1. Purpose and scope1.1 This document (hereinafter - the Policy) defines the purposes and general principles of personal data processing, as well as the implemented measures for the protection of the rights of personal data subjects in the Autonomous Non-Profit Organization "Online Education Development Platform for Children and Youth "National Open School" (hereinafter - ANO NOSH). (hereinafter - ANO NOSH).
1.2 The Policy applies to the Autonomous Non-Profit Organization "Online Platform for the Development of Education for Children and Youth "National Open School" (hereinafter - ANO NOSH).
1.3 The Policy applies to all visitors of the website
https://inspiral.ai.1.4 The requirements of the Policy are also taken into account and applied to other persons when it is necessary for them to participate in the processes of personal data processing, for example, in cases when ANO NOSH transfers personal data to contractors, partners and other counterparties on the basis of orders for personal data processing, other agreements and contracts.
1.5 Basic concepts used in the Policy:
personal data - any information relating to a directly or indirectly defined or identifiable natural person (subject of personal data);
personal data operator (operator) - a state authority, municipal authority, legal entity or individual, independently or jointly with other persons organizing and (or) carrying out processing of personal data, as well as determining the purposes of personal data processing, composition of personal data subject to processing, actions (operations) performed with personal data;
processing of personal data - any action (operation) or set of actions (operations) with personal data, performed with or without the use of means of automation. Processing of personal data includes, inter alia:
- collection;
- recording;
- systematization;
- accumulation;
- storage;
- clarification (update, change);
- extraction;
- utilization;
- transfer (distribution, provision, access);
- depersonalization;
- blocking;
- deletion;
- destruction.
automated processing of personal data - processing of personal data by means of computer equipment;
dissemination of personal data - actions aimed at disclosure of personal data to an indefinite number of persons;
provision of personal data - actions aimed at disclosure of personal data to a certain person or a certain circle of persons;
blocking of personal data - temporary cessation of personal data processing (except for cases when processing is necessary to clarify personal data);
destruction of personal data - actions, as a result of which it becomes impossible to restore the content of personal data in the information system of personal data and (or) as a result of which material carriers of personal data are destroyed;
depersonalization of personal data - actions as a result of which it becomes impossible to determine, without the use of additional information, the belonging of personal data to a particular subject of personal data;
personal data information system - a set of personal data contained in databases and information technologies and technical means ensuring their processing; cross-border transfer of personal data - transfer of personal data to the territory of a foreign country to a foreign government authority, a foreign individual or a foreign legal entity.
2. Legal basis for personal data processing.
2.1 The Policy is developed mainly on the basis of the legislation of the Russian Federation in view of ANNO NOSH registration in the territory of the Russian Federation.
The following legal grounds are used as the legal basis for processing personal data in this Policy:
- Federal Law "On Amendments to the Federal Law "On Personal Data", certain legislative acts of the Russian Federation and recognizing as null and void part fourteenth article 30 of the Federal Law "On Banks and Banking" dated 14.07.2022 N 266-FZ (latest edition)
- Federal Law of 06.04.2011 No. 63-FZ "On Electronic Signature"; - Federal Law of 07.07.2003 No. 126-FZ "On Communications"; - Federal Law of 27.07.2006 No. 149-FZ "On Information, Information Technologies and Information Protection"; - Federal Law of 04.05.2011 No. 99-FZ "On Licensing of Certain Types of Activities"; - Federal Law of 06. 12.2011 No. 402-FZ "On Accounting"; - Federal Law of 04.1996 No. 27-FZ "On Individual (Personified) Accounting in the Mandatory Pension Insurance System"; - Federal Law of 22.10.2004 No. 125-FZ "On Archiving in the Russian Federation"; - Federal Law of 19. 12.2012 № 273-FZ "On Education in the Russian Federation"; - Federal Law of 22.05.2003 № 54-FZ "On the use of cash registers in cash settlements and (or) settlements with the use of electronic means of payment; - Federal Law of 12.01. 1996 No. 7-FZ "On Non-Profit Organizations"; - Federal Law of 08.02.1998 No. 14-FZ "On Limited Liability Companies"; - Law of the Russian Federation of 27.12.1991 No. 2124-1 "On Mass Media"; - Articles of Association of the Companies; - Contracts and Agreements of the Companies; - Consents of Personal Data Subjects
ANO NOSH processes personal data taking into account the requirements of the 152-FZ itself, its bylaws and normative and methodological documents of the state bodies of the Russian Federation authorized in the field of information security and protection of the rights of personal data subjects.
