Privacy Notice

Last updated December 2020

This Privacy Notice (hereinafter the Notice) is used by Joint-Stock Company Positive Technologies located at 8 Preobrazhenskaya Square, office 60, Preobrazhenskoye District, Moscow, 107061, Russian Federation (hereinafter «the Company,» «we,» or «us») in relation to the websites, services, social media accounts, and other products (services) of the Company through which we collect personal data and which refer to the Notice. The Notice does not apply to the Company’s websites that do not refer to the Notice or which contain a link to a document other than the Notice relating to the processing of personal data.

In this Notice we openly explain all methods of personal data processing when using the Company’s websites. Positive Technologies is an expert in protecting a wide variety of devices, infrastructures, and data. Therefore, we understand the importance of a proper approach to data privacy and security and adhere to the principle of comprehensive and complete protection of our users’ personal data.

The Notice was developed by the Company in compliance with Federal Law No.152-FZ On Personal Data of July 27, 2006 (hereinafter the Law). As an international company, we take into account provisions of other regulatory acts on personal data, including the General Data Protection Regulation (GDPR).

1. General information

1.1. Personal data are any information that refers directly or indirectly to a particular or designated individual. For instance, a person’s last name, first name, middle name, or patronymic, his or her job title, company name, email address, phone number, and other information shall be deemed personal data.

Technical information shall be deemed personal data too, if it can be attributed to an individual. This includes IP address, type of operating system, type of device (computer, cell phone, tablet), browser type, geolocation, web form fill-in, and Internet provider.

If we cannot relate the information to the individual in any way, we will not treat this information as personal data.

1.2. You understand that we process only those personal data that we have received from you, as from an individual using our web-sites, products, social network accounts, and services (hereinafter Services).

1.3. This Notice defines the Company’s policy of processing and protection of personal data and is available at https://www.ptsecurity.com/ww-en/privacy-policy/. The Company also provides unrestricted access to the Notice to any person who has personally contacted the Company.

1.4. The primary goal of the Company is to ensure protection of the individuals’ rights and freedoms during processing of personal data, including protection of one’s right to personal and family privacy, clear and strict compliance of requirements of the Russian law on personal data, first of all.

1.5. This Notice applies to all personal data on individuals processed by the Company, as well as to processes related to personal data processing. The Company may process personal data with or without automated data processing tools. The processes may include, without limitation, collection, recording, systematization, accumulation, storage, changing (updating, modification), electronic copying, extraction, use, transfer (distribution, provision, access), anonymization, blocking, deletion, and erasure of personal data.

1.6. The Company processes personal data, including data storage, on servers located in the Russian Federation.

1.7. The Company has the right to update this Notice as necessary. The Notice must be revised in case of significant changes in the international or national legislation on personal data. If we process personal data, we undertake to notify you of any such changes by email.

1.8. The Company does not check validity of personal data or the legal capacity of the person providing such data. You guarantee that all data are valid, up-to-date, and compliant with the legislation of the Russian Federation.

2. Purposes of personal data processing

The Company shall be guided by sufficiency, reasonableness, and feasibility when processing personal data. We carry out processes related to personal data processing in cases and for purposes listed in this section.

2.1. When you access our Services. Personal data are processed in order to ensure proper performance of obligations by the Company, proper provision of services, receipt and processing of requests for such services, registration on the Services, identification of a Service user, recovery of Service password, and in any other cases related to such actions. Your use of the Services shall mean unconditional acceptance of this Notice and personal data processing conditions stated herein. If you disagree with this Notice, stop using the Services immediately.

2.2. When you participate in events held by the Company and register as a participant. Participation in events held by the Company shall mean unconditional acceptance of this Notice and personal data processing conditions stated therein. If the Subject of personal data disagrees with this Notice, he or she must stop participating in events immediately.

2.3. When we contact you to receive feedback and to provide you with any accurate and complete information related to the Company’s activities. Including, but not limited to, provision of information of the Services and services, mail distribution of information on Services and services, events and promotional activities arranged by the Company or authorized third parties, or both. The Company shall have the right to use the phone number and/or email you provide to contact you.

2.4. When we receive your feedback for the following purposes:

• Receiving information on loyalty and satisfaction with Services and services, for further review and processing of that information
• Analysis to improve quality of Services and services
• Performance of any type of study

2.5. To ensure protection and confidentiality of your personal data. By processing personal data, we ensure operability and security of Services, confirm actions you perform, prevent fraud, cyberattacks, and other abuse, and perform investigation of such cases.

2.6. When we consider candidates for vacant positions, including consideration of a candidate, for a specific vacant job position, making a decision on hiring or refusing to hire, and creating a candidates pool.

