This Policy of the "Rub-Ex" service (hereinafter referred to as the "Operator") regarding the processing of personal data (hereinafter referred to as the "Policy") is developed pursuant to the requirements of clause 2, part 1, article 18.1 of the Federal Law of 27.07.2006 No. 152-FZ "On Personal Data" (hereinafter referred to as the Personal Data Act) to ensure the protection of human and civil rights and freedoms in the processing of personal data, including the protection of rights to privacy, personal, and family secrets.
This Policy of the Operator regarding the processing of personal data has been developed to implement in Rub-Ex the requirements of the legislation of the Russian Federation in the field of personal data, as well as to ensure the protection of the rights of individuals in the processing of their personal data.
Basic concepts used in the Policy:
personal data – any information relating to a directly or indirectly identified or identifiable natural person (subject of personal data);
personal data operator (operator) – a state body, municipal body, legal entity, or individual independently or jointly with other persons organizing and (or) processing personal data, as well as determining the purposes of personal data processing, the composition of personal data subject to processing, and actions (operations) performed with personal data;
personal data processing – any action (operation) or a set of actions (operations) performed with personal data, using automated tools or without using such tools, including:
collection;
recording;
systematization;
accumulation;
storage;
clarification (update, modification);
extraction;
use;
transfer (distribution, provision, access);
depersonalization;
blocking;
deletion;
destruction;
automated processing of personal data – processing of personal data using computer technology;
distribution of personal data – actions aimed at disclosing personal data to an indefinite circle of persons;
provision of personal data – actions aimed at disclosing personal data to a specific person or a specific circle of persons;
blocking of personal data – temporary suspension of personal data processing (unless processing is necessary to clarify personal data);
destruction of personal data – actions as a result of which it becomes impossible to restore the content of personal data in the personal data information system and (or) as a result of which the material carriers of personal data are destroyed;
depersonalization of personal data – actions as a result of which it becomes impossible without the use of additional information to determine the ownership of personal data by a specific personal data subject;
personal data information system – a set of personal data contained in databases and information technologies and technical means ensuring their processing;
cross-border transfer of personal data – transfer of personal data to the territory of a foreign state to a foreign state authority, foreign individual, or foreign legal entity;
User — any visitor to the website https://rub-ex.com/;
Website — a set of graphic and information materials, as well as computer programs and databases, ensuring their availability on the Internet at the network address https://rub-ex.com/.
Basic rights and obligations of the Operator.
The Operator has the right to:
independently determine the composition and list of measures necessary and sufficient to ensure the fulfillment of the obligations provided for by the Personal Data Act and regulatory legal acts adopted in accordance with it, unless otherwise provided by the Personal Data Act or other federal laws;
entrust the processing of personal data to another person with the consent of the personal data subject, unless otherwise provided by federal law, based on a contract concluded with this person. The person carrying out the processing of personal data on behalf of the Operator must comply with the principles and rules of personal data processing provided for by the Personal Data Act, observe the confidentiality of personal data, and take necessary measures to ensure the fulfillment of obligations provided for by the Personal Data Act;
if the personal data subject revokes their consent to the processing of personal data, continue processing the personal data without the subject's consent where the grounds specified in the Personal Data Act exist.
The Operator is obliged to:
organize the processing of personal data in compliance with the requirements of the Personal Data Act;
respond to appeals and requests from personal data subjects and their legal representatives in accordance with the requirements of the Personal Data Act;
report to the authorized body for the protection of personal data subjects' rights (the Federal Service for Supervision of Communications, Information Technology, and Mass Media (Roskomnadzor)), upon request, the necessary information within 10 working days from the date of receipt of such request. This period can be extended, but not more than by five working days. To do this, the Operator must send Roskomnadzor a motivated notification indicating the reasons for extending the period for providing the requested information;
in the manner established by the federal executive body authorized in the field of security, interact with the state system for the detection, prevention, and elimination of the consequences of computer attacks on information resources of the Russian Federation, including informing it about computer incidents that resulted in the illegal transfer (provision, distribution, access) of personal data.
Basic rights of the personal data subject.
The personal data subject has the right to:
receive complete information upon request about their personal data processed in Rub-Ex;
familiarize themselves with their personal data by contacting Rub-Ex;
clarify their personal data, block or destroy them if the personal data is incomplete, outdated, inaccurate, illegally obtained, or unnecessary for the stated purpose of processing;
terminate the processing of their personal data;
provide their personal data and consent to its processing freely, of their own will, and in their own interest;
withdraw consent to the processing of their personal data;
appeal against actions (inactions) of Rub-Ex in the processing of personal data in accordance with the legislation of the Russian Federation;
exercise other rights stipulated by the legislation of the Russian Federation.
