Personal Data Processing Policy

Edition of 02.05.2026 · version 2026-05-02

1. General provisions

1.1. This Personal Data Processing Policy (the “Policy”) is prepared in accordance with Federal Law No. 152-FZ of 27.07.2006 “On Personal Data” (the “Law”) and sets out the procedure for processing personal data and the measures taken by the Operator to ensure their security in respect of users of the website located on the Internet at www.taroruna.com (the “Website”).

1.2. The operator of personal data is:

  • Self-employed individual Anvarli Anvar Aligeydarovich
  • INN (taxpayer number): 614677509890
  • Website: www.taroruna.com
  • Email for enquiries: support@taroruna.com

1.3. The Operator places the observance of the rights and freedoms of individuals when processing their personal data, including the protection of the rights to privacy and to personal and family confidentiality, above the other goals of its activity.

1.4. This Policy applies to all personal data of data subjects that the Operator may obtain in connection with the use of the Website, and covers both registered users (account holders) and users who use the Website without registration (together, the “User”).

1.5. The current edition of this Policy is made freely available by the Operator on the Website at a permanent address. By using the Website, the User can learn how the Operator processes personal data; personal data is processed on the grounds set out in Section 6 of this Policy.

2. Key definitions

The following key terms are used in this Policy:

  • 2.1. Personal data — any information relating directly or indirectly to an identified or identifiable natural person (data subject).
  • 2.2. Processing of personal data — any action (operation) or set of actions performed on personal data with or without the use of automation, including collection, recording, systematisation, accumulation, storage, updating, retrieval, use, transfer (provision, access), blocking, deletion and destruction.
  • 2.3. Operator — the person who independently organises and (or) carries out the processing of personal data and determines the purposes and content of processing, identified in Section 1 of this Policy.
  • 2.4. Automated processing — processing of personal data using computer technology.
  • 2.5. Blocking — temporary suspension of the processing of personal data (except where processing is necessary to update them).
  • 2.6. Destruction — actions that make it impossible to restore the content of personal data in an information system and (or) that result in the destruction of the physical media of personal data.
  • 2.7. Cross-border transfer — the transfer of personal data to the territory of a foreign state, to a foreign authority, a foreign natural person or a foreign legal entity.
  • 2.8. Cookie — a small piece of data stored in the User’s browser; the use of cookies is governed by a separate Cookie Policy published on the Website.

3. Principles of personal data processing

  • 3.1. The Operator processes personal data on a lawful and fair basis.
  • 3.2. Processing is limited to the achievement of specific, predetermined and lawful purposes. Processing of personal data that is incompatible with the purposes of its collection is not permitted.
  • 3.3. It is not permitted to combine databases containing personal data whose processing is carried out for purposes incompatible with one another.
  • 3.4. Only personal data that meets the purposes of its processing is processed. The content and volume of the personal data processed correspond to the stated purposes and are not excessive in relation to them.
  • 3.5. Personal data is stored no longer than required by the purposes of processing, unless a storage period is established by law or contract. Personal data is subject to destruction or anonymisation once the purposes of processing are achieved or the need to achieve them is lost.

4. Legal grounds for processing

4.1. Depending on the purpose of processing, the legal grounds for processing personal data are: the data subject’s consent to the processing of their personal data; a contract to which the subject is a party or a beneficiary (including the user agreement and public offer published on the Website); the exercise of the rights and legitimate interests of the Operator, provided that the rights and freedoms of the data subject are not thereby infringed; as well as federal laws and other regulatory acts establishing the Operator’s obligations.

4.2. The specific legal ground applicable to each purpose of processing is set out in Section 6 of this Policy.

5. Rights of the data subject

5.1. The data subject has the right to obtain information concerning the processing of their personal data. Upon the subject’s request, the Operator provides:

  • confirmation of the fact that the Operator processes personal data;
  • the legal grounds and purposes of processing;
  • the purposes and methods of processing applied by the Operator;
  • the personal data relating to the subject that is being processed, and the source from which it was obtained, unless a different procedure is provided by law;
  • the periods of processing of personal data, including the storage periods;
  • information on any cross-border transfer of personal data;
  • information on persons to whom personal data may be transferred, or on persons processing data on behalf of the Operator;
  • information on the procedure for the subject to exercise the rights provided by the Law;
  • other information provided for by the Law.

5.2. The subject has the right to demand the clarification of their personal data, its blocking or destruction where it is incomplete, outdated, inaccurate, unlawfully obtained or not necessary for the stated purpose of processing, and to take measures provided by law to protect their rights.

5.3. The subject has the right at any time to withdraw consent to the processing of personal data and to demand the cessation of processing by sending the relevant request to the Operator.

5.4. The subject has the right to appeal the Operator’s actions or inaction to the authorised body for the protection of the rights of data subjects (Roskomnadzor) or in court.

5.5. The information referred to in clause 5.1 is provided to the subject or their representative within ten business days of the request being made or received. This period may be extended by no more than five business days, where the Operator sends a reasoned notice stating the grounds for the extension.

