Privacy policy

1. General Provisions

1.1. This Privacy Policy of MСС Dopoluchkino LLC (hereinafter referred to as the «Policy») has been developed in order to ensure the processing of Personal Data (hereinafter referred to as «PD») by Microcredit Company Dopoluchkino Limited Liability Company (Primary State Registration Number 1155260008078, legal address: office 410, house 1, Karbolitovskaya street, Kemerovo, 650000; hereinafter referred to as the «Company») with consideration to the legitimate rights and interests of PD Subjects in accordance with the requirements of the legislation when processing and protecting PD.

1.2. The Policy contains a description of the following aspects:

1.2.1. purposes and legal grounds for PD Processing;

1.2.2. categories and methods of PD Processing;

1.2.3. principles of PD Processing;

1.2.4. procedure and conditions for PD Processing;

1.2.5. information about the processing of user data;

1.2.6. rights and obligations of PD Subjects and the Company;

1.2.7. measures aimed at ensuring the security of PD Processing.

1.3. This Policy is a public document, which is posted on the public resources of the Company and enters into effect from the moment it is posted in the public domain.

1.4. Reviewing of the Policy is carried out in case of any changes in the legislation of the Russian Federation regarding PD, based on the results of an analysis of the relevance, sufficiency and effectiveness of the measures used to ensure information security as well as on the results of other control measures, but no less than once a year.

1.5. Responsibility for the relevance of the Policy and the implementation of the provisions set forth in the Policy shall be incumbent upon the person responsible for organizing the PD Processing, appointed on the basis of the order of the Company.

1.6. Responsibility for the general implementation of PD security measures shall be incumbent upon the person responsible for ensuring the security of PD in Information Systems, appointed on the basis of the order of the Company.

1.7. Responsibility for compliance with security measures by the Company’s employees when processing Personal Data shall also be incumbent upon the heads of the relevant structural units.

1.8. Persons guilty of violating the norms governing the receipt, processing, storage and security of PD processed by the Company shall bear responsibility under the legislation of the Russian Federation.

2. Purposes and Legal Grounds for PD Processing

2.1. The Company processes PD for the following purposes:

2.1.1. provision of consumer credit (loan);

2.1.2. carrying out activities preceding the conclusion of a loan agreement;

2.1.3. provision of microfinance services to individuals;

2.1.4. fulfillment of agreement commitments;

2.1.5. making settlements with customers;

2.1.6. implementation of labor relations with the Company’s employees;

2.1.7. documenting information in order to counter the legalization (laundering) of proceeds of crime and the financing of terrorism;

2.1.8. handling complaints, applications, claims;

2.1.9. ensuring the repayment of overdue debts;

2.1.10 fulfillment of its obligations and works pursuant to concluded civil law contracts;

2.1.11. provision of information at the request of the relevant services and public authorities in cases provided for by the current legislation;

2.1.12. accounting records maintenance;

2.1.13. enforcement of court orders, acts of other public authorities or officials;

2.1.14. carrying out administrative and economic activities;

2.1.15. improving the quality of the Service and its content;

2.1.16. providing information of a notification or marketing nature, including information about new financial products, services, ongoing promotions and events.

2.2. Legal grounds for PD Processing are the following:

2.2.1. the Constitution of the Russian Federation;

2.2.2. the Civil Code of the Russian Federation;

2.2.3. the Tax Code of the Russian Federation;

2.2.4. the Labor Code of the Russian Federation;

2.2.5. Federal Law of July 02, 2010 No. 151-FZ «On Microfinance Activities and Microfinance Organizations»;

2.2.6. Federal Law of July 27, 2006 No. 152-FZ «On Personal Data»;

2.2.7. Federal Law of August 07, 2001 No. 115-FZ «On Countering the Legalization of Illegal Earnings (Money Laundering) and the Financing of Terrorism»;

