Personal Data Processing Policy

1. General Provisions

1.1. This Personal Data Processing Policy (hereinafter — the "Policy") has been developed in accordance with Federal Law No. 152-FZ of 27.07.2006 "On Personal Data" (hereinafter — "152-FZ", the "Law"), Order of Roskomnadzor No. 179 of 28.10.2022 "On Approval of the Requirements for Confirming the Destruction of Personal Data", Order of Roskomnadzor No. 180 of 28.10.2022 "On Approval of the Form and Procedure for Submitting a Notification on the Processing (or Intention to Process) of Personal Data" and other regulatory legal acts of the Russian Federation in the field of personal data.

1.2. The Policy defines the procedure for processing of personal data by the Limited Liability Company "FORTUNA TECHNOLOGIES" (hereinafter — the "Operator", the "Company"), operating under the commercial designations "Copydefend" and "Копидефенд", and the measures to ensure the security of the personal data being processed.

1.3. The Policy applies to the personal data of the following categories of Data Subjects:

registered users of the website https://copydefend.com — rights holders and their representatives;
persons who submitted enquiries via the feedback forms on the website;
persons in respect of whom the Operator (acting as a representative of the rights holder or as an assignee) conducts pre-trial or court work in connection with the protection of exclusive rights (persons who received a claim);
visitors of the website https://copydefend.com, including the foreign-language version;
employees of the Operator, job applicants, former employees of the Operator;
counterparties of the Operator, representatives of counterparties.

1.4. The current version of the Policy is published in open access at https://copydefend.com/privacy. The English version is published at https://copydefend.com/en/privacy. In case of any discrepancy between the Russian and the English versions, the Russian version prevails.

1.5. Use of the Copydefend website, submission of an application through the website forms or registration in a personal account means that the user has familiarised themselves with the terms of this Policy. Processing of personal data that, in accordance with the Law, requires a separate Consent of the Data Subject is carried out only after obtaining such Consent in the manner provided for by this Policy.

2. Information about the Operator

Full name	Limited Liability Company "FORTUNA TECHNOLOGIES" (Общество с ограниченной ответственностью "ФОРТУНА ТЕХНОЛОДЖИС")
Short name	LLC "FORTUNA TECHNOLOGIES" (ООО "ФОРТУНА ТЕХНОЛОДЖИС")
Commercial designations	Copydefend, Копидефенд
PSRN (OGRN)	1212300034154
TIN (INN)	2301104399
KPP	230101001
Legal and actual address	353440, Krasnodar Krai, municipal district of resort city Anapa, Anapa, Shevchenko Street, 3, premises 8 (353440, Краснодарский край, муниципальный округ город-курорт Анапа, г. Анапа, ул. Шевченко, д. 3, помещение 8)
Phone	+7 (800) 555-34-64
Email for enquiries from Data Subjects	info@copydefend.com
Email of the legal entity (as listed in the operators' register)	info@fortuna-technologies.com
Website	https://copydefend.com
Registration in the register of personal data operators	Registration number 23-22-020215; date of registration of notification — 2022-09-08; basis of inclusion — Order of Roskomnadzor No. 278 of 28.11.2022; basis of latest update — Order of Roskomnadzor No. 265 of 27.06.2025

Information on the inclusion of the Operator in the register of operators carrying out the processing of personal data is available on the personal data portal of Roskomnadzor (Federal Service for Supervision of Communications, Information Technology and Mass Media) at https://pd.rkn.gov.ru/operators-registry/operators-list/?id=23-22-020215.

3. Person Responsible for the Organisation of Personal Data Processing

In accordance with Article 22.1 of the Law, the Operator has appointed a person responsible for the organisation of personal data processing:

Full name	Knaub Kirill Alekseyevich (Кнауб Кирилл Алексеевич)
Position	General Director
Email	info@copydefend.com
Phone	+7 (800) 555-34-64
Postal address for written enquiries	353440, Krasnodar Krai, Anapa, Shevchenko Street, 3, premises 8

All requests of Data Subjects related to the exercise of their rights provided for by the Law shall be addressed to the responsible person using the contacts specified above.

4. Key Terms Used in the Policy

For the purposes of this Policy, the terms have the meanings defined by Article 3 of the Law:

Personal Data (PD) — any information relating directly or indirectly to an identified or identifiable natural person (Data Subject).
Operator — LLC "FORTUNA TECHNOLOGIES".
Data Subject — a natural person whose Personal Data is being processed.
Processing of Personal Data — any action (operation) or set of actions (operations) performed on Personal Data with or without the use of automation means, including collection, recording, systematisation, accumulation, storage, clarification (updating, modification), extraction, use, transfer (provision, access), depersonalisation, blocking, deletion, destruction of Personal Data.
Automated Processing of Personal Data — processing by means of computer equipment.
Dissemination of Personal Data — actions aimed at disclosing Personal Data to an indefinite range of persons.
Provision of Personal Data — actions aimed at disclosing Personal Data to a particular person or a particular range of persons.
Blocking of Personal Data — temporary cessation of Processing of Personal Data (except where processing is necessary to clarify the Personal Data).
Destruction of Personal Data — actions as a result of which it becomes impossible to restore the content of Personal Data in the personal data information system and/or as a result of which the material carriers of Personal Data are destroyed.
Depersonalisation of Personal Data — actions as a result of which it becomes impossible, without the use of additional information, to determine the belonging of Personal Data to a particular Data Subject.
Personal Data Information System (PDIS) — the totality of Personal Data contained in databases and the information technologies and technical means ensuring their processing.
Cross-Border Transfer of Personal Data — transfer of Personal Data to the territory of a foreign state, to a foreign state authority, a foreign natural person or a foreign legal entity.
Consent to the Processing of Personal Data — a free, specific, informed and conscious expression of the will of the Data Subject to the processing of their Personal Data.
Website — the Operator's website at https://copydefend.com and its subdomains.
User — any natural person visiting the Operator's Website.

