PRIVACY AND PERSONAL DATA PROCESSING POLICY

when using 6ID services


1. GENERAL PROVISIONS
1.1.
This Privacy Policy and Personal Data Processing Policy (hereinafter referred to as the “Policy”) has been developed in accordance with the Constitution of the Russian Federation, Federal Law No. 152-FZ dated July 27, 2006 “On Personal Data” (hereinafter referred to as “152-FZ”), Federal Law No. 149-FZ dated July 27, 2006 “On Information, Information Technologies and Information Protection,” Law of the Russian Federation No. 2300-1 dated February 7, 1992 “On Consumer Protection,” as well as other regulatory legal acts of the Russian Federation in the field of personal data protection.
1.2.
This Policy applies to all information, including personal data as defined by applicable law (hereinafter referred to as “Personal Data”), that Atasora Limited Liability Company (Atasora LLC; State Registration Number (OGRN): 1245200032956, Taxpayer Identification Number (INN): 5260498203, registered address: 13a Bolshaya Pecherskaya St., Nizhny Novgorod, Nizhny Novgorod Region, 603000, Russian Federation) and/or its affiliated entities, including those belonging to the same group of persons (hereinafter referred to as “6ID,” “We,” or the “Operator”), may obtain about you in the course of your use of:
  • the website https://6id.ru and all of its subdomains (hereinafter referred to as the “Website”);
  • the “6ID” mobile application (hereinafter referred to as the “Application”);
  • any other products, services, software programs, and/or online platforms developed and/or administered by the Operator (hereinafter collectively referred to together with the Website and the Application as the “Services”).
1.3.
The Operator may also receive Personal Data from its partners (hereinafter referred to as the “Partners”), whose websites, software, products, or services you use (for example, advertisers, clinics, cosmetologists, and brands cooperating with the Operator), as well as from other sources, including publicly available sources (in accordance with Article 6 of 152-FZ).
The transfer of Personal Data from Partners to the Operator is possible only in cases established by applicable law and is carried out on the basis of agreements (instructions) between the Operator and the relevant Partner, obligating the Partner to ensure the lawful collection and transfer of data.
1.4.
The use of any of the Services may be governed by additional terms and conditions (terms of use, offers, license agreements), which may amend and/or supplement this Policy and/or establish special conditions regarding Personal Data, posted in the relevant sections of such Services.
In the event of any conflict between this Policy and the special terms of a specific Service, the special terms shall prevail.
1.5.
By using the Services, the User unconditionally accepts the terms of this Policy, including the personal data processing periods specified herein.
If the User disagrees with the terms of the Policy, the User must immediately cease using the Services.
1.6.
The current version of the Policy is publicly available on the Internet at: https://6id.ru/_privacy.
The Operator has the right to amend the Policy unilaterally. The new version shall enter into force upon its publication unless otherwise provided by the revised version itself.
The User undertakes to monitor changes independently.
The Policy shall be reviewed at least once a year, as well as in the event of changes to the legislation of the Russian Federation or by decision of the Company’s General Director.
1.7. The Operator
To ensure your use of the Services, your Personal Data is collected and used by the Operator — Atasora LLC.
Information about which specific affiliated entity (if involved) provides a particular Service or participates in data processing is communicated to the User in the terms of use of the relevant Service or in special agreements with such entity.
Unless otherwise specified in the terms of a particular Service, Atasora LLC is the primary operator responsible for compliance with the legislation of the Russian Federation.
2. PRINCIPLES AND CONDITIONS OF PERSONAL DATA PROCESSING
2.1.
Personal data processing within the Company is carried out in accordance with the following principles established by the legislation of the Russian Federation:
  • personal data processing is carried out lawfully and fairly;
  • personal data processing is limited to the achievement of specific, predetermined, and legitimate purposes;
  • personal data processing incompatible with the purposes of collecting personal data is prohibited;
  • combining databases containing personal data processed for purposes incompatible with each other is prohibited;
  • only personal data that meet the purposes of their processing shall be processed;
  • the content and volume of processed personal data shall correspond to the stated purposes of processing and shall not be excessive in relation to those purposes;
  • when processing personal data, their accuracy, sufficiency, and, where necessary, relevance to the purposes of processing shall be ensured. The Company shall take the necessary measures to delete or clarify incomplete and/or inaccurate data;
  • personal data shall be stored in a form allowing identification of the data subject for no longer than required by the purposes of processing unless a storage period is established by federal law or an agreement;
  • processed personal data shall be destroyed upon achieving the purposes of processing or if such purposes are no longer necessary unless otherwise provided by federal law.
