Personal Data Processing Policy

General Provisions
1.1. The Personal Data Processing Policy of the Individual Entrepreneur Kruglikova Svetlana Yuryevna, INN: 771474709585, address: Moscow, 26 Begovaya Street, acting on the basis of OGRNIP 323774600330870 dated May 24, 2023 (hereinafter referred to as the "Company" or "Operator"), defines the main goals, methods, conditions, and principles for processing personal data subjects and personal data processed, the Company's functions when processing personal data, the rights of personal data subjects, and the requirements for protecting personal data. One of the main conditions of the Company’s activity is ensuring an adequate level of security for information, including personal data.
1.2. This Personal Data Processing Policy has been developed in compliance with clause 2, part 1, Article 18.1 of the Federal Law "On Personal Data" No. 152-FZ dated July 27, 2006 (hereinafter referred to as the "Personal Data Law") to ensure the protection of the rights and freedoms of individuals in processing their personal data, including the right to privacy, personal and family secrets, and it complies with the Constitution of the Russian Federation, legislative and regulatory legal acts of the Russian Federation, including:
The Labor Code of the Russian Federation;
Federal Law No. 152-FZ "On Personal Data" dated July 27, 2006;
Decree of the President of the Russian Federation No. 188 "On the Approval of the List of Confidential Information" dated March 6, 1997;
Resolution of the Government of the Russian Federation No. 687 "On the Approval of the Regulation on the Peculiarities of Personal Data
Processing without Using Automation Tools" dated September 15, 2008;
Resolution of the Government of the Russian Federation No. 512 "On the Approval of the Requirements for Material Carriers of Biometric Personal Data and the Technologies for Storing Such Data Outside Personal Data Information Systems" dated July 6, 2008;
Resolution of the Government of the Russian Federation No. 1119 "On the Approval of the Requirements for Protecting Personal Data during Processing in Personal Data Information Systems" dated November 1, 2012;
Other regulatory legal acts of the Russian Federation and normative documents of authorized state bodies.
This Personal Data Processing Policy applies to all personal data processed by the Company. All personal data processed by the Company is confidential information protected by law. This Personal Data Processing Policy applies to the relations involving the processing of personal data that arose with the Company both before and after the approval of this Personal Data Processing Policy. This Personal Data Processing Policy is available on the Company’s website.
1.3. This Personal Data Processing Policy defines any action (operation) or set of actions (operations) related to the collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, transmission (distribution, provision, access), anonymization, blocking, deletion, destruction of personal data, and the requirements for protecting personal data.
1.4. Any local regulatory documents of the Company regarding the processing of personal data are developed based on this Personal Data Processing Policy.
1.5. Terms and definitions used in this Personal Data Processing Policy:
Personal Data — any information related directly or indirectly to a specific or identifiable individual (personal data subject).
Information — data regardless of its form.
Personal Data Operator (Operator) — a state body, municipal body, legal or natural person, independently or together with others, that organizes and/or processes personal data and determines the purpose of processing, the composition of personal data to be processed, and the actions (operations) performed with the data.
Personal Data Processing — any action (operation) or a set of actions (operations) involving personal data, performed with or without automation tools. Personal data processing includes, but is not limited to: collecting; recording; systematizing; accumulating; storing; clarifying (updating, modifying); retrieving; using; transmitting (distributing, providing, accessing); anonymizing; blocking; deleting; destroying.
Automated Personal Data Processing — processing personal data using computing technology.
Personal Data Provision — actions aimed at disclosing personal data to a specific person or group of people.
Personal Data Distribution — actions aimed at disclosing personal data to an undefined group of people.
Cross-border Transfer of Personal Data — the transfer of personal data to a foreign state, foreign authority, foreign individual, or foreign legal entity.
Personal Data Blocking — temporary suspension of personal data processing (except when processing is necessary for data clarification).
Personal Data Destruction — actions that result in the impossibility of restoring personal data in a personal data information system and/or that destroy physical media containing personal data.
