1. Purpose of the Policy

‍

1.1. This document defines the policy of Altus Capital LLC (hereinafterreferred to as the Company) regarding processing of personal data and ensuringtheir security and the terms of use of websites owned, used or administered bythe Company (hereinafter referred to as the Policy or the User Agreement).Personal Data (hereinafter - PD or Personal Data) means any information relatingto a directly or indirectly defined or identifiable individual (subject of PD).

‍

1.2. This Policy is developed in accordance with the requirements of theFederal Law of 27.07.2006 #152-FZ "On Personal Data" (hereinafter -Federal Law #152), as well as other regulations of the Russian Federation inthe field of Personal Data.
‍

1.3. The Companyshall process Personal Data in accordance with this Policy, other localregulations and laws of the Russian Federation.

‍

‍

‍

2. General Provisions

‍

2.1. One of the conditions of Company's activities realization is to ensure necessary and sufficient level of information security of Company's assets, which includes PD and processes, within which they are processed.

‍

2.2. Ensuring lawful processing of PD and security of processed PD is one of the Company's top priorities.

‍

2.3. The Policy defines the principles and conditions for collecting, processing, storing and protecting the Personal Data of website visitors, current and potential clients and consumers of products, as well as other subjects of Personal Data that may come into contact with the Company, and is designed to protect the human and citizen rights and freedoms when processing their Personal Data, including protection of the rights to privacy, personal and family secrets.

‍

2.4. This Policy shall be binding on all employees of the Company.

‍

2.5. Employees of the Company whose job duties involve access to Personal Data processed by the Company shall be familiarized with this Policy when hired and/or transferred to the relevant position/role, against their signature.

‍

‍

‍

3. Principles of Personal Data Processing  

‍

3.1.   The Company considers it of primary importance to ensure lawful and fair processing of Personal Data, respect for the confidentiality and security of Personal Data processing.

‍

3.2. Processing of Personal Data in the Company is based on the following principles: 



• Processing of Personal Data on a lawful and fair basis;
• Personal Data processing shall be limited to achieving particular, pre-determined and lawful purposes;
• correspondence of the contents and volume of processed PD to the declared objectives of their processing, absence of redundancy of processed PD in relation to the objectives of their processing;
• inadmissibility of combining databases containing PD, processed for purposes incompatible with each other; 
• ensuring the accuracy of PD, their sufficiency and, if necessary, relevance in relation to the PD processing objectives;  
• storing PD in a form, allowing PD subject identification, for not longer than it is required by the PD processing objectives, unless the PD storage term is prescribed by the Russian Federation legislation, an agreement, a party to which, a beneficiary or a guarantor under which a PD subject is a beneficiary.

‍

‍

‍

4. Composition of Personal Data Processed

‍

4.1. Personal Data may be processed in the Company solely for the purposes for which it was obtained. Subject of Personal Data may be informed about Processing of Personal Data in the Policy, in the text of his/her consent to Processing of Personal Data, or in any other way.

In particular, the Company may process the following Personal Data for the specified purposes:

• to ensure the normal and safe operation of the sites, as well as to analyze the use of the websites: technical device data of the website users (including user device identifiers, information on the use of sites), automatically collected by web analytics systems used on the sites and described in the Policy;
• for interaction with current and potential customers and users of services in the framework of contacting by inquiries, promotion of services, processing appeals regarding the quality of services: full name, contact mobile and office phone numbers, e-mail addresses, information about employment (including the name and address of the workplace, position) and other data that can be provided by filling feedback forms on websites, communication channels, providing business cards and by other means; 
• for registering for events organized by the Company, reminding about them and notifying about changes in the events for which the subject of PD is already registered: name, contact numbers of mobile and office phones, e-mail addresses, information about employment (including the name and address of the place of work, position);
• for finding and hiring candidates for employment: name, age, education, employment and work experience, skills and professional competencies, and other information that may be provided by candidates in resumes and communications with the Company, including by filling out forms on websites;
• fore stablishing contacts with potential counterparties, ensuring communications on conclusion of contracts, conclusion, amendment and termination of contracts with acting counterparties, due diligence checks of counterparties: last name, first name, middle name, place of work, position, information about the basis of authority (number and date of power of attorney).
   