2.2. Personal Data Localization
The collection, recording, systematization, accumulation, and storage of personal data of citizens of the Russian Federation shall be carried out exclusively using databases located within the territory of the Russian Federation (Article 18 of 152-FZ).
2.3. Confidentiality
The Operator undertakes not to disclose or distribute personal data to third parties without the data subject’s consent unless otherwise provided by federal law.
Access to personal data is granted only to authorized employees of the Operator who have undertaken confidentiality obligations and have acknowledged this Policy in writing.
2.4. Cross-Border Transfer
The Operator does not conduct cross-border transfers of personal data.
If it becomes necessary to use foreign services that ensure the technical functioning of the Service, the Operator undertakes to notify Roskomnadzor in advance and obtain the data subjects’ consent for such transfer in accordance with the procedure established by law.
The procedure for cross-border transfer is described in detail in Section 8 of this Policy.
2.5. Legal Grounds for Processing
Personal data are processed on the following grounds:
  • the consent of the personal data subject to the processing of their personal data;
  • the conclusion and performance of an agreement (User Agreement) to which the subject is a party;
  • the exercise of the Operator’s or third parties’ rights and legitimate interests;
  • the processing of personal data subject to publication or mandatory disclosure in accordance with federal law;
  • other grounds provided for by 152-FZ.
2.6. Processing Methods
Personal data may be processed both with and without the use of automation tools.
When processing personal data without the use of automation tools, the requirements established by Resolution of the Government of the Russian Federation No. 687 dated September 15, 2008, shall be observed.
2.7. Separate Types of Consent
For the processing of special categories of personal data (including biometric data), the Operator obtains separate, explicit consent from the User.
For the processing of cookies and statistical data, the Operator obtains consent in accordance with the procedure provided for in Section 6.
2.8. Transfer of Data to Third Parties
The Operator has the right to transfer the User’s personal data only to those third parties that ensure the technical functioning of the Service and that have undertaken confidentiality and security obligations in accordance with the requirements of 152-FZ.
The list of such parties and the purposes of the transfer are specified in Section 7.
The transfer of data to government authorities shall be carried out exclusively on the grounds and in accordance with the procedure established by the legislation of the Russian Federation.
3. PURPOSES, LEGAL GROUNDS, AND SCOPE OF PERSONAL DATA PROCESSED
Purpose of Processing: User registration and identification, creation and maintenance of an Account, including a Beauty Passport
Categories of data subjects: Registered Users
Personal data processed:
  • Full name (or pseudonym)
  • Username
  • Mobile phone number
  • Date of birth (if voluntarily provided)
  • Additional information about the User (if voluntarily provided)
Legal basis:
  • Consent to personal data processing
  • Agreement (User Agreement)
Processing and storage period:
Until the User deletes their Account.
Purpose of Processing: Performance of the agreement, provision of customer and technical support, sending notifications related to the use of the Service
Categories of data subjects: Registered and unregistered Users
Personal data processed:
  • Full name
  • Phone number
  • Email address
  • Correspondence with support services
  • Request and inquiry data
Legal basis:
  • Agreement
  • Legitimate interests of the Operator
Processing and storage period:
For the duration of the agreement and for 3 years thereafter (to protect interests in the event of disputes).