2.2.8. Federal Law of August 12, 1995 No. 144-FZ «On Operational-search Activities»;

2.2.9. Federal Law of February 08, 1998 No. 14-FZ «On Limited Liability Companies»;

2.2.10 Federal Law of December 21, 2013 No. 353-FZ «On Consumer Credit (Loan)»;

2.2.11. Federal Law of December 30, 2004 No. 218-FZ «On Credit Histories»;

2.2.12. Federal Law of July 3, 2016 No. 230-FZ «On the Protection of the Rights and Legal Interests of Natural Persons in the Course of Activities to Repay Overdue Debts and on Amending the Federal Law on Microfinance and Microfinance Organizations»;

2.2.13. Federal Law of October 26, 2002 No. 127-FZ «On Insolvency (Bankruptcy)»;

2.2.14. Federal Law of December 06, 2011 No. 402-FZ «On Accounting»;

2.2.15. Federal Law of 27 July 2010 No. 224-FZ «On Combating Insider Information Misuse and Market Manipulation and on Amendments to Certain Legislative Acts of the Russian Federation»;

2.2.16. the Charter of MСС Dopoluchkino LLC;

2.2.17. other laws and regulations.

3. Categories and Methods of PD Processing

3.1. The Company processes PD of the following categories of PD Subjects:

3.1.1. individuals (borrowers, investors) (subjects) who are in contractual and other civil law relationship with the Company;

3.1.2. employees (subjects) who are in labor relationship with the Company;

3.1.3. unknown third parties from whom a criminal threat emanates or may emanate;

3.1.4. individuals who have applied to the Company with an application;

3.1.5. counterparties (representatives of legal entities);

3.1.6. applicants for vacant positions.

3.2. The categories of PD processed by the Company are determined with consideration to the purposes of PD Processing specified in Clause 3.1 of the Policy. The Company does not process PD that do not comply with the principle of sufficiency to achieve the purposes of processing and are excessive in relation to the purposes of processing.

3.3. The Company does not process:

3.3.1. special categories of PD;

3.3.2. Biometric PD of all categories of PD Subjects specified in Clause 3.1 of the Policy, except for the Company’s employees and representatives of legal entities (counterparties).

3.4. The Company does not provide cross-border transfer of PD.

3.5. The Company processes PD using the following methods:

3.5.1. automated processing with transfer through the Company’s internal network;

3.5.2. automated processing with transfer over the Internet network;

3.5.3. processing without the use of automation tools.

4. Principles of PD Processing

4.1. The PD Processing is carried out by the Company on the basis of the following principles:

4.1.1. legality of the purposes and methods of PD Processing;

4.1.2. integrity of the Company as a PD Processor, which is achieved by complying with the requirements of the legislation of the Russian Federation regarding the PD Processing;

4.1.3. achievement of specific predefined purposes of PD Processing;

4.1.4. compliance of the purposes of PD Processing with the purposes predefined and declared during the collection of PD;

4.1.5. compliance of the composition and volume of the processed PD as well as the methods of PD Processing with the declared purposes of PD Processing;

4.1.6. reliability of PD, its sufficiency for the purposes of PD Processing, impermissibility of PD Processing that is excessive to the purposes of PD Processing;

4.1.7. when processing PD, ensuring the accuracy of PD, its sufficiency, and, if necessary, relevance to the purposes of PD Processing. The Company shall take all necessary measures and ensure the adoption of such measures in order to delete or clarify incomplete or inaccurate data;

4.1.8. impermissibility of combining databases that contain PD, the processing of which is carried out for the purposes incompatible with each other;

4.1.9. storage of PD in a form that allows to identify the PD Subject no longer than it is required by the purpose of PD Processing.

4.2. The employees of the Company who are admitted to the PD Processing shall be obliged to:

4.2.1. be aware of and strictly comply with the provisions of:

4.2.1.1. the legislation of the Russian Federation regarding PD;

4.2.1.2. this Policy;

4.2.1.3. local regulations of the Company concerning the PD Processing.

4.2.2. process Personal Data solely and exclusively within the scope of their official duties;

4.2.3. report the actions of other persons that may result in violating the provisions of the Policy;

4.2.4. not to disclose PD processed by the Company;

4.2.5. report known facts of violation of the provisions of the Policy to the person responsible for organizing the PD Processing in the Company.

