Personal Data Processing Policy
1. General Provisions
This Personal Data Processing Policy has been prepared in accordance with the requirements of Federal Law No. 152-FZ dated July 27, 2006 “On Personal Data” (hereinafter — the Personal Data Law) and defines the procedure for processing personal data and the measures taken by LLC “RID-Cosmetics” (hereinafter — the Operator) to ensure the security of personal data.
1.1. The Operator considers respect for human and civil rights and freedoms in the processing of personal data, including the protection of the right to privacy, personal and family confidentiality — as one of its fundamental obligations and essential conditions of its activities.
1.2. This Personal Data Processing Policy (hereinafter — the Policy) applies to all information that the Operator may obtain regarding visitors of the website rchcosmetics.com.

2. Key Terms Used in This Policy
2.1. Automated processing of personal data — processing of personal data using computer technology.
2.2. Blocking of personal data — temporary suspension of the processing of personal data (unless processing is required to clarify personal data).
2.3. Website — a collection of graphic and informational materials, as well as computer programs and databases, accessible on the Internet at rchcosmetics.com
2.4. Personal data information system — a set of personal data contained in databases and the IT solutions and technical means ensuring their processing.
2.5. Depersonalization of personal data — actions making it impossible to determine, without additional information, whether personal data belongs to a specific User or any other data subject.
2.6. Processing of personal data — any action (operation) or combination of actions (operations) performed with or without automation tools, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, and destruction of personal data.
2.7. Operator — a state body, municipal body, legal or physical person independently or jointly organizing and/or performing the processing of personal data, and determining the purposes of processing, the composition of personal data, and the actions performed with personal data.
2.8. Personal data — any information relating directly or indirectly to an identified or identifiable User of the website rchcosmetics.com.
2.9. Personal data permitted by the data subject for dissemination — personal data to which the data subject has granted access to an unlimited number of persons by providing consent in accordance with the Personal Data Law.
2.10. User — any visitor of the website rchcosmetics.com.
2.11. Provision of personal data — actions aimed at disclosing personal data to a certain person or a defined group of persons.
2.12. Distribution of personal data — any actions aimed at disclosing personal data to an indefinite group of persons or providing access to personal data (including publication in media, posting online, or otherwise making accessible).
2.13. Cross-border transfer of personal data — transfer of personal data to the territory of a foreign state, to a foreign authority, foreign individual, or foreign legal entity.
2.14. Destruction of personal data — any actions resulting in the irreversible destruction of personal data without the possibility of further restoration, including destruction of the physical media containing such data.

3. Rights and Obligations of the Operator
3.1. The Operator has the right to:
  • receive accurate information and/or documents containing personal data from the data subject;
  • continue processing personal data without the consent of the data subject if the latter withdraws consent, provided such grounds are permitted under the Personal Data Law;
  • independently determine the scope and measures necessary to ensure compliance with obligations established by the Personal Data Law, unless otherwise stipulated by law.
3.2. The Operator is obliged to:
  • provide the data subject, upon request, with information regarding the processing of their personal data;
  • organize personal data processing in accordance with applicable Russian law;
  • respond to requests and inquiries from data subjects or their legal representatives in accordance with the Personal Data Law;
  • provide the authorized data protection authority with the required information within 10 days of receiving a request;
  • publish or otherwise ensure unrestricted access to this Policy;
  • take legal, organizational, and technical measures to protect personal data from unlawful or accidental access, destruction, modification, blocking, copying, provision, distribution, and other unlawful actions;
  • cease transfer (distribution, provision, access) of personal data, terminate processing, and destroy personal data in the cases established by the Personal Data Law;
  • fulfill other obligations established by the Personal Data Law.
4. Rights and Obligations of Data Subjects
4.1. Data subjects have the right to:
  • obtain information about the processing of their personal data, except as restricted by federal laws. The information provided may not contain personal data relating to other individuals unless lawful grounds exist for disclosure;
  • request clarification, blocking, or destruction of their personal data if the data is incomplete, outdated, inaccurate, unlawfully obtained, or unnecessary for the declared purposes;
  • require prior consent for the processing of personal data for marketing purposes;
  • withdraw consent to the processing of personal data or require cessation of such processing;
  • lodge complaints with the authorized data protection authority or in court regarding unlawful actions or inaction of the Operator;
  • exercise any other rights provided by Russian law.
4.2. Data subjects are obliged to:
  • provide accurate personal data to the Operator;
  • notify the Operator of any clarification (updating, modification) of their personal data.
4.3. Individuals who provide the Operator with inaccurate information or information about third parties without their consent bear liability under Russian law.