Purpose of Processing: Improving the quality of the Service, analytics and statistics, analysis of user activity, detection of errors and violations
Categories of data subjects: Website visitors, Application users
Personal data processed:
  • Anonymized activity data
  • Usage statistics
  • IP address
  • Device type
  • Cookies
  • Data from Yandex.Metrica and other analytics systems
Legal basis:
  • Legitimate interests of the Operator
  • Consent to data processing (for cookies)
Processing and storage period:
  • Cookies: up to 12 months or until consent is withdrawn
  • Anonymized analytics: indefinitely
Purpose of Processing: Providing the core functionality of the Digital Cosmetic Bag and the Beauty Passport
Categories of data subjects: Registered Users
Personal data processed:
  • Data on scanned products
  • Product ingredient information
  • Information about procedures
  • Visit records
  • Notes
Legal basis:
  • Consent to personal data processing
  • Agreement
Processing and storage period:
Until the Account is deleted.
Purpose of Processing: Processing special categories of personal data (photos, health data) for personalization of recommendations, compatibility analysis, and improvement of algorithms
Categories of data subjects: Users who have provided separate consent
Personal data processed:
  • Facial/skin photographs
  • Skin condition data (skin type, concerns, sensitivity)
  • Health data obtained, with the User’s consent, from Apple Health/Google Fit (activity, sleep, heart rate, etc.)
Legal basis:
  • Separate explicit consent for the processing of special categories of personal data (Article 10 of 152-FZ)
Processing and storage period:
Until withdrawal of the relevant separate consent or deletion of the Account.
Purpose of Processing: Informing Users about news, promotions, and events (subject to separate consent for marketing communications)
Categories of data subjects: Users subscribed to communications
Personal data processed:
  • Email address
  • Phone number
Legal basis:
  • Separate consent to receive marketing information
Processing and storage period:
Until consent to receive communications is withdrawn.
Purpose of Processing: Payment processing (when purchasing paid features/subscriptions)
Categories of data subjects: Users making purchases
Personal data processed:
Data required to process payments (processed by the distribution platform; the Operator does not store payment card data).
Legal basis:
  • Agreement
  • Legitimate interests of the Operator
Processing and storage period:
In accordance with the requirements of payment systems and applicable law.
Purpose of Processing: Interaction with partners (following partner links, participating in loyalty programs)
Categories of data subjects: Users following partner links
Personal data processed:
  • Anonymized click-through data
  • IP address
Legal basis:
User consent (expressed by clicking the relevant link).
Processing and storage period:
In accordance with partners’ policies.
Purpose of Processing: Ensuring security and preventing fraud
Categories of data subjects: All Users
Personal data processed:
  • Device data
  • IP address
  • Session data
  • Activity logs
Legal basis:
Legitimate interests of the Operator.
Processing and storage period:
For the period necessary to ensure security.
Purpose of Processing: Compliance with legal requirements (for example, tax accounting)
Categories of data subjects: Users who have made paid transactions
Personal data processed:
  • Full name
  • Taxpayer Identification Number (TIN), where necessary
  • Payment information
Legal basis:
Law (Tax Code, 152-FZ).
Processing and storage period:
For the periods established by applicable law.
4. CONDITIONS FOR PROCESSING SPECIAL CATEGORIES OF PERSONAL DATA
4.1.
The processing of special categories of personal data (photographs, health data) is permitted exclusively upon obtaining separate explicit consent from the User in accordance with Article 10 of 152-FZ.
4.2.
The User provides such consent by activating the relevant checkbox within the Service interface when uploading photographs, enabling synchronization with health applications, or completing questionnaires containing skin condition information.
The text of the separate consent is available at: http://6id.ru/_data-consent.
4.3.
The User has the right to withdraw consent to the processing of special categories of personal data at any time by sending a notification to: privacy@6id.ru.
Withdrawal of consent results in the termination of the processing of the relevant data and may make certain Service functions unavailable (personalized recommendations, photo analysis), but does not terminate the validity of the primary consent to personal data processing.
4.4.
Biometric personal data (facial photographs) are processed exclusively for the purposes specified in Section 3 and are not used to identify individuals in public spaces.
Photographs uploaded to the Beauty Passport may be accessible to the User and, at the User’s discretion, to specialists to whom the User grants access.
4.5.
The Operator takes the necessary measures to protect special categories of personal data against unauthorized access, destruction, modification, and dissemination.
4.6.
Important notice: The 6ID Service is not a medical organization and does not provide medical services.
Data relating to skin condition and health processed within the Service are used exclusively for analytical and informational purposes within the functionality of the Service and shall not be considered a medical opinion or diagnosis.