The Company does not process information related to race, ethnicity, political views, religious or philosophical beliefs, intimate life, as well as biometric Personal Data. The Company prohibits making decisions based solely on the automated processing of Personal Data that produce legal consequences with respect to the subjects or otherwise affect their rights and legitimate interests. The Company does not distribute PDs and does not put them in publicly available sources without PD subjects' consent.

‍

‍

‍

5. Using cookies and other web analytics tools

Cookies are small files generated and stored by your browser when you visit the Company's websites. Cookies are stored on your device for a maximum of 6 months and allow us to track the quality and usage characteristics of websites and to optimize online marketing activities. 

Visiting and using the websites by default involves the generation and storage of cookies. However, the user may delete cookies from the device at any time through the settings of the browser used. The user can also refuse to accept cookies, but this does not guarantee that all functions of the websites will work (e.g. remembering the visitor's language preferences).

The following types of web analytics tools are used on the Company's websites:

• Technical and functional cookies
  These are files generated by the site engines and are used to ensure that the sites run smoothly and to remember user-selected settings (such as language controls and pop-up banners).
  ‍
• Marketing and analytical cookies
  Yandex.Metrika and Google Analytics services are used to collect and statistically analyze data related to the use of websites. The information obtained through the services does not allow us to identify users.

‍

‍

6. Basis for processing Personal Data in the Company

‍

6.1. Processing of Personal Data in the Company shall be carried out in the following cases:

‍

• Processing of Personal Data shall be carried out upon consent of the subject of Personal Datato process his/her Personal Data; 
• Personal Data is processed with consent to process PD, permitted by the subject for dissemination, subject to the terms and prohibitions for processing PD, permitted by the subject for dissemination, which may be established by the subjects of PD;  
• the processing is necessary to perform the functions and obligations imposed on the Company by the applicable laws; 
• the processing of Personal Data is necessary for execution of an agreement, where PD subject is a party or a beneficiary or guarantor, in particular, this User Agreement, as well as for executing an agreement at the initiative of a PD subject or an agreement, under which PD subject will be a beneficiary or guarantor; 
• Personal Data processing is necessary to protect PD subject's life, health or other vital interests, if PD subject's consent cannot be obtained; 
• Personal Data processing is necessary for exercise of rights and legitimate interests of the Company or third parties or for achievement of public objectives, provided it does not violate rights and freedoms of the subject of Personal Data 
• Personal Data subject to be published or disclosed in accordance with the Federal Law is processed. 

‍

‍

7. General procedure of Personal Data processing  

‍

7.1. Processing of Personal Data by the Company is carried out both with and without the use ofautomated means. The Company also processes Personal Data in mixed ways.

‍

7.2. Should the Company receive a subject's Personal Data from a third party, the Company shall notify the subject of Personal Data and advise them of the source of their Personal Data, their rights as regards the Personal Data being processed, the purposes and legal basis for processing such Personal Data, and their intended users, unless otherwise provided for by the law.

‍

7.3. The Company may entrust the processing of Personal Data to a third party, unless otherwise provided for by the laws of the Russian Federation. In this case:



• Processing by a third party of Personal Data provided to the Company by the subject of Personal Data (his/her legal representative) may be carried out only with the consent of the subject of Personal Data (his/her legal representative), if such consent is required in accordance with the requirements of FL #152;

• Personal Data can only be processed by a third party based on an agreement that specifies a list of actions (operations) that will be performed with Personal Data, and the processing objectives, as well as provisions to ensure the security of Personal Data, including requirements not to disclose or distribute Personal Data without the consent of the subject of Personal Data, unless otherwise provided for by the Russian Federation legislation, and requirements in accordance with Art. 19 of FL № 152.
  ‍

Such third parties may include, in particular, the Company's counterparties (in particular, those that provide support services for the information systems used), as well as public authorities in cases provided by law. Companies are also entitled to receive Personal Data from such third parties. 

Data collected by web analytics systems used may also be received and processed by third party providers of such systems (in particular, Yandex LLC, Google LLC),including those located in other countries. In this case, the processing of Personal Data is carried out within the framework of providing web sites to users for the performance of the User Agreement.

‍

7.4. The Company may transfer Personal Data across borders in cases stipulated by the laws of the Russian Federation, agreements with foreign companies and this User Agreement, including to the countries, which do not provide adequate protection of the rights of Personal Data subjects. At the same time, contracts with third parties shall include provisions to ensure adequate protection of the rights of Personal Data subjects (including provisions to ensure confidentiality and security of Personal Data).

