PRIVACY POLICY
1. GENERAL POLICY
The policy of personal data processing (hereinafter referred to as the «Policy») is developed in accordance with the Federal Law of 27.07.2006. No. 152-FZ «On Personal Data» (hereinafter referred to as «152-FZ»). This Policy defines the procedure for processing of personal data of persons (hereinafter referred to as the «User») collected during the use of Operator Mobile Application "CampuZ" (hereinafter referred to as the «CampuZ»), measures to ensure the security of personal data and the procedure for storing personal data by the Limited Liability Company CapmpuZ (hereinafter referred to as the «Operator») for the purpose of protecting the rights and liberties of a person while processing his personal data, including the protection of privacy rights, personal and family secrets.

1.1. The following main terms are used in the Policy:
Automated processing of personal data - personal data processing by means of computer technologies;
Personal data information system - a combination of personal data contained in databases, and information technologies and hardware used for data processing;
Personal data processing - any action (operation) or a combination of actions (operations) performed both automatically or manually with personal data, including collection, recording, systematization, accumulation, storage, specification (updating, changing), extraction, use, transfer (distribution, provision, access), depersonalization, blocking and destruction of personal data;
Dissemination of personal data - an action related to disclosing personal data to a definite range of persons by prior consent, in cases provided for by federal law.
Depersonalization of personal data - an action, as a result of which it is impossible to
determine without the use of additional information the identity of the individual who is a subject of personal data;
Blocking of personal data - the temporary cessation of personal data processing (except for the cases when the processing is necessary for personal data specification);
Destruction of personal data - actions, as a result of which it becomes impossible to restore the content of personal data in the respective database and/or as a result of which the tangible medium of personal data is destroyed.
Provision of personal data - actions related to making personal data available to a definite person or a definite range of persons.
Mobile application – a program designed to run on a mobile devices.
Operator - an organization, independently or jointly with other persons organizing the
processing of personal data, as well as determining the purposes of processing personal data subject to processing, actions (operations) performed with personal data. The Operator is the Limited Liability Company CampuZ located at the address: 18-202, Demakova street, Novosibirsk, Russia.
User — a user of the Internet and, in particular, of the CampuZ, who has his own personal page (profile/account).
2. PRINCIPLES AND TERMS OF THE PERSONAL DATA PROCESSING
2.1. Principles of personal data processing
The processing of personal data by the Operator is carried out on the basis of the following principles:
– legal and equitable basis;
– restrictions on the processing of personal data by the achievement of specific, pre-
determined and legal purposes;
– preventing the processing of personal data incompatible with the purposes of personal data collection;
– preventing the unification of databases containing personal data, processing of which is carried out for purposes incompatible with each other;
– processing of only those personal data that meet the purposes of their processing;
– compliance of character and scope of processed personal data with the declared purposes of such data processing;
– preventing the processing of personal data that is excessive in relation to the declared purposes of data processing;
– ensuring the accuracy, adequacy and relevance of personal data in relation to the purposes of data processing;
– destruction or depersonalization of personal data upon achieving the purposes of their processing as well as when such purposes cease to be relevant if the Operator can not eliminate the admitted violations of personal data, unless otherwise provided for by federal law.

2.2. Terms of the processing of personal data
The processing of personal data is carried out by the Operator under the following terms:
- the processing of the personal data of the Users of the CampuZ is carried out in
accordance with the Civil Code of the Russian Federation, the Constitution of the Russian Federation, the current legislation of the Russian Federation in the field of personal data protection.
- the processing of personal data by the CampuZ is carried out in compliance with the
principles and terms provided for by the legislation of the Russian Federation.
The processing of personal data is allowed in the following cases:
- the processing of personal data is necessary for the use of the CampuZ, to which the User is a party;
- the processing of personal data is necessary to protect the life, health or other vital interests of the User of the CampuZ, if the obtaining of consent is impossible;
- the processing of personal data is necessary for the implementation of the rights and legal interests of the Operator or third parties or for the achievement of socially significant purposes, provided that the rights and liberties of the User of the CampuZ are not violated thereby;
- the processing of personal data is carried out for statistical or other research purposes, except for the processing of personal data in order to promote goods, works, services on the market by making direct contacts with potential consumers by means of communications, as well as for political agitation, subject to mandatory depersonalization of personal data.

2.3. Purposes of the processing of personal data
2.3.1. The processing of the personal data of the User of the CampuZ is carried out solely in order to provide the User with the opportunity to interact with the CampuZ.
2.3.2. Information constituting personal data on the CampuZ is any information related to a certain person or a subject to such information to a person (a subject of personal data).
3. RIGHTS OF A PERSONAL DATA SUBJECT
3.1. The subject of personal data decides to provide his personal data and consent to the processing thereof freely, of his own will and in his own interest. Consent to the processing of personal data may be given by the subject of personal data or his representative in any form which provides evidence of its receipt, unless otherwise provided for by federal law. Obligation to provide evidence of the consent of the personal data subject to processing of his personal data or evidence of the grounds specified in 152-FZ is assigned to the Operator.