5. PROCESSING OF MINORS’ DATA
5.1.
The Service may be used by individuals who have reached the age of 14.
Individuals aged 14 to 18 are required to obtain the consent of their legal representatives to use the Service and to process their personal data.
5.2.
The Operator does not knowingly collect personal data from individuals under the age of 14 without parental consent.
If the Operator becomes aware of the processing of a minor’s data without the appropriate consent, the Operator shall take measures to delete such data.
5.3.
The User is responsible for the accuracy of the information provided regarding their age and for obtaining the consent of their legal representatives.
6. COOKIES AND ANALYTICAL SERVICES
6.1.
The Website and the Application use cookies and similar technologies to ensure the proper functioning of the Service, collect aggregated statistics, improve service quality, and personalize content.
6.2.
Cookies are divided into the following categories:
  • Technical (mandatory) — necessary for the functioning of the Service, ensuring security and access to core features. The processing of such cookies is carried out based on the legitimate interests of the Operator and does not require the User’s consent.
  • Analytical/statistical — collect anonymized information about User behavior on the Website, the number of visits, and traffic sources. They are used to improve the operation of the Service. Processing is carried out based on the User’s consent.
6.3.
Upon the User’s first visit to the Website, a banner requesting consent to the use of non-essential cookies is displayed.
The User may configure cookie settings or refuse their use (except for technically necessary cookies). Refusal to use cookies may result in limited Service functionality.
6.4.
The User may change cookie settings at any time in their browser or use the settings available within the Service interface (as implemented).
7. PROCEDURE AND CONDITIONS FOR TRANSFERRING PERSONAL DATA TO THIRD PARTIES
7.1.
The Operator has the right to transfer the User’s personal data to third parties only in the following cases:
  • The User has consented to such transfer;
  • The transfer is necessary for the User to use the functionality of the Service (for example, sending an SMS verification code through an authorization service);
  • The transfer occurs within the framework of services provided by the Operator’s contractors ensuring the technical functioning of the Service, provided that they have undertaken confidentiality and security obligations;
  • The transfer is required by Russian or other applicable legislation in accordance with established procedures.
7.2.
Third parties that may be entrusted with the processing of personal data (where necessary) include:
  • Authentication and database hosting services: Supabase (or another hosting provider, provided that data storage is ensured within the territory of the Russian Federation);
  • SMS authentication services: StreamTelecom (or another mobile network operator);
  • Analytics services: Yandex LLC (Yandex.Metrica) and other statistical data collection systems;
  • Application distribution platforms: App Store, Google Play, RuStore, and others — to the extent necessary for distributing the Application and processing payments;
  • Advertising and affiliate program partners — in anonymized form or to the extent necessary to enable link transitions.
7.3.
The Operator enters into data processing agreements with such parties containing requirements regarding confidentiality and ensuring the security of personal data during processing.
Such agreements specify:
  • the list of actions (operations) to be performed with personal data by the third party;
  • the list of personal data;
  • the purposes of processing;
  • the third party’s obligation to maintain confidentiality and ensure the security of personal data;
  • the third party’s obligation to notify the Operator of cases of unlawful processing.
7.4.
The Operator is responsible to the personal data subject for the actions of persons entrusted with the processing of personal data.
7.5.
The transfer of data to authorized state authorities (the Federal Security Service, the Ministry of Internal Affairs, Roskomnadzor, tax authorities, etc.) is carried out on the grounds and in accordance with the procedure established by the legislation of the Russian Federation.
8. CROSS-BORDER TRANSFER OF PERSONAL DATA
8.1.
As of the date of publication of this Policy, the Operator does not carry out cross-border transfers of personal data.
8.2.
Should a decision be made that cross-border transfer is necessary, the Operator undertakes to comply with the following requirements:
  • Obtain the explicit consent of the personal data subject for such transfer;
  • Ensure that the foreign state to whose territory the transfer is made provides adequate protection of the rights of personal data subjects (is included in the list approved by Roskomnadzor);
  • Submit a notification to Roskomnadzor regarding the intention to carry out a cross-border transfer before such transfer begins;
  • Obtain information from the foreign recipient regarding the measures taken to protect the transferred personal data.
8.3.
Cross-border transfer may be prohibited or restricted for the purpose of protecting the foundations of the constitutional order, morality, health, rights, and legitimate interests of citizens, ensuring national defense, and safeguarding state security.
9. PERIODS OF PROCESSING AND DESTRUCTION OF PERSONAL DATA
9.1.
The User’s personal data are processed throughout the entire period of use of the Service (while the Account exists) until the Account is deleted or the relevant consent is withdrawn.
9.2.
Personal data shall be stored in a form enabling the identification of the data subject for no longer than required by the purposes of processing, unless otherwise established by federal law or an agreement.
9.3.
Personal data shall be destroyed within the following timeframes:
  • upon achievement of the processing purposes or loss of the need to achieve them — within 30 days;
  • upon withdrawal by the data subject of consent to personal data processing (if further storage is no longer required for processing purposes) — within 30 days;
  • upon the data subject providing confirmation that the personal data were unlawfully obtained or are not necessary for the stated processing purpose — within 7 days;
  • upon detection of unlawful processing and inability to ensure its lawfulness — within 10 days;
  • upon the data subject’s request to cease processing personal data — within 10 days;
  • upon expiration of limitation periods for legal relationships within which the processing was carried out — upon expiration of the relevant periods.
9.4.
Upon expiration of storage periods or the occurrence of other lawful grounds, personal data shall be destroyed or anonymized unless otherwise provided by law.
9.5.
The Operator ensures the destruction of personal data in a manner that excludes the possibility of restoring the content of such personal data.
10. RIGHTS OF THE PERSONAL DATA SUBJECT
As a personal data subject, the User has the following rights:
10.1.
The right to obtain information regarding the processing of their personal data.
Such information shall be provided in an accessible form and shall not contain personal data relating to other data subjects.
10.2.
The right to rectify (update or amend) personal data if such data are incomplete, outdated, or inaccurate.
10.3.
The right to withdraw consent to the processing of personal data at any time.
10.4.
The right to block or destroy personal data if they were unlawfully obtained or are not necessary for the stated processing purpose.
10.5.
The right to appeal the actions (or inaction) of the Operator to the authorized body for the protection of personal data subjects’ rights (Roskomnadzor) or in court.
10.6.
The right to protect their rights and legitimate interests, including compensation for damages and/or moral harm through judicial proceedings.
10.7.
Other rights provided for by Federal Law No. 152-FZ.
11. OBLIGATIONS OF THE OPERATOR
The Operator shall:
11.1.
Provide the personal data subject, upon their request, with information concerning the processing of their personal data or provide a reasoned refusal on lawful grounds.
11.2.
Upon the data subject’s request, clarify, block, or delete the personal data being processed in cases provided for by applicable law.
11.3.
Maintain records of requests submitted by personal data subjects.
11.4.
Not disclose or distribute personal data without the data subject’s consent unless otherwise provided by law.
11.5.
If personal data are obtained from a source other than the data subject, provide the data subject with the relevant information prior to the commencement of processing.
11.6.
Explain to the data subject the legal consequences of refusing to provide personal data where the provision of such data is mandatory under the law.
11.7.
Cease processing and destroy personal data in cases provided for by Federal Law No. 152-FZ.
11.8.
Take the necessary legal, organizational, and technical measures to protect personal data.
11.9.
Notify Roskomnadzor in the event of unlawful or accidental transfer of personal data resulting in a violation of the rights of data subjects, in accordance with the procedure and within the timeframes established by law.
11.10.
Fulfill other obligations established by the legislation of the Russian Federation.

12. PROCEDURE FOR EXERCISING THE RIGHTS OF THE DATA SUBJECT
12.1.
To exercise the rights specified in Section 10, the User shall submit a request to the Operator in writing to the following postal address:
Atasora LLC
13a Bolshaya Pecherskaya St.
Nizhny Novgorod, Nizhny Novgorod Region, 603000
Russian Federation
or electronically via email at: support@6id.ru.
12.2.
