Version of May 28, 2025

This Personal data processing and protection policy (hereinafter referred to as the Policy) is applied by Positive Technologies JSC and/or its affiliated entities (hereinafter referred to as Positive or we) to Positive’s websites, services, events, and other products (services) (hereinafter referred to as the Services).

The use of any of the Services may be governed by additional terms that may amend and/or supplement the Policy, and/or have special conditions regarding personal data as specified in the relevant documents of such Services.

As experts in the protection of devices, infrastructure, and data, we understand the importance of a proper approach to data privacy and security and adhere to the principle of comprehensive and complete protection of our users' personal data.

1. Policy scope

1.1. The personal data operator under the Policy is Positive Technologies JSC, located at at building 8, office 60, Preobrazhenskaya Square, Moscow, Preobrazhenskoye municipal district, 107 061, Russia, or its affiliated entity providing the relevant Service. You can find information about which legal entity provides a particular Service in the terms of use or other documents of the respective Service.

1.2. Your use of the Services signifies unconditional agreement with the Policy and the terms of personal data processing specified therein. If you do not agree with this Policy, you must immediately stop using the Services.

1.3. In this Policy, we openly describe all methods and conditions of personal data processing when using the Services. You can familiarize yourself with Positive’s general policy on the processing and ensuring the security of personal data here.

1.4. Educational institutions with specialist training programs The policy was developed by Positive in accordance with Federal Law No. 152-FZ dated 27.07.2006 "On personal data" (hereinafter referred to as the Law).

2. What is personal data?

2.1. Personal data is any information that refers directly or indirectly to an identified or identifiable individual. The concept of personal data is contextual. This means that depending on the situation, the same data may or may not be considered personal.

2.2. Some examples of personal data are: first name, last name, patronymic name, email address, phone number.

2.3. Personal data may also include technical information if it can be attributed to you: IP address, type of operating system, type of device (computer, cell phone, tablet), browser type, geolocation, web form entries, online service provider, and bank details.

3. Purposes of personal data processing by Positive

Please note that the actual list of personal data processed by Positive is determined based on the established relationship between Positive and you.

Objective — List of personal data — Processing period:

3.1. To provide you with our Services* — Last name, first name, phone number, email address, messenger and social media identifiers, information about your position, department, and current place of employment, personal identifiers, data about technical devices**, information automatically received from the Services, including through the use of cookies***, information obtained as a result of your actions, including details about comments, requests, reviews, and questions you have submitted — For the duration of your use of the respective Service, and after the end of its use—for the duration of the statute of limitations, i.e. for 3 (three) years after you stop using such Service.

3.2. To send you advertising and other communications about Positive’s Services and its partners through various channels — Last name, first name, middle name, phone number, email address, messenger identifiers, information about your position, department, and current place of employment — For the duration of your consent to receive advertising mailings.

3.3. For feedback with you — Last name, first name, patronymic, phone number, email address, messenger IDs, information about comments, requests, reviews, and questions you have sent — During the statute of limitations, i.e. within 3 (three) years from the moment of sending you the last message (call) or from the moment of receiving your message if we were unable to contact you.

3.4. For interaction with you regarding employment — Last name, first name, patronymic, phone number, email address, messenger and social network IDs, work experience, education details, professional qualities, photo, date of birth or age, gender, and other information included in your resume — During the validity period of the consent to process personal data that you provided on the Service when responding to a job vacancy.

3.5. For conducting research, collecting information about satisfaction with the Services, improving the quality of the Services — Last name, first name, phone number, email address, messenger IDs, information about position, department, and current place of employment, personal identifiers, data on technical devices (equipment)**, information automatically received from the Services, including through the use of cookies***, information obtained as a result of your actions, including details about submitted comments, requests, feedback, and questions — For the duration of your use of the respective Service.

3.6. To protect the Services, rights, and legal interests of Positive and our users/contractors/partners**** — Last name, first name, phone number, email address, messenger and social network IDs, information about position, department, and current place of employment, personal identifiers, data on technical devices (equipment)**, information automatically received from the Services, including through the use of cookies***, information obtained as a result of your actions, including details about submitted comments, requests, feedback, and questions — For the periods established by the legislation of the Russian Federation, necessary to protect the Services, rights, and legal interests of Positive and our users/contractors/partners.

*Providing you with our Services includes the proper fulfillment of Positive’s obligations to you, proper service delivery, registration in the Services, password recovery for the account in the Services, as well as any other cases related to such actions.
** Data on technical devices (equipment) includes IP address, type of operating system, type of device (personal computer, mobile phone, tablet), type of browser, geographic location, fact of filling out a web form, provider—internet service provider.
*** Cookies are pieces of text that are automatically saved in your browser’s memory through our website. This allows the Services to access and retrieve the saved information on your computer when necessary. We use cookies to remember your preferences in the Services. Most browsers save cookies automatically, but you can always change your browser settings and stop saving cookies. You can read more about our use of cookies in Section 9 of our Policy.
**** These situations include ensuring the functionality and security of the Services, confirming your actions, preventing fraud, cyberattacks, and other abuses, as well as investigating such cases.