5. Categories of Data Subjects

The Operator processes Personal Data of the following categories of Data Subjects:

5.1. Registered users — rights holders and their representatives who have created an account in the author's personal cabinet on the website via the "Connect to the service" form.

5.2. Applicants from feedback forms — persons who have submitted enquiries via the website forms: "Contact us", "Order search and fixation", "Full cycle with no investment", "Discuss pre-trial settlement", "Partnership application".

5.3. Persons in respect of whom work on the protection of exclusive rights is conducted (persons who received a claim) — natural persons or representatives of legal entities in respect of whom the Operator (acting as a representative of the rights holder or as an assignee) conducts pre-trial or court work. They obtain access to case materials through the "Online case information" page and interact within it via the pop-up forms "I have a licence" and "Submit an enquiry".

5.4. Third parties mentioned in case materials — authors of works, rights holders, representatives of the parties whose Personal Data is contained in the documents transferred to the Operator by applicants (contracts, powers of attorney, passport data, etc.).

5.5. Website visitors — persons who have not submitted applications and are not registered, but who interact with the website.

5.6. Partners — law firms — persons who have submitted a partnership application through the "Partnership application" form.

5.7. Employees of the Operator, job applicants, former employees of the Operator — for the purposes of HR and accounting records.

5.8. Counterparties, representatives of counterparties — for the purposes of preparation, conclusion and performance of civil-law contracts.

6. Purposes of Processing Personal Data on the Website

In this section, for each purpose of collection and processing of Personal Data on the Operator's website, the following are specified: categories of Data Subjects, list of Personal Data, legal basis, methods of processing, period of processing and Retention Period. The procedure for the destruction of Personal Data is established by Section 11 of this Policy.

6.1. Registration and servicing of the account in the author's personal cabinet (form "Connect to the service", /join)

Categories of Data Subjects	5.1 (registered users)
List of Personal Data	Full name; email address; phone number; TIN (INN) (for documents); links to portfolio; profile photo (when uploaded); payment details (upon conclusion of a contract). At the initial registration application via the "Connect to the service" form, additionally: type of author, links to own publications, links to detected infringements.
Legal basis	Clause 1 Part 1 Article 6 of 152-FZ — Consent of the Data Subject; Clause 5 Part 1 Article 6 of 152-FZ — conclusion and performance of a service contract (from the moment of conclusion of the cooperation contract).
Methods of processing	Mixed processing (with and without the use of automation means): collection via a web form, storage in a database, processing by the Operator's personnel, transfer to persons carrying out processing on behalf of the Operator (see Section 12 — Transfer of Personal Data to third parties).
Period of processing	During the validity of the account and 3 years after the completion of work on the last case.
Retention Period	Coincides with the period of processing. The Consent Register entry is retained for an additional 3 years after the cessation of processing in accordance with clause 9.4.

6.2. Handling of enquiries via the "Contact us" form (/contact)

Categories of Data Subjects	5.2 (applicants from feedback forms)
List of Personal Data	First and last name; phone number; email address; text of the enquiry (may contain additional Personal Data voluntarily provided by the applicant).
Legal basis	Part 1 Article 9 of 152-FZ — Consent of the Data Subject.
Methods of processing	Automated processing: collection via a web form, storage in a database, recording of the fact of Consent in the Consent Register (see Section 9 — Legal bases of processing. Consent Register), forwarding of the enquiry by email to info@copydefend.com, processing by personnel for the preparation of a response.
Period of processing	1 year from the moment of receipt of the enquiry.
Retention Period	Coincides with the period of processing. The Consent Register entry is retained for an additional 3 years after the cessation of processing in accordance with clause 9.4.

6.3. Handling of applications for the "Order search and fixation" service (/search/connect)

Categories of Data Subjects	5.2 (applicants from feedback forms); indirectly — 5.4 (third parties mentioned in case materials), if the applicant acts on behalf of a partner and provides information about the partner
List of Personal Data	Name; phone or messenger identifier; email address (at the applicant's option); name of the represented party; links to the rights holder's publications and to detected infringements (may contain Personal Data of third parties); role of the applicant (author / studio / lawyer).
Legal basis	Part 1 Article 9 of 152-FZ — Consent of the Data Subject; upon subsequent conclusion of a contract — Clause 5 Part 1 Article 6 of 152-FZ.
Methods of processing	Automated processing: collection via a web form, storage in a database, recording of the fact of Consent in the Consent Register (see Section 9 — Legal bases of processing. Consent Register), processing by personnel for the preparation of a commercial offer.
Period of processing	1 year from the moment of receipt of the application if no contract is concluded.
Retention Period	Coincides with the period of processing. The Consent Register entry is retained for an additional 3 years after the cessation of processing in accordance with clause 9.4.

