Personal Data Processing Policy

1. General Provisions

1.1. This Personal Data Processing Policy (hereinafter — the “Policy”) of Individual Entrepreneur Dmitriy A. Bondarev (TIN 235301348589, OGRNIP 326508100181220, place of business: Moscow; hereinafter — the “Operator” or “IE”) defines the procedures and conditions of personal data processing, as well as measures to ensure data protection in the course of development and operation of the digital service (application).

1.2. This Policy is developed in accordance with the Constitution of the Russian Federation, Federal Law of July 27, 2006 No. 152-FZ “On Personal Data”, and other applicable legal acts of the Russian Federation regarding personal data.

1.3. This Policy applies to personal data processed by the Operator:

• during the early access phase (collection of requests for participation in the development and testing of the future application);
• during the operation of the application, when personal data is processed within the application's closed database. The databases used for the collection, recording, systematization, accumulation, storage, clarification (update, modification), and extraction of personal data of citizens of the Russian Federation are physically located within the territory of the Russian Federation on the servers of the hosting provider Hostkey LLC (hostkey.ru).

1.4. During the operation phase, the Operator provides the infrastructure and processing tools; however, access to user-generated content is provided exclusively to the users themselves in accordance with the functionality of the service, unless explicitly required otherwise by the legislation of the Russian Federation.

1.5. This Policy is a public document and is available online at: https://timewoven.ru/en/privacy.

2. Terms and Definitions

2.1. Terms such as “personal data”, “processing of personal data”, “operator”, “data subject”, “third parties”, “provision of personal data”, “distribution of personal data”, and “anonymization of personal data” are used in the meanings established by Article 3 of Federal Law No. 152-FZ.

2.2. “Digital service (application)” means the software product developed by the Operator intended for processing user data in a closed database with access restricted to the users themselves.

3. Operator's Status and Role

3.1. During the early access phase, the Operator acts as a Data Controller, determining the purposes and means of processing a limited set of personal data (contact information and participation interest).

3.2. During the application operation phase, the Operator:

• provides and maintains the server infrastructure (including server rental and administration via the hostkey.ru provider);
• defines the general technological and organizational framework for personal data processing within the application;
• does not routinely access user content unless such access is explicitly provided by the service functionality and/or required by law.

3.3. Access to personal data within the application is limited to the users themselves upon authentication and, when strictly necessary, to technical staff or contractors acting on behalf of the Operator in a minimal capacity required to ensure service operability and security, without regular viewing of user content.

3.4. The Operator and its contractors do not regularly view or edit user content and gain access to it only in exceptional cases explicitly provided by the legislation of the Russian Federation or the User Agreement (e.g., upon a specific user request or during security incident investigations).

4. Principles and Purposes of Processing

4.1. Personal data processing is based on the principles of lawfulness, fairness, data minimization, purpose limitation, accuracy, storage limitation, and security.

4.2. Purposes of processing during the early access phase:

• maintaining a list of individuals interested in early access and testing;
• communication with such individuals (confirming requests, sending updates, invitations, feedback surveys, etc.).

4.3. Purposes of processing during the application operation phase:

• user registration and authentication;
• providing application functionality related to the creation and processing of data within the closed service database;
• organization and accounting of payments for the service (subscriptions, access fees) through selected payment providers;
• sending project news, service, and marketing notifications via selected communication channels (email, messengers, push notifications, etc.), subject to the user's explicit consent;
• ensuring data safety, security, backups, and service recovery;
• fulfillment of contractual and legal obligations of the Operator.

5. Categories of Personal Data

5.1. During the early access phase, the Operator processes a minimal necessary set of data provided voluntarily by the subject:

• full name (or pseudonym, if permitted);
• communication method: email address and/or messenger identifier (e.g., username or unique ID in Telegram);
• other information voluntarily provided by the subject in the application text.

5.2. During the application operation phase, the following may be processed:

• account data (name/nickname, email, account identifier, technical identifiers, unique individual links, and one-time codes for authentication);
• content and data uploaded or processed by the user (texts, notes, files), including audio messages, photographs, and video files that may contain personal data of the user or third parties. When graphic files are uploaded, the System automatically removes hidden digital metadata (including coordinates and shooting parameters) to ensure additional privacy;
• technical data (IP address, browser/device data, cookie files, and other identifiers used for security and operability).

5.3. Within the user content, users may input information about their relatives (including deceased ones) and children. The user bears sole responsibility for the lawfulness of providing such information. Upon request from a child's legal representative, the Operator will, where technically feasible, delete or restrict access to the child's data uploaded by an adult user.