Personal Data Anonymization — actions that result in the impossibility of identifying the personal data subject without additional information.
Personal Data Information System — a system of personal data contained in databases and processed using information technologies and technical means.

1.6. Personal Data processed by the Company:
1.6.1. In this Personal Data Processing Policy, personal data refers to information that a buyer, contractor, distributor, or any other person registering or purchasing goods or services on the Company’s website, esply.ru, provides independently during registration (creating an account) or without registration on the Website or while using the Website. Mandatory personal data requested by the Website must be provided during registration or use of the Website without registration. Other information is provided at the discretion of the buyer, contractor, distributor, or another person.
1.6.2. The Company does not verify the accuracy of personal data provided by the buyer, contractor, distributor, or other persons but assumes that the data provided is accurate and sufficient.
1.6.3. By providing personal data, the buyer, contractor, distributor, or any other person confirms that this information is provided voluntarily, knowingly, of their own free will, and in their own interest.
Principles, Purposes, and Conditions for Personal Data Processing
2.1. The Company, as a personal data operator, processes the personal data of individuals who are clients of the Company, the Company's partners, contractors, distributors, employees, job applicants, and other individuals involved in legal relations with the Company.
2.2. The processing of personal data by the Company takes into account the need to protect the rights and freedoms of personal data subjects, including the right to privacy, personal and family secrets, based on the following principles:
Personal data is processed by the Company on a lawful and fair basis;
Personal data processing is limited to achieving specific, pre-defined, and legitimate purposes;
The processing of personal data incompatible with the purposes of collection is not allowed;
The combining of databases containing personal data processed for incompatible purposes is not allowed;
Only personal data that meets the processing purposes is subject to processing;
The content and volume of processed personal data correspond to the declared processing purposes, and excessive personal data processing is not allowed in relation to these purposes;
The accuracy, sufficiency, and, in cases requiring it, relevance of personal data must be ensured in relation to the purposes of processing;
Personal data is stored in a form that allows the identification of the personal data subject for no longer than required by the purposes of personal data processing unless a different period is stipulated by federal law, contract, or other legal requirements;
Processed personal data is destroyed or anonymized upon achieving the processing purposes or when the need to achieve these purposes no longer exists, unless otherwise provided by federal law.
2.3. The Company processes personal data for the following purposes:
To ensure compliance with the Constitution of the Russian Federation, legislation, and other regulatory legal acts of the Russian Federation, as well as local regulations of the Company;
To carry out the functions, powers, and duties assigned to the Company by Russian law, including providing personal data to government authorities;
To prepare, conclude, execute, and terminate contracts with contractors;
To exercise the rights and legitimate interests of the Company within the scope of its activities, as specified in its Charter and other local regulations, or in the public interest;
To fulfill the obligations imposed on the Operator by Russian legislation, particularly in areas such as labor and taxation, which include: complying with laws and regulations, assisting employees in employment, training, and career development, ensuring personal safety, controlling the quantity and quality of work performed, ensuring the safety of employee and employer property, maintaining accounting and tax records, generating and submitting timely accounting, tax, and statistical reports, and complying with data protection laws concerning employees, clients, or contractors of the Company.
2.4. The list of personal data processed by the Company is determined following Russian legislation and the Company's internal regulations, considering the purposes specified in this Personal Data Processing Policy.
2.5. The Company does not process special categories of personal data concerning race, nationality, political views, religious or philosophical beliefs, or intimate life.
2.6. The Company ensures the processing of personal data by taking legal, organizational, and technical measures necessary to meet the requirements of Russian law and the Company's local regulations for personal data protection, including:
Appointing a person responsible for organizing the processing of personal data at the Company;
Informing employees directly involved in personal data processing of Russian legislation and the Company's local regulations on personal data protection, including protection requirements, and training these employees;
Publishing this Personal Data Processing Policy on the Website or otherwise providing unrestricted access to it;
Providing personal data subjects or their representatives with information on the existence of personal data relating to the subject and allowing them access to such data if requested, unless otherwise required by Russian law;
Terminating the processing and destroying personal data when required by Russian law;
Other actions as prescribed by Russian personal data legislation.
