This policy has been drawn up in accordance the Applicable legislation and the Regulation of the European Parliament and the Council (EU) No. 2016/679 "On the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) dated April 27, 2016, as well as the California Consumer Privacy Act of 2018 (CCPA) which define the policy of individual entrepreneur Ispiryan Pailak Vachaganovich (hereinafter referred to as the Operator) regarding the processing of personal data and contains information about the requirements for the protection of personal data implemented by the Operator. This policy applies to all personal data processed through the Service which the Operator receives or can receive from the User. This policy is an integral part of the Operator's internal document which defines the general policy of the Operator regarding the processing of personal data and discloses general information about the requirements for the protection of personal data implemented by the Operator.
1. Gerneral Terms
1.1 The following terms and definitions for the purposes of this policy have the following meanings:
''Personal data'' is any information relating to a directly or indirectly identified or identifiable natural person ("personal data subject"); an identifiable natural person is a person who can be identified directly or indirectly, in particular, by reference to an identifier such as first name, last name, patronymic (if any), identification number, individual taxpayer number, SNILS (personal insurance policy number), bank details, year, month, date and place of birth, address, e-mail address, phone number, family, social, property status, education, profession, income, metadata that are transmitted to the Operator in the process of using the Service using the software installed on the User's device (including data location, HTTP headers, IP address, cookie data, information about the User's browser, technical characteristics of equipment and software used by the User, date and time of access to the Service, addresses of the requested pages of the Service and other similar information), one or several physical, physiological cultural, genetic, spiritual, economic, cultural factors or by referring to factors of social identity. For the purposes of this policy, personal data also includes information about the User, the processing of which is provided for by the Agreement governing the use of the Service. The operator collects only such personal data that is necessary for the execution of the Agreement.
''GDPR'' is the Regulation of the European Parliament and the Council (EU) No. 2016/679 "On the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC'' (General Data Protection Regulation) dated April 27, 2016.
''CCPA'' is California Consumer Privacy Act of 2018.
“Applicable legislation” is the legislation of the country where the Contractor is registered or resides. In some cases, the applicable legislation may refer to the legislation of the country where the Client resides if such legislation establishes the precedence of its rules over this Agreement.
''Operator'', ''Controller'' is individual entrepreneur Ispiryan Pailak Vachaganovich processing personal data, as well as determining the purposes of processing personal data, the composition of personal data to be processed, actions (operations) performed with personal data. The Operator is the Controller within the meaning of the GDPR.
''User'' is any natural person with full capacity to act (sui juris) (subject of personal data) including acting on behalf of and in the interests of a legal entity who may in the process of using the Service provide the Operator with the personal data, either independently or through a legal entity represented by him/her that has expressed consent with the terms and conditions set forth in the Agreement by signing it including electronically. In the context of this policy, the User also means persons whose personal data is processed by the Operator on behalf of the User contained in the Agreement. For minors under the age of 16, the Operator processes personal data solely based on the prior consent of the parents.
''Service'', ''Personal Data Information System'' is a software called “Mythic Store” intended for ordering and providing services to the Administration, familiarization with information about the services and about the Administration, access to which the Administration temporarily provides to the User at https://mythic-store.com/. It is a complex object the creation of which was organized by the Administration. Includes databases, program codes, know-how, algorithms, design elements, fonts, logos, as well as text, graphic and other materials, information, texts, graphic elements, images, photos, audio and video materials and other results of intellectual activity. The exclusive rights to the Service and any of its components belong to the Administration as the copyright holder or licensee based on the law, agreement, or other transaction.
''Аgreement'' is a license agreement/contract, transaction, user agreement, or other agreement between the User and the Operator, governing the use of the Service and containing the User's order to the Operator to process personal data.
''Processing of personal data'', ''Personal data processing'' are actions (operations) with personal data, including collection, recording, systematization, accumulation, storage, clarification (update, change), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction.
''Processor'' is a natural or legal person, public authority, agency, or other body that processes personal data on behalf of and at request of the Controller.
''Recipient'' is a natural or legal person, government agency, authority, or other body to which personal data is disclosed, regardless of whether they are third parties or not. However, public authorities that may receive personal data as part of a specific investigation in accordance with EU law or the law of a member state are not considered recipients; the processing of such data by such public authorities must comply with the applicable data protection regulations depending on the purposes of the processing.
