Policy on Personal Data Processing of Limited Liability Company “LETTEROS”

PREAMBLE

This Policy on Personal Data Processing (hereinafter referred to as the Policy) defines the main principles, conditions, purposes, methods of processing, implemented data protection measures, and other information, as well as the rights of Internet users (hereinafter referred to as the User) during the use of the website https://letteros.com/ (hereinafter referred to as the Website), access to which is provided by Limited Liability Company “LETTEROS” (TIN: 7806587362; PSRN: 1217800087075, address: 191124, St. Petersburg, intra-city territory, Smolninskoe municipal district, Novgorodskaya St., bldg. 23, letter A, premises 14-H, hereinafter referred to as the Administrator, Operator), to ensure the observance and protection of the rights and freedoms of every person, and in particular, the right to privacy, personal and family secrets, and the protection of honor, dignity, and good name.

This Policy regulates the terms of confidentiality and personal data processing between the User and the Administrator when using the Website, as well as when concluding and executing contracts between them.

The Policy applies to all information, including personal data as understood by the current legislation of the Russian Federation, that the Administrator may receive from the User during their use of the Website.

This Policy applies to all Users who provide their personal data to the Administrator when using the Website, and whose personal data is processed by the Administrator.

Before using the Administrator’s Website, the User is obligated to familiarize themselves with the content of this document.

1. TERMS AND DEFINITIONS

1.1 For the purposes of this Policy, unless the context requires otherwise, the following terms have the meanings set forth below and are an integral part of it:

1.1.1 Personal Data (PD) – any information relating directly or indirectly to an identified or identifiable natural person.

1.1.2 Processing of Personal Data – any action (operation) or a set of actions (operations) with Personal Data, performed using automation tools or without their use. The Processing of Personal Data includes, but is not limited to, collection, recording, systematization, accumulation, storage, clarification (update, modification, extraction, use, transfer (dissemination, provision, access), depersonalization, blocking, deletion, destruction.

1.1.3 User – a personal data subject, a person who uses the Website.

2. GENERAL PROVISIONS

2.1 This Policy is developed in accordance with the Constitution of the Russian Federation, the Civil Code of the Russian Federation, Federal Law No. 149-FZ of July 27, 2006, “On Information, Information Technologies, and Information Protection,” Federal Law No. 152-FZ of July 27, 2006, “On Personal Data,” and other federal laws.

2.2 The purpose of developing the Policy is to define the procedure for processing and protecting Users’ Personal Data, ensuring the protection of human and civil rights and freedoms when processing their Personal Data, including the protection of the right to privacy, personal and family secrets.

2.3 This Policy comes into effect from the moment of its approval and is valid indefinitely until it is replaced by a new Policy.

2.4 The Policy may be unilaterally changed and/or supplemented by the Website Administrator without any special notification (consent) of the Users. The current version of the Policy is posted on the Website.

2.5 All changes and additions to this Policy come into effect on the day following the posting of the new version of the Policy on the Website.

2.6 Continued use of the Website after the introduction of changes and/or additions to this Policy will mean the User’s acceptance and consent to such changes and/or additions.

2.7 If the User does not agree with the terms and provisions of the Policy and the rules for using the Website, they must immediately cease using the Website. Otherwise, the use of the Website will mean the User’s unconditional and unreserved consent to the terms of this Policy.

2.8 By providing Users with the opportunity to use the Website, the Administrator, acting reasonably and in good faith, assumes that the User:

has carefully familiarized themselves with the terms of this Policy before starting to use the Website;
possesses all necessary rights allowing them to register and log in to the Website and use its functionality;
by starting to use the Website, has expressed their consent to the terms of this Policy and has assumed the rights and obligations specified therein;
is aware that information transmitted by them to other Users cannot be independently deleted by them;
understands and realizes that in the process of using the Website, the information posted by the User about themselves may be accessible to other Users, and the Operator is not responsible for the actions of third parties;
regularly checks the terms of this Policy for changes and/or additions.

2.9 This Policy applies only to the Administrator and the Administrator’s Website. The Administrator does not control and is not responsible for the websites of third parties to which a visitor or user may navigate via links available on the Website.

