Personal Data Processing Policy of the Zapnoty Service

This English translation is provided for informational purposes only. In case of any discrepancy or conflict between this English version and the Russian version published at zapnoty.ru/privacy, the Russian version shall prevail.

1.1. Operator: Individual Entrepreneur Antonov Aleksandr Viktorovich, INN 262517638904, OGRNIP 312265133100116. Full details are provided in Section 13 of this Policy.

1.2. Contact email address for inquiries related to personal data processing: privacy@zapnoty.ru.

1.3. The Policy applies to any processing of personal data carried out by the Operator within the operation of the Service, including the processing of data received from the websites zapnoty.ru, zapnoty.com, app.zapnoty.ru, app.zapnoty.com and related subdomains, via the Service's API, via the Telegram and Max messenger bots, and via forms integrated with the Service.

1.4. Use of the Service signifies the user's consent to this Policy and to the conditions for processing their personal data set out in it. In the event of disagreement with the Policy's terms, the user must discontinue use of the Service.

2.1. Personal Data (PD) — any information relating to a directly or indirectly identified or identifiable individual (personal data subject).

2.2. Processing of personal data — any action (operation) or set of actions with personal data performed with or without the use of automation: collection, recording, systematization, accumulation, storage, clarification, retrieval, use, transfer, anonymization, blocking, deletion, destruction.

2.3. Operator — a person who, independently or jointly with others, organizes and/or carries out the processing of personal data and determines the purposes of processing.

2.4. Processor (person carrying out processing on behalf of the operator) — a person processing personal data on behalf of the Operator.

2.5. Personal data subject — an individual to whom personal data relate. In the context of the Service, two categories of subjects are distinguished: Developer and Developer's End User (see Section 3).

2.6. Developer — an individual, individual entrepreneur, or representative of a legal entity registered in the Service as a Customer and using the Service's API and Dashboard.

2.7. Developer's End User — an individual interacting with the Developer through the Service: receiving notifications and confirmation codes from the Developer, filling out the Developer's forms, etc.

3.1. With respect to Developers, the Operator acts as the operator of personal data within the meaning of Federal Law 152-FZ. The Operator independently determines the purposes and means of processing the Developer's personal data necessary for the provision of the Service.

3.2. With respect to Developers' End Users, the Operator acts as a person carrying out processing of personal data on behalf of the Developer (processor within the meaning of Part 3 of Article 6 of Federal Law 152-FZ). In this case, the operator of End Users' personal data is the Developer itself; the Developer determines the purposes of collection and processing of such data, is obliged to obtain End Users' consent to processing, and to have its own document governing the processing of such data.

3.3. The terms of the Developer's instruction to the Operator regarding the processing of End Users' data are determined by the Public Offer for Provision of Zapnoty Services and this Policy. The instruction is for consideration within the payment for services under the Plan.

3.4. Regarding third parties (Acquirer, OAuth providers, infrastructure provider, messenger operators) — see Section 6.

4.1. From the Developer, the Operator processes the following categories of personal data:

4.1.1. identification and contact data: name (surname and/or nickname, if any), email address, OAuth provider identifier (Yandex user ID, VKontakte user ID);

4.1.2. technical data: IP address, browser user-agent, time of the last login to the Dashboard, interface locale;

4.1.3. identifiers of linked messenger accounts: internal Telegram and Max identifiers, username, display name;

4.1.4. email address for receiving fiscal receipts (if different from the primary one);

4.1.5. masked payment data (last four digits of the card number, expiry date, payment system — all data are obtained from the Acquirer); the Operator does not receive or store the card number itself;

4.1.6. API and Dashboard usage statistics, action logs (audit logs), billing operations log.

4.1.7. analytic identifiers and information about page views on the Operator's website processed by the Yandex Metrica service: anonymized visitor identifier, anonymized (with the last octets zeroed) IP address, user-agent, referral source, sequence of viewed pages. The data are used solely for aggregated analytics and do not allow individual identification of a specific subject.

