Privacy Policy
1 General Provisions
This Policy of MultiKassa Limited Liability Company (hereinafter – MultiKassa, the Operator) regarding the processing of personal data (hereinafter - the Policy) has been developed in pursuance of the requirements of paragraph 2, part 1, article 18.1 of the Federal Law of July 27, 2006 N 152-FZ "On Personal Data" (hereinafter - the Law on Personal Data) in order to ensure the protection of the rights and freedoms of individuals and citizens in the processing of their personal data, including the protection of the rights to privacy, personal and family secrets.
This Policy of the Operator regarding the processing of personal data (hereinafter - the Policy) is developed to implement the requirements of the legislation of the Russian Federation in the field of personal data in MultiKassa, as well as to ensure the protection of the rights of individuals when processing their personal data.
Key terms used in the Policy:
personal data - any information relating directly or indirectly to an identified or identifiable natural person (data subject);
personal data operator (operator) - a state body, municipal body, legal entity or individual who, independently or jointly with other persons, organizes and (or) carries out the processing of personal data, as well as determines the purposes of processing personal data, the composition of personal data to be processed, actions (operations) performed with personal data;
processing of personal data - any action (operation) or set of actions (operations) with personal data, performed using automation tools or without their use. Processing of personal data includes, but is not limited to:
collection;
recording;
systematization;
accumulation;
storage;
clarification (updating, modification);
extraction;
use;
transfer (dissemination, provision, access);
depersonalization;
blocking;
deletion;
destruction.
automated processing of personal data - processing of personal data using computer technology;
dissemination of personal data - actions aimed at disclosing personal data to an undefined group of persons;
provision of personal data - actions aimed at disclosing personal data to a specific person or a specific group of persons;
blocking of personal data - temporary cessation of the processing of personal data (except in cases where processing is necessary to clarify personal data);
destruction of personal data - actions that make it impossible to restore the content of personal data in the personal data information system and (or) as a result of which the tangible media of personal data are destroyed;
depersonalization of personal data - actions that make it impossible, without the use of additional information, to determine the affiliation of personal data to a specific data subject;
personal data information system - a set of personal data contained in databases and information technologies and technical means that ensure their processing;
cross-border transfer of personal data - the transfer of personal data to the territory of a foreign state to a government authority of a foreign state, a foreign individual or a foreign legal entity.
User - any visitor to the website https://multikassa.com/.
Website - a collection of graphic and informational materials, as well as computer programs and databases, ensuring their availability on the Internet at the network address https://multikassa.com/.
Main rights and obligations of the Operator.
The Operator has the right to:
independently determine the composition and list of measures necessary and sufficient to ensure the fulfillment of the obligations provided for by the Law on Personal Data and the regulatory legal acts adopted in accordance with it, unless otherwise provided by the Law on Personal Data or other federal laws;
entrust the processing of personal data to another person with the consent of the data subject, unless otherwise provided by federal law, on the basis of a contract concluded with this person. The person carrying out the processing
continue processing personal data without the consent of the data subject, in the event that the data subject withdraws consent to the processing of personal data, if there are grounds specified in the Law on Personal Data.
The Operator is obliged to:
organize the processing of personal data in accordance with the requirements of the Law on Personal Data;
respond to requests and inquiries from data subjects and their legal representatives in accordance with the requirements of the Law on Personal Data;
report to the authorized body for the protection of the rights of data subjects (the Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor)) upon request of this body the necessary information within 10 working days from the date of receipt of such request. This period may be extended, but not more than by five working days. To do this, the Operator must send to Roskomnadzor a reasoned notification indicating the reasons for extending the deadline for providing the requested information;
in the manner determined by the federal executive body authorized in the field of security, ensure interaction with the state system for detecting, preventing and eliminating the consequences of computer attacks on the information resources of the Russian Federation, including informing it about computer incidents that resulted in the unlawful transfer (provision, dissemination, access) of personal data.
Main rights of the data subject.
The data subject has the right to:
receive, upon request, complete information about their personal data processed in MultiKassa;
access their personal data when contacting MultiKassa;
clarify their personal data, block or destroy it if the personal data is incomplete, outdated, inaccurate, illegally obtained or is not necessary for the stated purpose of processing;
terminate the processing of their personal data;
provide their personal data and consent to its processing freely, voluntarily and in their own interest;
withdraw consent to the processing of their personal data;
appeal, in accordance with the legislation of the Russian Federation, the actions (inaction) of MultiKassa in the processing of personal data;
exercise other rights provided for by the legislation of the Russian Federation.
Control over the implementation of the requirements of this Policy is carried out by the authorized person responsible for organizing the processing of personal data at the Operator.
2 Principles and Rules for Processing Personal Data
MultiKassa processes personal data in compliance with the following principles and rules:
processing is carried out on a lawful and fair basis;
processing is limited to achieving specific, pre-determined and legitimate purposes;
only personal data that meets the purposes of processing is processed, with mandatory compliance of its scope and content with the stated purposes of processing;
processed personal data is destroyed or depersonalized upon reaching the processing goals or in the event of loss of the need to achieve these goals, unless otherwise provided by the legislation of the Russian Federation.
