PRIVACY POLICY

UltraTrade Limited

This Privacy Policy (hereinafter referred to as the Policy) defines the policy regarding the processing of personal data and contains information on the implemented requirements for the protection of the Operator’s personal data.

1. Terms and Definitions

1.1. User—an individual using the Site or Mobile Application to obtain information about the Operator’s services, for the purpose of concluding and executing an agreement concluded with the Operator.

1.2. Counterparty—a legal entity or an individual entrepreneur with whom a compensated agreement has been concluded.

1.3. Operator—SmartTraining Limited, Artemisia House, Floor 3, 90 Akropoleos Avenue Strovolos, 2084 Cyprus.

1.4. Partner—an individual working under the Operator’s affiliate program for the purpose of cooperation in promoting the Operator.

1.5. Cookies—a fragment of data as part of an HTTP request, intended for storage on the User’s end device and used by the Operator to identify the User and process orders of the Owners.

1.6. Site—a set of programs for electronic computing machine information in the information and telecommunications network “Internet”, intended for display in a browser and accessed using a domain name.

1.7. Service - the Website, Mobile Application, databases, and other intellectual property objects with the use of which information is provided for receiving or managing services, services are rendered, and other functionality is provided for the purposes of fulfilling the concluded Agreement for the provision of services.

1.8. Registration data - a list of information determined by the Operator, specified during registration in the Service, and subsequently when changing them in the process of fulfilling the agreement concluded with the User.

1.9. Mobile applications - programs for the Operator's computer, installed by the User in the form of applications through mobile application aggregators.

1.10. Processing of personal data - any action (operation) or set of actions (operations) performed with the use of automation tools or without the use of such tools with personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data.

2. General Provisions

2.1. The Policy governs the processing of personal data when the Operator carries out business activities, including the provision of services.

2.2. The Policy has been developed in accordance with the requirements of regulatory documents, taking into account the current requirements in the field of personal data protection.

2.3. The Operator's Counterparty is responsible for the compliance of personal data processing with the current regulatory legal acts and the agreement (in its area of ​​responsibility) of the following categories of personal data: 2.3.1. Subjects of personal data transferred to the Counterparty for processing. 2.3.2. Individual representatives acting on behalf of the Operator's Counteragent. 2.3.3. Own personal data, if the Operator's Counterparty is an individual entrepreneur. 2.4. The requirement for the security of personal data transferred between the Operator and the Counterparty is provided for by the agreement concluded between them in accordance with the current legislation. 2.5. Processing of personal data of a representative of the Operator's Counterparty is permitted if this follows from the essence of the agreement with the Counterparty. 2.6. In a situation where personal data are received from the personal data subject, the latter is responsible for indicating accurate personal data. 2.7. This Policy applies to personal data obtained both before and after the entry into force of this Policy. 2.8. The Operator is obliged to adhere to the following principles when processing personal data: 2.8.1. personal data must be processed on a lawful and fair basis; 2.8.2. personal data must be limited to achieving specific, predetermined and legitimate purposes. Processing of personal data that is incompatible with the purposes of collecting personal data is not allowed; 2.8.3. combining databases containing personal data that are processed for purposes incompatible with each other is not allowed; 2.8.4. only personal data that meet the purposes of their processing are subject to processing; 2.8.5. the content and volume of the processed personal data must correspond to the stated purposes of processing. The processed personal data must not be excessive in relation to the stated purposes of their processing; 2.8.6.

When processing personal data, the accuracy of personal data, their sufficiency, and, where necessary, relevance in relation to the purposes of processing personal data must be ensured. The Company and the Management Company, in accordance with the rights and obligations established by the agreement and applicable law, must take the necessary measures or ensure their adoption to delete or clarify incomplete or inaccurate data; 2.8.7. personal data must be stored in a form that allows identifying the subject of personal data, no longer than required by the purposes of processing personal data, unless the storage period for personal data is established by federal law, an agreement to which the subject of personal data is a party, beneficial acquirer or guarantor. The processed personal data are subject to destruction or depersonalization upon achieving the processing purposes or in the event of loss of need to achieve these purposes, unless otherwise provided by federal law. 2.9. This Policy is published on the Internet, and is also posted in the Operator's sales offices.

