Personal Data Protection and Processing Policy of SimbirSoft LLC

Version No. 2

Legal, physical and mailing address: 4320071 Ulyanovsk, prospekt Narimanova, dom 1, str. 2. (INN 7325029206) (hereinafter, the Operator)

1. General Provisions

1.1.This Personal Data Protection and Processing Policy (hereinafter, the Policy) is drawn up in accordance with Clause 2 of Article 18.1 of Federal Law No. 152-FZ of July 27, 2006 "On Personal Data" (hereinafter, the Law on Personal Data), as well as other regulations on the protection and processing of personal data (hereinafter, PD), and defines the main principles, purposes, scope and categories of processed PD, categories of PD subjects (individuals), the procedure and conditions for processing, procedures aimed at identifying and preventing violations of the laws of the Russian Federation on personal data during their processing by the Operator.

1.2. The Operator shall ensure the protection of processed PD against unauthorized access and disclosure, unauthorized use or loss in accordance with the requirements of the Law on Personal Data.

1.3. The Operator shall have the right to make changes to this Policy. The new version of the Policy shall enter into force upon its approval by the CEO of the Operator, unless otherwise stipulated by the new version of the Policy.

1.4. The terms contained in Article 3 of the Law on Personal Data are used in this Policy with the same meaning.

1.5. This Policy includes, among other things, provisions related to PD processing using the Operator’s website.

1.6. This Policy is a publicly accessible document and is published on the Operator’s official website at https://www.simbirsoft.com.

2. Legal Grounds for PD Processing

2.1. The legal grounds for PD processing by the Operator are:

  • The Constitution of the Russian Federation;
  • The Labor Code of the Russian Federation;
  • The Civil Code of the Russian Federation;
  • The Tax Code of the Russian Federation;
  • Federal Law of July 27, 2006 No. 149-FZ "On Information, Information Technologies and Information Security";
  • Federal Law of February 8, 1998 No. 14-FZ "On Limited Liability Companies";
  • Federal Law No. 27-FZ of April 1, 1996 "On Individual (Personified) Accounting in the Compulsory Pension Insurance System";
  • Federal Law of December 2, 1990 No. 395-1 "On Banks and Banking Activities";
  • Federal Law of December 6, 2011 No. 402-FZ "On Accounting";
  • Articles of Association of the Operator;
  • contracts concluded between the Operator and PD subjects;
  • consent of PD subjects to PD processing.

3. Principles of PD Processing

3.1. PD shall be processed on a lawful and fair basis.

3.2. PD processing shall be restricted to the achievement of specific, predetermined and legitimate purposes. PD processing inconsistent with the purposes of PD processing is not permitted.

3.3. The merging of databases containing PD to be processed for purposes that are incompatible with one another is not permitted.

3.4. Only personal data that comply with the purposes of their processing shall be processed. The PD to be processed shall not be redundant in relation to the stated purposes of their processing.

3.5. In the course of personal data processing, it is necessary to ensure the accuracy of the personal data, their sufficiency and, if appropriate, their adequacy for processing purposes. The Operator shall take the required measures or ensure their adoption to delete or clarify incomplete or inaccurate data.

3.6. PD shall be stored in a form that allows identifying the PD subject for no longer than the purposes of PD processing require, unless the PD storage period is established by federal law, the contract to which the PD subject is a party, the beneficiary or the guarantor. The processed PD shall be destroyed or depersonalized upon achievement of processing purposes or when such purposes cease to be relevant, unless otherwise stipulated by federal law.

4. Purposes of PD Processing

4.1. PD shall be processed by the Operator for the following purposes:

4.1.1. Pursuing the statutory activities of the Operator, providing computer software development services, consulting services in this area and other related services;

4.1.2. HR recordkeeping and regulation of labor relations with the Operator’s employees, including training, promotion, provision of various types of benefits and compensations to employees, voluntary medical insurance of all types, ensuring personal safety of employees, controlling the quantity and quality of work performed, ensuring the safekeeping of property;

4.1.3. Voluntary medical insurance of employees' family members;

4.1.4. Accounting and tax accounting;

4.1.5. Attracting and selecting candidates (applicants) for employment with the Operator;

4.1.6. Preparing for conclusion, concluding, performing and terminating contracts with counterparties as part of the Operator's activities;

4.1.7. Collecting feedback, including processing requests and inquiries, and interacting with the Operator through the Operator’s websites;