''Third party'' is a natural or legal person, government body, agency, or other body other than the data subject, controller, processor, as well as persons authorized to process personal data under the direct supervision of the controller or processor.
''Automated processing of personal data'' is the processing of personal data using computer technology.
''Non-automated processing of personal data'', ''Processing of personal data without the use of automation'' is the processing of personal data contained in the personal data information system or extracted from such a system in cases when such actions are with personal data as the use, refinement, dissemination, destruction of personal data in relation to each of the personal data subjects is performed with the direct participation of a person.
''Distribution of personal data'' are actions aimed at the disclosure of personal data to an indefinite circle of persons.
''Provision of personal data'' are actions aimed at transferring personal data to a specific person or a specific circle of persons.
''Blocking of personal data'' is a temporary termination of the processing of personal data (unless the processing is necessary to clarify personal data).
''Destruction of personal data'' are actions as a result of which it is impossible to restore the content of personal data in the personal data information system and (or) as a result of which material carriers of personal data are destroyed.
''Anonymization of personal data'' are actions as a result of which it is impossible to determine whether personal data belongs to a specific owner without using additional information. Within the meanings of the GDPR it's called “pseudonymisation”.
''Use of personal data'' are actions (operations) with personal data committed for the purpose of making decisions, transactions, or other actions that give rise to legal consequences related to the subjects of personal data or otherwise affect their rights and freedoms or the rights and freedoms of other persons.
''Sale of personal data'' are actions as a result of which information and databases with personal data of persons are transferred from the operator to third parties by completing a transaction.
''Publicly available personal data'' is personal data access to an unlimited circle of persons to which is granted with the consent of the subject or to which, in accordance with federal laws, the requirement of confidentiality does not apply.
''Confidentiality of personal data'' is a requirement upon a person who has access to personal data not to allow its distribution without the consent of the subject or other legal basis.
''Statistics'' is information about the use of the Service, as well as the viewing by the Users of individual elements of the Service (web pages, frames, content, etc.), collected using Counters, cookies, beacons, and other similar technologies.
''Cookies'', ''cookie'' is a small piece of data sent by the web server and stored on the User's device. Cookies contain small pieces of text and are used to store information about how browsers work. They allow you to store and receive identification information and other information on computers, smartphones, phones, and other devices. Cookie specifications are described in RFC 2109 and RFC 2965. Other technologies are used for the same purposes, including data stored by browsers or devices, identifiers associated with devices, and other software. In this policy, all of these technologies are referred to as "cookies".
''Web beacons'' are images in electronic form (single-pixel (1x1) or empty GIF images). Web beacons can help the Operator recognize certain types of information on the User’s device, for example, cookies, the time and date of viewing the page, and the description of the page where the web beacon is located.
''Counter'' is part of the Service, a computer program that uses a piece of code that is responsible for analyzing cookies, collecting statistical and personal data of Users. Personal data is collected in anonymized form.
''IP-address'' is a number from the numbering resource of a data network built based on the IP protocol (RFC 791) which uniquely identifies a terminal (computer, smartphone, tablet, other device) when providing telematic communication services, including Internet access, other device or means of communication included in the information system and owned by the User.
''HTTP header'' is a row in the HTTP message that contains a colon-separated name-value pair. The HTTP header format follows the common ARPA network text message header format described in RFC 822.
''Token'' is a unique set of characters that identifies the User in accounts of third-party web services. The token allows an authorized connection to the Service using authorization through third-party web services (for example, Microsoft Authenticator, Google Authorization, social networks, Google Play, Apple AppStore etc.).
1.2 All other terms and definitions found in the text of this policy are interpreted by the Parties in accordance with applicable law, current recommendations (RFC) of international standardization bodies on the Internet, and the usual rules for the interpretation of relevant terms on the Internet.
1.3 Terms and definitions used in this Agreement can be used both in the singular and in the plural, depending on the context, the terms can be spelled both in uppercase and lowercase letters.
1.4 The names of the headings (articles), as well as the design of this document, are intended only for the convenience of using the text of the Agreement and have no literal legal value.