3. RIGHTS AND OBLIGATIONS OF THE PARTIES

3.1 The Operator has the right to:

Independently determine the composition and list of measures necessary and sufficient to ensure the fulfillment of obligations provided for by the legislation of the Russian Federation regarding Personal Data;
Entrust the processing of Personal Data to another person with the User’s consent, unless otherwise provided by federal law, on the basis of an agreement concluded with that person;
In the event of the User withdrawing consent to the processing of Personal Data, the Operator has the right to continue processing Personal Data without the User’s consent if there are legal grounds for doing so.

3.2 The Operator is obligated to:

Organize the processing of Personal Data in accordance with the requirements of the legislation of the Russian Federation;
Respond to inquiries and requests from Users in accordance with the requirements of the legislation of the Russian Federation;
Report necessary information to the authorized body for the protection of User rights (Federal Service for Supervision of Communications, Information Technology and Mass Communications (Roskomnadzor)) upon the request of this body in accordance with current legislation.

3.3 The User has the right to:

Receive information concerning the processing of their Personal Data;
Demand that the Operator clarify their Personal Data, block it, or destroy it if the Personal Data is incomplete, outdated, or inaccurate.
In case of inaccuracies in the personal data, the User may update it independently by sending a notification to the Operator’s email address m@letteros.com with the subject line “Personal Data Update”.
Refuse the Operator’s processing of the User’s Personal Data by sending a corresponding request to the address m@letteros.com with the subject line “Withdrawal of consent to personal data processing”.
In such a case, the User is obligated to stop using the Website;
Take measures provided by law to protect their rights.

3.4 The User is obligated to:

Provide reliable, complete, and current information on all matters requested on the Website;
Strictly comply with all requirements of the legislation of the Russian Federation;
Fulfill the requirements and observe the terms of this Policy and other documents posted on the Website;
Not use obscene language, erotic, offensive images and texts, information and statements that contain threats, provoke cruelty, hatred, disrespect, or may lead to illegal actions, as well as other information and statements that do not comply with generally accepted norms of morality and ethics;
Not commit actions that may restrict access to the Website.

3.5 The failure to include any of the rights and (or) obligations of the Operator and/or the User, established by current legislation and other regulatory legal acts, in this Policy cannot be considered as a waiver of the exercise of these rights or the performance of these obligations.

3.6 Control over the execution of the requirements of this Policy is carried out by the authorized person responsible for organizing the processing of personal data at the Operator.

3.7 Responsibility for violating the requirements of the legislation of the Russian Federation and the Society’s regulatory acts in the field of personal data processing and protection is determined in accordance with the legislation of the Russian Federation.