4.1.8. Organizing internships for students with the Operator.

5. PD Scope and Subjects

5.1. PD categories of the Operator’s employees: last name, first name, patronymic (including previous last name, first name, patronymic, if any); day, month, year of birth; gender, place of birth; passport details (series, number, subdivision code, name of the issuing authority, date of issue), details of the identity document outside the Russian Federation, information on citizenship, address of the place of residence (registration, actual residence address); profession, position, information on education, professional retraining and/or advanced training (name of the educational institution, year of graduation, qualification, specialty, details of the educational document); information on foreign language proficiency; mobile phone number; e-mail address; individual insurance account number (if any); details of the compulsory/voluntary health insurance certificate of the insured person (if any); Taxpayer Identification Number; details of the civil registry certificate; marital status; image (photo, video), family members and information on the family members (close relatives); information on employment and details of the employment record book, information on military registration status (reserve category, military rank, category of eligibility for military service, information about removal from military registration) and details of military registration documents; information about temporary disability, information contained in employment agreements, contracts and addenda thereto; information about vacations; income details; current account number and bank card number; information about employment (experience); information about business trips to achieve the purposes specified in Clauses 4.1.2, 4.1.4. of the Policy.

5.2. PD categories of family members of the Operator's employees: last name, first name, patronymic, year of birth, date of birth, degree of relationship to achieve the purposes specified in Clause 4.1.2 of the Policy and last name, first name, patronymic, year of birth, date of birth, passport details, details of the birth certificate of children, phone number, details of the voluntary medical insurance certificate of the insured person (if any) to achieve the purpose specified in Clause 4.1.3 of the Policy.

5.3. PD categories of the Operator’s dismissed employees: last name, first name, patronymic (including previous last name, first name, patronymic, if any); day, month, year of birth; gender, place of birth; passport details (series, number, subdivision code, name of the issuing authority, date of issue), details of the identity document outside the Russian Federation, information on citizenship, address of the place of residence (registration, actual residence address); profession, position, information on education, professional retraining and/or advanced training (name of the educational institution, year of graduation, qualification, specialty, details of the educational document); information on foreign language proficiency; mobile phone number; e-mail address; individual insurance account number (if available); details of the compulsory/voluntary health insurance certificate of the insured person (if any); Taxpayer Identification Number; details of the civil registry certificate; marital status; image (photo, video), family members and information on the family members (close relatives); information on employment and details of the employment record book, information on military registration status (reserve category, military rank, category of eligibility for military service, information on removal from military registration) and details of military registration documents; information contained in employment agreements, contracts and addenda thereto; information on temporary disability, information on vacations; income details; current account number and bank card number; information on employment (work experience); information on business trips to achieve the purposes specified in Clauses 4.1.2, 4.1.4. of the Policy.

5.4. PD category of candidates (applicants) for employment with the Operator: last name, first name, patronymic (including previous last name, first name, patronymic, if any); day, month, year of birth; mobile phone number; e-mail address; information on education, professional retraining and/or advanced training (name of educational institution, year of graduation, qualification, specialty), marital status, sex, information on foreign language proficiency; information on work experience for achieving the purposes specified in Clause 4.1.5 of the Policy.

5.5. PD category of individuals: counterparties/representatives of counterparties: last name, first name, patronymic, INN, SNILS, passport details (series, number, name of the issuing authority, date of issue, subdivision code), address of residence (registration, actual residence address), position held, contact details (phone number, e-mail address), payment details, bank card number for achieving the purposes specified in Clause 4.1.1, Clause 4.1.4, Clause 4.1.6.

5.6. PD categories of users of the Operator’s websites: last name, first name, patronymic, date of birth, passport details (series, number, name of the issuing authority, date of issue, subdivision code), address of place of residence (registration, actual residence address), phone number, e-mail address, electronic user data (cookies) for achieving the purposes specified in Clause 4.1.6., Clause 4.1.7 of the Policy.

5.7. PD category of students undergoing internship with the Operator: last name, first name, patronymic, place of study, specialty, year of study, faculty, group, passport details (series, number, name of the issuing authority, date of issue, subdivision code), residential address (registration, actual residence address) for achieving the purpose specified in Clause 4.1.8 of the Policy.

5.8. The Operator shall not process special categories of PD related to race, nationality, political views, religious or philosophical beliefs, intimate life, or state of health.

5.9. Biometric categories of personal data and personal data permitted for distribution shall be processed by the Operator subject to the consent of the personal data subject obtained in accordance with the requirements of the laws of the Russian Federation.

6. Procedure and Conditions for PD Processing and Storage

6. 1. The Operator shall process PD in accordance with the requirements of the laws of the Russian Federation.

6. 2. PD shall be processed with the consent of PD subjects to the processing of their PD, as well as without such consent in the cases provided for by the laws of the Russian Federation.

6.3. When processing personal data using the Operator's website, the website user shall provide consent to their processing by filling in the fields of the forms intended for entering personal data on the Operator's website and checking the corresponding box after reading this Policy.

6.4. The Operator shall perform mixed processing of PD, both automated and non-automated.

6.5. Access to PD shall be granted to the employees of the Operator who need personal data in connection with the performance of their official duties. The procedure for obtaining access to PD includes familiarization of the employee with the provisions of the applicable laws of the Russian Federation on personal data, including the requirements for the protection of personal data, with the Operator's internal documents regulating the processing and protection of PD, as well as obtaining a written obligation from the employee not to disclose PD. Upon dismissal of an employee who has access to PD, documents and other media containing PD shall be transferred to their immediate supervisor, and the employee's access to PD information systems shall be terminated.

6.6. The disclosure or distribution of PD to third parties is not permitted without the consent of the PD subject, unless otherwise stipulated by federal law.

6.7. The transfer of PD to the authorized state bodies and organizations shall be carried out in accordance with the requirements of the laws of the Russian Federation.

6.8. The Operator shall collect, record, systematize, accumulate, store, clarify (update, change), retrieve, use, transfer (distribute, provide, access), block, delete and destroy PD using a mixed method of personal data processing.

6.9. When collecting PD, including through the Internet, the Operator shall ensure the recording, systematization, accumulation, storage, clarification (updating, modification), and retrieval of PD with the use of databases located in the Russian Federation.

6.10. The Operator shall ensure that the content and scope of processed PD conforms to the stated processing purposes and, if necessary, takes measures to eliminate their redundancy in relation to the stated processing purposes.

7. PD Processing and Storage Period

7.1. The period for PD processing shall not exceed the period required to achieve the purpose of PD processing, unless otherwise provided for by the laws of the Russian Federation or a written agreement with the PD subject.

7.2. PD shall be stored in a form that allows identifying the PD subject for no longer than the purposes of PD processing require, and they are subject to destruction upon achievement of the processing purposes or when such purposes cease to be relevant.

7.3. Documents containing PD shall be stored and placed in compliance with the requirements of applicable laws of the Russian Federation.

7.4. PD of subjects may be received, further processed and transferred for storage both in paper and electronic form.

7.5. PD recorded in paper form shall be stored in lockable cabinets or in locked rooms with limited access rights.

7.6. PD of subjects processed using automation tools for different purposes shall be stored in different folders.

7.7. Processed PD shall be destroyed upon achievement of the purposes of processing or when such purposes cease to be relevant, unless otherwise stipulated by the applicable laws.

8. Ensuring Confidentiality of Personal Data

8.1. Information pertaining to PD shall be confidential and protected by the laws of the Russian Federation.

8.2. Persons admitted to PD processing shall undertake not to disclose confidential information.

8.3. The Operator shall take the necessary and sufficient legal, organizational and technical measures to protect PD from unauthorized or accidental access, destruction, modification, blocking, copying, provision, distribution of personal data, as well as from other illegal actions involving PD.

9. Procedures aimed at identifying and preventing violations of the laws of the Russian Federation on personal data

9.1. To identify violations, the following procedures are provided for:

  • internal control over the compliance of PD processing with the requirements of the Law on Personal Data and the regulations adopted in accordance therewith, the requirements for PD protection, the Operator’s Policy and other local regulations of the Operator;
  • assessment of harm that may be caused to PD subjects;
  • familiarization of employees directly engaged in PD processing with the laws of the Russian Federation on PD (including requirements for personal data protection), internal local regulations of the Operator on PD processing;
  • preventing the merging of databases containing PD to be processed for purposes that are incompatible with one another;
  • ensuring PD accuracy during PD processing, their sufficiency and, if appropriate, their adequacy for processing purposes;
  • detecting the facts of unauthorized access to PD and taking appropriate measures.

9.2. To prevent and eliminate the consequences of such violations, procedures are provided for:

  • adopting local regulations on the PD processing;
  • organizing the processing of PD in information systems (PDIS), including actions for systematization, accumulation, use, storage, transfer, as well as destruction, blocking in accordance with the requirements of the Law on Personal Data;
  • appointing a person responsible for organizing the PD processing;
  • appointing persons responsible for ensuring the security of processed PD;
  • informing the Operator's employees who process PD without the use of automation tools about the fact that they are processing PD, the processing of which is carried out without the use of automation tools, the categories of PD processed, as well as about the specifics and rules of such processing established by the regulations of federal executive bodies, executive authorities of the constituent entities of the Russian Federation, as well as local regulations of the Operator;
  • arranging for the receipt of PD personally from the PD subject, their legal representatives or third parties in accordance with the requirements of the Law on Personal Data;
  • implementing legal, organizational and technical measures to ensure the security of PD necessary to comply with the requirements for PD protection, compliance with which is ensured by the levels of PD security established by the Government of the Russian Federation, including:

1. identification of current threats to PD security when processing them in PDIS and development of measures and activities to protect PD;

2. establishing rules for accessing PD processed in PDIS, as well as ensuring registration and recording of all actions performed with PD in PDIS;

3. setting individual access passwords for employees in PDIS in accordance with their job duties;

4. use of information security tools that have undergone the compliance assessment procedure in accordance with the established procedure;

5. use of antivirus software;

6. compliance with the conditions ensuring the safety of PD and excluding unauthorized access to them;

7. detection of facts of unauthorized access to personal data and taking measures;

8. recovery of PD modified or destroyed as a result of unauthorized access to them;

9. protection of machine-readable media on which personal data are stored and/or processed (hereinafter, the machine-readable media of personal data);

10. detection (prevention) of intrusions;

11. control (analysis) of PD security;

12. identification of incidents (one event or a group of events) that may lead to failures or disruption of PDIS functioning and/or the emergence of threats to PD security, and response to them;

13. ensuring the security of the premises where personal data are processed and personal data storage media are stored, preventing the possibility of uncontrolled entry or stay in such premises by persons who do not have the right to access them;

14. ensuring the safety of personal data storage media;

15. ensuring that the doors of the premises are permanently locked and opened only for authorized access, as well as sealing the premises at the end of the working day, or equipping the premises with appropriate technical devices that give a warning of unauthorized opening of the premises;

16. publication of the Operator’s Personal Data Protection and Processing Policy on the Operator's website on the Internet.

10. Basic Rights of the PD subject and Obligations of the Operator

10.1. Basic rights of the PD subject.10.1.1. The subject has the right to access their PD and the following information:

  • confirmation of PD processing by the Operator;
  • legal grounds and purposes of PD processing;
  • purposes and methods of PD processing used by the Operator;
  • the name and location of the Operator, information on persons (except for the Operator's employees) who have access to PD or to whom PD may be disclosed on the basis of an agreement with the Operator or on the basis of federal law;
  • PD processing period, including their storage period;
  • the procedure for the exercise by the PD subject of the rights provided for by law;
  • name or last name, first name, patronymic and address of the person processing PD on behalf of the Operator, if the processing is entrusted or will be entrusted to such a person;
  • information on the methods of performance by the Operator of the obligations established by Article 18.1 of the Law on Personal Data;
  • other information provided for by the Law on Personal Data or other federal laws.

10.1.2. The subject has the right to communicate with the Operator and submit requests;

10.1.3. The subject has the right to challenge the actions or omissions of the Operator;

10.1.4. The PD subject has the right to demand that the Operator clarify, block or destroy their PD if the PD are incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of the processing, as well as to take measures provided for by law to protect their rights. 10.2. Obligations of the Operator.

The Operator shall:

  • when processing PD, provide the PD subject with the information provided for by the Law on Personal Data;
  • if, in accordance with the Law on Personal Data, the provision of PD and/or obtainment by the Operator of consent to PD processing is mandatory, explain the legal consequences of refusal to provide its PD to the PD subject and/or consent to their processing;
  • in cases where PD were not obtained from the PD subject, provide the PD subject with the following information (except for cases provided for by the Law on Personal Data):

1. name or last name, first name, patronymic and address of the Operator or its representative;

2. purpose of personal data processing and its legal grounds;

3. list of personal data;

4. intended PD users;

5. The rights of the personal data subject established by the Law on Personal Data;

6. source of personal data.

  • publish or otherwise provide unrestricted access to the document defining its policy in relation to PD processing, to information on the requirements for PD protection;
  • take the necessary legal, organizational and technical measures or ensure their taking to protect PD from unauthorized or accidental access to them, destruction, modification, blocking, copying, provision, distribution of PD, as well as from other illegal actions with respect to PD;
  • respond to requests and inquiries of PD subjects, their representatives and the authorized body for the protection of the rights of PD subjects in the manner and within the time limits stipulated by the Law on Personal Data;
  • other obligations stipulated by the Law on Personal Data.

11. Modification and destruction of PD, requests from PD subjects

11.1. In case of confirmation of the fact of inaccuracy of PD or unlawfulness of PD processing, PD shall be updated by the Operator, or their processing shall be terminated accordingly.

