Personal Data Processing Policy

This Personal Data Processing Policy was last updated on April 11, 2025 and applies to citizens and legal permanent residents of Russia.

This Personal Data Processing Policy (hereinafter referred to as the “Policy”) is issued and applied by PORTNOV VADIM NIKOLAEVICH (hereinafter referred to as the “Operator”, “We”) in accordance with the Federal Law of the Russian Federation “On Personal Data” and defines the main provisions implemented by the Operator in the processing of personal data. The purpose of this Policy is to comply with the requirements of the legislation on the protection of personal data, which is based on the Constitution of the Russian Federation and international treaties of the Russian Federation and consists of the Federal Law “On Personal Data” and other federal laws and regulations that define the cases and specifics of the processing of personal data.

Terms and definitions

Personal data is any information related to a directly or indirectly identified or identifiable physical person (subject of personal data);

The operator is PORTNOV VADIM NIKOLAEVICH, TIN 212902106829, who independently or jointly with other persons organizes and (or) carries out the processing of personal data, as well as determines the purposes of processing personal data, the composition of personal data to be processed, and the actions (operations) performed with personal data;

Processing of personal data is any action (operation) or a set of actions (operations) performed using automation tools or without using such tools with personal data, including collection, recording, systematization, accumulation, storage, clarification (update, modification), extraction, use, transfer (distribution, provision, access), anonymization, blocking, deletion, and destruction of personal data;

Automated processing of personal data is the processing of personal data using computer technology;

Personal data dissemination – actions aimed at disclosing personal data to an indefinite circle of persons; Personal data provision – actions aimed at disclosing personal data to a specific person or a specific circle of persons; Personal data blocking – temporary cessation of processing personal data (except for cases where processing is necessary to clarify personal data); Personal data destruction – actions that make it impossible to restore the content of personal data in the personal data information system and (or) that destroy the tangible media of personal data;

Personal data anonymization is an action that makes it impossible to identify the personal data of a specific personal data subject without using additional information.

A personal data information system is a collection of personal data stored in databases and the information technologies and technical means used to process them.

Cross-border transfer of personal data is the transfer of personal data to a foreign government agency, a foreign individual, or a foreign legal entity in a foreign country.

Principles of processing personal data

  1. Processing of personal data is carried out on a lawful and fair basis.
  2. Processing of personal data is limited to achieving specific, predetermined and lawful goals. Processing of personal data that is incompatible with the purposes of collecting personal data is not allowed.
  3. The combination of databases containing personal data that is processed for purposes that are incompatible with each other is excluded.
  4. Only personal data that meets the purposes of processing is processed.
  5. The content and scope of the processed personal data correspond to the stated purposes of processing. The processed personal data are not excessive in relation to the stated purposes of processing.
  6. When processing personal data, the accuracy of personal data, their sufficiency, and, if necessary, their relevance in relation to the purposes of processing personal data are ensured. The Operator takes the necessary measures or ensures that they are taken to delete or clarify incomplete or inaccurate data.
  7. Personal data is stored in a form that allows the personal data subject to be identified, for no longer than is necessary for the purposes of processing personal data, unless a longer period of storage is required by federal law or a contract in which the personal data subject is a party, beneficiary, or guarantor. Personal data is destroyed or anonymized once the purposes of processing have been achieved or if it is no longer necessary to achieve those purposes, unless otherwise required by federal law.

Conditions for processing personal data

Personal data processing is carried out in compliance with the principles and rules provided for by Federal laws.

Personal data processing is carried out in the following cases:

  1. personal data processing is carried out with the consent of the subject of personal data to the processing of his personal data;
  2. processing of personal data is necessary to achieve the goals provided for by an international treaty of the Russian Federation or by law, for the implementation and performance of the functions, powers and duties assigned by the legislation of the Russian Federation to the Operator;
  3. processing of personal data is necessary for the exercise of justice, the execution of a court order, an act of another body or official, which must be executed in accordance with the legislation of the Russian Federation on enforcement proceedings;
  4. processing of personal data is necessary for the execution of a contract, the party to which or the beneficiary or guarantor of which is the subject of personal data, as well as for the conclusion of a contract at the initiative of the subject of personal data or a contract in which the subject of personal data will be the beneficiary or guarantor;
  5. processing of personal data is necessary to protect the life, health, or other vital interests of the subject of personal data, if it is impossible to obtain the subject of personal data’s consent;
  6. processing of personal data is necessary to exercise the rights and legitimate interests of the Operator or third parties, or to achieve socially significant goals, provided that the rights and freedoms of the subject of personal data are not violated;
  7. processing of personal data is carried out for statistical or other research purposes, except for the purposes specified in Article 15 of the Federal Law “On Personal Data”, provided that personal data is anonymized;
  8. processing of personal data, access to which is granted to an unlimited number of persons by the subject of personal data or at his request;
  9. processing of personal data subject to publication or mandatory disclosure in accordance with federal law.