4. LIST OF PROCESSED PERSONAL DATA AND PURPOSES OF PROCESSING

4.1 The Operator is entitled to collect the following categories of User Personal Data:

Purpose	Details of Personal Data Processing
1. Improving the quality of visitor interaction with the Website: – Conducting analysis and improving the operation of the Website; – Increasing the effectiveness of using the Website; – Providing the ability to use the Website’s functionality.	Categories of Processed PD: – Electronic data (HTTP-headers, IP-address, cookies, web beacons/pixel tags, browser identifier data, information about hardware and software, browser type and version on the device; device type and display resolution; traffic source; language of the operating system and browser; data on user actions on the Internet). Categories of PD Subjects: – Website visitors. Legal Basis for PD Processing: – Consent of interested parties to the processing of their PD. Methods of Processing and Actions with PD: – Mixed method (using automation tools and without using automation tools) by performing the following actions: collection, recording, systematization, accumulation, storage, clarification (update, modification), extraction, use, transfer (provision, access), blocking, deletion, destruction. PD Processing Periods: – Specified in Section 5 of the Policy.
2. Preparation, conclusion, and execution of a contract	Categories of Processed PD: – Surname, first name, patronymic, contact email address, contact phone number. Categories of PD Subjects: – Website visitors, counterparties, representatives of counterparties. Legal Basis for PD Processing: – Constitution of the Russian Federation, Civil Code of the Russian Federation, consent of interested parties to the processing of their PD, contracts concluded between the operator and the personal data subject. Methods of Processing and Actions with PD: – Mixed method (using automation tools and without using automation tools) by performing the following actions: collection, recording, systematization, accumulation, storage, clarification (update, modification), extraction, use, transfer (provision, access), blocking, deletion, destruction. PD Processing Periods: – During the entire term of the contract, as well as for 5 years from the date of termination (expiration) of the contract, until the goals of personal data processing are achieved, or until the consent is withdrawn (whichever occurs first).
3. Communication with the user (website visitor): – Information mailing list; – Processing user requests; – Registration of a personal account.	Categories of Processed PD: – Surname, first name, patronymic, year, month, and date of birth, email address, phone number, links to social media pages, company name. Categories of PD Subjects: – Website visitors. Legal Basis for PD Processing: – Consent of interested parties to the processing of their PD. Methods of Processing and Actions with PD: – Mixed method (using automation tools and without using automation tools) by performing the following actions: collection, recording, systematization, accumulation, storage, clarification (update, modification), extraction, use, transfer (provision, access), blocking, deletion, destruction. PD Processing Periods: – For 5 years from the date of providing consent, until the goals of personal data processing are achieved, or until the consent is withdrawn (whichever occurs first).
4. Formation of a personnel reserve and employment	Categories of Processed PD: – Surname, first name, patronymic; gender; citizenship; date of birth; city of residence, contact details; information on education, work experience, qualifications; other personal data reported by candidates in resumes and cover letters, links to social media pages. Categories of PD Subjects: – Applicants for vacant positions. Legal Basis for PD Processing: – Consent of interested parties to the processing of their PD. Methods of Processing and Actions with PD: – Mixed method (using automation tools and without using automation tools) by performing the following actions: collection, recording, systematization, accumulation, storage, clarification (update, modification), extraction, use, transfer (provision, access), blocking, deletion, destruction. PD Processing Periods: – For 1 year from the date of providing consent, until employment or until the consent is withdrawn (whichever occurs first).
5. Promotion of works, services on the market	Categories of Processed PD: – Surname, first name, email address, phone number. Categories of PD Subjects: – Website visitors, counterparties. Legal Basis for PD Processing: – Consent of interested parties to the processing of their PD, legislation of the Russian Federation. Methods of Processing and Actions with PD: – Mixed method (using automation tools and without using automation tools) by performing the following actions: collection, recording, systematization, accumulation, storage, clarification (update, modification), extraction, use, transfer (provision, access), blocking, deletion, destruction. PD Processing Periods: – For 5 years from the date of providing consent, until the goals of personal data processing are achieved, or until the consent is withdrawn (whichever occurs first).

5. POLICY ON COOKIE FILES

5.1. During the User’s visit to the Website and the use of its functionality, passive collection of technical information from the user devices of PD subjects may occur using various technologies and methods. This is necessary due to the specifics of the functioning of the “Internet” network and accessing information resources located on this network.

5.2. The collection of technical information and its subsequent use are necessary to ensure uninterrupted access of PD subjects to the Website and their use of the Website’s functionality, as well as to ensure information security when visiting the Website and using its functionality.

5.3. PD subjects may refuse to accept the Website’s authentication cookies by using their Internet browser settings. However, this may lead to some inconveniences when using the Website.

5.4. Description and Blocking of Cookies:

Cookie File Type	Purpose and Duration	How to Block
Cookies necessary for the Website to perform essential functions and tasks.	These are proprietary cookies, set by the Website and can only be read by the Website. These cookies are absolutely necessary for the proper functioning of the Website. They ensure its security and the correct display of content.	The cookies that the Operator uses for this purpose are automatically deleted from the user’s device one month after the last visit to the Website.
Cookies that improve the Website’s operation and record user preferences.	These are proprietary cookies, set by the Website and can only be read by the Website¹³⁶. These cookies allow us to improve the Website’s operation and make it more convenient. For example, they can help us determine whether your browser can execute small programs (scripts) on the Website that expand its functionality.	The cookies that the Operator uses for this purpose are automatically deleted from the user’s device after the browser is closed.
Cookies and technologies that expand the Website’s functionality.	Yandex.Metrica Cookie files (LLC “YANDEX,” 119021, Moscow, Lva Tolstogo St., 16). The Operator uses third-party analytical services, and the providers of these services set cookie files on behalf of the Operator to inform the Operator about which sections of the Website are popular. Such cookies are used to add functions provided by third-party providers to our Website. Without them, some features of the Website will be unavailable to visitors. Such a provider is: Yandex.Metrica, https://yandex.ru/legal/confidential/.	Some cookies created for this purpose are automatically deleted from the user’s device after the browser is closed. Others can be stored up to 24 (twenty-four) months from the User’s last visit to the Website.