11.2. The fact of inaccuracy of PD or the unlawfulness of their processing may be established either by the PD subject or by the competent state authorities of the Russian Federation.

11.3. Upon the written request of the PD subject or their representative, the Operator shall provide information on the PD processing of the said subject in accordance with the requirements of the applicable laws of the Russian Federation.

Such a request shall contain the number of the main identity document of the PD subject and their representative and a document confirming the representative's rights to obtain such data, information on the date of issue of the said document and the issuing authority, information confirming the participation of the PD subject in relations with the Operator (date of conclusion of the agreement, the symbolic designation and/or other information), or information otherwise confirming the fact of PD processing by the Operator, the signature of the PD subject or their representative.

11.4. If the request of the PD subject does not reflect all the necessary information or the subject does not have the rights of access to the requested information, a reasoned refusal shall be sent to the subject.

11.5. Upon achieving the purposes of PD processing, as well as in case of withdrawal of the Consent by the PD subject, the Operator shall terminate PD processing and destroy PD in the manner and within the time limits stipulated by the applicable laws of the Russian Federation.

12. Use of Cookies

12.1. Cookies are used on the website to improve the quality of the interaction of visitors with the Website, allowing the Website to memorize visitors during their first visit or during repeated visits. In some cases, cookies are used to personalize information on the Site based on location.

12.2. The Operator uses cookies that are necessary for the movement of visitors on the Website or for the operation of certain basic functions. Cookies are used to improve the functionality of the Website, for example, by saving the visitor’s settings. The Operator also uses cookies to improve the operation of the Website in order to improve the quality of the interaction of visitors with the Website.

Consent to the processing of personal data of users who applied through the website By submitting information through the feedback form, the site user undertakes to accept this Consent to Personal Data Processing (hereinafter, the Consent). Acceptance of the Consent shall be a click on the "Submit" button on any page of the website with a feedback form.

The Consent has been developed in accordance with the Personal Data Protection and Processing Policy of SimbirSoft LLC. The user grants their consent to SimbirSoft LLC (Primary State Registration Number (OGRN) 1027301167563, Taxpayer Identification Number (INN) 7325029206), registered office: Ulyanovsk, prospekt Narimanova, dom 1, stroenie 2, to mixed processing, both with and without the use of automation tools, of the following personal data:

  • first name, last name, patronymic;
  • e-mail address;
  • contact phone number.
  • other data (if provided by the visitor at their own discretion)

Consent to personal data processing is given for the following purposes:

  • collecting feedback, including processing requests and inquiries, and interacting with the Operator through the Operator’s websites
  • The visitor agrees to the collection, recording, systematization, accumulation, storage, specification (update, change), transfer (provision, access), retrieval, use, blocking, deletion, destruction.

This Consent shall enter into force upon its acceptance and remain in effect until the purpose of processing is achieved or its withdrawal.

The Consent may be withdrawn by sending a written application to SimbirSoft LLC to the address specified at the beginning of this Consent.

The user confirms that he/she AGREES to the processing of the personal data provided in the feedback form in accordance with the terms of this Consent to the Personal Data Processing and the Personal Data Protection and Processing Policy of SimbirSoft LLC.

Tell us your idea
Send us an email or give us a call, we’d love to chat
about your most ambitious idea: +1 617 982 1723
Upload a file up to 10MB
File selected
Required extensions: .txt, .doc, .docx, .odt, .xls, .xlsx, .pdf, .jpg, .jpeg, .png

Maximum file size: 10 MB
Оставьте свои контакты
SimbirSoft регулярно расширяет штат сотрудников.
Отправьте контакты, чтобы обсудить условия сотрудничества.
Написать нам
Расскажите, какие задачи сейчас на вашем проекте.
Проконсультируем и предложим подходящих специалистов, а также сориентируем по ставкам на аутстаф.
Middle
TeamLead
Senior
TechLead
Upload a file up to 10MB
File selected
Required extensions: .txt, .doc, .docx, .odt, .xls, .xlsx, .pdf, .jpg, .jpeg, .png

Maximum file size: 10 MB
Экспресс-консультация
Заполните все поля формы.
Эксперт свяжется с вами в течение рабочего дня.
File selected
Можно прикрепить один файл в формате: txt, doc, docx, odt, xls, xlsx, pdf, jpg, jpeg, png.

Размер файла до 10 Мб.
Порекомендуйте друга — получите вознаграждение!
Прикрепить резюме, до 10Мб
Файл выбран
Можно прикрепить один файл в формате: txt, doc, docx, odt, xls, xlsx, pdf, jpg, jpeg, png.

Размер файла до 10 Мб.