3. List of processed personal data

3.1. Depending on the web form you are filling out, we may process the following personal data:

3.1.1. General personal data: full name, position, company name, email address, phone number.

3.1.2. Other personal data: gender, date and place of birth, personal photo, citizenship, information about the place of residence and registration, identity documents, information about the position held, working conditions, basic and additional education, professional experience and skills, information on seniority, medical insurance, military registration, marital status and family, information about medical restrictions for work, suitability for the position (work performed), violations and penalties, awards and rewards, and the employment expiration.

3.2. Other information processed by the Company:

3.2.1. Data about technical devices: IP address, type of operating system, type of device (computer, cell phone, tablet), browser type, geolocation, web form fill-in, and Internet provider.

3.2.2. Information received automatically when accessing Services, including Internet sites using cookies. Cookies are text fragments automatically saved in the memory of your Internet browser using our website. This allows the website to access saved data on your computer and retrieve it when necessary. We use cookies to remember the language you use to access the website. Next time you visit our website, we will be able to take into account your preferences regarding the use of our website. Most Internet browsers save cookies automatically, but you can always change your browser settings and stop saving cookies.

3.2.3. Information obtained as a result of your actions, including the data on submitted comments, inquiries, replies, and questions.

4. Principles of personal data processing

Sufficiency is the main principle we follow when processing personal data. Your personal data will not be processed unless really necessary.

When processing personal data, we are also governed by the following principles:

4.1. Lawfulness and fairness of personal data processing.

4.2. Processing of personal data in compliance with specific, predetermined and legitimate purposes.

4.3. Prevention of merging of databases containing personal data processed for incompatible purposes.

4.4. Processing of only personal data that comply with the purposes of their processing.

4.5. Compliance of personal data content and volume with the stated processing purpose.

4.6. Accuracy, sufficiency, adequacy, and reliability of personal data.

4.7. Legitimacy of technical measures aimed at personal data processing.

4.8. Reasonableness and feasibility of personal data processing.

4.9. Storage of personal data in a format allowing to identify the individual is allowed only for the time required for their processing, or for as long as the individual’s consent is valid.

4.10. Processed personal data shall be destroyed or anonymized immediately in cases listed in the Notice.

5. Processing personal data

5.1. Personal data collection

Personal data can be collected in the following ways:

• You provide personal data by filling in forms, including online forms on the Services.
• Data are collected automatically using technologies and services, such as web protocols, cookies, web markers launched only when you fill in your data.
• You provide personal data in writing, including the use of communication means.

5.2. Storage and use of personal data.

• Personal data shall be stored only on properly secured media, including electronic media, and processed with or without automated data processing tools.
• If the Company uses automated personal data processing, it shall make sure to use databases located in the Russian Federation.

5.3. Handover of personal data

• The Company may provide your personal data to third parties, including, but not limited to, consultants, partners, providers under agreements, contractors, and agents (hereinafter Consultants) with your consent. Exceptions are cases when data are provided to ensure compliance with agreement terms and conditions, regulatory requirements, to prevent or stop illegal actions on your part, or to protect the interests of the Company and third parties.
• Personal data are provided to Consultants to achieve the goals stated earlier, and data transfer shall be based on the agreement with the respective Consultant. Consultants undertake to use personal data strictly in compliance with this Notice to achieve the stated purposes and to provide services under an agreement.

5.4. Destruction of personal data

The Company destroys personal data in the following cases:

• Threat to security of Services
• The purpose of personal data processing are achieved, or it is no longer necessary to achieve it.
• You violated the Notice.
• Personal data storage period has expired.
• The agreement has expired or was terminated.
• At your request or if the individual revokes the consent for personal data processing.

6. Your rights

6.1. You have the right to receive information on processing of your personal data, including the following:

• Confirming the fact of your personal data processing
• Legal basis for your personal data processing
• Purposes and methods the Company uses to process your personal data
• What personal data of yours we process and where we get it from
• Time of your personal data processing, including storage time
• Procedure for exercising the rights provided for by the legislation of the Russian Federation
• Information on actual or planned cross-border data transfer
• Information on persons to whom your personal data may be provided under an agreement with the Company or in compliance with the legislation of the Russian Federation
• Name of the entity or full name and address of the individual processing personal data, if such entity or individual is tasked or will be tasked with processing
• Other information provided for by the legislation of the Russian Federation.

You have the right to receive such information any number of times. For this, send a request to the Company as provided for by Section 11 of the Notice.

7. Obligations of the Company

7.1. As required by the Law, the Company undertakes to do the following:

7.1.1. At your request, provide information on your personal data processing listed in Item 6.1 of the Notice, or a justified refusal.

7.1.2. Take necessary and sufficient measures to fulfill obligations provided for by the Law.

7.1.3. At your request, update processed personal data, block or remove it if it’s incomplete, outdated, obtained illegally or not required for the stated purpose of processing.

7.1.4. Ensure that personal data are processed with due diligence. If personal data cannot be processed with due diligence, the Company shall erase or ensure erasure of personal data within 10 (ten) business days after discovering that data was processed without due diligence.