6.4. Handling of applications for the "Full cycle with no investment" service (/full-cycle/connect)

Categories of Data Subjects	5.2 (applicants from feedback forms); indirectly — 5.4 (third parties mentioned in case materials)
List of Personal Data	Name; phone or messenger identifier; email address (at the applicant's option); name of the represented party; links to portfolio and to detected infringements; text of the enquiry (may contain additional Personal Data voluntarily provided by the applicant); attached documents (within the limits set on the website). Attached documents may contain additional Personal Data: passport data, contracts with third parties, powers of attorney.
Legal basis	Part 1 Article 9 of 152-FZ — Consent of the Data Subject; upon conclusion of an assignment of claim contract — Clause 5 Part 1 Article 6 of 152-FZ; for Personal Data of third parties contained in the transferred documents — Clause 5 Part 1 Article 6 of 152-FZ (performance of a contract to which the Data Subject is a party); Clause 7 Part 1 Article 6 of 152-FZ (protection of rights and legitimate interests of the Operator or third parties).
Methods of processing	Automated and mixed processing: collection via a web form, temporary storage of attached files (no more than 30 days with automatic deletion), forwarding by email, processing by personnel, upon conclusion of an assignment contract — transfer to operational handling.
Period of processing	1 year from the moment of receipt of the application if no contract is concluded. Upon conclusion of a contract — until closure of the last case under the assignment contract (full performance of obligations under the agreement or court act, including receipt of compensation in full) and 5 years after the closure of the case (document retention period for tax accounting in accordance with Article 23 of the Tax Code of the Russian Federation).
Retention Period	Coincides with the period of processing. The Consent Register entry is retained for an additional 3 years after the cessation of processing in accordance with clause 9.4.

6.5. Handling of applications for the "Discuss pre-trial settlement" service (/mediation/contact)

Categories of Data Subjects	5.2 (applicants from feedback forms); with high probability — 5.4 (third parties mentioned in case materials), since the applicant describes a dispute and may provide Personal Data of the other party
List of Personal Data	First name; last name; email address; phone number; role in the dispute (author / claim recipient / other); text of the enquiry (may contain additional Personal Data voluntarily provided by the applicant); attached documents (within the limits set on the website). Attached documents may contain additional Personal Data: passport data, contracts with third parties, powers of attorney.
Legal basis	Part 1 Article 9 of 152-FZ — Consent of the Data Subject; upon conclusion of a contract — Clause 5 Part 1 Article 6 of 152-FZ; for Personal Data of third parties contained in the description and documents — Clause 7 Part 1 Article 6 of 152-FZ (protection of rights and legitimate interests of the Operator or third parties).
Methods of processing	Automated and mixed processing: collection via a web form, temporary storage of attached files (no more than 30 days with automatic deletion), forwarding by email, processing by personnel, upon conclusion of a contract — transfer to operational handling.
Period of processing	1 year from the moment of receipt of the application if no contract is concluded. Upon conclusion of a contract — until closure of the last case (full performance of obligations under the agreement or court act, including receipt of compensation in full) and 5 years after the closure of the case (document retention period for tax accounting in accordance with Article 23 of the Tax Code of the Russian Federation).
Retention Period	Coincides with the period of processing. The Consent Register entry is retained for an additional 3 years after the cessation of processing in accordance with clause 9.4.

6.6. Handling of the "Partnership application" submission (/sudebnoe-predstavitelstvo/contact)

Categories of Data Subjects	5.6 (partners — law firms)
List of Personal Data	First name; last name; email address; phone number; information on experience in intellectual property; description of motivation; attached documents (within the limits set on the website — may contain information on diplomas, extracts).
Legal basis	Part 1 Article 9 of 152-FZ — Consent of the Data Subject; upon conclusion of a partnership contract — Clause 5 Part 1 Article 6 of 152-FZ.
Methods of processing	Automated and mixed processing: collection via a web form, temporary storage of attached files (no more than 30 days with automatic deletion), forwarding by email, processing by personnel for the evaluation of the partnership application.
Period of processing	1 year from the moment of receipt of the application if no partnership contract is concluded. Upon conclusion of a partnership contract — during the validity of the contract and 5 years after its termination.
Retention Period	Coincides with the period of processing. The Consent Register entry is retained for an additional 3 years after the cessation of processing in accordance with clause 9.4.

6.7. Granting the person who received a claim access to case materials and interaction within the case (page "Online case information", /case)

Categories of Data Subjects	5.3 (persons in respect of whom work on the protection of exclusive rights is conducted — persons who received a claim); 5.4 (third parties mentioned in case materials)
List of Personal Data	Upon authorisation: TIN (INN) (10 or 12 digits) — for identification; case identifier; IP address and User-Agent — recorded automatically. When using the "Submit an enquiry" form: email address; contact phone; text of the enquiry, including Personal Data of third parties voluntarily provided by the Data Subject. When using the "I have a licence" form: user identifier in a photo bank or other service; email address; contact phone; attached documents confirming the licence (may contain Personal Data of the Data Subject and/or third parties).
Legal basis	Part 1 Article 9 of 152-FZ — Consent of the Data Subject, expressed by a single tick in the authorisation form on the /case page (covering processing of Personal Data upon authorisation, when submitting an enquiry via the "Submit an enquiry" pop-up, and when submitting information via the "I have a licence" pop-up); Clause 7 Part 1 Article 6 of 152-FZ — protection of the rights and legitimate interests of the rights holder; Clause 3.1 Part 1 Article 6 of 152-FZ — execution of a court act or an act of another authority or official (for persons whose cases have entered enforcement proceedings).
Methods of processing	Automated and mixed processing: collection via a web form; comparison of the entered TIN (INN) with data previously available in the Operator's database; issue of temporary session access; recording of the fact of visits (IP address, User-Agent) for the purposes of proving the fact of receipt of pre-trial demands; receipt and handling of enquiries from the Data Subject via pop-up forms; temporary storage of attached files (no more than 30 days with automatic deletion).
Period of processing	During the case review. The TIN (INN), enquiry data and related documents — until the closure of the case (full performance of obligations under the agreement or court act, including receipt of compensation in full) and 3 years after closure of the case (limitation period under the Civil Code of the Russian Federation). Attached documents ("I have a licence") — no more than 30 days from the moment of receipt, deleted automatically.
Retention Period	Coincides with the period of processing. The recording of visits (IP address, User-Agent) — 1 year from the moment of the visit. The Consent Register entry is retained for an additional 3 years after the cessation of processing in accordance with clause 9.4.