1.5 This policy has been developed in accordance withthe Applicable legislation of the Operator regarding the processing of personal data. This policy also takes into account the mandatory requirements of the Regulation of the European Parliament and of the Council (EU) of April 27, 2016 No. 2016/679 " On the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)” (GDPR) for Users located in the European Union, as well as the California Consumer Privacy Act (CCRA) for users located in California, USA.
1.6 This policy defines the procedure and conditions for the processing of personal data by the Operator, including the procedure for transferring personal data to third parties, the features of manual processing of personal data, the procedure for accessing personal data, the system for protecting personal data, the procedure for organizing internal control and liability for violations in the processing of personal data, and also other issues.
1.7 This policy takes effect from the moment it is approved by the Operator and is valid indefinitely until it is replaced with a new policy.
1.8 The Operator has the right to make changes to this policy without the consent of the User. All changes to the policy are made by the regulatory act of the Operator.
1.9 This policy applies to all stages of the processing of personal data performed using the Service without using automation tools. The Operator does not control and is not responsible for websites owned by third parties which the User can access by clicking on the links posted on the Service.
2.1 The User's personal data is processed on the basis and in pursuance of the Agreement governing the use of the Service, and other transactions, agreements, or contracts concluded between the User and the Operator, or based on the User's separate consent to such processing.
2.2 The User's personal data is processed by the Operator only if the User reached the age of 12 (or such greater age required in country of the User’s location to be authorized to use the Services without parental approval). In case the User is under 12 years old, then the obligatory consent of the legal representatives of the User is required, otherwise the Operator upon detecting a discrepancy in age with the required one shall remove the User from the Service.
3.1 The Operator processes only the personal data necessary for using the Service or executing transactions, agreements, and contracts with the User, except for cases when the legal norms of the Applicable legislationthe European Union, or the United States of America provide for the mandatory storage of personal information for a period specified by law.
3.2 When processing personal data, the Operator does not combine databases containing personal data which is to be processed for incompatible purposes.
3.3 The Operator processes the personal data of the User for the following purposes:
4.1. The Operator processes personal data necessary for the execution of the Agreement or another transaction with the User.
4.2. Personal data authorized for processing in accordance with this policy and provided by Users who are physical persons using the Service by filling in the appropriate input fields when using the Service may include the following information:
4.3. Personal data processed in accordance with this policy and automatically transferred to the Operator in the process of using the Service including the software installed on the User's device may include the following information:
4.4. In accordance with this policy, the Operator processes the personal data of persons belonging to the following categories of personal data owners:
5.1. The Operator has the right to process the personal data of the User without notice to the authorized body for the protection of the rights of personal data subjects in accordance with the requirements of the Applicable legislation.5.2. The Operator processes the User's personal data using the personal data information system without using automation tools in accordance with the laws, statutes, codes, rules, regulations, and requirements of the Applicable legislationthat establish requirements for ensuring the security of personal data during its processing and for observing the rights of personal data subjects. Such actions with personal data as the use, refinement, distribution, destruction of personal data of the User are performed with the direct participation of the Operator's employees in accordance with the requirements of the Applicable legislation.
5.3. The Operator processes and stores the User's personal data for a period determined in accordance with the Agreement on the use of the Service, or about which the Operator informed the User upon receipt of the User's consent to the processing of the personal data in another way (in a check-box, an SMS message, in email, etc.).
5.4. Concerning the personal data of the User, its confidentiality is maintained, except for cases when the User voluntarily provides information about himself/herself for general access to an unlimited circle of persons.
5.5. The Operator has the right to transfer the User's personal data to the processor, recipient, third parties in the following cases:
5.6. The Processors can be:
5.7. In the event personal data of a User located in the EU is leaked, the Operator without undue delay and if possible no later than 72 hours after he/she becomes aware of this, notifies the competent supervisory EU authority about the leak of personal data, except in cases when this leak of personal data is unlikely to turn into risks for the rights and freedoms of individuals.
5.8. In case a violation of personal data protection can create a high degree of risk for the rights and freedoms of individuals, the Operator notifies the User about the leakage of personal data without unreasonable delay. A communication to the data subject is not required if any of the following conditions are met: (a) The Operator has taken appropriate technical and organizational protective measures to personal data affected by the leak, including measures that display personal data in an incomprehensible form for any person who does not have the right to access it, including cryptographic protection; (b) the Operator has taken subsequent measures to ensure that the high risk to the rights and freedoms of data subjects is no longer able to get realized; (c) a disproportionate effort is required. In this case, instead, a communication is made to the public or a similar measure is taken by which the data subjects are informed.
