PRIVACY AND PERSONAL DATA PROCESSING POLICY OF BULLTECH LLC

Controller details

Personal data controller: Bulltech Limited Liability Company (Bulltech LLC)

OGRN: 1237700375010

INN / KPP: 7735199709 / 773501001

Legal address: 124536, Moscow, internal city territory Municipal District Savelki, Zelenograd, Yunyosti St., bld. 8, premises 1/4

Actual address: 124536, Moscow, Zelenograd, Yunyosti St., bld. 8, floor 9, office 902

Tel.: +7 (499) 113-22-66

E-mail: info@bulltech.ru

I. PURPOSE OF THIS POLICY

This Privacy and Personal Data Processing Policy (the “Policy”) sets out how personal data are processed and protected, as well as rules on confidentiality and processing of other data that may be collected when using the website https://bulltech.ru (the “Website”) and when interacting with Bulltech LLC (the “Controller”, “Company”, “we”).

The Policy is developed and applied in accordance with the legislation of the Russian Federation, including Federal Law No. 152-FZ of 27 July 2006 “On Personal Data” (“152-FZ”), and other applicable regulations.

The Policy applies to:

1. visitors to the Website;
2. persons submitting enquiries via the Website forms, by phone, e-mail or other channels;
3. clients/counterparties and their representatives;
4. applicants/candidates submitting CVs/portfolios (including via the general contact form).

By using the Website and/or sending data to the Controller, the User confirms that they have read this Policy.

The Controller may update the Policy. A new version takes effect from the time it is published on the Website, unless a different effective date is stated in the new version.

II. TERMS AND DEFINITIONS

Personal data — any information relating directly or indirectly to an identified or identifiable natural person.

Data subject — the natural person to whom the personal data relate.

Controller — the entity that organises and/or carries out processing of personal data and determines the purposes of processing. Under this Policy — Bulltech LLC.

Processing of personal data — any action (operation) or set of actions (operations) performed on personal data, including: collection, recording, organisation, accumulation, storage, rectification (update, change), retrieval, use, transfer (provision, access), anonymisation, blocking, erasure, destruction.

Confidentiality of personal data — a mandatory requirement not to disclose personal data to third parties without the data subject’s consent or another lawful basis.

Cookies — small files or similar technologies stored on the user’s device and used for the proper operation of the Website and/or analytics.

III. PRINCIPLES OF PERSONAL DATA PROCESSING

• Processing is carried out on a lawful and fair basis.
• Processing is carried out only for specific, predefined and lawful purposes.
• Only data necessary for the stated purposes are processed (data minimisation).
• The Controller takes measures to ensure accuracy and relevance of personal data (including rectification/updates where necessary).
• Confidentiality and security of personal data are ensured (organisational and technical measures).
• Retention periods do not exceed what is necessary to achieve the purposes of processing, unless a longer period is established by law or contract.

IV. DATA WE MAY COLLECT

Data you provide to us

The Controller may process:

1. name/full name (if provided);
2. phone number;
3. e-mail address;
4. company/position (if provided);
5. content of the enquiry/message;
6. files/attachments you upload via forms (including briefs, specifications, presentations, portfolios, CVs and other materials).

Technical data and Website usage data

When you visit the Website, the Controller may automatically receive:

1. IP address;
2. information about the browser/device/OS (type, version, language);
3. date and time of access;
4. information about actions on the Website (views, navigation, events);
5. cookies and similar technologies.

V. LEGAL BASES FOR PROCESSING

The Controller processes personal data where at least one of the following applies:

• Consent of the data subject (for example, when submitting a form, uploading files/CVs, or consenting to analytics cookies).
• Processing necessary for the conclusion and/or performance of a contract, or for actions at the data subject’s request prior to conclusion of a contract.
• Performance of duties provided for by law.
• Legitimate interests of the Controller (for example, ensuring security and operability of the Website), provided that the rights and freedoms of the data subject are not infringed.

VI. PURPOSES OF PERSONAL DATA PROCESSING

The Controller processes personal data for the following purposes:

• Enquiries and communication: reviewing requests, preparing responses, consultations, clarifying project/enquiry details.
• Negotiations and contractual relations: preparing and agreeing terms, concluding and performing contracts, project cooperation.
• Review of candidate materials: CVs/portfolios and communication regarding potential employment/cooperation (including where a CV is submitted via the general contact form).
• Website operability, security and improvement: protection against abuse, error analysis, improving user experience and visit statistics.

