CONFIDENTIALITY POLICY OF ISC-CX FOR SERVICES IN THE RUSSIAN FEDERATION

 
The terms and conditions of this Confidentiality Policy (hereinafter, the “Policy”) apply to any information received by Maxxoll Limited Liability Company registered at the address: 55 Nevsky prospect, bld. A, office 4.3, workplace 15, taxpayer identification number (TIN) 7840096879, primary state registration number (OGRN) 1217800100330 (hereinafter, “ISC-CX”) and its affiliates about individuals / legal entities / individual entrepreneurs – users/visitors (hereinafter, the “User”) of any of the tools, mobile applications, websites, and services as well as any other products of ISC-CX (hereinafter, the “Services”) when (or in relation to) using the Services by the User in the Russian Federation.

1. GENERAL

1.1. The User shall irrevocably accept the conditions of this Policy to the full extent when starting to use the Services. In case of disagreement with this Policy on the whole or disagreement with any clause hereof the User shall refrain from using the Services. By using ISC-CX Services the User gives its direct and express consent to the use of information on itself in compliance with this Policy.

1.2. ISC-CX puts high value on confidentiality and security of information provided to it by the Users when using the Services. This Policy contains the descriptions of methods of collection, transfer, protection, and other use of User information.

2. BASIC TERMS

2.1. The following basic terms are used in the Policy:
Application shall mean ISC-CX mobile application for provision of services by independent providers for service quality inspection “mystery shopper”;
Services shall mean mobile applications, websites, tools, services, and any other products of ISC-CX;
personal data shall mean any information related to a directly or indirectly identified or identifiable individual (data subject);
personal data processing shall mean any act (operation) or series of acts (operations) performed with personal data with or without the use of automation facilities, including collection, recording, systematization, accumulation, storage, amendment (update, changing), extraction, use, transfer (dissemination, provision, access), anonymization, blocking, deletion, and destruction of personal data;
automated processing of personal data shall mean processing of personal data through the use of computer equipment;
dissemination of personal data shall mean actions aimed at disclosure of personal data to general public;
provision of personal data shall mean actions aimed at disclosure of personal data to a certain person or a certain group of persons;
blocking of personal data shall mean suspension of personal data processing (except when processing is necessary in order to update the personal data);
destruction of personal data shall mean actions resulting in impossibility of recovering the content of personal data in the personal data information system and (or) in destruction of tangible media containing personal data;
anonymization of personal data shall mean actions resulting in impossibility of determining the specific data subject to whom the personal data belong without using additional information;
personal data information system shall mean the aggregate of personal data contained in databases and information technologies and hardware and software which ensure processing of such data;
personal data subject shall mean an individual to whom personal data relate directly or indirectly.

3. PRINCIPLES OF PERSONAL DATA PROCESSING IN ISC-CX

3.1. Processing of personal data shall be performed on a lawful and equitable basis.

3.2. Processing of personal data shall be limited by achievement of specific, predetermined, and lawful purposes. Personal data processing incompatible with the personal data collection purposes is not permitted.

3.3. It is not permitted to perform integration of databases containing personal data the processing whereof is carried out for purposes incompatible with each other.

3.4. Only those personal data may be processed which meet the purposes of processing thereof.

3.5. The content and volume of personal data being processed shall comply with the claimed purposes of processing and be not redundant with respect to the claimed purposes of processing thereof.

3.6. The accuracy of personal data, their sufficiency, and their relevance with respect to the personal data processing purposes, if necessary, shall be ensured at processing of personal data. Necessary measures shall be taken to delete or update incomplete or inaccurate data.

3.7. Storage of personal data shall be performed in a form which makes it possible to identify the data subject for a period no longer than required by the personal data processing purposes, unless the personal data storage period is established by a federal law or a contract to which the data subject is a party, or a beneficiary or guarantor thereunder. The processed personal data shall be destroyed or anonymized after achievement of the processing purposes or when there is no further need in achievement of such purposes.

3.8. In the course of collection of personal data, inter alia through Internet, it is necessary to ensure recording, systematization, accumulation, storage, amendment (update, change), or extraction of personal data of citizens of the Russian Federation by using databases located within the Russian Federation.