5.9. The Operator shall take the necessary organizational and technical measures to protect the User’s personal data from unauthorized or accidental access, destruction, alteration, blocking, copying, distribution, as well as from other unlawful actions of third parties.
5.10. The Operator together with the User takes all necessary measures to prevent losses or other negative consequences caused by the loss or unauthorized disclosure of the User’s personal data.
5.11. The Operator has the right to transfer personal data to the bodies of inquiry and investigation, other authorized bodies on the grounds stipulated by laws, statutes, codes, rules, regulations, and requirements.
5.12. When collecting personal data, the Operator records, systematizes, accumulates, stores, clarifies (updates, changes), extracts personal data of Users in accordance with the requirements of the Applicable legislation or GDPR. 5.13. The Operator stops processing the personal data of the Users (which is processed with their consent) upon expiration of the User's consent to the processing or upon withdrawal of the User's consent to the processing of the personal data, as well as in the event of unlawful processing of personal data or the liquidation of the Operator.
6.1. The right to access the personal data of the User is reserved only to the Operator’s and/or the Processor's employees who are allowed by their work duties to work with the User's personal data based on a list of persons authorized to work with personal data which is approved by the Operator and/or the Processor.
6.2. The list of employees who have access to personal data shall be maintained by the Operator and/or the Processor in an up-to-date state.
6.3. Access to the personal data of the User by third parties who are not employees of the Operator and/or the Processor is prohibited without the consent of the User, except for cases established by laws, statutes, codes, rules, regulations, and requirements.
6.4. The access of the Operator’s and/or the Processor's employee to the personal data of the User ceases from the date of termination of the employment relationship or from the date the employee loses the right to access the personal data of the User in connection with changed job duties, position or other circumstances in accordance with the procedure established by the Operator and/or the Processor. In the event of termination of employment, all media with the User’s personal data that were at the disposal of the dismissed employee of the Operator and/or the Processor are transferred to a higher-ranking employee in the manner established by the Operator and/or the Processor.
7.1. The User may at any time change, update, supplement, or delete the personal data provided to them or part thereof using the Service interface.
7.2. If the Operator independently identifies the fact of incompleteness or inaccuracy of the User’s personal data, the Operator shall take all possible measures to update personal data and make appropriate corrections.
7.3. If it is impossible to update incomplete or inaccurate personal data of the User, the Operator takes measures to delete it.
7.4. If it becomes known that the processing of the User's personal data is unlawful, the processing by the Operator shall stop and the personal data shall be deleted.
7.5. If the Service interface is inoperative or the Service does not have a function for changing, updating, supplementing, or deleting the personal data by the User, as well as in any other cases, the User has the right to demand in writing from the Operator the clarification of his/her personal data, its blocking or destruction if personal data is incomplete, outdated, inaccurate, illegally obtained or is not necessary for the stated processing purpose.
7.6. The Operator makes the necessary changes to the personal data that are incomplete, inaccurate, or irrelevant in a period not exceeding seven business days from the date the User provides information confirming that the personal data is incomplete, inaccurate, or outdated.
7.7. The Operator destroys the User’s personal data illegally obtained or not necessary for the stated processing purpose within a period not exceeding seven business days from the date the User submits information confirming that such personal data is illegally obtained or is not necessary for the stated processing purpose.
7.8. The Operator notifies the User of the changes made and measures taken and takes reasonable measures to notify third parties to whom the personal data of this User was transferred.
7.9. User's rights to change, update, supplement, or delete personal data may be limited in accordance with the requirements of laws, statutes, codes, rules, regulations, and requirements. Such restrictions, in particular, may provide for the Operator's obligation to save personal data changed, updated, supplemented, or deleted by the User for a period specified by laws, statutes, codes, rules, regulations and requirements and to transfer such personal data in accordance with the established procedure to state authorities.