5. Principles of Personal Data Processing
5.1. Processing is carried out on lawful and fair grounds.
5.2. Processing is limited to achieving specific, predetermined, and lawful purposes.
5.3. Combining databases containing personal data processed for incompatible purposes is not permitted.
5.4. Only personal data relevant to the purposes of processing shall be processed.
5.5. The scope and content of personal data must correspond to the declared purposes; excessive processing is not allowed.
5.6. Accuracy, sufficiency, and relevance of personal data shall be ensured. The Operator takes necessary measures to delete or clarify incomplete or inaccurate data.
5.7. Personal data shall be stored in a form allowing identification of the data subject no longer than required for the purposes of processing unless a longer storage term is required by law or contract. Upon achieving the purposes of processing or loss of necessity, the personal data shall be destroyed or anonymized unless otherwise provided by law.

6. Purposes of Personal Data Processing
Purpose
Informing the User by sending email messages.
Personal Data Processed
  • surname, first name, patronymic
  • email address
  • telephone numbers
Legal Grounds
  •  founding documents of the Operator
  • agreements concluded between the Operator and the data subject
Types of Processing
  • collection, recording, systematization, accumulation, storage, destruction, and depersonalization
  • sending informational emails to the User’s email address
7. Conditions for Personal Data Processing
7.1. Processing is carried out with the consent of the data subject.
7.2. Processing is required for purposes defined by international treaties or laws of the Russian Federation.
7.3. Processing is necessary for administering justice or executing judicial acts.
7.4. Processing is required for performance of a contract involving the data subject, or for concluding a contract upon the initiative of the data subject.
7.5. Processing is necessary for exercising the rights and legitimate interests of the Operator or third parties, provided it does not violate the rights and freedoms of the data subject.
7.6. Processing is carried out in respect of personal data made publicly accessible by the data subject.
7.7. Processing is carried out for personal data subject to mandatory disclosure under federal law.
8. Procedure for Collecting, Storing, Transferring, and Other Processing of Personal Data
The Operator ensures the security of personal data through legal, organizational, and technical measures required for full compliance with applicable data protection legislation.
8.1. The Operator ensures the confidentiality and security of personal data and takes all possible measures to prevent unauthorized access.
8.2. Personal data shall not be transferred to third parties except as required by law or where the data subject has granted consent for such transfer.
8.3. In case of inaccurate personal data, the User may update the information by emailing the Operator at cosmetics@osetr.com with the subject “Update of Personal Data”.
8.4. The processing period is determined by the purposes for which the data was collected unless otherwise required by law or contract.
A User may withdraw consent at any time by emailing cosmetics@osetr.com with the subject “Withdrawal of Consent to Personal Data Processing”.
8.5. Data collected by third-party services (payment systems, communication services, etc.) is stored and processed by such providers under their user agreements and privacy policies. The Operator is not responsible for the actions of third parties.
8.6. Restrictions imposed by the data subject on the transfer or processing of personal data permitted for dissemination do not apply when processing is carried out for state, public, or other legally significant interests.
8.7. The Operator ensures confidentiality of personal data.
8.8. Personal data is stored in a form allowing identification of the data subject no longer than necessary for processing purposes, unless otherwise required by law or contract.
8.9. Processing may be terminated upon achieving processing purposes, expiration of consent, withdrawal of consent, or discovery of unlawful processing.

9. List of Actions Performed by the Operator with Personal Data
9.1. The Operator performs collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, and destruction of personal data.
9.2. The Operator may carry out automated processing of personal data, including receiving and/or transmitting such data via information and telecommunication networks.

10. Cross-Border Transfer of Personal Data
10.1. Before commencing cross-border data transfer, the Operator must notify the authorized data protection authority of its intention (separately from the general notification on personal data processing).
10.2. Prior to such notification, the Operator must obtain necessary information from the foreign authorities, individuals, or legal entities to whom the transfer is planned.

11. Confidentiality of Personal Data
The Operator and any persons having access to personal data must not disclose or distribute such data to third parties without the consent of the data subject unless required by federal law.

12. Final Provisions
12.1. The User may obtain any clarifications regarding the processing of their personal data by contacting the Operator via email at cosmetics@osetr.com.
12.2. Any changes to this Policy will be reflected in this document. The Policy remains effective until replaced by an updated version.
12.3. The current version of the Policy is publicly available at: rchcosmetics.com/privacy.