Contents
- General Provisions
- Definitions
- Legal Basis and Applicable Law
- Roles and Areas of Responsibility
- Purposes of Processing
- Data Categories and Sources
- Processing Conditions, Sharing, and Security
- Access Within the Organization
- Data Subject Rights
- Cookies and Similar Technologies
- Cross-Border Transfers
- Consent to Processing
- Final Provisions
- Details
- Appendix — Table of Purposes and Retention Periods
Personal Data Processing Policy
Version dated August 11, 2025
This Policy is developed in accordance with the Constitution of the Russian Federation, the Civil Code of the Russian Federation, Federal Law No. 149-FZ of 27.07.2006 “On Information, Information Technologies and Information Protection,” Federal Law No. 152-FZ of 27.07.2006 “On Personal Data,” subordinate acts of the Russian Federation, as well as taking into account the requirements of the Law of the Republic of Kazakhstan “On Personal Data and Their Protection,” Regulation (EU) 2016/679 (GDPR), and the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).
The Policy defines the approach of the Sole Proprietor “Purtov Aleksandr Nikolaevich” (hereinafter — the IE, we, the Operator, and for GDPR purposes — the Controller) to personal data processing and the measures we implement to protect such data. The Policy applies to all personal data processed when using the platform https://bot-market.net (hereinafter — the Service).
1. Definitions
- User — a fully capable natural person (including a representative of a legal entity) using the Service.
- End User (subscriber) — a natural person whose data are processed by the User via the Service functionality.
- Controller / Operator (GDPR: Controller) — the Sole Proprietor “Purtov Aleksandr Nikolaevich” in respect of data of Users and website visitors.
- Processor (GDPR: Processor) — the Sole Proprietor “Purtov Aleksandr Nikolaevich” when processing End Users’ data on behalf of the User (under a Processing Instruction / DPA).
- Personal data — any information relating to an identified or identifiable natural person.
- Processing — any operation performed on personal data.
- Pseudonymisation — processing in which data cannot be attributed to a specific data subject without additional information; the data remain personal.
- Anonymisation — irreversible alteration of data that prevents identification; such data are not personal.
- Cookies and similar technologies — cookies, SDKs, pixels, web beacons, etc.
Other terms are used as defined by Federal Law No. 152-FZ and the GDPR. The Policy is effective from its approval until replaced by a new version.
2. Legal Basis and Applicable Law
- RF: Constitution of the RF, Civil Code of the RF, Tax Code of the RF, Federal Laws 152-FZ, 149-FZ, and subordinate acts;
- EU: GDPR;
- RK: Law of the Republic of Kazakhstan “On Personal Data and Their Protection”;
- USA (California): CCPA/CPRA.
Legal bases for processing: performance of a contract (User Agreement/offer), data subject’s consent, compliance with legal obligations, and the Controller’s legitimate interests (security, fraud/abuse prevention, etc.).
RF data localisation. Recording, systematisation, and storage of personal data of RF citizens are performed in databases located within the territory of the RF; subsequent cross-border transfer is permitted subject to legal requirements.
Minors. RF — with the involvement of a legal representative in cases provided by law; EU — Art. 8 GDPR (age of consent 16, or 13–16 under Member State law).
3. Roles and Areas of Responsibility
For data of Service Users and website visitors, the IE acts as the Controller.
If a User collects and processes data of their clients/subscribers via the Service, the User is the Operator/Controller of such data and guarantees the lawfulness of processing and transparency for data subjects. The IE acts as a Processor strictly in accordance with the Processing Instruction (DPA), which forms an annex to the User Agreement.
4. Purposes of Processing
- Provision and maintenance of the Service; registration, authentication, billing and settlements; communications (including security and support);
- Analytics and product improvement, fraud/abuse prevention, information security;
- Marketing communications where there is a legal basis and with an option to opt out;
- Compliance with legal requirements (tax/accounting, responses to government requests).
5. Data Categories and Sources
Sources: data provided by the User in the Service interfaces/website; data collected automatically (logs, cookies/SDKs); support requests; participation in surveys/promotions.
Provided by the User (examples):
- First/last name (where required), e-mail, phone, messenger identifiers;
- Logins, credentials (hash), integration tokens;
- Details for invoicing/payments (partly via payment providers);
- Other data voluntarily provided in the profile/applications.
Collected automatically:
- IP address, HTTP headers, information about browser/device/OS;
- Cookie/SDK data, web beacons, counters;
- Technical logs, access time, URLs of requested pages;
- Messenger/social IDs (e.g., Telegram ID, VK ID, WhatsApp, Facebook Messenger) upon integration;
- Approximate geolocation (if enabled on the device).
Special categories and biometrics. Not processed by default. Processing is possible only where explicitly required by functionality and subject to separate written consent (RF) / a basis under Art. 9 GDPR — with separate notice.
6. Processing Conditions, Sharing, and Security
Personal data are treated as confidential and protected by technical and organisational measures in accordance with Federal Law No. 152-FZ (Arts. 18, 18.1, 19) and the GDPR principles (Arts. 5, 24–32). Data transfer over networks is performed via secure protocols (e.g., HTTPS/TLS).
Retention periods. We store data no longer than necessary for the purposes of processing or as required by law. Criteria include: the term of the contract; statutes of limitation/financial reporting periods; security and abuse prevention. Upon request, we provide details of retention by data category.
Recipients/categories of recipients. Hosting and cloud providers; e-mail/SMS/push providers; payment/crypto providers; analytics; support/error-tracking services; legal advisers. Transfers are made where there is a legal basis and data protection agreements (including DPA/SCCs where necessary).
Incidents/data breaches.
- EU (GDPR): notification to the supervisory authority without undue delay and, where feasible, not later than 72 hours; notification to data subjects where there is a high risk.
- RF: initial notice to the competent authority within 24 hours; additional notice within 72 hours following the investigation.
Together with the User, we take measures to prevent and mitigate harm from incidents. Disclosure to competent authorities is performed within the limits of the law.
7. Access Within the Organization
- Access to data is granted only to authorised personnel on a need-to-know basis;
- The list of authorised persons is kept up to date;
- Access by third parties without the data subject’s consent is prohibited, except as provided by law;
- An employee’s access is revoked upon termination/role change, with return of media;
- Where the IE acts as Processor (see Roles), the terms of the Processing Instruction (DPA) apply.
8. Data Subject Rights
RF/RK: the right to receive information about processing; to request rectification, blocking, or deletion of inaccurate/outdated/excessive data; and other rights under law.
GDPR (EU): rights to access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), portability (Art. 20), objection (Art. 21), not to be subject to a decision based solely on automated processing, including profiling (Art. 22), and the right to lodge a complaint with a supervisory authority.
California (CCPA/CPRA): rights to access/disclosure of categories/sources/purposes/recipients; deletion; correction; limitation on the use of “sensitive PI”; opt-out of sale/sharing; non-discrimination.
Requests: [email protected]. We respond without undue delay and within the time limits established by applicable law.
DPO/responsible person: [email protected].
EU representative (GDPR Art. 27): will be published upon appointment; requests from EU data subjects may also be addressed to the representative.
10. Cross-Border Transfers
Data may be transferred outside the data subject’s jurisdiction where there is a legal basis and sufficient safeguards (adequacy, standard contractual clauses, or other mechanisms). Information on specific mechanisms is available upon request.
11. Consent to Processing
- Consent is given freely, specifically, and in an informed manner, including electronically (checkbox/button) with a simple electronic signature (SES) under the User Agreement;
- Processing necessary for performance of a contract does not require separate consent (GDPR Art. 6(1)(b));
- Consent may be withdrawn at any time in the same manner or by contacting [email protected]; withdrawal does not affect the lawfulness of processing prior to withdrawal.
12. Final Provisions
We may update the Policy; the current version is available at: https://bot-market.net/policy/. Material changes may be accompanied by notice in the Service or by e-mail.
Applicable law: as to relations with Users in the RF — RF law; in the RK — RK law; for data subjects in the EU — GDPR; for California residents — CCPA/CPRA. The specific applicable law and jurisdiction may be determined by contract and conflict-of-laws rules.
For questions regarding the Policy and the exercise of rights, please contact: [email protected].
13. Details
Sole Proprietor: Purtov Aleksandr Nikolaevich
INN: 120701968934
OGRNIP: 322784700108619
Registered address: 424028, Republic of Mari El, Yoshkar-Ola, Yyvana-Kyrli Street, 31A
E-mail: [email protected]
Appendix — Table of Purposes and Retention Periods
| Data Category | Purpose | Legal Basis | Retention Period |
|---|---|---|---|
| User account data (identification, contact details) | Registration, provision of services | Contract / legitimate interest | For the term of the contract + up to 3 years (or another term under statute of limitations/accounting), then deletion/anonymisation |
| Security logs and technical logs | Information security, abuse prevention | Legitimate interest | Up to 12 months, unless otherwise required for investigations/disputes |
| Billing data / invoices | Accounting, taxation | Compliance with law/contract | For the periods set by accounting/tax legislation |
| Marketing contacts | Notifications based on consent | Consent | Until consent is withdrawn / opt-out |
| End-user data (where acting as Processor) | Hosting/processing on the User’s instructions | Processing Instruction (DPA) | Determined by the User-Controller; deletion per their instruction/upon contract termination |
Note: specific periods and criteria are clarified upon request and/or in contractual documentation (including the DPA/Processing Instruction).