‍

7.5. The Company shall process employees' Personal Data, posted on the Company's web-sites, based on employees' consent to process Personal Data, authorized for distribution solely for the purposes of establishing business contacts related to the Company's activities, and promoting the Company's services. Subsequent distribution of Personal Data of the Company's employees for other purposes is not allowed.

‍

7.6. The Company shall work to promptly identify and make changes to the processed Personal Data in order to ensure their accuracy, reliability and relevance, including with respect to the purposes of processing Personal Data.

‍

7.7. Changes to Personal Data shall be made by an authorized employee of the Company only on the basis of duly submitted original documents or certified copies thereof. If the subject of Personal Data provides/changes his/her Personal Data when subscribing to information and advertising communications on the Company's websites, the subject of Personal Data shall be directly responsible for the accuracy of the data.

‍

7.8.   In case of identifying inaccurate Personal Data by the subject of Personal Data and upon the application of the subject of Personal Data or his/her legal representative, or at their request or at the request of the authorized body for the protection of the rights of Personal Data subjects, the Company shall ensure their blocking from the moment of such application or receipt of the said request for the period of inspection, if blocking of Personal Data does not violate the rights and legitimate interests of the subject of Personal Data or third parties.

‍

7.9. If it is confirmed that the PD is inaccurate based on the information provided by the subject of PD or his/her representative, or by an authorized body for the protection of PD subjects' rights, or other necessary documents, the Company shall provide PD clarification within the period specified in FL#152 from the date of such information and unblock them.

‍

7.10. If the fact of inaccuracy of PD is not confirmed on the basis of information provided by the subject of PD or his/her representative or by an authorized body for the protection of the rights of PD subjects, or other necessary documents, the Company shall remove their blocking.

‍

7.11.  When collecting Personal Data, recording, systematization, accumulation, storage, clarification (updating, modification), and retrieval of Personal Data of PD subjects, including citizens of the Russian Federation, shall be performed using databases located in the Russian Federation.

‍

‍

‍

8. Ensuring security of Personal Data

‍

8.1. The Company has adopted a set of legal, organizational and technical measures to ensure the security of Personal Data aimed at preventing unauthorized or accidental access, destruction, modification, blocking, copying, distribution, as well as other unlawful actions with them, including by third parties, in accordance with the requirements of FL#152 and its bylaws.

‍

8.2. The Company's Personal Data security measures include, but are not limited to, the following:

• Recording the categories and list of Personal Data processed in the Company, the categories of subjects whose Personal Data are processed, the retention period and the procedure for destroying such Personal Data; 
• keeping records of PD machine-readable media and information systems of the Company, where PD are processed; 

• Determination of the necessary security level of PD processed in the Company's information systems;  
• Determination of PD security threats in the course of their processing in the Company's information systems;
• Determination and implementation, prior to the introduction of new PD processing processes and new PD information systems, of technical and organizational measures ensuring PD protection;
• Carrying out and documenting assessment of harm, which could be caused to PD subjects incase of violation of FL #152, correlation of this harm and measures taken by the Company;
• Establishing the rules for access to Personal Data processed in information systems, as well as registration and record-keeping of actions taken with Personal Data in information systems; 
• Application of information protection means which have passed the conformity assessment procedure in accordance with the established procedure;
• Detecting the facts of unauthorized access to PD and other incidents, taking measures to eliminate and mitigate the consequences;
• Restoring PD modified or destroyed as a result of unauthorized access to it;
• Registering the positions of the Company's employees whose access to PD processed both with and without the use of automation tools is necessary to perform their official(labor) duties; 
• Ensuring that the Company's employees, who directly process PD, are familiarized against their signature with the provisions of the Russian Federation PD legislation, including PD protection requirements, this Policy and other local acts of the Company regarding the processing and protection of PD; and training the Company's employees;  
• Monitoring and evaluating the efficiency of applied PD security measures prior to commissioning the PD information system;
• Regular internal control/audit of compliance of PD processing and security with the current legislation of the Russian Federation in the sphere of PD processing and security. 
  ‍

8.3. The Company has appointed persons responsible for organizing PDprocessing and ensuring PD security.

‍

‍

‍

9. Terms of Processing Personal Data

‍

9.1. Processing timeframes shall be determined in accordance with the requirements of the Russian Federation legislation, Company's internal regulations, terms of agreements, concluded with PD subjects, and terms of consent to PD processing.