2.7. Personal data is processed by the Company with the consent of the personal data subject unless otherwise provided by Russian law.
2.8. The Company does not disclose or distribute personal data to third parties without the consent of the personal data subject unless otherwise required by Russian law.
2.9. The Company may use the personal data of personal data subjects for the following purposes:
2.9.1. Communicating with the personal data subject, including sending notifications, inquiries, and information related to the Website, services, and sales of goods, as well as processing inquiries and requests from the personal data subject;
2.9.2. Informing the personal data subject about the Company's activities, including products and services provided by the Company;
2.9.3. Conducting statistical and other research based on anonymized data;
2.9.4. Improving the quality of the Website, making it more user-friendly, and developing new projects.
2.10. Filling out the appropriate form on the Website signifies the personal data subject's unconditional consent to this Personal Data Processing Policy.
2.11. The Company stores the personal data of the buyer, contractor, distributor, or other personal data subjects while complying with Russian legislation and ensuring its proper protection. The Company takes necessary and sufficient organizational and technical measures to protect personal data from unauthorized or accidental access, destruction, modification, blocking, copying, and distribution, as well as from other unlawful actions by third parties.
2.12. Personal data is considered confidential, except when the personal data subject voluntarily provides information for general access by an unlimited number of people.
2.13. According to the Russian Federal Law "On Personal Data" No. 152-FZ of July 27, 2006, the Company processes personal data only in connection with the conclusion and performance of contracts to which the personal data subject is a party.

2.14. The Company has the right to entrust the processing of personal data to another party with the consent of the personal data subject based on a contract with that party. The contract must specify the actions (operations) with personal data that the party will perform, the purposes of processing, the obligation to maintain the confidentiality of personal data, and the responsibility to ensure the security of personal data during processing, following Article 19 of the Federal Law "On Personal Data."
2.15. Personal data processed by the Company includes: surname, first name, patronymic (including previous surnames, first names, and/or patronymics if they have changed), gender, date of birth, place of birth, taxpayer identification number (INN), personal insurance number (SNILS), home and mobile phone numbers, email address, citizenship information (including previous and other citizenships), passport data, residential address (registration and actual address), contact phone numbers, bank details, and other necessary personal data.
2.16. The personal data subject has the right to: demand clarification, blocking, or destruction of personal data if it is incomplete, outdated, inaccurate, obtained unlawfully, or not necessary for the declared purposes of processing; obtain information about the list of their personal data processed by the Operator and the source of its acquisition; receive information about the periods of personal data processing, including storage periods; file complaints with the authorized body or in court regarding unlawful actions or omissions in processing their personal data; and withdraw consent for personal data processing in cases provided by law.
2.17. To receive the necessary information, the personal data subject must submit a written request to the Company, signed personally, at the address: 26 Begovaya Street, Moscow, or contact the Customer Support Service by phone at +7(915)111-98-89, or via email at esply@mail.ru.
2.18. The Company provides the information specified in Part 7, Article 14 of the Personal Data Law to the personal data subject or their representative in the form requested in the inquiry, unless otherwise specified in the request. If the personal data subject's inquiry does not include all necessary information or if the personal data subject does not have the right to access the requested information, the Company will send a reasoned refusal.

Personal Data Processing
3.1. The Company collects, records, systematizes, accumulates, stores, clarifies (updates, modifies), retrieves, uses, transfers (distributes, provides, grants access), anonymizes, blocks, deletes, and destroys personal data.
3.2. Methods of personal data processing used by the Company:
Non-automated personal data processing;
Automated personal data processing, including with the transfer of information through telecommunication networks;
Mixed personal data processing.
3.2.1. Non-automated personal data processing is carried out in such a way that for each category of personal data, the storage location of personal data (physical carriers) is identifiable. The Company has a list of individuals responsible for processing personal data or having access to it. Separate storage of personal data processed for different purposes is ensured. The Company ensures the security of personal data and takes measures to prevent unauthorized access.