6.8. Informational and service notifications for registered users

Categories of Data Subjects	5.1 (registered users)
List of Personal Data	Email address; name; account identifier.
Legal basis	Clause 1 Part 1 Article 6 of 152-FZ — Consent expressed upon registration; Clause 5 Part 1 Article 6 of 152-FZ — performance of the service contract.
Methods of processing	Automated mailing via the SMTP service smtp.yandex.ru (Yandex 360 for Business).
Period of processing	Until deletion of the account or withdrawal of Consent.
Retention Period	Coincides with the period of processing. The Consent Register entry is retained for an additional 3 years after the cessation of processing in accordance with clause 9.4.

7. Information on the Processing of Personal Data in Accordance with the Purposes Stated in the Register of Personal Data Operators

The Operator is included in the register of operators carrying out the processing of personal data, maintained by Roskomnadzor, under registration number 23-22-020215 (date of registration of notification — 2022-09-08). The information given in this section corresponds to the information declared by the Operator in the current notification on the processing of personal data and is publicly available in accordance with Part 4 of Article 22 of the Law.

According to the notification, the Operator processes Personal Data for the following purposes:

7.1. Purpose No. 1 — Maintenance of HR and accounting records

Categories of Data Subjects	Employees; job applicants; dismissed employees
Categories of Personal Data	Full name; year of birth; month of birth; date of birth; place of birth; marital status; social status; income; sex; email address; address of place of residence; address of registration; phone number; SNILS (insurance individual account number); TIN (INN); citizenship; identity document data; data of a document identifying the person outside the Russian Federation; bank card details; settlement account number; personal account number; profession; position; information on labour activity (including work experience, data on current employment with the name and settlement account of the organisation); attitude to military service, military registration information; education information
Legal basis	Processing of Personal Data is carried out with the Consent of the Data Subject (Clause 1 Part 1 Article 6 of 152-FZ); Processing of Personal Data is necessary for the performance of a contract to which the Data Subject is a party or a beneficiary or guarantor, and for the conclusion of a contract on the initiative of the Data Subject (Clause 5 Part 1 Article 6 of 152-FZ)
List of actions	Collection, systematisation, storage, clarification (updating, modification), use, transfer (provision, access), deletion, destruction
Method of processing	Mixed, with transfer over the internal network of the legal entity, with transfer over the Internet

7.2. Purpose No. 2 — Preparation, conclusion and performance of a civil-law contract

Categories of Data Subjects	Counterparties; clients; website visitors
Categories of Personal Data	Full name; date of birth; place of birth; sex; email address; address of registration; phone number; TIN (INN); citizenship; identity document data; data of a document identifying the person outside the Russian Federation; bank card details; settlement account number; personal account number; profession
Legal basis	Processing of Personal Data is carried out with the Consent of the Data Subject (Clause 1 Part 1 Article 6 of 152-FZ); Processing of Personal Data is necessary for the performance of a contract to which the Data Subject is a party or a beneficiary or guarantor, and for the conclusion of a contract on the initiative of the Data Subject (Clause 5 Part 1 Article 6 of 152-FZ)
List of actions	Collection, systematisation, storage, clarification (updating, modification), use, transfer (provision, access), deletion, destruction
Method of processing	Mixed, with transfer over the internal network of the legal entity, with transfer over the Internet

7.3. Purpose No. 3 — Promotion of goods, works, services on the market

Categories of Data Subjects	Clients; website visitors
Categories of Personal Data	Full name; email address; phone number; TIN (INN); profession
Legal basis	Processing of Personal Data is carried out with the Consent of the Data Subject (Clause 1 Part 1 Article 6 of 152-FZ)
List of actions	Collection, systematisation, storage, use, deletion, destruction
Method of processing	Automated, with transfer over the internal network of the legal entity, with transfer over the Internet

7.4. Purpose No. 4 — Protection of property rights transferred to the Operator under an assignment of claim (cession) contract, including the fixation of infringement, conduct of correspondence and pre-trial settlement

Categories of Data Subjects	Other categories of Data Subjects whose Personal Data is being processed; individual entrepreneurs who have infringed copyrights, whose Personal Data is processed in the framework of protection of property rights transferred under an assignment contract
Categories of Personal Data	Full name; sex; email address; address of registration; phone number; TIN (INN); citizenship
Legal basis	Processing of Personal Data is necessary for the exercise of the rights and legitimate interests of the Operator or third parties or for the achievement of socially significant goals, provided that the rights and freedoms of the Data Subject are not violated (Clause 7 Part 1 Article 6 of 152-FZ)
List of actions	Collection, systematisation, storage, clarification (updating, modification), use, transfer (provision, access), deletion, destruction
Method of processing	Mixed, with transfer over the internal network of the legal entity, with transfer over the Internet