4. LEGAL GROUNDS FOR PROCESSING OF PERSONAL DATA AND USER RIGHTS IN THE RUSSIAN FEDERATION

4.1. Processing of personal data shall be performed in compliance with Federal law of July 27, 2006 No. 152-FZ “On Personal Data”, the Labor Code of the Russian Federation, the Resolution of the RF Government of 01.11.2012 No. 1119 “On approval of security requirements of personal data in case of their processing in personal data information systems”, the Resolution of the RF Government of September 15, 2008 No. 687 “On approval of the Regulation on special aspects of personal data processing performed without the use of automation facilities”, and other regulations in the sphere of personal data protection.

4.2. The User shall be empowered to:

a) obtain full information on his/her/its personal data and processing thereof (inter alia by using automation facilities);

b) designate his/her representatives for protection of his/her/its personal data;

c) exercise free unpaid access to his/her/its personal data, including the right to obtain copies of any record which contains personal data, except as otherwise provided for by the Federal Law “On Personal Data”;

d) request ISC-CX to enter necessary changes in, delete, or block the personal data if they are incomplete, obsolete, unreliable, or obtained in violation of the laws of the Russian Federation;

e) request ISC-CX to notify all persons/entities earlier provided with incorrect, incomplete, or obsolete personal data on all changes made thereto;

f) appeal against acts or omissions of the person responsible for processing of personal data to the authorized body for protection of rights of data subjects or through a judicial proceeding if the employee who is the data subject believes that ISC-CX performs processing of his/her personal data in violation of the requirements of the Federal Law “On Personal Data” or otherwise infringes his/her rights and freedoms;

g) revoke his/her/its consent to personal data processing.

5. PURPOSES OF PERSONAL DATA PROCESSING

5.1. ISC-CX shall only collect, store, and process those personal data which are necessary for the provision of services and performance of its activities, as well as for security of third party rights and lawful interests provided that the rights of the data subject are not infringed.

5.2. A User’s personal data may be processed for the following purposes:

5.2.1. to identify the data subject;

5.2.2. to provide access to ISC-CX Services, access to the User’s account in the Application and other ISC-CX Services;

5.2.3. to provide technical support when using ISC-CX Services;

5.2.4. to communicate with the User, if necessary, inter alia to send notifications, queries, and information related to the use of Services, advertising information, and to process queries and requests from data subjects;

5.2.5. to carry out statistical and other studies on the basis of anonymized data;

5.2.6. to make cash settlements, pay remunerations, perform the tax agent function;

5.2.7. to ensure security of Services and control the lawful use thereof.

5.3. ISC-CX shall not process special categories of personal data related to race, national identity, political views, religious beliefs, health status, and biometric personal data.

5.4. Processing of personal data shall be performed by ISC-CX upon the User’s consent both with and without the use of automation facilities.

5.5. ISC-CX shall neither provide nor disclose information containing personal data of data subjects to any third party without the User’s consent save to the extent that it is necessary to do so in order to prevent threat to life and health and except as otherwise provided for by the applicable laws in the sphere of personal data protection.

5.6. Upon a substantiated request of a competent authority and exclusively in the framework of compliance with the law in force, the User’s personal data may be transferred to the following authorities without the User’s consent:
- to judicial authorities in connection with administration of justice;
- to the Federal Security Service bodies;
- to prosecution authorities;
- to police authorities;
- to other authorities and organizations to the extent permitted by mandatory regulations.

5.7. When consent to processing of personal data is received from the User’s representative, the authority of such representative to give such consent on behalf of the data subject may be verified by ISC-CX.

5.8. Should the User revoke his/her/its consent to processing of personal data, ISC-CX shall be empowered to continue processing of such personal data without the User’s consent where permitted by the applicable laws.

5.9. Legal regulation of the procedure and time limits for storage of documents containing personal data of data subjects shall be conducted on the basis of the List of standard managerial archival documents created in the course of activity of government authorities, municipal authorities and organizations, with an indication of the storage period thereof as approved by the Order of the Federal Archival Agency of 20.12.2019 No.236.