4.3. The security of PD in the Company is ensured by the implementation of agreed measures aimed at preventing (neutralizing) and eliminating threats to the security of PD, minimizing possible damage, as well as measures to restore data and the performance of PD Information Systems in case of threat materializing.

5. Procedure and Conditions for PD Processing

5.1. Before starting PD Processing, the Company has notified the relevant government body authorized for the protection of the PD Subjects’ rights of its intention to process PD. The Company shall update the information specified in such notification in good faith and within the appropriate timeframe.

5.2. PD Processing is carried out with the consent of the PD Subject, except for cases provided by the legislation of the Russian Federation.

5.3. The Company ensures the reception and processing of applications and requests from PD Subjects or their representatives, and/or monitors the receipt and processing of such applications and requests.

5.4. Consent to the PD Processing can be withdrawn by submitting to the Company a relevant written application by the PD Subject or its representative by power of attorney that provides an opportunity to specify that this document has been signed by the PD Subject or its representative by duly certified power of attorney.

5.4.1. In the event that such application is satisfied, the Company shall either terminate the PD Processing or ensure the termination of such PD Processing (in case the PD Processing is carried out by another person acting on behalf of the Company) and, in case the storage of PD is no longer required for the purposes of the PD Processing, shall destroy PD or ensure its destruction (in case the PD Processing is carried out by another person acting on behalf of the Company) within a period not exceeding thirty (30) days from the date of receipt of the said withdrawal, unless otherwise provided by the agreement to which the PD Subject is a party, beneficiary, or guarantor, or any other agreement between the Company and the PD Subject, or in case the Company is not entitled to process PD without the consent of the PD Subject on the grounds provided for by the Federal Law «On Personal Data» or other federal laws.

5.4.2. In the event that it is impossible to destroy the PD after the expiration of the period specified in Parts 3-5 of Article 21 of the Federal Law «On Personal Data», the Company shall block such PD or ensure their blocking (in case the PD is processed by another person acting on behalf of the Company) and shall ensure the destruction of PD within a period of not more than six (6) months after the expiration of the period specified by the legislation of the Russian Federation.

5.5. PD shall neither be disclosed to third parties, nor otherwise distributed without the PD Subject’s consent, unless otherwise provided by the legislation of the Russian Federation.

5.6. Representatives of public authorities (including regulatory, supervisory, law enforcement and other authorities) get access to PD processed in the Company in the volume and manner specified by the legislation of the Russian Federation.

5.7. In order to confirm the accuracy of the information specified by the PD Subject while filling out a loan application as well as to obtain the information necessary to make a decision on issuing a loan to the PD Subject, the Company has the right to send requests to credit history bureaus solely and exclusively with the mandatory consent of the PD Subject. The Company has the right to independently choose a specific credit history bureau to send relevant requests.

5.8. The storage period for responses to applications (requests) is three (3) years from the date of expiration of the period established for preparing a response.

5.9. The Company processes its employees’ PD during the term of the employment agreement. The Company processes the dismissed employees’ PD within the period specified by Clause 5, Part 3, Article 24, Part One of the Tax Code of the Russian Federation of July 31, 1998 No. 146 FZ, by Part 1, Article 29 of the Federal Law of December 06, 2011 No. 402-FZ «On Accounting» and other laws and regulations.

5.10. In case of refusal to hire, the information provided by applicants for vacant positions is destroyed within thirty (30) days after the Company has made the relevant decision.

5.11. Pursuant to Part 10 of Article 6 of Federal Law No. 218-FZ of December 30, 2004 «On Credit Histories», the consent of the credit history subject to receive credit reports on credit history of this subject, given to the Company, is considered valid for six (6) months from the date of its execution. In the event that the loan agreement has been concluded during the specified period, the specified consent of the credit history subject remains valid for the entire term of the loan agreement.