5.4. The specific list of data categories is further detailed in the User Agreement and associated documents.

5.5. The Operator does not process biometric personal data within the meaning of Art. 11 of Federal Law No. 152-FZ. Audio messages and photographs uploaded by users are processed exclusively in an automated manner for the purposes of voice-to-text translation (transcription) and visual content grouping within the application interface. These actions are not aimed at establishing the identity (biometric identification) of the data subjects and are carried out without human intervention. The Operator also does not process special categories of personal data (concerning race, political opinions, or health).

6. Legal Basis for Processing

6.1. The legal grounds for processing are:

• consent of the personal data subject;
• necessity to enter into and perform a contract between the Operator and the subject;
• compliance with the Operator's legal obligations under the laws of the Russian Federation;
• other grounds provided by applicable personal data legislation.

6.2. Early access processing is based on explicit, voluntary consent provided when submitting the request form.

6.3. Application processing is based on the acceptance of the public offer (User Agreement) and this Policy during registration.

7. Processing Conditions and Procedures

7.1. Processing is carried out using automated and non-automated means.

7.2. Early access data is stored in the Operator's designated information systems for the duration necessary to achieve the processing purposes.

7.3. Application data is stored and processed on the servers of the hosting provider hostkey.ru under a formal agreement.

7.4. If the User accesses the Service while located outside the Russian Federation, the User acknowledges and agrees that they independently and voluntarily initiate the cross-border transfer of their personal data to the Operator in the Russian Federation. The Operator ensures storage and primary processing of such data within the territory of the Russian Federation.

7.5. Server and application maintenance, as well as troubleshooting, are performed primarily by analyzing event logs and configuration files. Routine viewing of user content is strictly prohibited and permitted only in exceptional cases required to restore service operability or protect the rights of data subjects. Any such access is mandatorily recorded in an immutable security audit log protected from editing and deletion (append-only mode).

7.6. The Operator does not disclose or distribute personal data to third parties without consent, except when explicitly required by the laws of the Russian Federation.

7.7. Processing may be delegated to third-party contractors (hosting providers, developers, payment providers) under strict confidentiality and security agreements. Contractors access data strictly on a need-to-know basis and do not routinely access user content.

7.8. The Operator performs cross-border transfers of personal data, including when sending service notifications and responding to requests from users located abroad. Prior to such transfer, the Operator undertakes to submit the required notification to the authorized personal data protection authority in accordance with Article 12 of Federal Law No. 152-FZ.

8. Rights of Data Subjects

8.1. Data subjects have the rights provided by the laws of the Russian Federation, including the right to:

• receive information regarding the processing of their data;
• request clarification, blocking, or destruction of incomplete, outdated, or unlawfully obtained data;
• withdraw their consent to data processing;
• appeal the actions or inactions of the Operator to the authorized supervisory body or in court.

8.2. Subjects may exercise their rights by contacting the Operator using the details in Section 10 or via the application’s account settings (once launched).

9. Data Protection Measures

9.1. The Operator implements necessary legal, organizational, and technical measures to protect personal data from unauthorized access, destruction, modification, blocking, copying, or distribution.

9.2. These measures include:

• restricting staff and contractor access strictly to a need-to-know basis;
• utilizing authentication mechanisms based on unique individual links and/or one-time codes without storing plain-text passwords;
• using a centralized identity and access management system that restricts technical staff from exporting user content;
• implementing technical data isolation principles (the “Safe” concept), restricting direct human access to raw user media and audio files via software and hardware controls;
• utilizing automated machine learning algorithms for primary data processing without human intervention;
• automatic deletion of hidden digital metadata (EXIF data) upon image upload;
• regular data backups and integrity monitoring;
• utilizing security tools provided by the hostkey.ru infrastructure;
• signing binding confidentiality agreements with all third-party processors.

9.3. The Operator appoints a designated Data Protection Officer and approves necessary local regulatory acts.

10. Contact Information

10.1. For inquiries regarding personal data processing, the personal data subject may contact the IE via:

• postal address: 6 Serova St., Apt. 85, Zhukovsky, Moscow Region, 140185, Russian Federation;
• email address: privacy@timewoven.ru.

10.2. Requests should include the subject's full name, contact details, a description of the request, and the specific demand (e.g., update, block, delete).

11. Policy Updates

11.1. The Operator reserves the right to amend this Policy. The date of the last update is indicated upon modification. The new version becomes effective immediately upon its publication on the website.

11.2. Prior to the full application launch, the Operator will update the Policy to reflect the precise functionality, data scope, and any operational changes.