3.2.2. Automated personal data processing with the use of automation tools is carried out under the following conditions: The Company takes technical measures to prevent unauthorized access to personal data and its transmission to unauthorized persons; protective tools are set up to promptly detect instances of unauthorized access to personal data; technical means of automated personal data processing are isolated to prevent external influences; the Company performs regular data backups to allow for the immediate restoration of personal data in case of unauthorized access; continuous monitoring of personal data protection measures is carried out.
3.2.3. Personal data processing is carried out by employees who:
Have signed internal regulations governing the procedure for working with personal data;
Have signed confidentiality agreements regarding personal data when working with it;
Use individual access attributes for information systems containing personal data. Each employee is granted the minimum access rights necessary to perform their duties.
3.3. Personal data subjects have the right to:
Full information about their personal data processed by the Company;
Access their personal data, including the right to receive a copy of any record containing their personal data, except as provided by Russian law;
Request the correction of their personal data, its blocking, or its destruction if the personal data is incomplete, outdated, inaccurate, illegally obtained, or not necessary for the stated purposes of processing;
Withdraw consent to the processing of personal data;
Exercise other rights granted by Russian law.
3.4. Measures necessary and sufficient to ensure the Company's compliance with the operator's duties under Russian law on personal data include:
Appointing a person responsible for organizing personal data processing;
Adopting local regulations and other documents on personal data processing and protection;
Training employees of the Company whose duties involve personal data processing;
Obtaining personal data subjects' consent for data processing, unless otherwise provided by law;
Ensuring that personal data processed without automation tools is kept separate from other information, particularly by storing it on distinct material carriers in specific sections;
Preventing the transmission of personal data through open communication channels and computer networks without taking security measures established by the Company (except for publicly available or anonymized data);
Storing physical carriers containing personal data under conditions that ensure data security and prevent unauthorized access;
Conducting internal audits of compliance with Russian law on personal data processing;
Other measures as required by Russian law.
3.5. Personal data processing purposes for different categories of personal data subjects:
3.5.1. Personal data processing for representatives of legal entities and individual entrepreneurs, such as the Company's partners, contractors, and distributors, is carried out to facilitate logistics, payments, contract execution, debt notices, and sending legally significant messages, including marketing emails.
3.5.2. Personal data processing for individuals in civil law contracts is carried out to ensure compliance with civil, pension, tax, and other legal requirements, including monitoring the quality and quantity of services rendered, protecting the Company’s assets, and providing legal and tax reports.
3.5.3. Personal data processing for customers (individuals), including buyers of the Company’s products and Website visitors, is carried out for the following purposes:
Fulfilling the Company's obligations under contracts, including providing services, processing orders, selling and delivering goods;
Providing additional information about the Company, including product/service information via SMS, email, or phone calls;
Collecting feedback on products/services and analyzing the feedback;
Studying and analyzing the market through Website and app monitoring;
Organizing events, including promotional activities;
Analyzing preferences regarding the Company’s products/services through monitoring activity on the Website and apps;
Administering user accounts on the Website and apps;
Sending promotional and informational messages via email, SMS, or phone regarding the Company’s products, services, or activities.
3.6. When storing personal data, the following measures are taken to ensure data security and prevent unauthorized access: appointing an employee responsible for data processing, limiting physical access to data storage areas with locks, labeling and registering removable storage devices, and using certified information protection tools.
3.7. Personal data is stored in paper form in secure metal cabinets or safes, or other lockable locations. In electronic form, data is stored in databases and backed up regularly.
3.8. The Company does not process special categories of personal data related to race, ethnicity, political beliefs, religion, health, or intimate life, except in cases provided by law.
3.9. The Company records cookies on the user’s device to facilitate their experience on the Website and collects analytics to improve service quality. Cookies do not contain confidential information. By using the Website, the user consents to the collection and use of cookies for statistical and advertising purposes by third parties.