2.2 Where possible, the Policy also takes into account the provisions of other legislation applicable to ANO NOSH activities in the field of personal data processing, for example, the European General Data Protection Regulation (hereinafter - GDPR), or local legislation of certain countries to the extent that it does not contradict 152-FZ.
2.3 In individual cases of personal data processing, in order to resolve possible contradictions between different laws of individual countries, the procedure and principles of personal data processing in ANNOSH may be regulated and detailed in addition to the Policy in special sections of ANNOSH documents (e.g., contracts, agreements) related to such individual cases and serving as Data Processing Agreements (hereinafter - DPA) in GDPR terminology.
2.4 ANO NOSH, which is engaged in the processing of personal data of citizens of the Russian Federation, is registered in the register of the Authorized Body of the Russian Federation for the Protection of the Rights of Personal Data Subjects (hereinafter - Roskomnadzor) as operators of personal data. Any person may obtain information on operators via the Internet by searching the register at https://inspiral.ai. The register shall contain information on the operator as provided for by the legislation of the Russian Federation in relation to the respective Company, including:
2.4.1. full name and location of the personal data operator;
2.4.2. information on the persons responsible for organizing the processing of personal data;
2.4.3. contact information for inquiries;
2.4.4. information on the location of databases of personal data information systems;
2.4.5. information on personal data processing and security measures;
2.4.6. information on trans-border transfer of personal data;
2.4.7. other information on personal data operators stipulated by 152-FZ.
3. Purposes of personal data collection
3.1 The content and scope of processed personal data shall be determined based on the purposes of processing. Personal data that are redundant or incompatible with the following main purposes shall not be processed:
3.1.1. conclusion of labor relations with natural persons, recruitment;
3.1.2. conclusion, prolongation of contractual relations;
3.1.3. identification of parties to contracts, agreements, transactions;
3.1.4. fulfillment of contractual obligations, including provision of services, performance of works, granting rights to use software products, delivery of goods;
3.1.5. use of websites and other information resources by legal entities and individuals in accordance with their rules of use, license agreements;
3.1.6. registration, identification and personalization of users of websites, applications and other information resources; providing access to resources and functions available only to registered users; improving user experience, software products, improving the quality of services provided and work performed by ANO NOSH;
3.1.7. communicating with individuals and legal entities to send them notices, responses to inquiries, mailings and informational messages, as well as marketing messages to promote software products, goods, works and services of ANO NOSH and partner organizations;
3.1.8. acting as a payment agent in accordance with the legislation of the Russian Federation; 3.1.9. carrying out activities to provide additional education;
3.1.10. Participation of individuals in referral, bonus and loyalty programs of ANO NOSH and partner organizations;
3.1.11. Protection of legitimate interests of the Company, its partners and clients; countering illegal or unauthorized actions, fraud when clients and users use ANO NOSH software products, goods, works and services, ensuring information security;
3.1.12. organization of access control on the territory of buildings and offices, ensuring safety of property and security of personnel and visitors of the Companies;
3.1.13. Organizing conferences, seminars, webinars, and other public events for the benefit of ANO NOSH, partner organizations, and professional communities;
3.1.14. providing internships, internships at the Companies, training at partner educational institutions;
3.1.15. Providing a social package, financial assistance, compensation and benefits to the Companies' employees;
3.1.16. conducting research on the subject matter of the Companies' activities, use of software products, goods, works and services to develop new software products, expand the range of services, works, goods, quality control;
3.1.17. Collection, processing of analytical and statistical data on the subject of ANO NOSH activities, use of information resources, software products, goods, works and services;
3.1.18. Compliance with applicable labor, accounting, pension and other laws of the Russian Federation;
3.1.19. compliance with other legislation applicable to the activities of ANO NOSH, including international or local legislation of the countries in respect of whose citizens CORE or individual Companies operate.
3.2 The main categories of personal data subjects whose data is processed by ANO NOSH include:
3.2.1. visitors and users of ANO NOSH websites, applications and information resources;
3.2.2. individuals who are or have been in labor and civil law relations with ANO NOSH, their close relatives, referrers, and individuals who intend to enter into such relations, such as candidates for vacant positions;
3.2.3. individuals who are or have been in labor and civil law relations with ANO NOSH counterparties, as well as individuals who intend to enter into such relations;
3.2.4. individuals undergoing internships and practicums at ANO NNOSH from educational institutions;
3.2.5. individuals listed in various state registries, databases, publicly available and other sources that are legally obtained and used as data sources in the provision of services and products;
3.2.6. individuals who have contacted ANO NOSH with requests, messages, applications, complaints, proposals using contact information or means of collecting feedback;
3.2.7. individuals participating in interviews, surveys, analytical and marketing research on the subject of the Company's activities;
3.2.8. participants of events organized by ANO NOSH or partner organizations;
3.2.9. visitors to ANO NOSH offices;
3.2.10. participants and founders of the Companies.
3.3. For the above categories of subjects may be processed in accordance with the purposes of processing:
3.3.1. personal information (surname, first name, patronymic);
3.3.2. contact information (phone numbers, e-mail addresses, pseudonyms.
3.3.4. professional activity (place of work; position);
3.3.5. information about contracts and agreements, their statuses; information about participation in partnership and bonus programs; referral promo codes; information about products and services used;
3.3.6. recommendations and feedback;
3.3.7. information on accruals and deductions of funds, remunerations in other forms; information on purchases made, orders for goods and services; information on payments within the platform;
3.3.8. photo and video images; speech information (voice recording) not used to identify the data subject; 3.3.9. electronic user data (user IDs, network addresses, cookies, device IDs, screen size and resolution, information about hardware and software, such as browsers, operating system, installed applications, language settings, time zone, time and statistics on the use of applications and information resources of CORE, user actions in services, sources of transitions
3.3.10. hobbies and hobbies; personal interests; tastes and preferences; subscriptions to mailing lists;
3.4 The processing of personal data at ANO NOSH is carried out in a mixed way: with or without the use of automation tools.
3.5 Actions with personal data include: collection; recording; updating, systematization; accumulation; storage; clarification (update, modification); extraction; use; transfer (distribution, provision, access); depersonalization; blocking; deletion, destruction.
3.6 During processing, the accuracy of personal data, their sufficiency and relevance to the purposes of personal data processing shall be ensured. If inaccurate or incomplete personal data are detected, they may be clarified and updated. In cases where the actualization of personal data is outside the area of responsibility of ANO NOSH, the processing may be suspended until the actualization is completed. Obligations and responsibility for timely updating of personal data for individual cases of processing may be established by agreements or local acts of ANNOSH.
3.7 Processing and storage of personal data is carried out for no longer than required by the purposes of personal data processing, if there are no legal grounds for further processing, for example, if the federal law or an agreement with the subject of personal data does not establish an appropriate storage period.
3.8 Processed personal data shall be destroyed or depersonalized when the following conditions occur:
3.8.1. achievement of the purposes of personal data processing or the maximum retention period - subject to destruction or depersonalization within 30 days;
3.8.2. loss of necessity to achieve the purposes of personal data processing - within 30 days;
3.8.3. provision by the personal data subject or his/her legal representative of confirmation that the personal data are illegally obtained or are not necessary for the stated purpose of processing - within 7 days; 3.8.4. impossibility to ensure the lawfulness of personal data processing - within 10 days;
3.8.5. revocation of the personal data subject's consent to personal data processing, if the personal data retention is no longer required for the purposes of personal data processing - within 30 days;
3.8.6. revocation of the personal data subject's consent to use personal data for contacting potential customers for promotion of software products, goods, works and services - within 2 days;
3.8.7. expiration of the limitation period for the legal relations within the framework of which the personal data is or was processed;
3.8.8. liquidation (reorganization) of ANO NOSH, if the processing was carried out exclusively in the interests of this Company and there is no legal successor.
3.9. In case of trans-border transfer of personal data, prior to the commencement of such transfer, make sure that the foreign state, on whose territory the transfer will be carried out, provides adequate protection of the rights of personal data subjects or this foreign state is a party to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data.
3.10. Cross-border transfer to the territory of foreign states that do not ensure adequate protection of the rights of personal data subjects may be carried out in cases provided for by the 152-FZ and GDPR.
4. Processing as a subcontractor and involvement of subcontractors
4.1 ANO NOSH, in addition to acting as personal data controllers, may act as persons who process personal data on behalf of other personal data controllers on the basis of contracts and other agreements. Such cases include, for example, the following:
4.1.1. granting customers rights to use software products;
4.1.2. providing clients with services related to data processing; 4.1.3. performing joint processing with third-party organizations within the framework of ANO NOSH partnership.
4.2 When necessary, ANO NOSH may engage third-party organizations in the processing of personal data as subcontractors, provided that the processing principles are followed and there is an appropriate contract or agreement with them. Such cases include, for example, the following:
4.2.1. provision of software products, goods, work and services jointly by different Companies, as well as with third-party organizations, technological and other partners;
4.2.2. organization of ANO NOSH partner network for distribution of software products, goods, works and services on the market; 4.2.3. use of third-party services, computing resources, applications and infrastructure for information processing, communication with users of software products, works and services, purchasers of goods.
4.3 The processing of personal data on the basis of contracts and other agreements, orders for personal data processing is carried out in accordance with the terms of these contracts, agreements with the persons to whom the processing is entrusted or who entrusted the processing on legal grounds. Such agreements may define, in particular:
4.3.1. purposes, conditions, actions with personal data, terms of personal data processing;
4.3.2. the roles, functions and obligations of the parties, including confidentiality and information security measures;
4.3.3. rights and responsibilities of the parties regarding the processing of personal data.
4.4 In cases where the applicable law is the GDPR, which presupposes the existence of DPA agreements between processing parties, the following documents may fulfill the role of the DPA after the inclusion of specific sections with the terms and conditions of personal data processing:
4.4.1. software license/sublicense agreements;
4.4.2. contracts and agreements that include assignments for data processing;
4.4.3. agreements on confidentiality, information security;
4.4.4. rules for the use of information resources, user agreements;
4.4.5. regulations, provisions, agreements on data processing, service level.
5. Obtaining the subject's consent to the processing of his/her personal data
5.1 In cases of processing not stipulated by the current legislation or the agreement with the data subject, the processing is carried out after obtaining the consent of the personal data subject. A mandatory case of obtaining prior consent is, for example, contact with a potential customer for marketing purposes, when promoting goods, software products, works and services on the market.
5.2 Consent may be expressed in the form of the personal data subject's performance of conclusory actions, for example:
5.2.1. accepting the terms of the offer agreement, license agreement, rules of use of information resources and software products of ANO NOSH;
5.2.2. continuing to use applications, services, information resources, websites of ANO NOSH, interacting with their user interfaces after notifying the user about data processing;
5.2.3. granting necessary permissions to the mobile application when requested at the time of installation or use; 5.2.4. marking, filling in appropriate fields in forms, blanks;
5.2.5. maintaining electronic correspondence that refers to processing;
5.2.6. entering the territory after familiarizing with the warning signs and placards;
5.2.7. other actions performed by the subject, from which it is possible to judge his/her will.
5.3 In certain cases stipulated by the legislation of the Russian Federation, the consent shall be executed in writing, specifying the information stipulated by the 152-FZ, as well as in accordance with other applicable requirements, standard forms.
5.4 In cases of processing of personal data received not from the subject directly, but from other persons on the basis of an agreement or an instruction for processing, the obligation to obtain the subject's consent may be imposed on the person from whom the personal data were received.
5.5 If the data subject refuses to provide the necessary and sufficient amount of his/her personal data, ANO NOSH will not be able to perform the necessary actions to achieve the processing purposes. For example, in such a case, the user's registration in the software product may not be completed, services under the contract may not be rendered, work may not be performed, goods may not be delivered, a job applicant's resume will not be considered, etc.
6. Processing of electronic user data, including cookies
6.1 ANO NOSH, for the purposes of personal data processing set out in the Policy, may collect electronic user data on its websites automatically, without the need for user participation and without the need for the user to perform any actions to send the data.
6.2 The validity of electronic data collected in this way is not verified by ANO NOSH, the information is processed "as is" as it came from the client device.
6.3 Visitors and users of ANO NOSH websites may be shown pop-up notices about the collection and processing of cookie data with a link to the Policy and buttons to accept the terms of processing or close the pop-up notification.
