Original Group — investment in technology

1. This document defines the policy of "Original" JSC (hereinafter referred to as the Company) in the field of personal data processing and confidentiality of the website www.original-group.ru hereinafter referred to as the Site) Visitors.
2. This Policy has been developed in accordance with the current legislation of the Russian Federation on personal data.
3. The Policy applies to all processes carried out by the Company and related to the processing of personal data, both with the use of automation tools, including on the Internet, and without the use of such tools. Such processes may include, among other things, collection, recording, systematization, accumulation, storage, correction (update, change), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion and destruction of personal data.
4. By voluntarily providing the requested personal data on the Site, the Visitor agrees to their collection and processing for the purposes and methods provided for in this Policy. The visitor can use the Site without providing any personal information.
5. The Company automatically receives and stores non-personal information received using the browser in the server logs. These may include IP address, browser type, cookie information and the requested page address. The Company may use this data to collect information about the actions of Visitors on the Site, to improve the quality of its content and capabilities. The Company does not in any way associate this non-personal data with any personal information received from Visitors.
6. The Company does not verify the accuracy of the personal data provided by the Visitor, relying on the Visitor's fair practice and reasonableness.

1. The main goal of this Policy is to ensure the protection of the Visitors information on the Site, including personal data, from unauthorized access and disclosure. Also, the goal of the Policy is the due performance the Company's obligations to Visitors.
2. The company carries out processes related to the personal data processing for the following purposes:
   1. When providing services - in order to properly fulfill the Company's obligations to the Visitors, properly provide services, accept and process orders for the provision of such services, as well as in any other cases related to this action.
   2. When communicating with Visitors - in order to timely communicate with Visitors and provide them with any necessary reliable and complete information related to the activities of the Company.
   3. When receiving feedback from Visitors - for the purpose of obtaining information about the loyalty and satisfaction of Visitors, its further research and processing, as well as for the purpose of conducting research of any categories.

1. Personal information: Visitor's name and surname, phone number, e-mail; Visitor messages and requests.
2. Non-personal information: IP address, browser type, cookie information, address of the requested page.

The processing of personal data is carried out on the basis of the following principles:

1. Legitimate and equitable basis for the personal data processing.
2. Personal data processing in accordance with specific, predetermined and legitimate purposes.
3. Preventing the unification of databases containing personal data, the processing of which is carried out for purposes incompatible with each other.
4. Compliance of the content and volume of personal data with the stated processing purposes.
5. Accuracy, sufficiency, relevance and reliability of personal data.
6. The legitimacy of technical measures aimed at personal data processing.
7. Reasonableness and expediency of personal data processing.
8. Legitimate and reasonable storage period for personal data.

1. The personal data processing is allowed in the following cases:
   1. The personal data processing is carried out with the consent of the Visitor to the processing of their personal data.
   2. The personal data processing is necessary for the administration of justice, the execution of a judicial act, an act of another body or official, subject to execution in accordance with the legislation of the Russian Federation on enforcement proceedings.
   3. The personal data processing is necessary for the execution of the Agreement, to which the Visitor is a party.
   4. The personal data processing is necessary to protect the life, health or other vital interests of the Visitor, if it is impossible to obtain the consent of the Visitor.
   5. The personal data processing is necessary to exercise the rights and legitimate interests of the Company or third parties, or to achieve socially significant goals, provided that this does not violate the rights and freedoms of the Visitor.
   6. The personal data processing is carried out for statistical or other research purposes, subject to the mandatory depersonalization of the data. An exception is the personal data processing in the promotion of goods and services in the market with direct contacts to a potential consumer via communication and within the framework of the Company's activities.
   7. The personal data processing is carried out, if the access to an unlimited number of persons is provided by the Visitor, or at his request.
   8. The personal data processing subject to publication or mandatory disclosure is carried out in accordance with the legislation of the Russian Federation.
2. The Company processes personal data using own resources. In the event that the Company transfers the personal data processing to third parties, the Company bears responsibility to the Visitor for the actions of such third parties. Third parties process personal data in accordance with this Policy and are responsible to the Company.

1. Personal data collection
   Automated personal data collection is carried out when the Visitor sends a request through the Site. The content of information required for sending a request is specified in clause 3.1. of this Policy.
2. Personal data storage and use.
   Personal data of Visitors is stored exclusively on properly protected electronic media and processed using automated systems, except for cases when manual processing of personal data is required in accordance with the legislation of the Russian Federation.
3. Personal data transfer.
   The Company guarantees that the personal data of Visitors is transferred to third parties only in the manner prescribed by this Policy.
   In other cases, the personal data of the Visitor is not distributed or transferred to third parties.
   In the case of the consent of the Visitor or when specified by the Visitor, it is possible to transfer the User's personal data to third parties, but representing only the contractors of the Company.
   It is possible to provide personal data of Visitors at the request of state bodies, which is carried out in the manner prescribed by the legislation of the Russian Federation.