5.10. Destruction of documents containing personal data shall be performed by any method which excludes familiarization of unauthorized persons with the materials being destroyed and the possibility of reconstruction of their texts.

6. CONFIDENTIALITY OF PERSONAL DATA

6.1. Information related to personal data which became known in the course of ISC-CX activity is confidential and protected by the law in force.

6.2. Persons who have obtained access to personal data being processed have signed a confidentiality obligation and have been notified of possible disciplinary, administrative, civil, and criminal liability in case of violation of the rules and regulations provided for by the applicable laws of the Russian Federation in the sphere of personal data protection.

6.3. Persons who have obtained access to personal data being processed may not communicate personal data of a data subject to a third party without consent of such data subject, save to the extent that it is necessary to do so in order to prevent threat to life and health and except as otherwise provided for by the applicable laws in the sphere of personal data protection.

6.4. Persons who have obtained access to personal data undertake not to disclose personal data for commercial purposes without written consent of the data subject. Processing of personal data of data subjects for the purposes of promotion of goods, works, services on the market by direct contact with a potential customer by using telecommunication facilities may only be performed subject to prior consent of the data subject.

7. MEASURES TAKEN TO ENSURE PROTECTION OF PERSONAL DATA

7.1. A person responsible for organization of personal data processing in ISC-CX has been appointed.

7.2. Local acts have been approved by the order of CEO of ISC-CX which establish procedures for identification and prevention of violations of the laws of the Russian Federation in the sphere of personal data and determine, for each personal data processing purpose, the content of personal data to be processed, categories of subjects whose personal data are processed, the time limits for processing and storage thereof, the procedure of destruction upon achievement of the processing purposes or upon occurrence of other lawful grounds.

7.3. Legal, organizational, and technical measures are being taken as provided for by the respective regulations, to ensure security of personal data in the course of processing thereof in personal data information systems of ISC-CX.

7.4. In case of processing of personal data without the use of automation facilities, the requirements established by the Resolution of the RF Government of September 15, 2008 No. 687 “On approval of the Regulation on special aspects of personal data processing performed without the use of automation facilities” are complied with.

7.5. For the purpose of internal control of compliance of personal data processing with the established requirements of applicable laws, ISC-CX has organized periodic inspections of personal data processing environment.

7.6. ISC-CX employees directly involved in processing of personal data are being familiarized with the provisions of the laws of the Russian Federation on personal data (including the personal data protection requirements) and local regulations related to processing of personal data.

7.7. ISC-CX is liable under the law of the Russian Federation for violation of the obligations to ensure security and confidentiality of personal data in the course of processing thereof.

8. OTHER USER INFORMATION OBTAINED BY ISC-CX

8.1. For the purposes of this Policy, the User information (hereinafter, the “Information”) is understood as:

8.1.1. Information provided by the User about himself/herself at registration or when using the Services, and the User’s comments given and (or) added by using the Services.
Provision of specially designated mandatory information is a prerequisite for obtaining access to the Services. Other information will be provided by the User at the latter’s discretion. ISC-CX takes as a premise that the User provides reliable and sufficient information and keeps the same updated. Provision of unreliable information will result in immediate blocking of the User’s account.
8.1.2. Information which is automatically transferred to the Services by the User’s devices in the course of the use of the Services by the User through the software installed on such devices. Such information includes without limitation: IP address of the User, type of the User’s viewing program, address of the Service and / or Internet resource requested by the User, date and time of Service request, and other similar information.
8.1.3. Other User information which shall be obtained in compliance with the conditions of use of individual ISC-CX Services.

9. PURPOSES OF OBTAINING INFORMATION BY ISC-CX

9.1. ISC-CX shall only receive and store such information which is necessary for provision of Services, rendering of services, development and improvement of products and/or Services, execution, performance, and termination of contracts and agreements with the User.

9.2. The Information shall be used for the following purposes:

9.2.1. Communication with Users when they apply to the technical support desk. ISC-CX technical support desks may request information from the Users concerning matters related to the use of Services.