6.4 Such notices mean that when visiting and using websites, information resources and web applications, information (e.g. cookie data) may be stored in the browser on the user's device, allowing to further identify the user or device, remember the session or save some user settings and preferences specific to these particular sites. Such information, once saved to the browser and until the expiration date or deletion from the device, will be sent with each subsequent request to the site on whose behalf they were saved, together with that request, for processing on the ANO NOSH side.
6.5 The processing of cookie data is necessary for the correct operation of the sites, in particular, their functions related to the access of registered users of ANO NOSH software products, services, works and resources; personalization of users; improving the efficiency and convenience of work with the sites, as well as other purposes provided for in the Policy.
6.6 In addition to processing cookies set by ANO NOSH sites themselves, users and visitors may be set cookies relating to third-party sites, for example, where third-party components and software are used on ANO NOSH sites. The processing of such cookies is governed by the policies of the respective sites to which they relate and may change without notice to users of the ANOSH sites. Such instances may include the placement of cookies on the sites:
6.6.1. visit counters, analytical and statistical services, such as Yandex.Metrica or Google Analytics to collect statistics on traffic to publicly accessible pages of websites;
6.6.2. widgets of auxiliary services for collecting feedback, organizing chats and other types of communication with users;
6.6.3. contextual advertising systems, banner and other marketing networks;
6.6.4. authorization buttons on websites with the help of social network accounts;
6.6.5. other third-party components used on its websites.
6.7. Acceptance by the user of the terms of processing cookies or closing the pop-up notification in accordance with the Policy is considered as consent to the processing of cookie data on ANO NOSH sites.
6.8 If the user does not agree to the processing of cookies, he must accept the risk that in this case the functions and features of the site may not be fully available, and then follow one of the following options:
6.8.1. to make an independent setting of his browser according to the documentation or help for it so that it permanently does not allow the acceptance and sending of cookies for any websites or for a specific website or a website of a third-party component;
6.8.2. switch to the browser's special "incognito" mode for the use of cookies before closing the browser window or before switching back to normal mode;
6.8.3. leave the site to avoid further processing of cookies.
6.9. The User can independently, through the built-in tools of browsers for handling cookie data, manage the stored data, including deleting or viewing information about the cookies set by the sites, including:
6.9.1. website addresses and paths to the websites where cookies will be sent;
6.9.2. names and values of parameters stored in cookies; 6.9.3. expiration dates of cookies.
7. Confidentiality and security of personal data
7.1 Confidentiality is ensured for personal data at ANO NOSH in accordance with applicable laws, local acts of the Companies, terms of concluded agreements and contracts, except for cases:
7.1.1. if personal data is publicly available, contained in publicly available sources of personal data or authorized by the subject for dissemination;
7.1.2. if the information is subject to mandatory disclosure to third parties, including public authorities, in accordance with applicable laws.
7.2 ANO NOSH takes necessary and sufficient legal, organizational and technical measures to ensure the security of personal data to protect them from unauthorized (including accidental) access, destruction, modification, blocking of access and other unauthorized actions. Such measures include, in particular:
7.2.1. appointing individuals or legal entities responsible for organizing the processing and ensuring the security of personal data in specific Companies;
7.2.2. issuing local acts on personal data processing and information security and familiarizing employees with them;
7.2.3. training of employees on personal data processing and information security issues;
7.2.4. ensuring physical security of premises and processing means, access control, security, video surveillance; 7.2.5. limitation and delimitation of access of employees and other persons to personal data and processing means, monitoring of actions with personal data;
7.2.6. determination of threats to personal data security during their processing in personal data information systems, formation of threat models on their basis;
7.2.7. application of security tools (anti-virus tools, firewalls, means of protection against unauthorized access, means of cryptographic protection of information), including, where necessary, those that have undergone the conformity assessment procedure in accordance with the established procedure;
7.2.8. accounting and storage of data carriers, excluding their theft, substitution, unauthorized copying and destruction;
7.2.9. backup copying of information to enable its recovery;
7.2.10. exercising internal control over compliance with the established procedure, checking the effectiveness of measures taken, responding to incidents;
7.2.11. verification of the existence of clauses on confidentiality and security of personal data in the contracts, inclusion of clauses on confidentiality and security of personal data in the contracts, if necessary;
7.2.12. other measures in accordance with local acts of ANNOSH.