5.12. Pursuant to Part 12 of Article 6 of the Federal Law of December 30, 2004 No. 218-FZ «On Credit Histories», the Company shall be obliged to store a copy of the credit history subject’s consent to receive a credit history for five (5) years after the expiration of the loan agreement; in the event that the loan agreement has not been concluded, the consent to receive a credit history shall be stored for three (3) years from the date of expiration of such consent; the storage of the credit histories subjects’ consents should be organized in such a form, including electronic, that provides an opportunity to check their integrity and reliability.

5.13. Pursuant to Federal Law No. 115-FZ of August 07, 2001 «On Countering the Legalization of Illegal Earnings (Money Laundering) and the Financing of Terrorism», the Subject’s PD obtained as a result of identification shall be stored for at least five (5) years from the date of termination of relationship with the PD Subject.

6. Processing of User Data

6.1. The Company processes user data of the Website visitors and users of the Mobile Application for the following purposes:
— to prevent fraud and increase security;
— to manage accounts and identify users;
— to implement functions of the Mobile Application;
— to personalize the services;
— to analyze the quality of the services;
— to improve the quality, content, and promotion of the services;
— to conduct retargeting.

6.2. The Company processes the following user data:
— approximate location;
— user name;
— email address;
— approximate location;
— user identifiers;
— phone number;
— actions performed in the Application;
— Internet search history;
— Application error reporting;
— Application diagnostic information;
— device identifiers or other identifiers;
— information about the user’s device (including name and version of the operating system, cookies, IP address, information about the browser used (browser type and version) and language, date and time of access to the website, Internet addresses of web pages visited by the user, subject of information posted on the Internet resources of the Company visited by the user, number of web pages viewed, length of time spent on the website, list of accounts attached to the device, user’s User Agent, source of advertising traffic, session identifier, time of authorization / registration, token, time of each token check in relation to systems, version of the mobile application, date / time of using the service).

6.3. The Company processes (including the collection, recording, systematization, accumulation, storage, use, transfer (provision, access), deletion, destruction) user data.

6.4. The processing of user data is carried out using the following third-party analytical services: Google Tag Manager, Google Analytics, Firebase Analytics, Yandex.Metrika, Appsflyer, UserX, Vk.com, Mail.ru, Amplitude, Mytarget, Microsoft Clarity, Juicy Score.

6.5. The list of user data collected and transmitted to Juicy Score includes: — user name; — email address (login of the email service — a set of characters in the email address preceding the @ symbol); — approximate location; — user identifiers; — phone number (first 6 digits of phone number following the country code); — device identifiers or other identifiers; — actions performed in the Application; — information about the user’s device.

6.6. User data is collected and processed solely and exclusively with the consent of the User of the Website / Mobile Application in a secure manner, including using modern encryption methods.

6.7. The Company does not sell user data, i.e., it does not transfer user data to third parties with the purpose of obtaining financial income.

6.8. The User can at any time limit the collection of user data in the browser settings concerning the use of cookies.

6.9. The User has the right to contact the Company to delete a personal account by sending a corresponding request for deletion by email support@dopoluchkino.ru via the feedback form (https://dopoluchkino.ru/feedback) or by phone (Customer Support Service: 8-800-600-00-05). The rules for deleting a personal account can be found on the Company’s website at https://dopoluchkino.ru/documents/account

6.10. User data is anonymized and does not contain any personal or other data related to the identity of the user in any way whatsoever. All screen fields of the transmitted screenshots that may contain personal data as well as financial and other user data shall be hidden.

6.11. The Company shall take all necessary organizational and technical measures in order to secure personal and confidential user data from unauthorized or accidental access, destruction, modification, blocking, copying, distribution, as well as from other illegal actions of third parties. Ensuring the security of user data is achieved by applying the organizational and technical measures specified in Section 8 of the Policy.