7.5. Purpose No. 5 — Execution of a court act

Categories of Data Subjects	Other categories of Data Subjects whose Personal Data is being processed; individual entrepreneurs whose Personal Data is processed in the framework of execution of court acts related to the infringement of exclusive rights
Categories of Personal Data	Full name; date of birth; sex; email address; address of place of residence; address of registration; phone number; TIN (INN); citizenship
Legal basis	Processing of Personal Data is necessary for the exercise of the rights and legitimate interests of the Operator or third parties or for the achievement of socially significant goals, provided that the rights and freedoms of the Data Subject are not violated (Clause 7 Part 1 Article 6 of 152-FZ)
List of actions	Collection, systematisation, storage, clarification (updating, modification), use, transfer (provision, access), deletion, destruction
Method of processing	Mixed, with transfer over the internal network of the legal entity, with transfer over the Internet

7.6. Mapping of the purposes stated in the operators' register to the purposes of Personal Data processing on the Website

The purposes declared by the Operator in the notification on the processing of Personal Data cover the purposes of Personal Data processing on the Operator's website described in Section 6 as follows:

Purpose (Section 6)	Purpose in the operators' register (Section 7)
6.1. Registration and servicing of the account in the author's personal cabinet (form "Connect to the service")	7.2 (Purpose No. 2 — civil-law contract)
6.2. "Contact us" form	7.2 (Purpose No. 2 — at the pre-contractual negotiations stage)
6.3. "Order search and fixation" form	7.2 (Purpose No. 2 — at the pre-contractual negotiations stage)
6.4. "Full cycle with no investment" form	7.2 (Purpose No. 2 — pre-contractual negotiations); after conclusion of the assignment contract — 7.4 (Purpose No. 4)
6.5. "Discuss pre-trial settlement" form	7.2 (Purpose No. 2) and 7.4 (Purpose No. 4) — depending on the stage
6.6. "Partnership application" form	7.2 (Purpose No. 2)
6.7. "Online case information" page and pop-up forms within it ("I have a licence", "Submit an enquiry")	7.4 (Purpose No. 4) and 7.5 (Purpose No. 5)
6.8. Service notifications for registered users	7.2 (Purpose No. 2)

The processing of Personal Data of employees of the Operator, job applicants and former employees is carried out within the framework of Purpose No. 1 (Section 7.1) and is not described in this Policy in the part concerning purposes of processing on the Website, since the collection of Personal Data of employees through public forms of the Website is not carried out.

8. Methods of Processing Personal Data

8.1. The Operator processes Personal Data using the following methods:

With the use of automation means — collection via web forms and software interfaces, storage in databases (Yandex Managed MongoDB), storage of files in object storage (Yandex Object Storage), transmission via the SMTP service (Yandex 360), internal integrations with the Operator's CRM system.
Without the use of automation means — handling of enquiries and applications by the Operator's employees, maintenance of case materials in the Operator's office, preparation of procedural documents on paper carriers.

8.2. For most categories of Personal Data, the Operator applies mixed processing.

8.3. The Operator does not carry out targeted processing of special categories of Personal Data (Article 10 of the Law) and biometric Personal Data (Article 11 of the Law). In the event of incidental receipt of such data as part of documents transferred by Data Subjects through the website forms, processing does not go beyond the purposes specified in Section 6 of the Policy.

9. Legal Bases of Processing Personal Data. Consent Register

9.1. The Operator processes Personal Data on the following legal bases:

Clause 1 Part 1 Article 6 of the Law — Consent of the Data Subject;
Clause 2 Part 1 Article 6 of the Law — processing is necessary to achieve the purposes provided for by an international treaty of the Russian Federation or by law;
Clause 3 Part 1 Article 6 of the Law — processing is carried out in connection with the participation of the person in constitutional, civil, administrative, criminal proceedings, or proceedings in commercial (arbitrazh) courts;
Clause 3.1 Part 1 Article 6 of the Law — processing is necessary for the execution of a court act, an act of another authority or official subject to execution in accordance with the legislation of the Russian Federation on enforcement proceedings;
Clause 5 Part 1 Article 6 of the Law — processing is necessary for the conclusion and performance of a contract to which the Data Subject is a party;
Clause 7 Part 1 Article 6 of the Law — processing is necessary for the exercise of the rights and legitimate interests of the Operator or third parties or for the achievement of socially significant goals, provided that the rights and freedoms of the Data Subject are not violated;
Part 1 Article 9 of the Law — Consent expressed by ticking a box in an electronic form on the Website in cases where such Consent is required.

9.2. The specific legal basis for each purpose of processing is specified in Sections 6 and 7 of this Policy.

9.3. Consent Register. The fact of receipt by the Operator of Consent from the Data Subject to the Processing of Personal Data is recorded in a dedicated register (an electronic collection in the Operator's database), containing:

identifier of the form or other point of collection through which Consent was obtained;
identifiers of the Data Subject (email address, phone number, TIN (INN) — depending on the set of form fields);
date and time of ticking the form;
IP address and user device identifier (User-Agent);
version of this Policy in force at the moment of obtaining Consent;
the text of the Consent shown to the Data Subject at the moment of ticking;
the fact and date of withdrawal of Consent (if any).

9.4. The Consent Register is retained by the Operator throughout the period of Processing of Personal Data of the relevant Data Subject and for 3 years after the cessation of processing. The said period is set by analogy with the retention period for the act on destruction of Personal Data established by Order of Roskomnadzor No. 179 of 28.10.2022.