5.5. If a visitor does not want to receive cookie files, they can set up their browser to receive notifications each time an attempt is made to send cookie files or to reject all cookie files. Existing cookie files can also be deleted. All this must be done directly in the browser.

5.6. If a visitor wants to restrict or block cookie files placed on their device, they can do this using the browser settings according to the instructions in the browser’s Help. Instructions on how to do this in a mobile device browser should be provided in the device’s manual.

6. PROCEDURE FOR OBTAINING (COLLECTING) PERSONAL DATA

6.1 Согласие на обработку Персональных данных предоставляется Пользователем в электронной ил6.1. Consent to the processing of Personal Data is provided by the User in electronic or simple written form and is specific, informed, conscious, and unambiguous.

6.2. Processing of User Personal Data without their consent is carried out in cases:

at the request of authorized state bodies in cases provided for by the legislation of the Russian Federation;
if their processing is carried out for the purpose of concluding and executing a contract, one of the parties to which is the User themselves;
in other cases provided for by law.

6.3. The Operator does not obtain or process User Personal Data regarding their race, nationality, political views, religious or philosophical beliefs, or intimate life.

6.4. The User guarantees that the Personal Data they provide to the Operator is reliable^.The Operator is not responsible for the unreliability of the Personal Data and other information provided by the Users.

7. GROUNDS FOR PERSONAL DATA PROCESSING

7.1. The Operator processes Personal Data and other information provided by the User if at least one of the following conditions is met:

processing is carried out with the User’s consent;
processing is necessary for the conclusion, execution, modification, or termination of contracts concluded between the Administrator and the User;
processing is carried out in connection with participation in legal proceedings or for the execution of an act subject to execution in accordance with enforcement proceedings legislation;
processing is necessary for the exercise of the rights and legitimate interests of the Administrator, other Users, or third parties;
processing is necessary for the performance of the functions, powers, and duties assigned to the Administrator by the legislation of the Russian Federation.

7.2. The processing of Personal Data is carried out based on the principles of:

legality of the purposes and methods of Personal Data processing;
limitation of Personal Data processing to the achievement of specific, predefined, and lawful purposes;
inadmissibility of Personal Data processing incompatible with the purposes of Personal Data collection;
correspondence of the purposes of Personal Data processing to the purposes predefined and declared when collecting Personal Data, as well as the Operator’s powers;
correspondence of the scope and nature of the processed Personal Data and the methods of Personal Data processing to the purposes of Personal Data processing.

8. PROTECTION OF USERS’ PERSONAL DATA

8.1. The protection of User Personal Data is carried out at the expense of the Administrator in the manner established by the legislation of the Russian Federation.

8.2. The Operator takes all possible and necessary legal, technical, and organizational measures to protect the User’s Personal Data from unlawful or accidental access, destruction, modification, blocking, copying, as well as from other unlawful actions.Such measures include, in particular:

Legal Measures:

Development of local acts establishing requirements and procedures for personal data processing;
Refusal of any methods of personal data processing that do not comply with legal requirements.

Organizational Measures:

Appointment of a person responsible for organizing personal data processing and a person responsible for ensuring the security of personal data in personal data information systems;
Limitation of the composition of the Operator’s employees who have access to personal data and organization of a permission system for access to them;
Familiarization of the Operator’s employees directly engaged in personal data processing with the provisions of personal data legislation and the Operator’s local acts on personal data processing matters;
Regulation of personal data processing processes at the Operator;
Organization of accounting for material carriers of personal data and their storage, ensuring the prevention of theft, substitution, unauthorized copying, and destruction;
Restriction of access of unauthorized persons to the Operator’s premises, preventing their presence in premises where work with personal data is conducted and technical means for their processing are located, without control by the Operator’s employees.

Technical Measures:

Use of information protection tools that have passed the conformity assessment procedure to neutralize current threats;
Assessment of the effectiveness of the measures taken to ensure the security of personal data;
Implementation of a permission system for the access of the Operator’s employees to personal data processed in information systems and to hardware-software and software information protection tools;
Detection of malicious software (application of antivirus programs) on all nodes of the Operator’s information network that provide the corresponding technical capability;
Monitoring of third-party intrusions into the Operator’s information system;
Periodic monitoring of the actions of employees involved in personal data processing, and investigation of facts of violation of personal data security requirements.

8.3. When collecting personal data of citizens of the Russian Federation, the Operator ensures the recording, systematization, storage, clarification (update, modification), and extraction of personal data of citizens of the Russian Federation using databases located on the territory of Russia.

8.4. The Operator does not carry out cross-border transfer of Users’ personal data. The processing of Users’ personal data is carried out using databases located on the territory of the Russian Federation.

8.5. In the manner prescribed by current legislation, the User’s Personal Data may be transferred to third parties to achieve the purposes specified in Section 4 of this Policy.

9. STORAGE AND DESTRUCTION OF INFORMATION

9.1. Storage of Personal Data means the existence of records in information systems and on material carriers.

9.2. Storage of User Personal Data may be carried out for as long as necessary to fulfill the purposes for which they were collected, unless otherwise provided by federal laws of the Russian Federation or this Policy.

9.3. The Operator closes access to and prohibits the use of Personal Data that is no longer required for using the Website, supporting Users, improving the quality of service, and other operational purposes. Such data is used exclusively for compliance with these requirements, ensuring security, and detecting and preventing cases of fraud.

9.4. Destruction of User Personal Data implies the termination of any access to the Personal Data.

9.5. When User Personal Data is destroyed, the Administrator’s employees cannot access the subject’s Personal Data in the Website’s information systems.

9.6. The operation of destroying Personal Data is irreversible.

10. PERSONAL DATA PROCESSING PERIODS

10.1. The Operator ceases processing Personal Data:

upon achievement of the processing goals or in case the need to achieve these goals is lost;
if there are no other legal grounds for processing Personal Data provided for by the legislation of the Russian Federation;
upon expiration of the User’s consent to the processing of Personal Data or in case of withdrawal of such consent, if there are no other legal grounds for processing provided for by the legislation of the Russian Federation;
in case of detection of unlawful Personal Data processing, if it is impossible to ensure the lawfulness of the processing;
in other cases provided for by law.

10.2. The Operator undertakes to destroy the User’s Personal Data or ensure their destruction within the period provided for by the legislation of the Russian Federation.

11. USER INQUIRIES

11.1. Users have the right to send their inquiries to the Administrator, including inquiries regarding the use of their Personal Data, by sending a message:

in simple written form to the address: at the legal address.
in electronic form to the Administrator’s email address: m@letteros.com.

11.2. The inquiry must contain:

the number of the main identity document of the personal data subject or their representative, information about the date of issue of the specified document and the issuing authority;
information confirming the personal data subject’s participation in relations with the Operator (contract number, contract date, conditional verbal designation and (or) other information), or information otherwise confirming the fact of Personal Data processing by the Operator;
the signature of the personal data subject or their representative.

11.3. The Operator provides the information specified in Part 7 of Article 14 of the Law on Personal Data to the personal data subject or their representative in the form in which the corresponding appeal or inquiry was sent, unless otherwise specified in the appeal or inquiry.

11.4. If the appeal (inquiry) of the personal data subject does not reflect all the necessary information in accordance with the requirements of the Law on Personal Data, or the subject does not have the rights to access the requested information, a reasoned refusal is sent to them.

11.5. The Administrator undertakes to review and send a response to the received User inquiry within the time limits established by law.

12. ADMINISTRATOR INFORMATION:

Limited Liability Company “LETTEROS”

TIN: 7806587362

PSRN: 1217800087075 225

Address: 195027, St. Petersburg, Yakornaya St., bldg. 13, letter A, premises/internal premises 8-H/16, office 409

E-mail: m@letteros.com

Publication Date: 08.12.2025

Effective Date: 08.12.202