8.1. The User has the right to receive information from the Operator regarding the processing of their personal data, including:
8.2. The Operator provides free of charge the opportunity to familiarize yourself with the personal data processed and stored in the Operator’s information system within thirty calendar days from the date of receipt of a written request from the User.
8.3. In case the Operator refuses to provide information on the availability of personal data about the User or personal data to the User upon his/her request or upon receipt of a request from the User, the Operator shall provide in writing a reasoned response, which is the basis for such a refusal, within a period not exceeding thirty calendar days from the date of receipt of the User's request.
8.4. The operator provides the opportunity to send a request to delete personal data (information about which was received by the User) by sending a request to the email address [email protected].
8.5. If the User sends a request, in accordance with clause 8.4, the Operator shall delete personal data within thirty calendar days from the receipt of such a written request from the User.
9.1. The security of personal data during its processing in the information system is ensured by a personal data protection system that neutralizes current threats defined by the Applicable legislation.
9.2. The personal data protection system used by the Operator includes legal, organizational, technical, and other measures to ensure the security of personal data, defined taking into account current threats to the security of personal data and information technologies used in information systems.
9.3. With regard to personal data (which the User has given consent to being processed by the Processor) the Operator has the right to attract the Processor based on an agreement, ensuring the security of such personal data when being processing in the information system.
9.4. When processing personal data in the information system, the Operator ensures:
9.5. In order to comply with security requirements and implement a personal data security system, the Operator has developed a private model of security threats to the personal data information system.
9.7. The Operator drew up an act determining the level of protection of personal data during the processing in the personal data information system.
9.8. The Operator, based on the level of personal data security determined by him when processing it in the personal data information system without using automation, developed and implemented a set of measures to protect and ensure the security of personal data.
9.9.The Operator uses hardware and software for processing and protecting personal data, and also maintains a register of personal data protection means.
9.10. The Operator keeps a journal of accounting and storage of removable storage media containing personal data.
9.11. Technical means ensuring the functioning of the personal data information system are located in premises owned by the Operator based on ownership or other property rights (rent, use, etc.).
9.12. All employees of the Operator authorized to work with personal data, as well as those associated with the operation and maintenance of the personal data information system, are familiar with the requirements of this policy, as well as with the Operator’s internal documents regulating the procedure for working with personal data.
9.13. The Operator has organized the process of training employees in the use of personal data protection equipment managed by the Operator. The training is held by employees with constant access to personal data, and employees associated with the operation and maintenance of the personal data information system and personal data protection facilities.
9.14. The internal documents of the Operator established that employees must immediately inform the appropriate official of the Operator about the loss, damage, or shortage of information carriers containing personal data, as well as about attempts to unauthorized disclosure of personal data, its reasons, and conditions.
10.1. The User decides to provide his/her personal data and agrees to its processing freely, voluntarily, of his/her own free will, and in his/her interest.
10.2. Consent to the processing of personal data provided by the User is specific, informed, and conscious.
10.3. In case the User's personal data is processed on the basis and in pursuance of the Agreement governing the use of the Service, and other transactions, agreements or contracts concluded between the User and the Operator using the Service, such processing of the User's personal data does not require separate consent in accordance with the Applicable legislation or GDPR.
10.4. In case the User's personal data is processed based on a separate consent to such processing, expressed directly when using the Service by clicking on the appropriate button, by ticking the indicator of the corresponding check-box, sending an SMS message or email, such consent to the processing of personal data is provided by the User in the form of an electronic document signed with a simple electronic signature in accordance with the Agreement governing the use of the Service.
10.5. Consent to the processing of personal data may be revoked by the User following the procedure established by laws, statutes, codes, rules, regulations, and requirements.
11.1. If the User starts using the Service it means his/her acceptance of the terms of this policy. If the User disagrees with the terms of this policy, he/she should immediately stop using the Service.
11.2. The Applicable legislationshall apply to this policy and the relationship between the User and the Operator arising out of and in connection to this policy. GDPR shall also apply to Users located in the European Union. CCPA shall apply to Users located in California,USA.
11.3. This policy is always publicly available at the following link: https://mythic-store.com/en/agreement
11.4. The User can send all suggestions or questions regarding this policy to the Operator’s customer support service by sending an electronic message to the following email address: [email protected]. Е-mail address for Users located in the European Union is the following: [email protected].