9.5. The Consent Register serves as evidence of receipt of the Consent of the Data Subject to the Processing of Personal Data in case of requests from the Data Subject, from the authorised body for the protection of the rights of Data Subjects (Roskomnadzor) or from other authorised bodies.

10. Periods of Processing and Retention of Personal Data

10.1. The specific periods of processing and Retention Periods for each purpose of processing are specified in Sections 6 and 7 of this Policy.

10.2. General principles for determining the periods:

Personal Data is processed no longer than required by the purposes of processing (Part 7 Article 5 of the Law);
upon achievement of the purposes of processing, Personal Data is destroyed in accordance with Section 11 of this Policy;
the Consent Register is retained for 3 years after the cessation of Processing of Personal Data of the relevant Data Subject;
financial and accounting documents — at least 5 years from the end of the tax period (Article 23 of the Tax Code of the Russian Federation);
documents on cases in which the Operator acts as a party or representative — for the limitation period established by the Civil Code of the Russian Federation.

11. Procedure and Conditions for the Destruction of Personal Data

11.1. Personal Data shall be destroyed in the following cases:

achievement of the purpose of Processing of Personal Data;
expiration of the term of the Consent of the Data Subject to the Processing of Personal Data or its withdrawal, where processing is carried out solely on the basis of Consent and no other legal basis for the continuation of processing exists;
loss of the need to achieve the purposes of processing;
upon request of the Data Subject or of the authorised body for the protection of the rights of Data Subjects in case of detection of unlawful processing.

11.2. Time limits for destruction:

upon achievement of the purposes of Processing of Personal Data or loss of the need to achieve them — within a period not exceeding 30 days from the date of achievement of the purpose or loss of the need (Part 7 Article 5 of the Law);
in case of withdrawal of Consent to the Processing of Personal Data, where no other legal basis for processing exists — within a period not exceeding 30 days from the date of receipt of the withdrawal (Part 5 Article 21 of the Law);
in case of detection of unlawful Processing of Personal Data — within a period not exceeding 10 working days from the date of detection (Part 3 Article 21 of the Law);
in case of confirmation of the fact of inaccuracy of Personal Data — processing is blocked during the verification period, after which the Personal Data is clarified or destroyed within a period not exceeding 7 working days (Part 1 Article 21 of the Law).

11.3. Methods of destruction:

electronic Personal Data in databases — programmatic deletion of records with subsequent purging from backup copies under the rotation cycle (see clause 11.5);
files in object storage and in temporary directories — programmatic deletion using the appropriate software functions;
documents on paper carriers — shredding using a shredder.

11.4. Documenting the fact of destruction. In accordance with Order of Roskomnadzor No. 179 of 28.10.2022 "On Approval of the Requirements for Confirming the Destruction of Personal Data", the fact of destruction of Personal Data is confirmed by:

an act on destruction of Personal Data — for all cases of processing;
an extract from the event registration log of the personal data information system — additionally for cases of automated processing.

The act on destruction of Personal Data drawn up by the Operator contains:

(a) the name of the Operator and its address;
(b) the name (or full name) and address of the person carrying out the Processing of Personal Data on behalf of the Operator (if such processing was entrusted to such a person);
(c) the full name (if any) of the Data Subject or Subjects, or other information relating to a particular natural person whose Personal Data was destroyed;
(d) the full name (if any), position of the persons who destroyed the Personal Data of the Data Subject, and their signatures;
(e) the list of categories of destroyed Personal Data of the Data Subject or Subjects;
(f) the name of the destroyed material carrier of Personal Data (where Personal Data was destroyed on a material carrier);
(g) the method of destruction of Personal Data;
(h) the reason for destruction of Personal Data;
(i) the date of destruction of Personal Data of the Data Subject or Subjects.

11.5. Backup copies. When Personal Data is deleted from the Operator's primary databases, the corresponding records in backup copies are destroyed within the standard backup rotation cycle, not exceeding 35 days. Until the end of the rotation cycle, the deleted Personal Data may remain in backup copies; however, it is not used by the Operator for processing.

11.6. Storage of supporting documents. The act on destruction of Personal Data and the extract from the event registration log are retained by the Operator for 3 years from the moment of destruction of Personal Data (clause 8 of Order of Roskomnadzor No. 179 of 28.10.2022).

11.7. The organisation of destruction of Personal Data and the drafting of the acts are entrusted to the person responsible for the organisation of Personal Data processing (Section 3 of this Policy).

12. Transfer of Personal Data to Third Parties

12.1. The Operator transfers Personal Data to the following third parties on the basis of agreements for the entrustment of Processing of Personal Data or statutory obligations. The Operator proceeds from the assumption that the said parties ensure the processing and storage of Personal Data on the territory of the Russian Federation in accordance with the applicable legislation and the terms of the provided services.