3 Purposes of Collecting Personal Data
The Operator processes personal data for the following purposes:
to carry out MultiKassa's activities in organizing a database that includes User requests for the purchase/sale of cryptocurrencies that are not digital financial assets;
to provide MultiKassa users with access to MultiKassa services, information and/or materials contained on the website, including access to the user's personal account;
to comply with the legislation of the Russian Federation, in particular, Federal Law No. 115 of 07.08.2001 "On Counteracting the Legalization (Laundering) of Proceeds from Crime and the Financing of Terrorism."
4 Legal Basis for Processing Personal Data
The legal basis for processing personal data is the set of regulatory legal acts in pursuance of which and in accordance with which the Operator processes personal data, including:
The Constitution of the Russian Federation;
The Civil Code of the Russian Federation;
The Labor Code of the Russian Federation;
The Tax Code of the Russian Federation;
Federal Law No. 14-FZ of 08.02.1998 "On Limited Liability Companies";
Federal Law No. 115 of 07.08.2001 "On Counteracting the Legalization (Laundering) of Proceeds from Crime and the Financing of Terrorism";
Federal Law No. 402-FZ of 06.12.2011 "On Accounting";
Federal Law No. 167-FZ of 15.12.2001 "On Mandatory Pension Insurance in the Russian Federation";
other regulatory legal acts governing relations related to the activities of the Operator;
the consent of data subjects to the processing of their personal data.
5 Scope and Categories of Processed Personal Data, Categories of Personal Data Subjects
The content and scope of processed personal data must correspond to the stated processing purposes provided for in Chapter 3 of this Policy. Processed personal data should not be excessive in relation to the stated purposes of their processing.
The Operator may process the personal data of data subjects with respect to:
last name, first name, patronymic;
email address;
passport data;
date and place of birth;
registration address;
crypto-wallet numbers and their network;
phone number;
other personal data communicated in appeals by data subjects to the personal data operator;
other data, if obtaining such is not required by law and is provided by the data subject.
The Operator processes biometric personal data (information that characterizes the physiological and biological characteristics of a person, on the basis of which it is possible to establish their identity) in accordance with the legislation of the Russian Federation.
The Operator does not process special categories of personal data relating to race, ethnic origin, political opinions, religious or philosophical beliefs, health status, or intimate life, except in cases provided for by the legislation of the Russian Federation.
6 Procedure and Conditions for Processing Personal Data
The Operator processes personal data in accordance with the requirements of the legislation of the Russian Federation.
Personal data is processed with the consent of the data subjects to the processing of their personal data, as well as without such consent in cases provided for by the legislation of the Russian Federation.
The Operator processes personal data for each purpose of their processing in the following ways:
non-automated processing of personal data;
automated processing of personal data with or without the transfer of information obtained through information and telecommunication networks;
mixed processing of personal data.
Only employees of the Operator whose job responsibilities include the processing of personal data are allowed to process personal data.
The processing of personal data for each processing purpose specified in paragraph 2.3 of the Policy is carried out by:
obtaining personal data in oral and written form directly from the data subjects;
entering personal data into the Operator's logs, registers and information systems by the Operator's employees, third parties, or by the data subject themselves;
using other methods of processing personal data.
Disclosure to third parties and dissemination of personal data without the consent of the data subject is not allowed, unless otherwise provided by federal law.
The transfer of personal data to bodies of inquiry and investigation, the Federal Tax Service, the Social Fund of Russia, and other authorized bodies of executive power and organizations is carried out in accordance with the requirements of the legislation of the Russian Federation.
The Operator takes the necessary legal, organizational, and technical measures to protect personal data from unlawful or accidental access, destruction, alteration, blocking, dissemination, and other unauthorized actions, including:
identifying threats to the security of personal data during their processing;
adopting local regulatory acts and other documents governing relations in the field of processing and protection of personal data;
appointing persons responsible for ensuring the security of personal data in the structural divisions and information systems of the Operator;
creating the necessary conditions for working with personal data;
organizing the accounting of documents containing personal data;
organizing work with information systems in which personal data are processed;
storing personal data under conditions that ensure their safety and exclude unauthorized access to them;
organizing training for Operator employees who process personal data.
The Operator stores personal data in a form that allows identification of the data subject for no longer than is required for each purpose of processing personal data, unless the storage period for personal data is established by federal law or contract.
The storage period for personal data processed in personal data information systems corresponds to the storage period for personal data on paper media, unless a different storage period is required by the activities carried out by MultiKassa.
The Operator ceases processing personal data in the following cases:
the fact of their unlawful processing is revealed. The deadline is within three working days from the date of detection;
the purpose of their processing has been achieved;
the term of validity has expired or the consent of the data subject to the processing of such data has been withdrawn, when, according to the Law on Personal Data, the processing of this data is permitted only with consent.
