of Personal Data, Categories of Data Subjects 4.1. Categories of data subjects: Employees of the Operator who have concluded an employment contract with the Operator, including former employees and applicants; Self-employed individuals (NPD payers) providing services or performing work for the Operator; representatives of counterparties – individuals who are employees, authorized representatives, or contact persons of organizations and individual entrepreneurs providing services or having contracts with the Operator; Guests – individuals who have actually used the accommodation and related services of the Operator; Clients – individuals who have concluded or intend to conclude a service agreement with the Operator, including those who have submitted requests or made bookings but have not yet used the service; website visitors (users); Individuals browsing the pages of https://axis.moscow on a computer and/or mobile device. 4.2. Personal data processed by the Operator includes: Full name; Date and place of birth; Gender, citizenship, age; Registration and actual residence addresses; Mobile phone number; Email address; Passport data: series, number, issuing authority, date of issue; Birth certificate data; Other or similar identity document information; Information about accompanying persons; For foreign citizens: visa and migration card data; contact phone numbers, email addresses, purpose of visit; Data automatically transmitted to website services (through forms) when using them with software installed on the User’s device, namely: IP address, cookie data, analytics trackers, browser information (or other software used to access the services), behavioral data. 4.3. The Operator ensures that the content and scope of processed personal data correspond to the purposes of processing specified in Section 2 of this Policy. 5. Procedure and Conditions for Processing and Storing Personal Data 5.1. Personal data processing is carried out by the Operator in accordance with the requirements of the legislation of the Russian Federation using automated means and transmission over the Internet. 5.2. Actions performed by the Operator with personal data for the purposes specified in Section 2 of the Policy include: collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (distribution, provision, access), anonymization, blocking, deletion, destruction. 5.3. Personal data processing is carried out by the Operator on the condition of obtaining the User’s consent (hereinafter – “Consent”) obtained in accordance with the requirements of Federal Law No. 152-FZ “On Personal Data,” except in cases provided by the legislation of the Russian Federation when personal data processing may be carried out without such Consent. 5.4. The User makes the decision to provide their personal data and gives Consent freely, voluntarily, and in their own interest. 5.5. The duration of personal data processing is determined by achieving the purposes for which the personal data were collected unless another period is provided by a contract with the User or applicable law. Processing may cease upon achievement of the processing purposes, loss of necessity, expiration of Consent, withdrawal of Consent by the User, or detection of unlawful processing. 5.6. If the Operator has delegated personal data processing and storage to another person under the relevant contract/agreement, the Operator is responsible to the User for the actions of that person. If the Operator has delegated processing and storage to a foreign legal entity, both the Operator and such entity are responsible to the User. 5.7. Consent may be withdrawn as follows: by contacting the Operator via email: axisaparts@gmail.com, with a request to cease personal data processing. The processing will cease within 10 business days from the date of receipt by the Operator of the corresponding request, except in cases provided by the Personal Data Law. This period may be extended by no more than five business days, in which case the Operator must send the data subject a motivated notification specifying the reasons for the extension. 5.8. The Operator distributes personal data authorized by the User for distribution, i.e., performs actions aimed at disclosing such data to an indefinite circle of persons, in compliance with the requirements, prohibitions, and conditions established by part 9 of Article 9 and Article 10.1 of Federal Law No. 152-FZ. Disclosure or distribution to third parties without User consent is not allowed unless provided by federal law. Consent for the processing of personal data authorized by the User for distribution is executed separately from other consents of the User for processing their personal data, in accordance with Roskomnadzor requirements. Transfer of personal data to third parties is carried out by the Operator only under a corresponding contract with a third party, the essential condition of which is the obligation of the third party to ensure confidentiality and security of personal data during processing. Transfer of personal data to third parties is carried out only to the extent necessary to achieve the purposes of processing and only to persons who have a contract with the Operator regarding confidentiality and personal data protection. 5.9. The Operator takes or ensures the adoption of necessary legal, organizational, and technical measures to protect personal data from unauthorized or accidental access, destruction, alteration, blocking, copying, provision, distribution, and other unlawful actions regarding personal data. 5.10. Personal data is stored in a form allowing identification of the User for no longer than necessary to achieve the purposes of processing, except in cases where the retention period is established by federal law, a contract, or the User is a beneficiary or guarantor under such contract. 