9.2. Consents to process Personal Data provided by a subject of Personal Data when filling out forms on the Company's web-sites shall be valid for 3 years from the last time the subject of Personal Data used the relevant form. If consent to the processing of Personal Data is withdrawn in accordance with the procedure set out in Clause 10 of this Policy, it shall automatically expire.

‍

‍

‍

10. Rights of Personal Data Subjects

‍

10.1. The Company will help to execute legal rights of Personal Data subjects and respond to requests and applications from such subjects, including providing them with information related to processing their Personal Data, in accordance with the Russian Federal legislation.

10.2. Subject of PD shall be entitled to: 

• Obtain information regarding the processing of his/her PD based on the request and inaccordance with the procedure provided by FL#152; 
• Demand clarification of his/her Personal Data, their blocking or deletion in case Personal Data are incomplete, outdated, unreliable, illegally obtained or are not necessary for the stated processing purpose, as well as to take statutory steps to protect his/her rights;  
• Refuse to process Personal Data for direct contacts (including, for the purposes ofpromoting goods, works, services), if Personal Data of subjects are processed for such purposes; 
• Withdraw their consent to the processing of their PD; 
• Complain against wrongful acts and omissions in processing his PD to an authorizedagency for PD subjects' rights protection or to a court;  
• Defend his/her rights and legitimate interests, including for the compensation of losses and/or moral damage in a judicial proceeding; 
• Exercise other rights provided for by the laws of the Russian Federation.

10.3. Subjects of Personal Data may send all inquiries concerning the processing of their Personal Data:

• to e-mail: info@ufgwm.com from the e-mail address specified by the subject of PD when filling out forms on web-sites, or
• The Company's postal address: 127051, Moscow, Tsvetnoy Bulvar, 2, floor 3, room II, room 1 (in case of change of address, the information will be posted on the Company's website: www.ufgwm.com/ru/ufg, English version of the website - ufgwm.com).

‍

10.4. If there are subscriptions to receive information and advertising communications, in addition to the above methods, the subject of PD may request to unsubscribe from such communications by activating the automatic function "Unsubscribe" at the link present in the email containing the communication. In this case, the sending of communications to the e-mail address from which the function was activated will cease.

10.5. The Company shall respond to requests from Data Subjects within the time limits set forth in FL# 152. If circumstances arise which require additional information, in cases stipulated by FL#152, the Company has the right to extend the term of response to subject of PD by up to 5 working days subject to sending to subject of PD motivated notification of reasons for such extension.

10.6. Personal Data subject's representative (including a lawyer) shall be submitted to the PD subject in accordance with the procedure provided by the current legislation of the Russian Federation and to the extent prescribed by the order of the subject of the PD, provided one of the following duly executed documents is available:

• an original notarized power of attorney from the representative of the subject of PD;  

• PD subject's application written in the presence of the Company employee and certified by the Company employee who accepted the application (or notarized if the application was not prepared in the presence of the Company’s employee).
  ‍

10.7. If a person, who applied to the Company with a request to provide PD, is not authorized to receive information related to PD, the Company shall refuse to provide such information to the person with the relevant notice to that person of the refusal.

‍

‍

‍

11. Final Provisions

‍

11.1. This Policy shall be approved by order of the CEO of the Company and shall be posted on the Company's public web sites at: https://www.ufgwm.com/ru/politika-po-obrabotke-personalnyh-dannyh. This is the English translation of the approved Policy.

11.2. The responsibility for monitoring compliance with this Policy shall be vested in the person responsible for organizing the processing of Personal Data in the Company.

‍

11.3. The Policy shall be reviewed and updated if the laws of the Russian Federation regarding the processing and security of Personal Data change, as well as if the Company's Personal Data processing processes change, but at least once every three (3) years.

‍

11.4. Any amendments and/or additions to this Policy shall become effective on the date of publication of the new version of the document approved by the Company’s CEO.

11.5. Matters not regulated by this Policy shall be resolved in accordance with the laws of the Russian Federation.

‍

Version of the Policy dated October 4, 2022

‍

Previous versions of the Policy may be provided upon the request.