7.1.5. If the agreement with you expires or if you revoke your consent for personal data processing, we stop processing your personal data and erase it within 30 (thirty) business days of receipt of your revocation. Exception can be made when processing continues by virtue of legislation of the Russian Federation.

8. Information on personal data protection

8.1. All personal data you provide shall be confidential by default. Protection of personal data processed by the Company is ensured by implementation of legal, organizational, and technical measures necessary and sufficient to ensure compliance with requirements of the Russian Federation legislation on personal data protection. However, we always strive to ensure maximum protection of your data and apply more measures to protect personal data than required by legislation. Below are some of the measures the Company takes to protect personal data.

8.2. Legal measures:

8.2.1. Development of local Company regulations to fulfill requirements of the Russian legislation, including this Notice, and placing it at https://www.ptsecurity.com/ww-en/privacy-policy/.

8.2.2. Refusal to use any personal data processing methods which do not fit for the purpose predetermined by the Company.

8.3. Organizational measures:

8.3.1. Appointing a person responsible for arrangement of personal data processing. You can contact this person using the following email: privacy@ptsecurity.com.

8.3.2. Limiting the number of Company employees having access to personal data, and arranging a system of permits for access.

8.3.3. Regular assessment of risks related to personal data processing.

8.3.4. Internal investigations to identify any facts related to unauthorized access to personal data/

8.3.5. Using encryption when processing personal data/

8.3.6. Monitoring and security assessment of the Company’s network infrastructure/

8.3.7. Educating Company employees on provisions of the Russian Federation legislation on personal data, including personal data protection requirements, local regulations of the Company on personal data protection; training the employees.

8.3.8. Arranging security of premises storing media with personal data to prevent unauthorized access or presence of individuals who have no right to access such premises

8.3.9. Arranging trainings for Company employees in various aspects of personal data processing

8.4. The Company undertakes, and obligates third parties if they are given the right to process personal data, to maintain confidentiality of personal data and not use personal data without a legal basis for its processing.

9. Cross-border data transfer

9.1. We are an international company. Therefore, for purposes stated in this Notice, we may transfer your personal data to countries other than where it was originally obtained. This is called cross-border data transfer. Before cross-border data transfer, the Company shall ensure that the country to which personal data are transferred will ensure adequate protection of your rights as a subject of personal data. In case of cross-border personal data transfer, we protect your data in compliance with the Notice.

9.2. Cross-border transfer of personal data on the territory of foreign states that do not provide adequate protection of your rights may be carried out in the following cases:

• We have your written consent for the cross-border transfer of your personal data.
• The transfer is provided for by international treaties of the Russian Federation.
• The transfer is provided for by federal laws if it is necessary in order to protect the constitutional foundations of the Russian Federation, ensure the country’s defense and state security, and ensure stable and secure functioning of the transport system, protect the interests of individuals, society, and the state in the transportation field from unlawful interference.
• To fulfill an agreement to which you are a party.
• To protect your life, health, and other vital interests of yours or the interests of others when it is impossible to obtain your written consent.

10. Limited effect of the Notice

10.1. You must also be reasonable and responsible when placing your personal data where it can be publicly available, including feedback and comments on the Services.

10.2. The Company shall not be responsible for any actions of third parties who gain access to your personal data as a result of your actions.

11. Inquiries of the subject of personal data

11.1. You have the right to send inquiries to the Company, including inquiries regarding the use of your personal data:

11.1.1. In writing to 8 Preobrazhenskaya Square, Moscow, 107061.

11.1.2. Electronically by emailing to privacy@ptsecurity.com.

11.2. Your inquiry must contain the following information:

11.2.1. Number of your ID

11.2.2. Date of ID issue, issuing authority

11.2.3. Information confirming your participation in dealings with the Company

11.2.4. Your signature

11.3. The Company undertakes to process your inquiry and respond within 30 (thirty) calendar days of inquiry receipt.

11.4. All correspondence received by the Company (both written and electronic inquiries) is considered restricted information and will not be disclosed without your written consent.

12. Notification of technical data processing

This website may use CAPTCHA services (hereinafter Services or Service). We use these Services to verify requests and block bots on our website, as well as to make the use of our website more convenient.

In order for the Services to work, we may instruct their owners to collect and process technical data about your device, its activity, and digital fingerprint (token, browser features, referrer, time zone, and more). This data is only collected when you use our website or its pages on which the Service widget is installed. The Services only use technical data and only for the purpose of operating the Service on our website, as well as for the legitimate interest of the Service owner to improve the Service.

The technical data collected by the Services does not allow us to identify you personally. We select Services carefully, and they must comply with all the requirements of the Russian Federation law on the collection, storage, and other processing of user data.

If you have any questions or concerns about the Services used on our website, please contact us using the contact information provided on the website. Services and links to their detailed descriptions may be later published on our website and/or are available on request.

13. Contact information and details of the Company: