Personal Data Processing and Privacy Policy

Version effective from [EFFECTIVE_DATE]

Working draft — requires legal review

This is a working draft under Russian Federal Law No. 152-FZ “On Personal Data”. Operator details and the actual list of processors ([...]) must be filled in before publication. Prior to publication, the document must be verified by a qualified lawyer and aligned with the person responsible for personal-data processing within the Operator’s organisation.

This Policy describes what personal data the Operator of the Syucai Platform ([OPERATOR_NAME]) collects from users, on what legal grounds and for what purposes it processes, to whom it discloses, and how it protects such data. The Policy has been developed in accordance with Federal Law No. 152-FZ of 27 July 2006 “On Personal Data” and is adopted to comply with Article 18.1 of that law.

1. Operator information

Operator: [OPERATOR_NAME].

PSRN/PSRNSP: [OPERATOR_OGRN]. TIN: [OPERATOR_INN].

Registered address: [OPERATOR_ADDRESS].

Personal-data contact: [PRIVACY_EMAIL].

The person responsible for organising personal-data processing is appointed by the Operator’s order and disclosed upon request to the address above.

2. Data subjects and processed data

2.1. Categories of data subjects: visitors to [DOMAIN], registered clients, verified masters, representatives of partner legal entities, persons contacting support.

2.2. Categories of personal data: surname, name; contact phone; email; date of birth (for methodology calculations); time zone; payment identifiers (no full card numbers — only tokens from payment providers); IP address and device identifiers; history of bookings, messages, and calls on the Platform; subscription and financial transaction data of masters.

2.3. The Operator does not collect biometric or special categories of personal data.

2.4. The Operator does not receive or store full payment card numbers — payments are processed on the side of PCI DSS-certified payment providers (CloudPayments, YooKassa).

3. Processing purposes

3.1. User registration and authentication, master verification, access recovery.

3.2. Performance of the offer agreement: master matching, booking and conducting Consultations, calculating and transferring fees.

3.3. Operating the payment perimeter: processing payments and refunds, reporting to payment providers and tax authorities.

3.4. User communication: notifications by email, push, SMS, messengers about booking status, Account changes, and service operations.

3.5. Security and audit: fraud prevention, incident investigation, access journaling.

3.6. Service analytics and improvement in anonymised form.

3.7. Marketing communications — only with a separate User consent and with an unsubscribe option in every email.

4. Legal grounds for processing

4.1. The data subject’s consent (Article 6(1)(1) of 152-FZ) obtained through the Platform interface at registration and at separate actions (e.g., marketing consent).

4.2. Performance of a contract to which the data subject is a party (Article 6(1)(5) of 152-FZ) — this public offer.

4.3. Compliance with the Operator’s obligations under Russian legislation (tax, accounting, anti-money-laundering legislation, Roskomnadzor requirements).

4.4. Protection of the Operator’s and third parties’ rights and legitimate interests (Article 6(1)(7) of 152-FZ) — for audit, fraud prevention, and dispute resolution.

5. Methods and terms of processing, localisation

5.1. Personal data is processed both with and without the use of automation. Recording, systematisation, accumulation, storage, refinement, retrieval, use, transfer, depersonalisation, blocking, deletion, and destruction take place pursuant to this Policy.

5.2. Storage of personal data of Russian citizens uses databases located in the Russian Federation (Article 18(5) of 152-FZ). The actual list of server sites and processors is — [HOSTING_DETAILS].

5.3. Processing periods correspond to the processing purposes. Upon achievement of the purposes or withdrawal of consent, the data is deleted or anonymised within 30 business days, unless otherwise required by Russian law (e.g., tax records — 5 years; accounting records — 5 years; access journals — 1 year).

6. Transfer to third parties

6.1. The Operator engages the following categories of processors acting on the Operator’s instruction in accordance with Article 6(3) of 152-FZ: payment providers (CloudPayments, YooKassa) for payments; email provider ([EMAIL_PROVIDER]); push provider (Expo / VK Push Service for RuStore); transcription provider for voice messages and video calls ([TRANSCRIPTION_PROVIDER]); video provider (LiveKit); hosting and monitoring provider ([HOSTING_PROVIDER]).

6.2. A processing agreement is in place with each processor, containing confidentiality obligations and protection measures aligned with the Operator’s requirements.

6.3. Transfer to public authorities takes place only on the grounds and in the manner prescribed by Russian legislation.

6.4. Cross-border transfer of personal data to countries that do not provide adequate protection is performed only with the data subject’s written consent (Article 12 of 152-FZ) or in other cases provided for by that article; the actual list of cross-border transfers — [CROSS_BORDER_DETAILS].

7. Cookies and technical identifiers

7.1. The Platform uses strictly necessary cookies (authentication, CSRF protection), functional cookies (selected language, regional settings), and anonymised analytics cookies.

7.2. Marketing cookies and third-party trackers are enabled only with explicit User consent via the cookie banner.

7.3. The User may decline non-essential cookies or remove them through browser controls; declining strictly necessary cookies will impede correct Platform operation.

8. Data subject rights

Under Article 14 of 152-FZ a data subject has the right to: receive information about the processing of their personal data; request its correction, blocking, or destruction; withdraw consent to processing; appeal the Operator’s actions to Roskomnadzor and to court.

Requests are sent to [PRIVACY_EMAIL], stating the full name, contact details, the substance of the request, and a method of identity verification (e.g., passport scan with the photo redacted — for certain requests). Response within 30 calendar days of receipt (Article 20(1) of 152-FZ).

Complaints may also be addressed to Roskomnadzor (the Federal Service for Supervision of Communications, Information Technology and Mass Communications).

9. Personal-data protection measures

9.1. The Operator applies legal, organisational, and technical measures to protect personal data from unlawful access, destruction, modification, blocking, copying, distribution, and other unlawful actions.

9.2. Technical measures include: encryption of sensitive database fields and backup copies; encryption of data in transit (TLS 1.2+); two-factor authentication for administrative accounts; access and operations journaling; regular vulnerability audits and component updates.

9.3. Organisational measures include: internal policies and staff instructions; least-privilege access; personal-data confidentiality obligations.

10. Amendments to the Policy

10.1. The Operator may amend this Policy. The new version is published at [DOMAIN]/privacy and takes effect upon publication, unless a later date is specified.

10.2. Material changes affecting subject rights are notified to Users by email or other channels at least 14 calendar days before the changes take effect.

11. Contacts for requests and inquiries

For any personal-data processing questions, subject-right exercise, or consent withdrawal — [PRIVACY_EMAIL].

For official correspondence: [OPERATOR_ADDRESS], marked “Personal data request”.

Personal-data requests — [PRIVACY_EMAIL].

← Back to home