Upon achieving the purposes of processing personal data, as well as in the event of withdrawal by the data subject of consent to their processing, the Operator ceases processing this data, unless otherwise provided by a contract to which the data subject is a party, beneficiary or guarantor.
Upon the request of a data subject to the Operator to cease processing personal data, within a period not exceeding 10 working days from the date of receipt of the relevant request by the Operator, the processing of personal data is terminated, except in cases provided for by the Law on Personal Data. This period may be extended, but not more than five working days. To do this, the Operator must send the data subject a reasoned notification indicating the reasons for extending the deadline.
When collecting personal data, including through the information and telecommunication network Internet, the Operator ensures the recording, systematization, accumulation, storage, clarification (updating, modification), and extraction of personal data of citizens of the Russian Federation using databases located on the territory of the Russian Federation, except in cases specified in the Law on Personal Data.
7 Updating, Correction, Deletion, Destruction of Personal Data, Responding to Data Subject Access Requests
Confirmation of the fact that the Operator processes personal data, the legal basis and purposes of processing personal data, as well as other information specified in part 7 of Article 14 of the Law on Personal Data, is provided by the Operator to the data subject or their representative within 10 working days from the moment of the request or receipt of the request of the data subject or their representative. This period may be extended, but not more than five working days. To do this, the Operator should send the data subject a reasoned notification indicating the reasons for extending the deadline for providing the requested information.
The information provided does not include personal data relating to other data subjects, except in cases where there are legal grounds for disclosing such personal data.
The request must contain:
the number of the main document proving the identity of the data subject or their representative, information about the date of issue of the specified document and the authority that issued it;
information confirming the participation of the data subject in relations with the Operator (contract number, date of conclusion of the contract, conditional verbal designation and (or) other information), or information otherwise confirming the fact that the Operator processes personal data;
the signature of the data subject or their representative.
The Operator provides the information specified in part 7 of Article 14 of the Law on Personal Data to the data subject or their representative in the form in which the relevant request or inquiry was sent, unless otherwise specified in the request or inquiry.
If the request (inquiry) of the data subject does not reflect all the necessary information in accordance with the requirements of the Law on Personal Data, or the subject does not have the right to access the requested information, then a reasoned refusal is sent to them.
The right of the data subject to access their personal data may be limited in accordance with part 8 of Article 14 of the Law on Personal Data, including if the data subject's access to their personal data violates the rights and legitimate interests of third parties.
If inaccurate personal data is identified when the data subject or their representative contacts or requests it, or at the request of Roskomnadzor, the Operator blocks the personal data relating to this data subject from the moment of such contact or receipt of the specified request for the period of verification, unless the blocking of personal data violates the rights and legitimate interests of the data subject or third parties.
If the fact that personal data is inaccurate is confirmed, the Operator, based on information provided by the data subject or their representative or Roskomnadzor, or other necessary documents, clarifies the personal data within seven working days from the date of submission of such information and removes the blocking of personal data.
If unlawful processing of personal data is detected when the data subject or their representative contacts or requests it, or by Roskomnadzor, the Operator blocks the unlawfully processed personal data relating to this data subject from the moment of such contact or receipt of the request.
When the Operator, Roskomnadzor, or other interested person detects the fact of unlawful or accidental transfer (provision, dissemination) of personal data (access to personal data) that resulted in a violation of the rights of data subjects, the Operator:
within 24 hours - notifies Roskomnadzor of the incident that occurred, the alleged reasons that led to the violation of the rights of data subjects, the alleged harm caused to the rights of data subjects, and the measures taken to eliminate the consequences of the incident, and also provides information about the person authorized by the Operator to interact with Roskomnadzor on issues related to the incident;
within 72 hours - notifies Roskomnadzor of the results of the internal investigation of the identified incident and provides information about the persons whose actions caused it (if any).
Procedure for the destruction of personal data by the Operator.
Conditions and terms for the destruction of personal data by the Operator:
achieving the purpose of processing personal data or the loss of the need to achieve this goal - within 30 days;
reaching the maximum storage periods for documents containing personal data - within 30 days;
the data subject (or their representative) providing confirmation that the personal data was obtained illegally or is not necessary for the stated purpose of processing - within seven working days;
withdrawal by the data subject of consent to the processing of their personal data, if their storage for the purpose of their processing is no longer required - within 30 days.
Upon achieving the purpose of processing personal data, as well as in the event of withdrawal by the data subject of consent to their processing, personal data is subject to destruction, if:
otherwise provided by a contract to which the data subject is a party, beneficiary or guarantor;
the operator is not entitled to process without the consent of the data subject on the grounds provided for by the Law on Personal Data or other federal laws;
otherwise provided by another agreement between the Operator and the data subject.
8 Final Provisions
Responsibility for violating the requirements of the legislation of the Russian Federation in the field of personal data is determined in accordance with the legislation of the Russian Federation.
This Policy is a publicly available document and is subject to publication on the official website of MultiKassa, in the information and telecommunications network "Internet" at the Internet address: https://multikassa.com/policy/.