5.11. During personal data processing, the Operator complies with Article 18 of Federal Law No. 152-FZ “On Personal Data.” 5.12. The Operator ceases personal data processing in the following cases: Detection of unlawful processing within the timelines specified in Section 6 of the Policy; Achievement of the purposes of processing; Expiration or withdrawal of the data subject’s consent to processing, where according to the Personal Data Law processing is allowed only with consent. 5.13. Collection, recording, systematization, accumulation, storage, clarification (updating, modification), and extraction of personal data of Russian citizens using databases located outside the Russian Federation are not allowed, except as specified by the Personal Data Law. 6. Updating, Correction, Deletion, Destruction, Anonymization of Personal Data; Responses to Data Subject Requests for Access 6.1. In case of detection of unlawful personal data processing upon request of the User (or their representative) or authorized body for protection of personal data subjects’ rights, the Operator shall block unlawfully processed personal data related to the respective User or ensure their blocking from the moment of such request for the period of verification. If inaccurate personal data are detected upon request of the User (or their representative) or authorized body, the Operator shall block the relevant personal data or ensure their blocking from the moment of such request for the period of verification, provided that blocking does not infringe on the rights and legitimate interests of the User or third parties. 6.2. Upon confirmation of inaccurate personal data, the Operator shall, based on information provided by the User (or their representative) or the authorized body for the protection of personal data subjects’ rights, or other necessary documents, update the personal data or ensure its updating within seven business days from the date of submission of such information. 6.3. In case of detection of unlawful processing of personal data, the Operator shall, within three business days from the date of detection, stop unlawful processing or ensure its cessation, and if lawful processing cannot be ensured, destroy such personal data or ensure their destruction within ten business days from the date of detection. 6.4. Upon achievement of the purposes of personal data processing, the Operator shall destroy personal data or ensure their destruction within thirty days from the date of achieving the processing purposes, unless otherwise stipulated by a contract with the User or another agreement between the Operator and the User, or if the Operator is not entitled to process personal data without the User’s consent based on Federal Law No. 152-FZ or other federal laws. 6.5. In case of withdrawal of consent by the User to personal data processing, and if retention of personal data is no longer required for the purposes of processing, the Operator shall destroy personal data or ensure their destruction within thirty days from receipt of the withdrawal, unless otherwise stipulated by a contract or agreement, or if the Operator is not entitled to process personal data without consent under Federal Law No. 152-FZ or other federal laws. 6.6. Within seven business days from the date the User (or their representative) provides information confirming that such personal data were obtained unlawfully or are unnecessary for the stated processing purpose, the Operator shall destroy such personal data. 6.7. Upon detection by the Operator, Roskomnadzor, or another interested party of unlawful or accidental transfer (provision, distribution) of personal data resulting in a violation of data subject rights, the Operator shall: within 24 hours – notify Roskomnadzor of the incident, its presumed causes, the alleged harm to data subject rights, and measures taken to mitigate consequences, and provide information about the person authorized by the Operator to interact with Roskomnadzor regarding the incident; within 72 hours – notify Roskomnadzor of the results of the internal investigation of the incident and provide information about persons whose actions caused the incident (if applicable). 6.8. Methods of personal data destruction are established in the Operator’s internal regulations. 6.9. Processed data shall be destroyed or anonymized (including, but not limited to, replacing parts of the information specified in Section 4 with an ID) upon achievement of the processing purposes or if the need to achieve such purposes is lost. The procedure for anonymization is defined in the Operator’s internal regulations. 6.10. Detailed actions to prevent and detect violations in personal data processing are established in the Operator’s internal regulations. 7. Responsibility of the Parties 7.1. The Operator is responsible for violation of the requirements of Federal Law No. 152-FZ “On Personal Data” in accordance with the legislation of the Russian Federation. 7.2. The User has the right to claim compensation for losses and/or moral damage in court. Moral harm caused to the User as a result of violation of their rights, improper data processing, or failure to comply with personal data protection requirements under Federal Law No. 152-FZ and this Policy shall be compensated in accordance with Russian legislation. Compensation for moral damage is independent of compensation for property damage or other losses incurred by the User. 8. Dispute Resolution 8.1. Disputes and/or disagreements arising between the User and the Operator shall be resolved in accordance with the current legislation of the Russian Federation. 8.2. This Policy and relations between the User and the Operator are governed by the current legislation of the Russian Federation. 9. Final Provisions 9.1. The Operator has the right to make changes to the Policy without the User’s consent. 9.2. The new version of the Policy comes into effect from the moment it is published on the Website, unless otherwise provided. The new version applies to relations arising after its entry into force. The current version of the Policy is always available on the Operator’s Website. When changes are made, the Operator notifies users by publishing the new version of the Policy on the Website.