3. Categories of personal data subjects

3.1. The Operator processes personal data of the following categories of personal data subjects: 3.1.1. The Operator’s employees, dismissed employees, candidates for vacant positions, similar categories, the processing of which is provided for by labor legislation (hereinafter referred to as the Operator’s Employees). 3.1.2. Users. 3.1.3. Partners. 3.1.4. Representatives of the Operator’s Counterparties.

4. Purposes and grounds for processing personal data

4.1. The personal data of the Operator's Employees are processed on the basis of subparagraphs 2, 7 of paragraph 1 of Article 6 of the Federal Law of 27.07.2006 N 152-FZ "On Personal Data", for the purpose of enforcing the provisions of the Labor Code of the Russian Federation, for the purpose of enforcing the provisions of the employment contract, as well as regulatory legal acts related to the Labor Code of the Russian Federation. 4.2. The personal data of Users and Partners are processed in accordance with subparagraphs 1 and 5 of paragraph 1 of Article 6 of the Federal Law of 27.07.2006 N 152-FZ "On Personal Data" for the purpose of familiarization with the operator's services, the intention to conclude an agreement, and the execution of the agreement. 4.3. Personal data of the Counterparty's representatives are processed in accordance with subparagraphs 5, 7 of paragraph 1 of Article 6 of the Federal Law of 27.07.2006 N 152-FZ "On Personal Data" for the purpose of concluding and executing the agreement concluded with the Counterparty. 4.4. Personal data may be used for other purposes if this is mandatory in accordance with the provisions of the legislation of the Russian Federation. 4.5. The processing of personal data is limited to achieving specific, predetermined and legitimate purposes. Processing of personal data that is incompatible with the purposes of collecting personal data is not permitted.

5. Composition of information about personal data subjects

5.1. The Operator processes the following categories of personal data of Employees: last name, first name, patronymic, year of birth, gender, age, profession, income, social status, employment, passport details; data on the military ID (for those liable for military service), certificate of assignment of a TIN, insurance pension certificate, files containing materials on advanced training and retraining, certification, official investigations; other data, the processing of which is provided for by labor legislation and the contract concluded with the employee.

5.2. The Operator processes the following categories of personal data of Users: last name, first name and patronymic, month, date and place of birth, passport details, gender, signal account (in the operator's system), trading account (in the operator's system), training account (in the operator's system), e-mail address, registration address.

5.3. The Operator processes the following categories of personal data of Partners: last name, first name and patronymic, partner status, partner account details.

5.4. The Operator processes personal data of representatives of counterparties: last name, first name, patronymic (if any), position, and other information stipulated by the agreement with the Counterparty.

5.5. When subjects of personal data use the Operator's Website and Mobile Applications, the Operator processes data stipulated by international protocols for exchanging data via the Internet, including (but not limited to): IP address, MAC address, device ID, IMEI, MEID, Cookies data, information about the browser, operating system, and access time.

5.6. The storage period of personal data is determined by the agreement or the nature of another basis for processing.

5.6.1. The processing period for the PD of Employees is no more than 30 days from the date of loss of the grounds for processing.

5.6.2. The processing period for the PD of Users is until termination of the agreement, in the event of debt - 3 years, while processing for the purpose of debt collection is carried out only on tangible media in accordance with the established procedure.

5.6.3. The processing period for the personal data of Applicants is until the service is performed.

5.6.4. The period of processing of personal data of counterparties, until the termination of the contract, storage of tangible media containing personal data of representatives of counterparties - until the expiration of the limitation period.

5.6.5. To ensure the storage of personal data on tangible media, premises equipped with means of protection are determined in accordance with the order of
the enterprise. Storage of completed documents containing personal data is carried out in an archive or in a separate room (cabinet).

5.6.6.Storage of tangible media of personal data is carried out separately for each category of personal data subjects.
6. Use of ISPD

6.1. The operator processes personal data in personal data information systems.

6.2. In the event of transfer of personal data for processing to a third party, where the processing of personal data is assumed, the concluded agreement provides for the obligation to protect personal data in accordance with applicable law.
7. User Rights

The personal data subject has the right to:
7.1. Request changes to the provided personal data, delete them.

7.2. Request notification of all persons who were previously provided with incorrect or incomplete personal data.

7.3. Send the Operator requests regarding the processing of his personal data within the limits of the Operator.

7.4. Exercise other rights provided for by applicable law.
8. Information on the implemented requirements for the protection of personal data

8.1. When processing personal data, the Operator takes the necessary legal, organizational and technical measures and ensures their adoption to protect personal data from unauthorized or accidental access to them, destruction, modification, blocking, copying, provision, distribution of personal data, as well as from other illegal actions in relation to personal data, which include, in particular (but are not limited to):
8.1.1. Appointment of a person responsible for the processing of personal data. 8.1.2. Limitation of the composition of employees who have access to personal data. 8.1.3. Software identification of Users, employees of the Operator and accounting of their actions. 8.1.4. Implementation of anti-virus control and other measures against malicious software and mathematical influence. 8.1.5. Use of backup and information recovery tools. 8.1.6. Updating the software if there are security patches from manufacturers.

8.1.7. Implementation of encryption when transferring personal data on the Internet. 8.1.8. Taking measures related to admission of only appropriate persons to locations where technical means are installed. 8.1.9. Use of technical means of protecting the premises in which the technical means of personal data information systems are located and locations where tangible media of personal data are stored. 8.2. The operator ensures the security of personal data, in particular: 8.2.1. taking into account the potential harm to the personal data subject, the volume and content of the personal data being processed, the type of activity in the implementation of which the personal data are processed, the relevance of threats to the security of personal data 8.2.2. application of technical measures in accordance with the threats to the security of personal data when processing them in personal data information systems. 8.2.3. application of organizational and technical measures to ensure the security of personal data when processing them in personal data information systems, necessary to meet the requirements for the protection of personal data, the implementation of which ensures the levels of protection of personal data established by the Government of the Russian Federation; 8.2.4. application of information security tools that have undergone the established procedure for assessing the conformity of information security tools; 8.2.5. assessment of the effectiveness of measures taken to ensure the security of personal data before starting work in the personal data information system, carried out by the Company; 8.2.6. accounting for machine-readable media of personal data, if used; 8.2.7. procedures related to the detection of facts of unauthorized access to personal data and taking measures; 8.2.8. restoration of personal data modified or destroyed due to unauthorized access to them; 8.2.9. establishment of rules for access to personal data processed in the personal data information system, as well as ensuring the registration and accounting of all actions performed with personal data in the personal data information system; 8.2.10. control over the measures taken to ensure the security of personal data and the level of protection of personal data information systems.

9. Use of anti-virus protection tools

9.1. Only licensed anti-virus tools purchased from suppliers of the said tools are allowed for use.

9.2. Installation and configuration of anti-virus control tools on workstations and servers of the KVS is performed by the information security administrator or persons under an agreement containing the relevant conditions.

9.3. Anti-virus tools must be updated automatically. The anti-virus software may operate with updates no older than 72 hours.

9.4. Anti-virus control of all disks and files of workstations must be performed weekly.

9.5. An anti-virus monitor must be launched in resident mode on each workstation and server.

9.6. Any information received via telecommunication channels and on removable media is subject to mandatory anti-virus control.

9.7. The installed software must be pre-checked for viruses.
10. Working with password protection

10.1. Personal passwords must be generated by special software tools of the administrative service.

10.2. The password must be at least 8 characters long.

10.3. The password must contain upper and lower case letters, numbers and special characters.

10.4. The password must not include: − easily calculated combinations of characters; − keyboard sequences of characters and symbols; − commonly accepted abbreviations; − abbreviations; − telephone numbers, car numbers; − other combinations of letters and characters associated with the user; − when changing the password, the new combination of characters must differ from the previous one by at least 2 characters. 10.5. It is allowed to use a single password for access by the access subject to various information resources. 10.6. A complete scheduled change of user passwords must be carried out regularly, at least once a month. 10.7. A complete unscheduled change of passwords for all users must be performed in the event of termination of the powers of security tool administrators or other employees who, by virtue of their job description, have been granted powers to manage password protection. 10.8. A complete unscheduled change of passwords must be performed in the event of a compromise of the personal password of one of the ISPDN administrators. 10.9. In the event of a compromise of a user's personal password, access to information from this account must be immediately restricted until a new user account or password takes effect. 10.10. When working with password protection, users are prohibited from: − disclosing their personal password and other identifying information to anyone; − providing access from their account to information stored in the ISPDN to third parties; − writing down passwords on paper, a file, electronic and other information carriers, including on objects. 10.11. The user may only store their password on paper in a personal safe sealed by the password owner. 10.12. When entering a password, the user must ensure that it cannot be intercepted by third parties or technical means. 10.13. Compromise shall mean: − physical loss of the medium containing the information; − transmission of identification information via open communication channels; − penetration of an unauthorized person into the premises where the medium containing the password information or algorithm is physically stored, or there is a suspicion of such penetration (alarm activation, damage to NSD control devices (seal impressions), damage to locks, etc.); − visual inspection of the medium containing the identification information by an unauthorized person; − interception of the password during distribution of identifiers;

- deliberate transfer of information to an unauthorized person.

10.14. Actions to be taken when a password is compromised:

- the compromised password is immediately disabled, and a backup or new password is entered in its place;

- all participants in the information exchange are immediately notified of the compromise. The password is added to special lists containing compromised passwords and accounts.
11. Non-automated processing of personal data

11.1. The following measures are taken to ensure the security of personal data during non-automated processing: 11.1.1. all actions related to the processing of personal data are carried out only by the Operator’s employees authorized by the order of the sole executive body to work with personal data, and only to the extent necessary for these persons to perform their work function; 11.1.2. an agreement is concluded with a third party carrying out non-automated processing of personal data on behalf of the operator, which includes the terms and conditions for taking appropriate measures to protect personal data. 11.1.3. personal data is processed in compliance with the procedure stipulated by Government Resolution No. 687 of 15.09.2008 “On approval of the Regulation on the specifics of personal data processing carried out without the use of automation tools”.

12. Confidentiality

12.1. The operator and other persons who have gained access to personal data are obliged not to disclose to third parties or distribute personal data without observing the principle based on the consent of the subject of personal data, except in cases stipulated by current legislation.
13. Destruction (anonymization) of personal data

13.1. Destruction (anonymization) of the personal data of the Subject is performed in the following cases: 13.1.1. upon achievement of the purposes of their processing or in case of loss of need to achieve them within a period not exceeding thirty days from the moment of achievement of the purpose of processing the personal data, unless otherwise provided by the agreement to which the personal data subject is a party, or by other agreement between the Operator and the personal data subject (his representative, employer); 13.1.2. in case of detection of unlawful processing of personal data or lawful revocation of personal data within a period not exceeding ten working days from the moment of detection of such case; 13.1.3. in case of expiration of the storage period for personal data, determined in accordance with the legislation of the Russian Federation and the organizational and administrative documents of the Operator; 13.1.4. in case of an order of the authorized body for the protection of the rights of personal data subjects, the prosecutor's office of Russia or a court decision.

14. Transfer to third parties

14.1. The Operator does not perform cross-border processing of personal data. When storing personal data using contractors' ISPD, the Operator uses databases located on the territory of the Russian Federation.

14.2. The Operator may transfer personal data to other persons, hosting providers, analytics services, other persons for the purpose of fulfilling the agreement concluded with the User.

14.3. The Operator has the right to transfer personal data to inquiry and investigation bodies,
other authorized bodies on the grounds stipulated by the current legislation of the Russian Federation.
15. Exceptions to processing

15.1. The Operator does not process special categories of personal data, including
biometric data.

15.2. The Operator does not have processes related to decision-making solely on the basis of automated processing of personal data.

15.3. The Operator does not provide unlimited access to personal data to third parties.

15.4. The Operator does not make proactive contacts for informational and advertising purposes.
16. Final Provisions

16.1. The processing period for personal data processed by the Operator may be determined (redefined) by the organizational and administrative documents of the Operator in accordance with the provisions of the Federal Law "On Personal Data".

16.2. This Policy is subject to change, supplementation in the event of the emergence of new legislative acts and special regulatory acts on the processing and protection of personal data, as well as by decision of the Operator.

16.3. Control over compliance with the requirements of this Policy is carried out by the person responsible for organizing the processing of personal data.

16.4. Issues not regulated by this Policy are regulated by the current legislation of the Russian Federation.

16.5. The Operator may issue other local acts clarifying individual principles
of personal data processing.