9.2.2. Identification of a party in the framework of relationship occurring as a result of the use of Services, execution, performance, and termination of contracts and agreements with ISC-CX, and for resolution of disputes.

9.2.3. Communication with the User, inter alia for sending notifications, messages, or warnings through communication lines with respect to the use of Services, execution, performance, and termination of contracts and agreements.

9.2.4. Processing of Users’ queries.

9.2.5. Carrying out of statistical and other studies on the basis of anonymized data.

9.2.6. Improvement of quality of Services, convenience of the use thereof by the Users.

9.2.7. In order to ensure security of Services and control the lawful use thereof.

9.2.8. For the purpose of sending information, including advertisement.

9.2.9. For cash settlements, payment of remunerations, performance of the tax agent functions.

10. CONDITIONS FOR INFORMATION PROCESSING, TRANSFER TO THIRD PARTIES

10.1. ISC-CX shall store and process Information in compliance with internal documents and applicable laws of the Russian Federation. When there is no further need in processing of Information for the purposes provided for in this Policy, ISC-CX shall delete Information held by the same. In case of change or deletion of Information, ISC-CX may retain a part thereof for the purpose of resolution of disputes and claims, performance of contracts and agreements with the Users, and for compliance with all technical requirements and restrictions and those established by the RF laws in relation to the use of Services.

10.2. With respect to Information, its confidentiality shall be maintained and ensured except when the User has voluntarily disclosed such Information to the general public.

10.3. ISC-CX shall be empowered to transfer Information to third parties in the following cases:

10.3.1. The User has given express consent to such acts, including acceptance of the conditions of this Policy when using the Services;

10.3.2. Such transfer is provided for by the Russian and/or other applicable laws;

10.3.3. For the purposes of protection of rights and lawful interests of ISC-CX and/or third parties when the User’s actions have caused and/or may cause:

a) infliction or threatened infliction of damages to other Users or any third parties;

b) misrepresentation to third parties regarding the source of information (sender of messages of any nature, programs, queries) if ISC-CX is misrepresented as the source of information;

c) violation of copyright or exclusive rights of third parties to the results of intellectual activity;

d) unauthorized access to computational and data resources and network resources of ISC-CX and/or third parties;

e) violation of the conditions for provision of Services by ISC-CX or restriction of capabilities of other Internet users to obtain the same.

10.4. When logging on and using ISC-CX Services, the User gives consent to cross-border transfer of his/her personal data and other Information outside the Russian Federation to countries which have signed the “Convention on protection of individuals in case of automated processing of personal data” executed in Strasbourg on 28/01/1981 or other countries which ensure appropriate protection of the rights of data subjects.

10.5. When logging on and using ISC-CX Services, the User agrees that his/her personal data and other Information may be transferred to third parties, including without limitation: Multisearch AG (address: Aeschengraben 29, 4051 Basel, Switzerland), Multisearch GmbH (address: Landshuter Allee 8-10, München, Germany), other affiliates and (or) contractors of ISC-CX, for purposes necessary for the use of the Application and other services of ISC-CX, assurance of operability of the Application and other services of ISC-CX, fulfillment of tasks and participation in programs by the User which are offered in the Application and other services of ISC-CX, technical support, improvement of Services operation, and for other purposes covered by this Policy.

11. USING COOKIE FILES

11.1. Some of ISC-CX Services use cookie files. Cookie files do not do harm to the User’s computers and do not contain viruses. Cookie files help make the ISC-CX Services more convenient, effective, and secure. Cookie files are small text files stored on the User’s device and saved in the browser.
Most of the cookie files used are so-called “session cookie files”. They are automatically deleted after the User’s session. Other cookie files are retained in the memory of the User’s device until you delete them. These cookie files make it possible to recognize the User’s browser at the next site session.
The User can configure his/her browser so that it would inform the User of the use of cookie files and the User could decide in each specific case whether to accept or reject a cookie file. As an alternative, the User’s browser may be configured to automatically accept cookie files under certain conditions or permanently reject the same, or automatically delete cookie files when closing the browser. Disabling of cookie files may limit the functionality of the website.
Cookie files necessary to ensure electronic communication or certain functions you want to use (e.g., shopping cart) are stored in compliance with article 6 paragraph 1 clause f of the General Data Protection Regulation approved by EC Regulation 2016/679 of April 27, 2016 (GDPR). ISC-CX has a lawful interest in storage of cookie files in order to ensure provision of optimized services without technical errors. When other cookie files (e.g. those used to analyze the User’s behavior in Internet) are saved, they will be considered separately in this confidentiality policy.

12. CHANGING AND DELETION OF INFORMATION BY THE USER

12.1. The User may change, update, or complement the Information provided by him/her at any time in whole or in part, as well as the confidentiality parameters thereof, by applying to the support desk of ISC-CX or by using the Services.

12.2. The User may delete the Information provided by him/her, but the User shall take into account that deletion of such Information may result in impossibility of using the Services and termination of the User agreement.

13. MEASURES TAKEN TO PROTECT THE USER’S INFORMATION

13.1. ISC-CX shall take necessary and sufficient organizational, legal, and technical measures to protect Information against unauthorized access, destruction, amendment, blocking, copying, dissemination, and other unlawful acts of third parties therewith within the competence of ISC-CX.

13.2. In the framework of provision of Information security, ISC-CX shall perform, without limitation, the following actions:
- identify the User by login and password for access to Services provided by ISC-CX;
- continuously improve the methods of collection, storage, and receipt of Information to prevent unauthorized access to Services;
- only provide access to Information to a limited number of employees, partners, and contractors;
- when transferring the User’s data on payments, ISC-CX undertakes not to use the same for unlawful purposes and not to interfere in or violate the procedure of operation of network serving payment systems;
- establish strict corporate and contractual obligations for compliance with confidentiality of Information.

14. LIABILITY FOR RECEIPT OF INFORMATION

14.1. This Policy is only applicable to the User Information received in the course of use of ISC-CX Services.

14.2. ISC-CX does not control and is not liable for processing of User information by third party websites which the User may visit by using the links available on the official website of ISC-CX.

15. PROCEDURE FOR AMENDING THIS POLICY

15.1. ISC-CX may amend this Policy at any time in its absolute discretion without notice to the User. When amendments are made, the relevant version shall contain the date of the last update. The new version of the Policy shall be effective from the moment of posting thereof on the Website unless otherwise provided for by the new version of the Policy.

15.2. The current version of the Policy is always available in the Application.

15.3. By continuing to use the Services the User automatically accepts the new version of this Policy.

15.4. ISC-CX recommends that the User should view this Policy from time to time in order to be aware of the relevant version hereof.

16. APPLICABLE LAW, DISPUTE RESOLUTION

16.1. This Policy and relations between the User and ISC-CX which arise in connection with application hereof shall be governed by the applicable laws of the Russian Federation.

16.2. The Parties will try to resolve all disputes and differences arising from this Policy by way of negotiations. Any negotiations related to a dispute shall be conducted in confidence without prejudice to the parties’ rights in any further judicial proceedings.

16.3. The Parties must comply with the complaint procedure. The complaint response period shall be Thirty (30) calendar days from the date of receipt of such complaint by a party.

16.4. Should it be impossible to resolve a dispute within Thirty (30) calendar days from the date of receipt of a complaint by a party, either party may refer the dispute for final resolution to a court of the Russian Federation in compliance with the law of procedure of the Russian Federation.

17. FEEDBACK, QUESTIONS AND SUGGESTIONS

17.1. The User may send all suggestions or questions related to this Policy and the revocation of consent to processing of personal data to Maxxoll LLC (TIN 7840096879, OGRN 1217800100330) to the address: 55 Nevsky prospect, bld. A, office 4.3, workplace 15, St. Petersburg.

17.2. In case of revocation of consent to processing of personal data the User’s account will be blocked and deleted within Sixty (60) days from the date of receipt of such revocation and the User may not use the Application and Services of ISC-CX, its Partners and Customers from the date of receipt of such revocation.