7. Rights and Obligations of Personal Data Subjects and the Company

7.1. Rights and Obligations of the PD Subject

7.1.1. The PD subject, in case its right is not restricted pursuant to the federal laws, has the right at any time to receive information regarding the Processing of its PD, including information containing:

7.1.1.1. confirmation of the fact of the PD Processing by the Company;

7.1.1.2. legal grounds and purposes of the PD Processing;

7.1.1.3. purposes and methods of the PD Processing used by the Company;

7.1.1.4. name and location of the Company, information about persons (excluding the Company’s employees) who have access to PD or to whom PD may be disclosed on the basis of an agreement with the Company or on the basis of federal law;

7.1.1.5. processed PD related to the relevant PD Subject, the source of their receipt, unless another procedure for submitting such PD is provided by federal law;

7.1.1.6. terms of the PD Processing, including the terms of their storage;

7.1.1.7. the procedure for exercising by the PD Subject its rights provided for by the Federal Law «On Personal Data»;

7.1.1.8. information about the completed or anticipated cross-border transfer of PD;

7.1.1.9. the name or surname, first name, patronymic and address of the person processing PD on behalf of the Company, in case that the processing is or will be entrusted to such person;

7.1.1.10 information on how the Company fulfills its obligations specified by Article 18.1 of the Federal Law «On Personal Data»;

7.1.1.11. other information provided for by the Federal Law «On Personal Data» or other federal laws.

7.1.2. The PD Subject has the right to require the Company to specify its PD, block or destroy it in case the PD is incomplete, outdated, inaccurate, illegally obtained or is unnecessary for the stated purpose of the PD Processing, as well as to take measures provided by the legislation to protect its rights.

7.1.3. In the event that the PD Subject believes that the Company processes its PD in violation of the requirements of the Federal Law or otherwise violates its rights and freedoms, the PD Subject has the right to appeal against the actions or inaction of the Company either to the public authority authorized to protect the PD Subjects’ rights or in court.

7.1.4. The information specified in Clause 7.1.1 of the Policy is provided to the PD Subject or its representative within ten (10) working days from the date of the application or receipt by the Company of the request of the PD Subject or its representative. The specified period may be extended, but not more than for five (5) working days. In this case, the Company shall send a reasoned notification to the PD Subject indicating the reasons for extending the period for providing the requested information.

7.1.4.1. The request shall contain the number of the main document proving the identity of the PD Subject or its representative, information on the date of issue of such document and the issuing authority, information confirming the participation of the PD Subject in relations with the Company (agreement number, date of conclusion of the agreement, conditional verbal designation and/or other information), or information that otherwise confirms the fact of the PD Processing by the Company, the signature of the PD Subject or his representative. The request can be sent in the form of an electronic document and signed with an electronic signature in accordance with the legislation of the Russian Federation.

7.1.4.2. The Company shall provide information to the PD Subject or its representative in the form in which the relevant application or request has been sent, unless otherwise specified in the application or request.

7.1.5. In the event that the information in Clause 7.1.1 of the Policy, as well as the processed PD, has been provided to the PD Subject for review at its request, the PD Subject has the right to re-apply to the Company or send to it a second request in order to obtain the information specified in Part 7 of Article 14 of the Federal Law «On Personal Data», and familiarization with such PD no earlier than thirty (30) days after the initial application or the initial request, unless a shorter period is specified by federal law, a regulatory legal act adopted in accordance with it, or an agreement, to which the PD Subject is either a party or a beneficiary or a guarantor.

7.1.6. The PD Subject has the right to re-apply or send a repeated request in order to obtain the information specified in Clause 7.1.1 of the Policy, as well as in order to familiarize itself with the processed PD before the expiration of the period specified in Clause 7.1.5 of the Policy, in case such information and/or processed PD have not been provided to it for review in full as a result of consideration of the initial request. A repeated request, along with the information specified in Paragraph 7.1.4.1 of the Policy, shall contain the rationale for sending such a repeated request.

7.1.7. The Company has the right to refuse the PD Subject in fulfilling a repeated request that does not meet the conditions provided for in Paragraphs 7.1.4.1 and 7.1.5 of the Policy, indicating evidence of the relevancy of such refusal.