VII. DATA CONTENT BY PURPOSE AND RETENTION PERIODS

Enquiries via forms

Data processed: name/full name (if provided), phone, e-mail, enquiry content, attachments, company/position (if provided).

Retention period: for the duration of handling the enquiry and subsequent communication, and for a reasonable period to record the interaction history and protect the Controller’s rights and legitimate interests, unless a longer period is required by law or contract.

Negotiations and contracts

Data processed: contact details, information about representatives of counterparties (name, position, contacts), correspondence and contract/project documents, other necessary information.

Retention period: for the term of the contract and thereafter — for periods provided by the legislation of the Russian Federation and rules on archival/accounting storage (where applicable).

CVs/portfolios of candidates

Data processed: information provided by the candidate (name, contacts, experience, education, skills, links/files, etc.).

Retention period: until the purposes of processing are achieved (review of candidacy and/or possible further contact within a talent pool), or until withdrawal of consent by the candidate where processing is based on consent, and for a period necessary to protect the Controller’s rights and legitimate interests, unless a longer period is required by the legislation of the Russian Federation.

Technical data, cookies, analytics

Data processed: IP, cookies, browser/device information, actions on the Website.

Retention period: as determined by the purpose and settings of the systems used, but no longer than necessary for the purposes of processing.

VIII. COOKIES AND WEB ANALYTICS (YANDEX METRICA)

What cookies are and how they work

Cookies are small text files (or similar technologies, including localStorage/pixels) that the Website may store in the browser or on the user’s device when visiting.

On subsequent visits the browser automatically sends stored cookies back to the Website (or to the service that set them). This helps recognise the browser/device, save settings (for example, language/consents), ensure pages work correctly, and collect statistics on how the Website is used without re-entering data each time.

Cookies do not run programs by themselves and are not viruses. They may contain identifiers and technical parameters that allow the Website/services to link actions within one session or across visits.

Why we use cookies and what they help with

Cookies help to:

• ensure Website operation (navigation, page loading, protection against failures/abuse);
• remember user choices (for example, interface settings);
• understand which pages and sections are useful, where errors occur and what to improve (analytics and statistics);
• where advertising/marketing tools are used on the Website — show more relevant messages/ads and limit repeat impressions.

What cookies may “track” (examples)

Depending on the type of cookies, the following may be recorded:

• technical data: IP address, device/browser/OS type, language, date and time of visit;
• actions on the Website: pages viewed, clicks, navigation, session duration, referral source, events (for example, form submission);
• settings and preferences: selected language/region, saved display parameters, consent state (for example, consent to analytics cookies).

Classification of cookies

By purpose (type)

• Strictly necessary (essential) — required for technical operation of the Website and its functions. Without them the Website may not work correctly.
• Performance / analytics — help collect aggregate statistics and understand how the Website is used (popular pages, errors) to improve the Website.
• Functional — remember user choices and improve convenience (for example, language/region, settings).
• Targeting / advertising (marketing) — used to personalise ads/communications, measure campaign effectiveness, limit repeat impressions, and may share information with advertising partners (if such tools are connected).

By retention period

• Session — deleted after the browser is closed;
• Persistent — stored until expiry or until deleted by the user/browser.

By source of placement

• First-party cookies — set by the domain of the Website the user visits;
• Third-party cookies — set by external services used on the Website (for example, analytics).

Third-party cookies and their role

The Website may use third-party services (for example, web analytics systems). Such services may set third-party cookies and collect technical/behavioural data to produce statistics and reports.

We do not control how third-party services process data outside the scope of services provided to us; processing by such parties is governed by their own policies.

Web analytics: Yandex.Metrica

We use Yandex.Metrica web analytics to analyse traffic and improve the Website. Technical data (including cookies, IP address, device/browser information and actions on the Website) may be processed to generate statistics and reports.

Analytics cookies are used where the user has given consent via the Website interface (for example, cookie banner/settings), if such functionality is implemented. Strictly necessary cookies are used to ensure Website operation.

Advertising (marketing) cookies

Advertising/marketing cookies may be used to:

• show more relevant advertising messages;
• measure advertising campaign effectiveness;
• limit repeat impressions;
• send signals to advertising partners (if such tools are connected).

Such cookies (if used) are set and applied only with the user’s consent, except where use is permitted by law without consent.