6. Purposes of processing, categories of data and storage periods

The Operator processes personal data to the extent and on the terms set out below:

Registration and account management

  • Purpose: creating and maintaining the User’s account, providing access to Website features
  • Categories of data: first and last name, email address, authentication data (in protected form), language and regional settings (language, time zone), date and place of birth (when completing the profile), technical data
  • Subjects: registered users
  • Legal ground: performance of the user agreement (contract); the subject’s consent — where applicable
  • Storage period: for the term of the account
  • Cessation of processing (destruction): destruction within up to 30 days after account deletion, unless another legal basis for storage exists

Provision of paid services

  • Purpose: processing payment, providing access to paid features, supporting settlements
  • Categories of data: email address, payment identifier, status, amount and payment parameters, tariff details
  • Subjects: payers
  • Legal ground: performance of the contract; fulfilment of obligations established by law
  • Storage period: for the periods established by law for tax, accounting and claim-related obligations
  • Cessation of processing (destruction): cessation of processing and destruction (anonymisation) after the statutory storage periods expire

Provision of readings, consultations and automated responses of the service

  • Purpose: provision of the Website’s informational and entertainment services
  • Categories of data: date, time and place of birth, content of correspondence, history of enquiries
  • Subjects: registered users and users without registration
  • Legal ground: performance of the agreement (contract); the subject’s consent — where applicable
  • Storage period: service processing logs — 14 days; history within the account — for the term of the account
  • Cessation of processing (destruction): destruction upon expiry of the period or upon account deletion

Guest computations (calculations without server-side storage)

  • Purpose: providing the calculation result on the User’s device
  • Categories of data: data entered by the User locally
  • Subjects: users without registration
  • Legal ground:
  • Storage period: data entered by the User is not transferred to the application server to perform the calculation; technical analytics of visits and interaction is described separately in the “Analytics” scenario
  • Cessation of processing (destruction): the User deletes the data on their own device

Website analytics

  • Purpose: ensuring the operability of the Website, improving the user interface, diagnostics and prevention of failures
  • Categories of data: IP address, cookie/browser identifiers, information about the device, browser, operating system and screen, page address and referral source, technical interface interaction events
  • Subjects: users without registration and registered users
  • Legal ground: the Operator’s legitimate interest
  • Storage period: in accordance with the Cookie Policy
  • Cessation of processing (destruction): cessation upon expiry of cookie storage periods, on changing browser settings or the provider’s settings

Communication

  • Purpose: sending service (transactional) messages and handling support enquiries
  • Categories of data: email address, content of the enquiry, technical metadata
  • Subjects: users and persons who submitted an enquiry
  • Legal ground: performance of the contract; the Operator’s legitimate interest
  • Storage period: for the period of handling the enquiry and protecting the parties’ rights
  • Cessation of processing (destruction): destruction upon achievement of the purpose of processing

Security and prevention of abuse

  • Purpose: ensuring the security of the Website and accounts, preventing fraud and abuse, diagnostics and error resolution
  • Categories of data: IP address, browser information (user-agent), authentication events, technical logs
  • Subjects: users without registration and registered users
  • Legal ground: the Operator’s legitimate interest; fulfilment of obligations established by law
  • Storage period: for the period dictated by technical necessity and security requirements
  • Cessation of processing (destruction): destruction (anonymisation) upon expiry of the period of necessity

7. Special categories of personal data

7.1. The Operator does not request, and does not intend the Website for the processing of, special categories of personal data, in particular data concerning health, racial or ethnic origin, political views, religious or philosophical beliefs, or intimate life.

7.2. The Operator asks Users not to enter such information into the Website’s forms or into correspondence and does not carry out its purposeful collection.

8. Transfer of personal data to third parties

8.1. For the operation of the Website, personal data may be received and (or) processed by providers of hosting and data storage services, providers of analytics services, payment operators (aggregators), providers of service communication and technical contractors.

8.2. Some of these persons process personal data on behalf of the Operator in compliance with confidentiality and data-security requirements; others act as independent recipients on the basis of a contract, requirements of law, or another applicable ground.

8.3. The Operator does not sell personal data.

9. Cross-border transfer of personal data

9.1. In certain cases, the processing of personal data may be carried out using information systems and technical providers located both within and outside the territory of the Russian Federation.

9.2. When carrying out such processing, the Operator takes the measures provided for by the applicable legislation of the Russian Federation.

10. Automated processing

10.1. Some of the responses, materials and results provided on the Website are generated automatically using software algorithms.

10.2. Such responses and materials are of an informational and entertainment nature and do not constitute legally significant decisions producing legal consequences for the User.

11. Ensuring the security of personal data

11.1. The Operator takes the necessary legal, organisational and technical measures to protect personal data against unlawful or accidental access, destruction, alteration, blocking, copying, provision, distribution, and against other unlawful actions in relation to personal data.

11.2. Access to the personal data processed is granted on a limited basis.

12. Withdrawal of consent, cessation of processing and destruction

12.1. Requests to withdraw consent, to cease processing, or to clarify, block or destroy personal data are sent to the Operator’s email address: support@taroruna.com.

12.2. Withdrawal of consent does not entail the cessation of processing where the Operator has another legal basis for processing (in particular, performance of a contract or fulfilment of an obligation established by law).

12.3. Periods applied by the Operator:

  • upon detection of inaccurate personal data (on the basis of information provided by the subject or their representative confirming such inaccuracy) — clarification of personal data within no more than 7 business days from the date such information is provided;
  • upon withdrawal of consent or achievement of the purpose of processing — cessation of processing and destruction of personal data within no more than 30 days, unless another legal basis for storage exists;
  • upon receipt of a demand to cease processing — review and action within no more than 10 business days (with a possible extension of no more than 5 business days upon a reasoned notice), unless there is a legal basis to continue processing;
  • upon detection of unlawful processing of personal data — cessation of the unlawful processing within no more than 3 business days, and destruction of personal data within no more than 10 business days; where destruction within that period is impossible — blocking of personal data with subsequent destruction within no more than 6 months.

13. Final provisions

13.1. The Operator may amend this Policy. The current edition applies until replaced by a new edition and is published on the Website with the edition date and version indicated. Information on the use of cookies is available in the Cookie Policy.

13.2. This edition of the Policy: of 02.05.2026, version 2026-05-02.

Privacy Policy | Taroruna | Taroruna