Third party	Role	Categories of transferred PD	Location	Legal basis
LLC "Yandex" (Yandex Cloud — Compute, Object Storage, Managed MongoDB)	Person carrying out processing on behalf of the Operator: hosting of the web application, storage of databases and files	All Personal Data processed in the Operator's system	Russian Federation (ru-central1 zones)	Agreement for the entrustment of Processing of Personal Data (on the terms of the Yandex Cloud offer accepted by the Operator)
LLC "Yandex" (Yandex 360 for Business, SMTP service smtp.yandex.ru)	Person carrying out processing on behalf of the Operator: sending transactional and service emails	Email addresses, names, content of notifications	Russian Federation	Agreement for the entrustment of Processing of Personal Data (on the terms of the Yandex 360 offer accepted by the Operator)
LLC "Yandex" (Yandex Metrica, counter No. 89091226)	Person carrying out processing on behalf of the Operator: website attendance statistics	Cookies (_ym_*, yandexuid); Metrica ClientID; IP address; URLs of visited pages; device and browser data (User-Agent); behavioural data (clicks, transitions)	Russian Federation	User's Consent via cookie banner; Yandex Metrica User Agreement
LLC "Yandex" (Yandex SmartCaptcha)	Person carrying out processing on behalf of the Operator: protection of forms from automated requests	IP address; captcha token	Russian Federation	Terms of use of Yandex SmartCaptcha

12.2. The list of third parties given in clause 12.1 corresponds to the actual state of Processing of Personal Data in the Operator's system as at the date of entry into force of this version of the Policy. In case of changes to the composition of third parties, the Operator updates this Policy.

12.3. In other cases, the transfer of Personal Data to third parties is carried out solely with the Consent of the Data Subject or on the basis of statutory obligations of the Operator provided for by federal law.

13. Localisation of Personal Data on the Territory of the Russian Federation

13.1. In accordance with Part 5 of Article 18 of the Law, the Operator ensures recording, systematisation, accumulation, storage, clarification (updating, modification) and extraction of Personal Data of citizens of the Russian Federation using databases located on the territory of the Russian Federation.

13.2. The Operator's databases and file storage containing Personal Data of citizens of the Russian Federation are located in the ru-central1 zone of the Yandex Cloud cloud infrastructure, located on the territory of the Russian Federation.

13.3. Backup copies of databases and files are also located on the territory of the Russian Federation.

14. Cross-Border Transfer of Personal Data

14.1. Cross-Border Transfer of Personal Data of citizens of the Russian Federation by the Operator is not carried out.

14.2. If it becomes necessary to carry out Cross-Border Transfer of Personal Data, the Operator undertakes to comply with the requirements of Article 12 of the Law, including:

to notify the authorised body for the protection of the rights of Data Subjects (Roskomnadzor) of the intention to carry out Cross-Border Transfer;
to obtain separate written Consent of the Data Subject to the Cross-Border Transfer — for transfers to states that do not provide adequate protection of the rights of Data Subjects.

Prior to obtaining such Consent and/or sending the notification to Roskomnadzor, Cross-Border Transfer is not carried out.

15. Cookies and Analytics Services

15.1. The Operator's website uses cookies and similar data storage technologies for the purposes of:

ensuring the correct operation of the website;
preserving user preferences;
ensuring security and prevention of automated requests;
analysis of attendance and improvement of the website.

15.2. Analytics cookies (Yandex Metrica) are set and used by the Operator only after obtaining the user's Consent through the cookie banner on the website. Prior to obtaining Consent, the Yandex Metrica counter is not initialised.

15.3. List of data collected by Yandex Metrica:

visitor's IP address;
ClientID (unique browser identifier in Metrica);
User-Agent;
URLs of visited pages;
referrer;
user actions on the page (clicks, transitions, goal achievement);
device parameters (type, screen resolution, operating system).

15.4. The user may withdraw Consent to the use of analytics cookies at any time in the following ways:

through the cookie banner settings on the website;
by clearing cookies in the browser;
by installing browser extensions that block trackers.

15.5. A detailed description of the data processing by Yandex Metrica is available in the Yandex Metrica User Agreement at https://yandex.ru/legal/metrica_termsofuse/.

16. Measures to Ensure the Security of Personal Data

16.1. The Operator takes legal, organisational and technical measures to ensure the security of Personal Data in accordance with Articles 18.1, 19 of the Law, Decree of the Government of the Russian Federation No. 1119 of 01.11.2012 "On Approval of the Requirements for the Protection of Personal Data during Processing in Personal Data Information Systems" and Order of FSTEC of Russia No. 21 of 18.02.2013.

16.2. Organisational measures:

appointment of a person responsible for the organisation of Personal Data processing (Section 3 of this Policy);
approval and application of this Policy and other local regulatory acts of the Operator on the processing and protection of Personal Data;
familiarisation of the Operator's employees who directly process Personal Data with the provisions of the legislation of the Russian Federation on Personal Data, the local regulatory acts of the Operator, and training of such employees;
differentiation of employee access rights to Personal Data in accordance with their job duties;
maintenance of the Consent Register (Section 9 of this Policy);
maintenance of a log of enquiries from Data Subjects;
assessment of harm that may be caused to Data Subjects in the event of a breach of the Law;
internal control of compliance of Personal Data processing with established requirements.

16.3. Technical measures:

use of the secure HTTPS (TLS) protocol for all connections to the website;
protection against automated attacks (CSRF tokens, request rate limiting, Yandex SmartCaptcha);
storage of user passwords in the form of cryptographically strong hashes;
encryption of connections to database management systems and object storage;
regular updates of software and elimination of identified vulnerabilities;
encrypted backups of data;
network segmentation, use of firewalls;
monitoring of attempts of unauthorised access to Personal Data;
identification of threats to the security of Personal Data during their processing in personal data information systems;
application of information protection means that have undergone the procedure of conformity assessment in the established manner.