Control over the implementation of the Policy requirements is exercised by an authorized person responsible for organizing personal data processing by the Operator.
The processing of personal data by Rub-Ex is carried out in compliance with the following principles and rules:
processing is carried out on a legal and fair basis;
processing is limited to achieving specific, predetermined, and legitimate goals;
only personal data that meet the purposes of their processing are subject to processing, with a mandatory compliance of their volume and content with the stated goals;
processed personal data are destroyed or depersonalized upon reaching the processing goals or if it is no longer necessary to achieve these goals, unless otherwise provided by the legislation of the Russian Federation.
The Operator processes personal data for the following purposes:
carrying out the activities of Rub-Ex in organizing a database including Users' requests to buy/sell cryptocurrencies that are not digital financial assets;
providing the Rub-Ex user with access to Rub-Ex services, information, and/or materials contained on the Website, including access to the user's personal cabinet;
compliance with the legislation of the Russian Federation, in particular Federal Law No. 115-FZ of 07.08.2001 "On countering the legalization (laundering) of criminally obtained incomes and terrorist financing".
The legal basis for personal data processing is an aggregate of regulatory legal acts in execution of which and in accordance with which the Operator processes personal data, including:
Constitution of the Russian Federation;
Civil Code of the Russian Federation;
Labor Code of the Russian Federation;
Tax Code of the Russian Federation;
Federal Law of 08.02.1998 No. 14-FZ "On Limited Liability Companies";
Federal Law of 07.08.2001 No. 115-FZ "On countering the legalization (laundering) of criminally obtained incomes and terrorist financing";
Federal Law of 06.12.2011 No. 402-FZ "On Accounting";
Federal Law of 15.12.2001 No. 167-FZ "On Compulsory Pension Insurance in the Russian Federation";
other regulatory legal acts governing relations related to the Operator's activities;
consent of personal data subjects to the processing of their personal data.
The content and volume of the processed personal data must match the stated processing purposes provided in section 3 of this Policy. The processed personal data must not be excessive in relation to the stated purposes of their processing.
The Operator may process the following personal data of personal data subjects:
surname, first name, patronymic;
email address;
passport data;
date and place of birth;
registration address;
number of crypto wallets and their networks;
phone number;
other personal data communicated in inquiries by subjects of personal data to the Personal Data Operator;
other data if obtaining such is not required by law and is provided by the personal data subject.
The processing by the Operator of biometric personal data (information that characterises physical and biological features of a person on the basis of which their identity can be established) is conducted in accordance with the legislation of the Russian Federation.
The Operator does not process special categories of personal data concerning race, nationality, political views, religious or philosophical beliefs, state of health, or intimate life, except in cases prescribed by the legislation of the Russian Federation.
Processing of personal data is carried out by the Operator in accordance with the requirements of the legislation of the Russian Federation.
Personal data processing is carried out with the consent of the personal data subjects to the processing of their personal data, and without it in cases prescribed by the legislation of the Russian Federation.
The Operator carries out personal data processing for each corresponding processing purpose in the following ways:
non-automated processing of personal data;
automated processing of personal data with or without the transmission of information over information and telecommunication networks;
mixed processing of personal data.
Operator employees whose job duties involve handling personal data are granted access to process personal data.
Processing of personal data for each purpose specified in Section 3 of the Policy is carried out by:
obtaining personal data orally and in writing directly from personal data subjects;
entering personal data into logs, registers, and the Operator's information systems by employees of the Operator, third parties, or the personal data subjects themselves;
using other methods of personal data processing.
Disclosure to third parties and dissemination of personal data are not allowed without the consent of the personal data subject, unless otherwise provided by federal law.
Transmission of personal data to inquiry and investigative authorities, the Federal Tax Service, the Social Fund of Russia, and other appropriate executive bodies and organizations is carried out in accordance with the requirements of the legislation of the Russian Federation.
The Operator takes necessary legal, organizational, and technical measures to protect personal data from unauthorized or accidental access, destruction, modification, blocking, distribution, and other unauthorized actions, including:
identifying threats to personal data security during its processing;
adopting local acts and other documents regulating relations in the field of processing and protecting personal data;
appointing individuals responsible for ensuring ongoing personal data security within the divisions and information systems of the Operator;
creating the necessary conditions for working with personal data;
organizing the recording of documents containing personal data;
organizing work with information systems where personal data are processed;
storing personal data in conditions that ensure their safety and prevent unauthorized access to them;
organizing training for Operator's employees working with personal data.
The Operator stores personal data in a form permitting the identification of the personal data subject no longer than required by each processing goal, unless a specific retention period for personal data is established by federal law or contract.
The retention period for personal data processed in information systems conforms to the retention period of personal data on paper materials, unless a different storage period is required by activities performed by Rub-Ex.