The request must contain:
  • the surname, first name, and patronymic (if applicable) of the personal data subject;
  • information confirming the subject’s relationship with the Operator (Account number, telephone number, email address, or other identifiers);
  • the subject’s signature (for written requests) or other information allowing identification of the individual (for example, a scanned copy of a passport for identity verification);
  • the content of the request;
  • the preferred method for receiving a response (postal address or email address).
12.3.
If the request is submitted by the subject’s representative, it must include a document confirming the representative’s authority.
12.4.
The Operator shall review the request and provide a response within ten (10) business days from the date of receipt.
If additional verification is required, the period may be extended by no more than five (5) business days, with notification provided to the data subject.
12.5.
Refusal to provide information may be made only in cases provided for by law (for example, if the request contains inaccurate information, it is impossible to identify the data subject, the request concerns data relating to a third party, etc.).
12.6.
Consent to the processing of personal data may be withdrawn by sending a notification using the methods specified in Clause 12.1.
Upon receipt of such withdrawal, the Operator shall cease processing personal data and destroy them within a period not exceeding thirty (30) days, except where the Operator is entitled to continue processing without consent (for example, for the performance of an agreement or compliance with legal requirements).
13. MEASURES TO ENSURE THE SECURITY OF PERSONAL DATA
13.1.
The Operator takes the necessary legal, organizational, and technical measures to protect personal data against unauthorized or accidental access, destruction, modification, blocking, copying, provision, dissemination, and other unlawful actions.
13.2.
The Company has appointed persons responsible for organizing personal data processing and ensuring the security of personal data (by order of the General Director).
13.3.
To ensure the security of personal data, the Company implements the following measures:
  • systematic assessment of threats to personal data security during processing;
  • determination of the level of personal data protection in accordance with Resolution of the Government of the Russian Federation No. 1119 dated November 1, 2012;
  • differentiation of access to information systems and physical media;
  • registration and logging of user actions within information systems;
  • prevention of the introduction of malware;
  • use of secure communication channels for data transmission;
  • backup and restoration of technical means and databases;
  • control of physical access to premises where personal data are processed;
  • incident detection and response;
  • improvement of employees’ knowledge in the field of personal data processing and protection;
  • internal audits to verify compliance of personal data security measures with the requirements of this Policy and applicable legislation;
  • assessment of the effectiveness of implemented measures and continuous improvement of the protection system.
13.4.
Employees of the Company who are granted access to personal data undertake obligations to ensure the confidentiality and security of the personal data being processed.
Failure to comply with the requirements of this Policy shall result in liability in accordance with the legislation of the Russian Federation.
14. FINAL PROVISIONS
14.1.
This Policy is a publicly available document and shall be published on the Company’s official website.
14.2.
The Policy shall be reviewed at least once a year, as well as in the following cases:
  • amendments to the legislation of the Russian Federation concerning personal data processing;
  • receipt of instructions from authorized authorities;
  • a decision of the Company’s General Director;
  • changes to the purposes, principles, or conditions of personal data processing.
14.3.
If any provision of this Policy is declared invalid or unenforceable, the remaining provisions shall remain in full force and effect.
14.4.
Compliance with the requirements of this Policy shall be monitored by persons responsible for organizing personal data processing and ensuring the security of personal data.
14.5.
In all matters not covered by this Policy, the Operator and the User shall be governed by the legislation of the Russian Federation, including Federal Law No. 152-FZ.
14.6.
The current version of the Policy is permanently available at:
https://6id.ru/_privacy
15. CONTACT INFORMATION
Operator: Atasora Limited Liability Company
OGRN: 1245200032956
INN: 5260498203
Registered address: 13a Bolshaya Pecherskaya St., Nizhny Novgorod, Nizhny Novgorod Region, 603000, Russian Federation
Person responsible for organizing personal data processing:
Email: support@6id.ru
For user inquiries regarding personal data:
Email: support@6id.ru
Postal address: Atasora LLC
13a Bolshaya Pecherskaya St., Nizhny Novgorod, Nizhny Novgorod Region, 603000, Russian Federation (with the note: “Regarding Personal Data Matters”)
For technical support inquiries:
Email: support@6id.ru