The operator may entrust the processing of personal data to another person with the consent of the subject of personal data, unless otherwise provided by federal law, on the basis of a contract concluded with that person, including a state or municipal contract, or by issuing an appropriate act by a state or municipal authority. The person who processes personal data on behalf of the Operator is obliged to comply with the principles and rules of personal data processing provided for by the Federal Law on Personal Data.

Measures for the proper organization of processing and ensuring the security of personal data

Ensuring the security of personal data by the Operator is achieved, in particular, by the following methods:

  1. Designation of a person responsible for the organization of processing personal data, whose rights and obligations are determined by the Operator’s local acts;
  2. Implementation of internal control and/or audit of compliance with the processing of personal data with the Federal Law “On Personal Data” and the regulatory legal acts adopted in accordance with it, requirements for the protection of personal data, and the Operator’s local acts;
  3. familiarization of the Operator’s employees who are directly involved in the processing of personal data with the provisions of the Russian Federation’s legislation on personal data, including the requirements for the protection of personal data, local regulations regarding the processing of personal data, and/or training of these employees;
  4. identification of threats to the security of personal data during their processing in personal data information systems;
  5. implementation of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems, which are necessary to meet the requirements for the protection of personal data.
  6. assessing the effectiveness of measures taken to ensure the security of personal data before the personal data information system is put into operation;
  7. accounting for machine (material) carriers of personal data;
  8. identifying cases of unauthorized access to personal data and taking appropriate measures; restoring personal data that has been modified or destroyed due to unauthorized access;
  9. establishing rules for accessing personal data processed in the personal data information system, as well as ensuring the registration and accounting of all actions performed with personal data in the personal data information system;
  10. Control over compliance with the requirements for ensuring the security of personal data and the levels of protection of personal data information systems.

The responsibilities of the Operator’s employees who are directly involved in the processing of personal data, as well as their liability, are defined in the Operator’s local acts. Employees of the Operator who are guilty of violating the regulations governing the processing and protection of personal data shall be subject to material, disciplinary, administrative, civil, or criminal liability in accordance with the procedures established by federal laws.

Restrictions on the scope of this Policy

This Policy does not apply to the following situations:

  1. The processing of personal data by individuals for personal and family purposes, provided that the rights of the subjects of personal data are not violated.
  2. The organization of storage, acquisition, registration, and use of documents containing personal data from the Russian Federation’s Archive Fund and other archival documents in accordance with the legislation on archival affairs in the Russian Federation.
  3. The processing of personal data classified as state secrets.
  4. Providing information about the activities of courts in the Russian Federation by authorized bodies in accordance with the Federal Law “On Providing Access to Information about the Activities of Courts in the Russian Federation”.

Regulatory Legal Acts

This Policy is developed in accordance with the provisions of the following regulatory legal acts:

  1. The Code of Administrative Offences of the Russian Federation;
  2. The Federal Law “On Information, Information Technologies and Information Protection”;
  3. The Federal Law “On Personal Data”;
  4. The Federal Law “On Amendments to Certain Legislative Acts of the Russian Federation in Terms of Clarifying the Procedure for Processing Personal Data in Information and Telecommunication Networks”;
  5. Requirements for the protection of personal data during their processing in personal data information systems (approved by By Decree of the Government of the Russian Federation);
  6. Regulation on the specifics of personal data processing carried out without the use of automation tools (approved by the Government of the Russian Federation). By Decree of the Government of the Russian Federation);
  7. Composition and content of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems (approved by order of the Federal Service for Technical and Export Control of the Russian Federation);
  8. The composition and content of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems using cryptographic information protection tools necessary to meet the requirements for personal data protection established by the Government of the Russian Federation for each level of security (approved by the Order of the Federal Security Service of the Russian Federation).

Personal data processing parameters

The operator processes personal data through the website located at the network address https://portnovnotes.ru/.

The operator processes personal data in comments.

  1. If the subject of personal data leaves a comment on the website, the operator collects the data specified in the comment form, as well as the IP address of the visitor and the user-agent data of the browser in order to determine spam.
  2. An anonymized string created from the email address (“hash”) Gravatar service may be provided to determine whether the data subject uses it. Gravatar privacy policy is available here: https://automattic.com/privacy/. After the comment is approved, the commenter’s profile picture becomes visible publicly in the context of his comment.

The operator processes personal data in media files.

  1. If the data subject uploads photos to the site, he should possibly avoid uploading images with EXIF metadata, as they may contain the data subject’s GPS location. Visitors can extract this information by downloading images from the website.

The operator processes personal data in cookies. For more information, please refer to the cookie policy.

In some cases, the operator shares the data it processes.

  1. If the personal data subject requests a password reset, your IP will be included in the reset email.

The retention period for different personal data subjects may vary.

  1. If a personal data subject leaves a comment, the comment itself and its metadata are stored indefinitely. This is done in order to identify and approve subsequent comments automatically, instead of placing them in a queue for approval.
  2. For personal data subjects who have registered on our website, we store the personal information they provide in their profile. All users can view, edit, or delete their profile information at any time (except for their username). The website administration can also view and modify this information.

The personal data subject is provided with technical means to manage their personal data.

  1. If the personal data subject has an account on the website or has left comments, they can request an export file of their personal data, which we will store about them, including the data they have provided. The personal data subject can also request the deletion of this data, which does not include data that we are required to store for administrative, legal, or security purposes.

In some cases, the operator may send the processed data.

  1. The personal data subject’s comments may be checked by a third party, an automatic spam detection service. To do this, please visit the service first.

The operator processes personal data in newsletters.

  1. This includes, but is not limited to, transactional emails and marketing emails. The operator sends only those emails to which the subject of personal data has explicitly or implicitly subscribed (registration, order of products, etc.).
  2. When registering, the operator collects the email address, name, current location of the subject of personal data, as well as the current web address from which the subject of personal data registered.
  3. The operator sends emails through a service called Amazon SES and the Yandex mail server.
  4. Once the personal data subject receives an email from us, we track whether the email is opened in the email client, whether the link in the email is clicked, and the current location of the personal data subject.

The operator processes personal data in surveys.

  1. When the personal data subject votes in a survey, we collect the data provided in the voting form, including the IP address and browser user agent string, to help detect spam and ensure the functionality of the survey.
  2. If the personal data subject has an account and logs in to the website and votes, we will also collect their user ID.
  3. If the personal data subject votes, the vote and its metadata will be stored indefinitely. This is done so that we can recognize and count votes for each poll.

The operator processes personal data during electronic commerce through the store on the website.

1. The operator processes the following personal data:

  • Products viewed by the subject of personal data: to show the subject of personal data the products they have recently been interested in.
  • Country/region: to analyze the possibility of making a sale.
  • Delivery address: to estimate the cost of delivery before placing an order and then send the ordered products.
  • Location, IP address, and browser type: to confirm the possibility of making a sale, as well as to calculate and confirm the cost of delivery.
  • Cookies: to track what is added to the cart before a future order is placed.

2. If the data subject wishes to place an order with us, they will be required to provide information, including their name, billing address, shipping address, email address, phone number, credit card information or payment details, as well as additional information about their account, such as their username and password. We use this information for the following purposes:

  • sending information about the data subject’s invoice and order;
  • responding to the data subject’s requests, including refund requests and claims;
  • processing payments and combating fraud;
  • creating a personal data subject’s account in our store;
  • complying with legal requirements (such as calculating taxes);
  • improving the range of our store;
  • sending promotional messages to the personal data subject (if they agree to receive them).

3. If the personal data subject creates an account, we store their name, address, email address, and phone number to automatically fill out the form when they place orders in the future.

4. We usually store personal data for as long as it is necessary for the purposes for which we collect and use it. The only exceptions are when we are required to continue storing this information due to legal requirements. For example, we store order information for 20 years. This includes the name, email address, billing address, and shipping address of the personal data subject.

5. We also store personal data subject’s comments and feedback.

Some members of the operator’s team have access to personal data.

6. Administrators and store managers have access to the following data:

  • Order details: the name of the items ordered, the time of the order, the payment address, and the delivery address.
  • Customer details: name, email address, payment details, and information related to delivery.

Our team needs access to this information to fulfill orders, process refunds, and provide support to the data subject.

In some cases, the operator shares information related to e-commerce and order processing on the website with third parties.

We transfer information about the subject’s orders to our partners, who help us fulfill your orders and provide services. These include:

  • Production offices of furniture factories that process accepted orders.
  • Logistics offices of transportation companies that deliver ordered products.
  • Third parties and companies that provide installation and service services for ordered products.

The operator processes personal data in payments.

When processing payments, some personal data of the data subject is transferred to the organization conducting the payment. This includes information necessary to process or execute the payment, such as the total order value and payment details.

Final Provisions

This Policy is approved by the sole executive body of the Operator.

The Operator has the right to make changes to this Policy.

The new version of the Policy comes into force as soon as it is approved and posted on the Operator’s website https://portnovnotes.ru/en/personal-data-processing-policy/, unless otherwise specified in the new version of the Policy.

This Policy is mandatory for compliance and review by all employees of the Operator.

Other rights and obligations of the personal data operator are determined by the legislation of the Russian Federation in the field of personal data.

Contact information of the operator

Contact page and for sending reports of violations: https://portnovnotes.ru/en/contact-2/.

We recommend that you read:

Cookie Policy
Scroll to Top