7.1.8. The PD Subject has the right to withdraw its consent to the PD Processing at any time. Withdrawal of consent to the PD Processing is carried out by submitting an application in writing to the Company in accordance with Clause 5.4 of the Policy.

7.2. Rights and Obligations of the Company

7.2.1. The Company shall be obliged to provide the PD Subject, upon its request, with the information specified in Paragraph 7.1.1 of the Policy.

7.2.2. When collecting PD, including through the Internet information and telecommunication network, the Company shall ensure recording, systematization, accumulation, storage, clarification (updating, changing), retrieval of the PD of citizens of the Russian Federation using databases located on the territory of the Russian Federation except for cases provided by the Federal Law «On Personal Data».

7.2.3. When processing PD, the Company is obliged to ensure the implementation of the measures specified in Articles 18.1 and 19 of the Federal Law «On Personal Data».

7.2.4. The Company shall bear other obligations specified by the Federal Law «On Personal Data».

7.2.5. With the consent of the PD Subject, the Company has the right to entrust the PD Processing to another person, unless otherwise provided by the legislation of the Russian Federation, on the basis of an agreement concluded with this person, the condition of which is confidentiality or non-disclosure of PD.

7.2.6. The Company has the right to transfer the Subject’s PD to the persons specified in the Subject’s consent to the PD Processing provided to the Company by the PD Subject.

7.2.7. The Company has the right to transfer the Subject’s PD to any other persons not specified in the Subject’s consent to the PD Processing, in case the transfer of the Subject’s PD to these persons is based on the purposes provided for in Paragraph 3.1 of the Policy.

7.2.8. In case of withdrawal of consent, the Company has the right to continue the PD Processing for the purpose of fulfilling the concluded agreement, contract, fulfilling the legal requirements and/or executing a court order by the Company, as well as for protecting its interests, in case the rights of third parties are not thereby violated.

7.2.9. As part of exercising its right to verify the accuracy of the information provided by the PD Subject, the Company has the right to verify and clarify the data provided by the PD Subject by means of oral or written appeals to the PD Subject’s employer and other persons, whose contact details have been provided to the Company by the PD Subject.

8. Measures Aimed at Ensuring the Security of PD Processing

8.1. In order to ensure the security of PD, the Company has implemented the following organizational and technical security measures:

8.1.1. a person responsible for organizing the PD Processing has been appointed;

8.1.2. a person responsible for ensuring the security of PD has been appointed;

8.1.3. a policy regarding the PD Processing has been adopted;

8.1.4. internal organizational documents on the PD Processing have been developed and approved, establishing procedures aimed at preventing and detecting violations of the legislation of the Russian Federation and at eliminating the consequences of such violations;

8.1.5. internal control and audit of compliance of the PD Processing is carried out;

8.1.6. assessment of the harmful consequences that may be inflicted to PD Subjects has been carried out;

8.1.7. employees involved in the PD Processing have been familiarized with legislative and internal organizational documents on the PD Processing and security of PD;

8.1.8. documents have been published that define the policy regarding the PD Processing and implemented requirements for the security of PD;

8.1.9. security threats to PD have been identified;

8.1.10 the PD security tools are used, including anti-virus software, firewall devices, alarms, video surveillance, access control systems, safes, lockers and other technical security means;

8.1.11. secure storage of media containing PD;

8.1.12. record-keeping of persons admitted to work with PD is maintained;

8.1.13. a security policy and access control system to information resources and databases containing PD has been implemented;

8.1.14. user authorization and authentication are carried out;

8.1.15. record-keeping of machine storage media containing PD is implemented;

8.1.16. a set of measures has been implemented to ensure an internal regime aimed at restricting and controlling access to PD;

8.1.17. backup tools are used to restore information resources containing PD;

8.1.18. detecting means that identify facts of unauthorized access to PD are used.

8.2. Measures aimed at ensuring the security of PD while processing it in the PD Information Systems are taken pursuant to the Company’s local regulations specifying the security of PD while processing it in the PD Information Systems of the Company.