PERSONAL Data Processing POLICY

1. GENERAL PROVISIONS

1.1. This document sets out the policy (hereinafter referred to as the Policy) of PRADO LLC (hereinafter referred to as the Company) regarding the processing of personal data.

1.2. This Policy has been developed and approved in accordance with the requirements of Article 18.1 of Federal Law No. 152-FZ of 27.07.2006 On Personal Data, and applies to all personal data processed by the Company.

1.3. The purpose of this Policy is to ensure the protection of human and civil rights and freedoms when processing personal data, as well as to protect the interests of the Company.

1.4. This Policy defines the purposes, principles, and conditions for processing the personal data of employees and other individuals whose personal data is processed by the Company, and also sets out the measures implemented to ensure the security of personal data during processing.

2. BASIC TERMS AND DEFINITIONS

Automated processing of personal data means processing personal data using computer technology.

Biometric personal data means information that describes a person's physiological and biological characteristics, based on which it is possible to identify the individual, and which is used by the operator to verify the identity of the personal data subject.

Blocking of personal data means the temporary suspension of personal data processing (except where processing is required to clarify the data).

Personal data security means the state of protection of personal data, ensuring confidentiality, integrity, and availability when processed within personal data information systems.

A personal data information system is a set of personal data databases, information technologies, and technical means that enable the processing of such data with or without the use of automation tools.

Confidentiality of personal data means the mandatory requirement for the Company or any other person with access to personal data to prevent its disclosure without the consent of the personal data subject or other lawful grounds.

Processing of personal data means any action (operation) or set of actions (operations) carried out with or without automation tools, including collection, recording, systematisation, accumulation, storage, clarification (updating, modification), extraction, use, transfer (distribution, provision, access), depersonalisation, blocking, deletion, and destruction of personal data.

Publicly available personal data means data to which an unlimited number of persons have access with the consent of the personal data subject or which, under federal law, is not subject to confidentiality requirements.

Depersonalisation of personal data means an action that makes it impossible to identify the personal data subject without the use of additional information.

Operator means a state or municipal body, legal entity, or individual who independently or jointly with others organises and/or carries out the processing of personal data, and determines the purposes, scope, and means of processing.

Provision of personal data means an action intended to disclose personal data to a specific person or group of persons.

Personal data means any information relating directly or indirectly to an identified or identifiable natural person (the personal data subject). Special categories of personal data include data relating to race, nationality, political opinions, religious or philosophical beliefs, health status, and intimate life.

The Company's website means a collection of software and other information accessible via the Internet.

Cross-border transfer of personal data means the transfer of personal data to the territory of a foreign state, a foreign authority, or a foreign individual or legal entity.

Destruction of personal data means actions which make it impossible to restore the content of personal data in a personal data information system and/or which destroy the physical media containing personal data.

3. PURPOSES OF PERSONAL DATA PROCESSING

3.1. The Company processes personal data for the following purposes:

- concluding and executing contracts and agreements with personal data subjects;

- providing information about the Company, its product range, promotions, and events;

- communicating with personal data subjects;

- sending news updates to personal data subjects;

- ensuring the operation, security, and improvement of the Company's websites;

- and for other purposes not prohibited by federal law or international treaties of the Russian Federation.

4. CATEGORIES OF PERSONAL DATA AND SUBJECTS

4.1. Personal data includes any information relating directly or indirectly to an identified or identifiable individual processed by the Company for the purposes specified above.

4.2. The Company does not process special categories of personal data relating to race, nationality, political views, religious or philosophical beliefs, health status, intimate life, or criminal record, unless otherwise required by Russian law.

4.3. The Company processes personal data of the following categories of subjects:

- individuals who have expressed an intention to conclude contracts or agreements with the Company;

- individuals who have concluded contracts or agreements with the Company;

- individuals whose personal data has been made publicly available by them, provided processing does not violate their rights and complies with legal requirements;

- other individuals who have given consent for the Company to process their personal data, or whose data processing is necessary for the Company to perform its duties, functions, or powers under an international treaty or Russian law.

5. BASIC PRINCIPLES OF PERSONAL DATA PROCESSING

5.1. Personal data processing by the Company is based on the following principles:

- legality of the purposes and methods of processing;

- compliance of processing purposes with those specified at the time of data collection;

- relevance and sufficiency of the scope and methods of processing for the stated purposes;

- accuracy of personal data and prohibition of processing data that is excessive or irrelevant to the purposes declared at the time of collection;

- prohibition of processing personal data incompatible with the purposes of collection;

- prohibition of combining databases containing personal data processed for incompatible purposes;

- storage of personal data for no longer than required for the purposes of processing, unless otherwise specified by federal law or a contract to which the personal data subject is a party, beneficiary, or guarantor;

- destruction or depersonalisation of personal data once processing purposes have been achieved or when processing is no longer required, unless otherwise provided by law or contract;

- ensuring confidentiality and security of processed personal data.