The Operator terminates the processing of personal data in the following cases:
detection of unlawful processing of the personal data, within three working days from the date of detection;
achievement of their processing purposes;
expiration of the period of the data subject's consent or upon their withdrawal of consent to the processing of said data, where, per the Personal Data Act, the processing of such data is exclusively permitted by consent.
Upon achieving the purposes of personal data processing, or if the subject revokes consent to the processing of their personal data, the Operator terminates processing, unless otherwise established by an agreement to which the subject is a party, beneficiary, or guarantor.
When a personal data subject contacts the Operator with a demand to terminate the processing of their personal data, the Operator shall terminate the processing within no more than 10 working days from the date the demand is received, unless exceptions established by the Personal Data Act apply. This period may be extended, but by no more than five working days. To do so, the Operator shall send the subject a reasoned notification stating the reasons for the extension.
When collecting personal data, including through the Internet, the Operator ensures the recording, systematization, accumulation, storage, clarification (update, modification), and extraction of personal data of citizens of the Russian Federation using databases located on the territory of the Russian Federation, except in the cases established by the Personal Data Act.
Confirmation that the Operator processes personal data, the legal basis and purposes of the processing, and the other information specified in part 7 of article 14 of the Personal Data Act are provided to the personal data subject or their representative within 10 working days of the inquiry or of receipt of the request. This period may be extended, but by no more than five working days. To do so, the Operator shall send the personal data subject a reasoned notification stating the reasons for the extension.
Provided information shall not incorporate the personal data attributed to other personal data subjects, unless lawful bases for disclosure exist.
The inquiry should include:
the number of the main identity document of the personal data subject or their representative, its date of issue, and the issuing authority;
information confirming the personal data subject's relationship with the Operator (contract number, date of the contract, conditional verbal designation and/or other information), or other information confirming that the Operator processes the personal data;
signature of the personal data subject or their proxy.
The Operator provides the information specified in part 7 of article 14 of the Personal Data Act to the personal data subject or their representative in the same form as the relevant request, unless a different form was specified.
If the subject's appeal (inquiry) does not contain all the information required by the Personal Data Act, or the subject is not entitled to the requested information, a reasoned refusal is sent to them.
The user's right to access their own data may be restricted under part 8 of article 14 of the Personal Data Act, including where the user's access would violate the rights or lawful interests of third parties.
If inaccurate personal data is identified following an inquiry from the subject, their representative, or Roskomnadzor, the Operator blocks the personal data concerned from the time of the request for the period of verification, provided that the blocking does not violate the rights of the subject or of third parties.
Once the inaccuracy of the data is confirmed on the basis of information supplied by the subject, their representative, or Roskomnadzor, or of other relevant documents, the Operator clarifies the personal data within seven working days of the documents being submitted and then lifts the blocking.
If unlawful processing of personal data is identified following an inquiry from the personal data subject, their representative, or Roskomnadzor, the Operator blocks the unlawfully processed personal data relating to that subject from the time the request is received.
If the Operator, Roskomnadzor, or another interested party establishes that an unlawful or accidental transfer (provision, distribution, access) of personal data has occurred and has resulted in a violation of the subject's rights, the Operator:
notifies Roskomnadzor within 24 hours of the incident, the presumed causes that led to the violation of the subject's rights, the presumed harm, and the measures taken to eliminate the consequences of the incident, and provides details of the person authorized by the Operator to interact with Roskomnadzor on matters related to the incident;
notifies Roskomnadzor within 72 hours of the results of the internal investigation into the incident, and provides information about the persons whose actions caused it (if any).
The Operator's procedure for the destruction of personal data.
Conditions and time limits for the destruction of personal data by the Operator:
achievement of the purpose of personal data processing, or loss of the need to achieve that purpose — within 30 days;
expiry of the maximum retention periods for documents containing personal data — within 30 days;
confirmation provided by the personal data subject (or their legal representative) that the personal data was obtained unlawfully or is not necessary for the stated purpose of processing — within seven working days;
withdrawal by the personal data subject of consent to the processing of their personal data, where retaining the data is no longer required for the purpose of processing — within 30 days.
Upon achieving the purpose of personal data processing, and also where the subject withdraws consent to the processing, the personal data is to be destroyed if:
a contract to which the subject is a party, beneficiary, or guarantor does not provide otherwise;
the Operator is not entitled to carry out processing without the subject's consent on the grounds provided for by the Personal Data Act or other legislation;
another agreement between the Operator and the personal data subject does not provide otherwise.
Liability for violating the requirements of the legislation of the Russian Federation on the processing of personal data is determined in accordance with the legislation of the Russian Federation.
This Policy is a public document and is published on the official Rub-Ex website on the Internet at: https://rub-ex.com/.