3.10. The Company may collect technical information during Website visits, including IP addresses, device types, operating systems, browser types, and user navigation paths on the Website and in mobile apps. This data is used for improving the Company’s Website and services.
3.11. The Company may record phone conversations with clients. The Company is obligated to prevent unauthorized access to the recorded information.
3.12. By providing personal data, the subject agrees to receive electronic receipts under the contracts with the Company.
3.13. Personal data is stored no longer than required for the purposes of processing and is destroyed when no longer needed.
3.14. Personal data processing is terminated in the following cases:
The data has been unlawfully processed;
The purpose of the data processing has been achieved;
The processing period has expired, or the subject has withdrawn consent, except when processing is legally permitted without consent.
3.15. Upon achieving the purposes of personal data processing or upon the withdrawal of consent, the Company ceases processing, unless otherwise provided by law.
3.16. The destruction of personal data must be secure, preventing any possibility of recovery. The process is documented and carried out by a designated commission.
3.17. Methods for destroying personal data are defined by the Company's internal regulations.
3.18. Any issues related to personal data processing not covered by this Policy are governed by Russian law.
3.19. The Company reserves the right to amend this Policy. The updated version will specify the date of the latest changes and will come into effect when published unless otherwise specified.
Consent to Personal Data Processing
Under Federal Law No. 152-FZ "On Personal Data" dated July 27, 2006, I confirm my consent to the processing of my personal data by Individual Entrepreneur Kruglikova Svetlana Yuryevna, INN 771474709585, acting on the basis of OGRNIP 323774600330870, registered at 26 Begovaya Street, Moscow.
I consent to the processing of the following personal data:

Full name, date of birth, delivery address(es), contact information (phone, email);
Order information, including order history and satisfaction levels;
Device type and browser information for Website and app access, including data collected through Yandex.Metrika, Google Analytics, etc.;
Geolocation;
Social media account information;
Skin and hair type;
Information about products purchased directly from the Company or its retail sellers;
Purchase location, including the specific retail store or chain;
Satisfaction information regarding products and services;
Activities on the Company’s Website and apps;
Feedback, including phone, email, and SMS reviews;
Data submitted for contests or promotional events organized by the Company.
The purpose of processing personal data includes:
Fulfilling obligations under contracts, including order processing, sales, and delivery of goods;
Providing additional information about the Company’s activities, products, and services via SMS, email, and phone;
Collecting feedback and analyzing customer satisfaction;
Market analysis through monitoring the Company's Website and apps;
Organizing events, including promotional activities;
Administering user accounts on the Website and apps;
Sending promotional and informational messages via email, SMS, or phone.
This consent includes the following actions: collection, recording, systematization, accumulation, storage, clarification (updating, modification), use, transfer (including distribution, provision to specific third parties or a group of third parties for the above purposes, access, and cross-border transfer), anonymization, blocking, deletion, and destruction.

I consent to the transfer of my personal data to the following legal entities:

Individual Entrepreneur Kruglikova Svetlana Yuryevna, for the purpose of processing and fulfilling orders, delivering goods, analyzing customer preferences related to the goods and services provided by Individual Entrepreneur Kruglikova Svetlana Yuryevna, conducting advertising and informational campaigns via email, SMS, or phone calls, as well as for obtaining feedback regarding products and services offered by Individual Entrepreneur Kruglikova Svetlana Yuryevna (including via SMS, email, phone calls), and analyzing the data received.
I agree.
I confirm that I am familiar with the requirements of Russian legislation regarding the processing of personal data, with the document "Personal Data Processing Policy of Individual Entrepreneur Kruglikova Svetlana Yuryevna," as well as with my rights and obligations in this area.
This consent is valid for a period of 5 (five) years. The consent period is automatically extended for the same duration if, during the period of this consent, the personal data subject visits the Website at least once using their account. The number of extensions is not limited.

I may withdraw this consent at any time by submitting a written request in accordance with the requirements of current Russian legislation, addressed to the location of Individual Entrepreneur Kruglikova Svetlana Yuryevna.