4.2. From the Developer's End User, the Operator, as a processor on behalf of the Developer, processes:

4.2.1. End User identifiers in messengers (Telegram chat_id, Max user identifier), locale, username, and display name — to the extent transmitted by the messenger operator;

4.2.2. the content of messages and submissions sent by the End User to the Developer through the Service (support dialogues, form responses, etc.);

4.2.3. the payload of form submissions placed by the Developer on its own websites: the composition of fields and their content are entirely determined by the Developer; the Operator does not control which data the Developer collects from its End Users.

4.3. Special categories of personal data (information about health, racial or ethnic origin, political, religious or philosophical beliefs, sex life) and biometric personal data are not deliberately collected or processed by the Operator. The Developer undertakes not to send such data to the Service without separate written agreement with the Operator.

5.1. Summary table of purposes and legal bases of processing:

5.2. Processing of personal data not specified in the table is carried out only on the basis of one of the legal grounds provided for by Article 6 of 152-FZ.

6.1. The Operator transfers personal data to third parties exclusively to the extent and for the purposes listed below.

6.2. Acquirer — Joint-Stock Company TBank (INN 7710140679):

6.2.1. for the purposes of accepting payment and generating fiscal receipts (54-FZ), the Operator transfers to the Acquirer: the Customer's email address for sending the receipt, the name of the goods/service, the payment amount, the order identifier on the Operator's side. The Customer enters the bank card details directly on the Acquirer's side; the Operator does not receive or store them;

6.2.2. from the Acquirer, the Operator receives: masked payment data (last four digits of the card, expiry date, payment system), operation status, identifier of the stored card for subsequent recurring charges.

6.3. OAuth providers — Yandex LLC and VKontakte LLC: when the Developer chooses to authorize via OAuth, the Developer is authenticated on the side of the relevant provider and grants the provider consent to transfer to the Operator part of the profile data (name, email address, user identifier). The Operator does not transfer data to OAuth providers; only data explicitly authorized by the Developer at the time of authorization is received from the providers.

6.4. Infrastructure provider (hoster): the Operator hosts the Service on virtual private servers (VDS) of an infrastructure provider located within the territory of the Russian Federation. The provider acts as a person carrying out processing on behalf of the Operator with respect to the provision of computing infrastructure and has no independent access to the substantive content of personal data.

6.5. Messenger operators — Telegram (Telegram FZ-LLC) and Max (Communication Platform LLC): when a message is sent to an End User via the relevant bot provider, the Operator transfers to the messenger operator: the chat/user identifier in that messenger, the text of the message, attached media, and buttons. The transfer is made to the extent necessary for delivery of the message. The End User who has linked a messenger account to the Service agrees that the relevant messenger operator processes the specified data in accordance with its own privacy policy.

6.6. Analytics — Yandex LLC (Yandex Metrica service): the Operator's website uses the Yandex Metrica web analytics service. Yandex LLC acts as a processor on behalf of the Operator and processes anonymized data about visits (see clause 4.1.7) on servers located within the territory of the Russian Federation in accordance with Yandex's privacy policy. The service processes data in anonymized form (including with the last octets of the IP address zeroed) and does not allow identification of a specific subject; the corresponding cookies are set automatically when accessing the website. Use of the website by a user constitutes consent to such processing. The user may opt out by disabling cookies in browser settings or leaving the website. Details — in the Cookies Notice at /cookies.

6.7. State authorities: the Operator transfers personal data upon reasoned requests of authorized state authorities to the extent and in the manner established by the legislation of the Russian Federation.

6.8. Other transfer of personal data to third parties without the subject's consent or another legal basis is not carried out.

7.1. Summary table of retention periods:

7.2. Upon reaching the established retention period, the relevant personal data are subject to destruction or anonymization, except where law provides for a different retention period.

7.3. Inactive Developer accounts on the Free plan are deleted automatically in accordance with the rules set out in Section 13 of the Public Offer.

8.1. The Operator does not carry out cross-border transfer of personal data. All servers and infrastructure of the Service are located within the territory of the Russian Federation.

8.2. The version of the Service available at the .com domains is technically hosted on the same servers within the Russian Federation; for users of any jurisdiction, data are stored and processed within the territory of the Russian Federation.

8.3. The Operator has not filed a notice with Roskomnadzor of intent to carry out cross-border transfer. In the event of a change in the Service's architecture, the Operator will separately notify subjects and file the necessary notices with the authorized body.