17. Rights of Data Subjects

In accordance with Articles 14, 15, 17, 18, 20, 21 of the Law, the Data Subject has the right to:

17.1. Obtain information on the processing of their Personal Data, including:

confirmation of the fact of Processing of Personal Data by the Operator;
legal bases and purposes of processing;
methods of processing applied;
name and location of the Operator, information on persons (except for employees of the Operator) who have access to Personal Data or to whom Personal Data may be disclosed;
processed Personal Data relating to the Data Subject, the source of its receipt;
periods of Processing of Personal Data, including Retention Periods;
the procedure for the exercise by the Data Subject of their rights;
information on the cross-border transfer of Personal Data carried out or intended;
name or full name and address of the person carrying out Processing of Personal Data on behalf of the Operator.

17.2. Demand clarification, blocking or destruction of Personal Data where it is incomplete, outdated, inaccurate, unlawfully obtained or not necessary for the declared purpose of processing.

17.3. Withdraw Consent to the Processing of Personal Data in the manner provided for by Section 19 of this Policy.

17.4. Object to processing of Personal Data for the purposes of promotion of goods, works, services on the market.

17.5. Appeal against the actions or inactions of the Operator to Roskomnadzor or in court.

17.6. Exercise other rights provided for by the legislation of the Russian Federation.

18. Procedure for the Exercise of the Rights of the Data Subject

18.1. Requests from Data Subjects shall be addressed to the person responsible for the organisation of Personal Data processing using the contacts specified in Section 3 of this Policy.

18.2. In accordance with Part 3 of Article 14 of the Law, the request of the Data Subject must contain:

the number of the principal identity document of the Data Subject or their representative, information on the date of issue of such document and the issuing authority;
information confirming the participation of the Data Subject in relations with the Operator (contract number, date of conclusion of the contract, conditional verbal designation and/or other information), or information otherwise confirming the fact of Processing of Personal Data by the Operator;
signature of the Data Subject or their representative.

The request may be sent in the form of an electronic document signed by an electronic signature in accordance with the legislation of the Russian Federation.

18.3. The deadline for the Operator's response is no later than 10 working days from the date of receipt of the request of the Data Subject. The said period may be extended by the Operator by no more than 5 working days with notification to the Data Subject of such extension and the reasons for it (Part 1 Article 20 of the Law).

18.4. In case of a request received from the authorised body for the protection of the rights of Data Subjects (Roskomnadzor), the Operator provides a response within a period not exceeding 10 working days from the date of receipt of the request. The period may be extended by no more than 5 working days with notification to Roskomnadzor (Part 4 Article 20 of the Law).

19. Withdrawal of Consent to the Processing of Personal Data

19.1. The Data Subject is entitled to withdraw Consent to the Processing of Personal Data at any time in the following ways:

by email — by sending a message marked "Withdrawal of Consent to the Processing of Personal Data" to info@copydefend.com;
by post — by sending an application to the address: 353440, Krasnodar Krai, Anapa, Shevchenko Street, 3, premises 8, LLC "FORTUNA TECHNOLOGIES", to the person responsible for the organisation of Personal Data processing.

19.2. Upon receipt of the withdrawal of Consent, the Operator:

ceases the Processing of Personal Data that was carried out solely on the basis of the withdrawn Consent;
destroys the Personal Data in accordance with Section 11 of this Policy within a period not exceeding 30 days from the date of receipt of the withdrawal (Part 5 Article 21 of the Law), provided that no other legal basis for further Processing of Personal Data exists.

19.3. Cases of continued processing after withdrawal of Consent. In accordance with Part 2 Article 9 of the Law, the Operator is entitled to continue Processing of Personal Data without the Consent of the Data Subject where grounds provided for by Clauses 2–11 Part 1 Article 6, Part 2 Article 10, Part 2 Article 11 of the Law exist, in particular:

for performance of the Operator's obligations arising from a contract with the Data Subject — until the obligations are performed in full;
for compliance with the requirements of the legislation of the Russian Federation (including tax, accounting and archive legislation) — within the periods established by legislation;
for the exercise and protection of the rights and legitimate interests of the Operator or third parties — for the limitation period established by the Civil Code of the Russian Federation.

In such cases, the Operator notifies the Data Subject of the reasons for the continued processing and the periods after which the Personal Data will be destroyed.

20. Minor Data Subjects

20.1. The Operator does not carry out targeted collection of Personal Data of minor persons.

20.2. Use of the Operator's services, including registration in the author's personal cabinet, presupposes that the user has attained the age of majority in accordance with the legislation of the Russian Federation or has the Consent of a legal representative.

20.3. If it becomes known to the Operator that the Personal Data of a minor person is being processed in its personal data information systems without the Consent of their parent or other legal representative, the Operator destroys such Personal Data in accordance with Section 11 of this Policy.

20.4. A parent or other legal representative of a minor person is entitled to send the Operator a request for clarification, blocking or destruction of the Personal Data of the minor using the contacts specified in Section 3.

21. Changes to the Policy

21.1. The Operator is entitled to make changes to this Policy. The new version of the Policy enters into force from the moment of its publication at https://copydefend.com/privacy, unless otherwise provided by the new version. The English version is published at https://copydefend.com/en/privacy.

21.2. The Operator is entitled to notify registered users of material changes to the Policy by email, through the website interface or by other available means.

22. Contacts for Enquiries

Email for enquiries from Data Subjects	info@copydefend.com
Postal address for written enquiries	353440, Krasnodar Krai, Anapa, Shevchenko Street, 3, premises 8, LLC "FORTUNA TECHNOLOGIES", to the person responsible for the organisation of Personal Data processing
Phone	+7 (800) 555-34-64
Website	https://copydefend.com

For the single Consent text applicable to all forms of the Copydefend website, see /en/consent.