8. Rights of personal data subjects
8.1 The subject of personal data has the right to withdraw consent to the processing of personal data by sending a corresponding request to the Company or authorized representatives of ANO NOSH in other countries, by mail or personally.
8.2 The personal data subject has the right to receive information regarding the processing of his/her personal data, including information containing:
8.2.1. confirmation of the fact of processing of personal data by CORE Companies;
8.2.2. legal grounds and purposes of personal data processing;
8.2.3. the purposes and methods of personal data processing applied in ANO NOSH;
8.2.4. the name and location of ANO NOSH, information about persons (except employees) who have access to personal data or to whom personal data may be disclosed on the basis of a contract, agreement with the Company or on the basis of federal law;
8.2.5. personal data being processed relating to the respective personal data subject, the source of their obtaining, unless another procedure for the presentation of such data is provided for by federal law;
8.2.6. the terms of personal data processing, including the terms of their storage;
8.2.7. the procedure for exercising by the personal data subject of the rights provided for by the 152-FZ;
8.2.8. information on realized or supposed trans-border data transfer;
8.2.9. the name or surname, first name, patronymic and address of the person who processes personal data on behalf of CORE Companies, if the processing is or will be entrusted to such person;
8.2.10. other information stipulated by the 152-FZ or other federal laws.
8.3 The subject of personal data has the right to demand from ANO NOSH to clarify his/her personal data, block or destroy it if the personal data is incomplete, outdated, inaccurate, illegally obtained or is not necessary for the stated purpose of processing, as well as to take measures provided for by applicable law to protect his/her rights.
8.4 If the personal data subject believes that ANO NOSH processes his/her personal data in violation of the requirements of the 152-FZ or otherwise violates his/her rights and freedoms, the personal data subject has the right to appeal the actions or omissions to Roskomnadzor, other authorized supervisory authority or in court.
8.5 The subject of personal data has the right to protect his/her rights and legitimate interests, including compensation for losses and (or) compensation for moral damage in court.
9. Roles and Responsibilities
9.1 The rights, duties and responsibilities of ANO NOSH are determined by the applicable legislation, agreements of the Companies.
9.2 Responsibility of the Company's employees involved in the processing of personal data by virtue of their functional duties for the proper processing and misuse of personal data is established in accordance with the terms and conditions of the agreement concluded between the Company and the employee, non-disclosure obligations, and local acts of the Company.
9.3 Control over the fulfillment of the Policy requirements in each ANO NOSH is generally carried out by those responsible for the organization of personal data processing in the respective Company, or by separate structural subdivisions and authorized persons in accordance with the local acts of specific Companies.
9.4 The responsibility of persons involved in the processing of personal data on the basis of instructions for the proper processing and misuse of personal data is established in accordance with the terms of the contract, confidentiality agreement or other agreement concluded between ANO NOSH and the counterparty.
9.5 In certain cases, as required by applicable law, such as GDPR or local laws regarding the processing of personal data in individual countries, ANO NOSH may appoint representatives in the European Union or in those countries. In such cases, rights, duties and responsibilities will be allocated in accordance with contracts, agreements between such representatives and ANOOSH, and contact details of the representatives will be included in the Policy.
9.6 Persons guilty of violating the norms governing the processing and information security of personal data bear material, disciplinary, administrative, civil or criminal liability in accordance with the procedure established by applicable legislation, local acts, and agreements of ANO NOSH.
10. Publication and updating of the Policy
10.1 The Policy is developed by the persons responsible for organization of personal data processing at ANNOSH and is put into effect after approval by ANNOSH.
10.2 The Policy is a publicly available document and provides for the possibility for any person to familiarize themselves with its current version, including existing translations into foreign languages, by publishing it on the Internet at .
10.3 Web forms, forms, standard forms for the collection of personal data shall obligatorily contain notices to users on the processing of personal data in accordance with the Policy with a link to it.
10.4. The Policy is valid indefinitely after approval and until it is replaced by a new version. ANO NOSH has the right to make changes to the Policy without notifying any persons. The Policy is reviewed annually to keep it current and updated as necessary.
10.5 Proposals and comments for changes to the Policy can be sent to https://inspiral.ai.