9.1. The personal data subject, in accordance with Articles 14, 20, and 21 of 152-FZ, has the right to:

9.1.1. receive information about the existence and composition of the personal data being processed, the source of obtaining them, the purposes, methods, and periods of processing;

9.1.2. demand clarification, blocking, or destruction of their personal data in cases where they are incomplete, outdated, inaccurate, unlawfully obtained, or not necessary for the stated purpose of processing;

9.1.3. withdraw consent to the processing of personal data (in cases where processing is carried out on the basis of consent);

9.1.4. appeal the actions (inaction) of the Operator to Roskomnadzor and in court.

9.2. For the Developer (as a subject with respect to whom the Operator acts as operator), rights are exercised as follows:

9.2.1. the relevant request is sent to privacy@zapnoty.ru from the email address specified in the Developer's Dashboard; the request states the substance of the demand and information allowing identification of the subject;

9.2.2. the Operator reviews the request and sends a reasoned response within no more than 30 (thirty) calendar days from receipt, unless a shorter period is established by law;

9.2.3. part of the rights (changing profile data, deleting the account, opting out of marketing communications, unlinking a messenger) the Developer may exercise independently in the Dashboard.

9.3. For the Developer's End User (as a subject with respect to whom the Operator acts as a processor on behalf of the Developer), the channel for exercising rights is as follows:

9.3.1. Discontinuing receipt of notifications (unsubscribing from a specific Developer's broadcasts). The End User sends in the Telegram bot or Max bot through which they receive notifications the /unsubscribe command (or alternatively /start → "My subscriptions") — in the displayed list, selects the relevant project and presses the "Unsubscribe" button. The commands operate identically in both bots supported by the Operator. Upon confirmation, the sending of notifications from that Developer to the End User stops, and the End User's identifier is removed from the subscription list of the relevant project.

9.3.2. Request to the Developer itself regarding processing and deletion of personal data. Since the operator of End Users' data is the Developer, the End User sends requests for access, clarification, blocking, or deletion of data directly to the Developer to which they are subscribed. The Operator assists the Developer in fulfilling such requests in the technical part.

9.3.3. Request directly to the Operator. The End User may contact the Operator directly at privacy@zapnoty.ru. In this case, the Operator will forward the request to the relevant Developer or, if the Developer is unavailable, will itself delete the End User's identifiers from its systems to the extent that such deletion is technically possible.

10.1. The Operator takes the necessary legal, organizational, and technical measures to protect personal data from unlawful or accidental access, destruction, modification, blocking, copying, distribution, and other unlawful actions with respect to personal data.

10.2. The measures applied include, in particular:

10.2.1. transfer of data over secure channels using the TLS protocol;

10.2.2. encryption of secrets (API keys, webhook secrets, tokens) in storage;

10.2.3. differentiation of access rights of the Operator's employees and contractors to personal data on the principle of the minimum necessary scope;

10.2.4. maintenance of audit logs of significant actions of users and administrators;

10.2.5. application of mechanisms for protection against automated abuse (rate limiting, blocklists of disposable email services).

10.3. Detailed information about technical protection measures is not disclosed to avoid reducing their effectiveness.

11.1. The Service uses cookies and local storage technologies (localStorage) necessary for the operation of the Service and for storing user settings.

11.2. The composition, classification, and procedure for managing cookies are described in a separate document — the Cookies Notice (see /cookies).

12.1. The Operator may make changes to this Policy.

12.2. A new version of the Policy is published on the /privacy page of the Service stating the effective date. A separate notice to the Developer of specific changes is not sent; the Developer monitors the current version of the Policy independently.

12.3. The current version of the Policy is the version published at /privacy at the time of access. If an archived version is required, the Developer may request it at privacy@zapnoty.ru.

Individual Entrepreneur Антонов Александр Викторович
INN: 262517638904
OGRNIP: 312265133100116

Contacts for personal data inquiries:
— email of the person responsible for PD processing: privacy@zapnoty.ru
— general support: support@zapnoty.ru
— legally significant correspondence: legal@zapnoty.ru