3.2. Rights of personal data subjects (Users)
3.2.1. The User has the right to receive information about the Operator, the place of his location, the presence of the Operator's personal data relating to his personal data (the User's data), as well as to acquaint himself with such personal data, except for the cases provided for by part 8 of Article 14 of 152-FZ.
3.2.2. The User has the right to receive from the Operator, upon a personal request or upon receipt of a written request from the User by the Operator, the following information regarding the processing of his personal data and including:
– confirmation of the fact of processing of personal data by the Operator, as well as the
purpose of such processing;
– legal grounds and purposes for the processing of personal data;
– purposes and methods of processing personal data used by the Operator;
– name and location of the Operator, information on persons (except for the operator's
employees) who have access to personal data or who can disclose personal data on the basis of a contract with the Operator or on the basis of 152-FZ;
– processed personal data relating to the relevant personal data subject, the source of their receipt, unless another procedure for providing such data is provided for by 152-FZ;
– the terms of processing of personal data, including the terms of their storage;
– the procedure for the subject of personal data to exercise the rights provided for by 152-FZ;
– information on the carried out or expected transboundary transfer of personal data;
– surname, first name, patronymic and address of the person carrying out the processing of personal data on behalf of the Operator, if the processing is entrusted or will be entrusted to such person;
– other information provided for by 152-FZ or other federal laws;
– to require changes, clarification, destruction of his personal information;
– to appeal against wrongful acts or omissions regarding the processing of personal data and to demand appropriate compensation in court;
– to supplement personal data of an evaluation nature with a statement expressing his own point of view; identify representatives to protect their personal data;
– to require the Operator to notify all changes or exceptions made therein.
3.2.3. The User has the right to appeal against the actions or omissions of the Operator in the authorized body for protecting the rights of subjects of personal data or in court proceedings if he believes that the Operator carries out the processing of his personal data in violation of the requirements of 152-FZ or otherwise violates his rights and liberties.
3.2.4. The User has the right to protect his rights and legal interests, including compensation for damages and (or) compensation for moral harm in court.
4. OBLIGATIONS OF THE OPERATOR
4.1. Upon a personal request or upon receipt of a written request from the subject of personal data or his representative, the Operator, provided that there are grounds, is obliged to provide information within the period specified in 152-FZ — within 30 days from the date of application or receipt of the request of the personal data subject or his representative. Such information should be provided to the personal data subject in an accessible form and they should not contain personal data relating to other personal data subjects, unless there are legal reasons for disclosing such personal data.

4.2. All appeals of subjects of personal data or their representatives are registered in the Journal of Registration of Citizens; Appeals (subjects of personal data) concerning the processing of personal data.

4.3. In case of refusal to provide personal data to the subject or his representative when applying for or when a personal data subject or his representative receives a request for information about the availability of personal data on the relevant personal data subject, the Operator must give a written response that contains a reference to the provision of part 8 of Article 14 152-FZ or other federal law, which is the basis for such refusal, within a period not exceeding 30 days from the date of the request of the personal data subject or his representative, or from the date of receipt of the request of the personal data subject or his representative.

4.4. In case of receiving a request from the authorized body for protection of the rights of subjects of personal data on providing information necessary for carrying out the activities of the specified body, the Operator shall send such information to the authorized body within 30 days from the date of the receipt of such request.

4.5. In case of revealing illegal processing of personal data when the subject of personal data or his representative or an authorized body for protection of the rights of subjects of personal data is contacted, the Operator shall block the illegally processed personal data relating to this personal data subject from the time of such action or receipt of the request for the verification period.

4.6. In case of revealing illegal processing of personal data carried out by the Operator, it shall be obliged to stop illegal processing of personal data within a period not exceeding 3 working days from the date of this detection. On the elimination of violations, the Operator is obliged to notify the subject of personal data or his representative, and, if the request of the personal data subject or his representative or the request of the authorized body for protection of the rights of subjects of personal data was sent by the authorized body for protection of the rights of subjects of personal data, also such authorized body. In the event that the purpose of processing personal data is achieved, the Operator must stop processing personal data and destroy personal data within a period not exceeding 30 working days from the date of achieving the purpose of processing personal data, unless otherwise provided by the contract to which the subject of personal data is a party.

4.7. It is prohibited to make decisions on the basis of an exclusively automated processing of personal data that generate legal consequences with respect to the subject of personal data or otherwise affect his rights and legal interests.
5. SAFETY OF PERSONAL DATA.
MEASURES APPLIED TO PROTECTION OF PERSONAL INFORMATION
5.1. The safety of personal data processed by the Operator is provided by the implementation of legal, organizational and technical measures necessary to ensure the requirements of federal legislation in the field of personal data protection.

5.2. To prevent unauthorized access to personal data, the Operator applies the following organizational and technical measures:
- appointment of employees responsible for organizing the processing and protection of personal data;
- restriction of the composition of persons having access to personal data;
- familiarization of the subjects with the requirements of the federal legislation and regulatory documents of the Operator for the processing and protection of personal data;
- organization of accounting, storage and circulation of information carriers;
- Identification of threats to the security of personal data during processing, the formation of threat models based on them;
- development of a personal data protection system based on the threat model;
- checking the readiness and effectiveness of using information protection tools;
- delineation of users; access to information resources and software and hardware information processing tools;
- registration and recording of actions of users of information systems of personal data;
- use of anti-virus and means of restoring the system of personal data protection;
- application of firewall, intrusion detection, security analysis and cryptographic protection of information in necessary cases;
- the organization of an access regime to the territory of the Operator, the protection of premises with technical means for processing personal data.
6. FINAL PROVISIONS
6.1. Other rights and obligations of the Operator as a personal data operator are determined by the legislation of the Russian Federation in the field of personal data. Employees of the Operator who are guilty of violating the rules governing the processing and protection of personal data bear material, disciplinary, administrative, civil or criminal liability specified by federal laws.

Publication date: October 2, 2018