How to manage cookies

The user may restrict or disable cookies in browser settings and delete previously stored cookies.

Disabling cookies may cause some Website functions to work incorrectly.

IX. PROCESSING PROCEDURE, ACCESS, PROCESSING BY PROCESSORS

The Controller processes personal data by automated and non-automated means.

Access to personal data is granted only to authorised employees of the Controller to the extent necessary for their duties.

The Controller may engage processors (contractors/providers) to process personal data where necessary to achieve the purposes of processing (for example, hosting/infrastructure, corporate e-mail, web analytics), provided such parties maintain confidentiality and security of data and limit processing to the purposes of the engagement.

The Website may contain links to third-party websites/services or use third-party services for certain functions (including analytics, communications and other service features). If the user visits a third-party resource or interacts with a third-party service, processing on that resource/service is governed by its own documents (policies and terms). The Controller does not control and is not responsible for how such third parties process data outside the scope of processing engagement described in Section IX.3 of this Policy.

X. DISCLOSURE TO THIRD PARTIES AND CROSS-BORDER TRANSFERS

The Controller does not disclose personal data to third parties without lawful grounds, except where:

1. transfer is required by law;
2. transfer is necessary for performance of a contract/provision of services;
3. the data subject has given consent.

The Controller does not carry out cross-border transfer of personal data. If cross-border transfer becomes necessary, it will be carried out only on lawful grounds and in compliance with the requirements of the legislation of the Russian Federation.

XI. MEASURES TO PROTECT PERSONAL DATA

The Controller implements legal, organisational and technical measures to protect personal data in accordance with Articles 18.1 and 19 of 152-FZ.

Protection measures (where applicable) may include:

1. role-based access control and need-to-know principle;
2. access logging and monitoring;
3. use of secure data transfer protocols (HTTPS/TLS);
4. backups;
5. software updates and vulnerability management;
6. internal policies and staff training.

XII. LOCALISATION AND STORAGE OF DATA

The Controller ensures compliance with the requirements of the legislation of the Russian Federation on localisation of personal data of citizens of the Russian Federation — to the extent and in cases provided by applicable law.

The Controller stores personal data no longer than necessary to achieve the purposes of processing, unless a different period is established by law or contract.

XIII. CESSATION OF PROCESSING AND ERASURE OF DATA

Personal data shall be destroyed or anonymised when the purposes of processing are achieved or when the need to achieve such purposes ceases, unless otherwise provided by law.

Upon withdrawal of consent, the Controller ceases processing and destroys personal data within the time limits provided by the legislation of the Russian Federation, unless there are other lawful grounds to continue processing.

XIV. RIGHTS OF THE DATA SUBJECT

The data subject has the right to:

• obtain information about processing of their personal data;
• request rectification, blocking or erasure of personal data where grounds exist;
• withdraw consent to processing of personal data (where processing is based on consent);
• challenge the Controller’s actions or inaction before Roskomnadzor or a court;
• challenge decisions based solely on automated processing (where such decisions are applied).

Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal. The Controller may continue processing where other lawful grounds provided for by 152-FZ exist.

XV. HOW TO CONTACT US

For questions regarding personal data processing and privacy you may send a request:

1. E-mail: info@bulltech.ru
2. Postal address: 124536, Moscow, Zelenograd, Yunyosti St., bld. 8, floor 9, office 902
3. Phone: +7 (499) 113-22-66

We recommend that the request include: full name, contact for response, substance of the request, and information that helps identify interaction with the Controller (for example, date/topic of enquiry, e-mail/phone indicated in the form).

The Controller may request additional information necessary to identify the applicant and prevent unlawful disclosure of personal data to third parties.

The Controller reviews enquiries and sends responses within the time limits established by the legislation of the Russian Federation.

To expedite handling, we recommend sending enquiries to info@bulltech.ru with one of the following subject lines: “Withdrawal of consent to personal data processing”, “Update of personal data”, “Data subject request”.

Withdrawal of consent to personal data processing is carried out by sending a request to the Controller as described in Sections XV.1–XV.5 of this Policy. The Controller ceases processing and takes further steps with personal data in the manner and within the time limits established by the legislation of the Russian Federation, unless other lawful grounds for continued processing exist.

XVI. FINAL PROVISIONS

This Policy remains in effect indefinitely until replaced by a new version.

The current version of the Policy is published on the Website.

If any provision of the Policy is held invalid, the remaining provisions continue to apply.