6. CONDITIONS FOR PERSONAL DATA PROCESSING

6.1. Personal data is processed in accordance with Federal Law No. 152-FZ of 27 July 2006 On Personal Data.

6.2. The Company processes personal data both with and without the use of automation tools.

6.3. The Company may include personal data in publicly available sources only with the written consent of the subject.

6.4. The Company does not process biometric personal data.

6.5. The Company does not carry out cross-border transfers of personal data.

6.6. Decisions based solely on automated processing that result in legal consequences for the personal data subject or otherwise affect their rights and legitimate interests are not made.

6.7. Where written consent is not required by law, consent may be provided by the personal data subject or their representative in any form that confirms its receipt.

6.8. The Company may entrust personal data processing to another party with the consent of the subject, unless otherwise provided by federal law, based on an agreement with that party (the operator's instruction). The Company requires that any party processing personal data on its behalf complies with the principles and rules set out in Federal Law No. 152-FZ.

6.9. Access to personal data processed by the Company may be provided to state authorities (including regulatory, supervisory, law enforcement, and other bodies) as specified by Russian law.

7. RIGHTS AND OBLIGATIONS OF PERSONAL DATA SUBJECTS

7.1. A personal data subject has the right to:

- receive information about the processing of their personal data in the manner, form, and timeframe established by personal data legislation;

- request that their personal data be clarified, blocked, or deleted if it is incomplete, outdated, inaccurate, unlawfully obtained, or unnecessary for the stated purpose;

- take legal action to protect their rights;

- withdraw consent to the processing of their personal data.

7.2. A personal data subject is obliged to provide complete, accurate, and reliable information about their personal data.

8. RIGHTS AND OBLIGATIONS OF THE COMPANY

8.1. The Company has the right to:

- process the personal data of a subject in accordance with the stated purpose;

- require that the personal data subject provide accurate personal data necessary to conclude and perform contracts, provide services, identify the subject, or in other cases provided by law;

- restrict a subject's access to their personal data if required by anti-money laundering and counter-terrorism laws, or if access would violate the rights and legitimate interests of third parties, or in other cases provided by Russian law;

- process publicly available personal data;

- process personal data required by law to be published or disclosed;

- clarify, block, or delete personal data if it is incomplete, outdated, inaccurate, unlawfully obtained, or unnecessary for the stated purpose;

- entrust personal data processing to another party with the consent of the subject.

8.2. In accordance with Federal Law No. 152-FZ, the Company is obliged to:

- provide the subject, upon request, with information about the processing of their personal data, or lawfully refuse;

- clarify, block, or delete personal data at the subject's request if it is incomplete, outdated, inaccurate, unlawfully obtained, or unnecessary for the stated purpose;

- keep records of requests from personal data subjects;

- notify the subject about the processing of their data if it was obtained from other sources, except as provided by law;

- terminate processing and destroy personal data within thirty days of achieving the processing purpose, unless otherwise provided by contract or law;

- terminate processing and destroy personal data within thirty days of receiving a withdrawal of consent, unless otherwise provided by contract or law.

The Company undertakes, and requires any party with access to personal data, not to disclose it to third parties or disseminate it without the subject's consent, unless required by law.

9. MEASURES TO PROTECT PERSONAL DATA

9.1. When processing personal data, the Company implements the necessary legal, organisational, and technical measures to protect it from unlawful or accidental access, destruction, alteration, blocking, copying, provision, dissemination, and other unlawful actions.

9.2. Measures include:

Legal measures:

- Instructing all employees on current personal data legislation;

- Applying legal mechanisms to minimise harm to data subjects;

- Developing, adopting, and complying with internal regulations on personal data.

Organisational measures:

- Regular training for employees on preventing harm to data subjects;

- Hiring qualified personnel;

- Assigning responsibility for clarifying this Policy to those responsible for processing.

Technical measures:

- Preventing leaks of confidential information by allocating dedicated premises for processing and storage;

- Ensuring information security and uninterrupted operation of technical means;

- Providing physical protection of Company facilities;

- Ensuring the safety of employees while performing their duties and maintaining a healthy working environment;

- Promptly restoring personal data altered or destroyed by unauthorised access;

- Constant monitoring to maintain compliance with Government Decree No. 1119 of 1 November 2012 On Requirements for the Protection of Personal Data During Processing in Personal Data Information Systems.

10. COMPANY LIABILITY

10.1. Compliance with this Policy and applicable personal data processing requirements is monitored by persons appointed by orders of the Company's executive bodies.

10.2. The Company, its officials, and its employees are liable for non-compliance with the principles and conditions of personal data processing, and for the disclosure or unlawful use of personal data, as provided by Russian law.

11. FINAL PROVISIONS

11.1. This Policy is an internal document of the Company, is publicly available, and is published on the Company's website.

11.2. This Policy comes into force upon approval by the executive body.

11.3. This Policy is subject to revision following amendments to Russian personal data legislation, or based on an assessment of the relevance, adequacy, and effectiveness of the Company's data protection measures.

12. FEEDBACK

12.1. Contact details for personal data subjects to raise questions relating to personal data:

Postal address: 426008, Udmurt Republic, Izhevsk, Pushkinskaya St., 268, Office 2028