1. Protection measures.
   To protect the personal data of Visitors from illegal or accidental access, collection, storage, use, transfer, blocking or destruction, as well as from other similar actions, the Company takes technical and organizational and legal measures, of which this Policy is a part.
2. Confidentiality of the information provided.
   The Company undertakes and obliges third parties, in the event of transferring the right to process the Visitor's personal data to them, to comply with the confidentiality regime with respect to the Visitor's personal data and not to use personal data without the Visitor's consent, except as provided for in this Policy.

1. The Visitor always has the right to receive information about the processing of personal data about him, including containing:
   1. confirmation of the fact of personal data processing;
   2. the legal basis for the personal data processing;
   3. the purposes and methods of personal data processing used by the Company;
   4. the name and location of the Company, information about persons (except for employees of the Company) who have access to personal data or to whom personal data may be disclosed on the basis of an agreement with the Company or in accordance with the legislation of the Russian Federation;
   5. the processed personal data relating to the relevant Visitor, the source of their receipt, unless another procedure for submitting such data is provided for by the legislation of the Russian Federation;
   6. terms of processing personal data, including the terms of their storage;
   7. the procedure for the exercise by the Visitor of the rights provided for by the legislation of the Russian Federation;
   8. information on the performed or expected cross-border data transfer;
   9. name or surname, first name, patronymic name and address of the person processing personal data on behalf of the Company, if the processing is entrusted or will be entrusted to such a person;
   10. other information provided for by the legislation of the Russian Federation.
2. The visitor has the right to receive the information specified in article 8.1. of this Policy an unlimited number of times.
3. If the Visitor believes that the Company is processing his personal data in violation of the requirements of the Federal Law "On Personal Data" or otherwise violates his rights and freedoms, the Visitor has the right to appeal against the actions or inaction of the Company to the authorized body for the protection of the rights of subjects of personal data or in court.

In accordance with the requirements of the Federal Law "On Personal Data", the Company is obliged to:

1. provide the Visitor, at his request, with information regarding his personal data processing and specified in clause 8.1. of this Policy, or provide the Visitor with a reasonable refusal;
2. in the event that the personal data of the Visitor was received by the Company not from the Visitor, the Company is obliged to notify the Visitor about this in any way before processing such data and provide him with data about the person who provided such personal data;
3. take measures necessary and sufficient to ensure the fulfillment of the obligations stipulated by this Policy and the Federal Law "On Personal Data";
4. when processing personal data, take the necessary legal, organizational and technical measures or ensure their adoption to protect personal data from unauthorized or accidental access to them, destruction, modification, blocking, copying, provision, distribution of personal data, as well as from other illegal actions in relation to personal data;
5. at the request of the Visitor, correct the processed personal data, block or delete if the personal data is incomplete, outdated, inaccurate, illegally obtained or is not necessary for the stated purpose of processing;
6. keep a records Register of Visitors' requests, in which Visitors' requests for obtaining personal data, as well as the facts of providing personal data on these requests, should be recorded;
7. ensure the legitimacy of the personal data processing. If it is impossible to ensure the legitimacy of the personal data processing, the Company, within a period not exceeding ten working days from the date of detection of the illegal personal data processing, is obliged to destroy such personal data or ensure their destruction;
8. if the Visitor revokes his consent to his personal data processing, stop personal data processing and destroy personal data within a period not exceeding thirty days from the date of receipt of the said revocation. The Company is obliged to notify the Visitor about the destruction of personal data.

1. The Company is obliged to make sure that the foreign state, to whose territory the transfer of personal data is carried out, provides adequate protection of the rights of the Visitor, before the start of the cross-border personal data transfer
2. Cross-border personal data transfer on the territory of foreign states that do not provide adequate protection of the rights of subjects of personal data can be carried out in the following cases:
   1. the presence of written consent of the Visitor for the cross-border personal data transfer;
   2. stipulated by international treaties of the Russian Federation;
   3. provided for by federal laws, if it is necessary in order to protect the foundations of the constitutional system of the Russian Federation, ensure the country's defense and state security, as well as ensure the security of the stable and safe transport complex operation, protect the interests of the individual, society and the state in the field of the transport complex from acts of unlawful interference;
   4. execution of the contract to which the Visitor is a party;
   5. protecting the life, health, and other vital interests of the Visitor or other persons if it is impossible to obtain consent in writing by the Visitor.

1. The actions of this Policy relate exclusively to the Site and do not apply to actions, mobile applications and Internet sites of third parties.

1. The Policy comes into force from the moment it is approved by the General CEO of the Company and is valid indefinitely, until it is replaced by a new Policy.
2. This version of the Policy is the current version and is a public document. The company has the right to make any changes to the Policy at any time. In the event that changes are made to the Policy, the Company is obliged to notify the Users of this by posting a new version at the same address, but no later than 10 days before the relevant changes take effect.