4. How we process your data

4.1. Principles. Minimizing the amount of data is the main principle we strictly adhere to when processing personal data: we do not collect, store, or otherwise process it unless it is absolutely necessary.

We also follow the principles of personal data processing established by the current legislation of the Russian Federation, including the following:

• Legality and fairness of personal data processing
• Processing of personal data only in accordance with specific, pre-determined, and lawful purposes
• Prohibition of combining personal data databases processed for incompatible purposes
• Accuracy, adequacy, relevance, and reliability of personal data (as far as it depends on us*)

* Positive does not verify the accuracy of the provided personal data or the legal capacity of the person who provided it. By submitting personal data to us, you warrant that it is accurate, current, and does not violate the laws of the Russian Federation.

4.2. Methods. We may process personal data both with and without the use of automation tools, as well as perform mixed processing of your personal data. Processing may include collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, retrieval, use, transfer (provision, access, dissemination), anonymization, blocking, deletion, and destruction of personal data.

4.3. Collection. When collecting personal data of Russian citizens, we ensure the recording, systematization, accumulation, storage, clarification (updating, modification) of their personal data using databases located on the territory of the Russian Federation.
We may collect personal data in the following ways:

• Providing your personal data when filling out forms in the Services
• Automatic collection of information using technologies and services: web protocols, cookies, web beacons, which are activated only when you enter your data
• Providing your personal data in written form, including via communication means

4.4. Storage. We store personal data exclusively on properly secured media, including electronic ones. We are entitled to combine personal data into an information system and process it using other software tools. The handling of personal data information systems is carried out according to the generally accepted algorithm (collection, systematization, accumulation, storage, clarification, use, blocking, destruction, etc.).

4.5. Positive may engage third parties to process your personal data by instructing them to do so and/or by transferring your personal data to third parties without instructing them to process it. Engagement of third parties can only be carried out to achieve the purposes of personal data processing specified by us, and provided that such parties ensure the confidentiality and security of personal data during processing.

Such parties may include, in particular, Positive’s partners, including its affiliates, consultants, contractors (including organizations that own servers, individuals who make calls, send SMS messages, any other types of mailings and notifications, individuals who conduct surveys and research), subcontractors, and agents. The actual composition of third parties engaged by Positive to process personal data is determined based on the established relationships between Positive and you.

4.6. Cross-border transfer. To achieve the purposes specified in the Policy, we may transfer your personal data to countries other than the one in which it was collected. This may be necessary, for example, in situations where the event/research you want to participate in is organized by a foreign company. When conducting cross-border transfers, we protect your data in accordance with the Policy and the current legislation of the Russian Federation.

4.7. Distribution. Distribution means the disclosure of data to an indefinite number of persons. For example, if you register for a public event organized by us, which you plan to attend offline (in person), we may publish photo and video recordings from this event (possibly including your participation) on our Services.
On the Services, we post photographs of our team members or partners, contact information of the management, and other data with the consent of these individuals or on another legal basis. Copying, publishing on other internet resources, inclusion in mailing databases, and other actions with this data may be restricted by both the legislation of the Russian Federation and the individuals themselves.

4.8. Destruction. By default, we destroy personal data once the purposes of its processing have been achieved or when it is no longer needed to achieve those purposes. Additionally, we may destroy personal data in the following cases:

• Threat to security of Services
• If you violate the Policy
• When the personal data storage period has expired
• You submitted a request for the destruction of your personal data or withdrew your consent for the processing of your personal data

Even if we receive a request from you to destroy personal data, we may continue to store and otherwise process it if necessary to comply with the requirements of current Russian legislation or if we have other grounds for processing this personal data (for example, an agreement concluded with you).

5. Your rights
The main rules for handling personal data and your rights as a data subject are detailed in the Law, which you can find here. For your convenience, we provide a brief description of the main rights provided by the Law:

• Right to know — you have the right to learn more details about how Positive processes your personal data (Art. 18, 18.1 of the Law). We detail this in our Privacy Policy (https://global.ptsecurity.com/policies/privacy-policy).
• Right to access — you have the right to ask us which personal data we process about you (Art. 14 of the Law).
• Right to rectification and deletion — you can ask us to correct inaccurate, incomplete, or outdated data, as well as to delete it (Clause 3, Art. 20 of the Law).
• Right to withdraw consent — you may withdraw your consent to the processing of personal data at any time you deem necessary (Part 2, Article 9 of the Law).

For any questions related to personal data, you can contact us as outlined in Section 7 of the Policy.

6. Information on personal data protection

All personal data you provide is confidential by default. The protection of personal data processed by Positive is ensured through legal, organizational, and technical measures that are necessary and sufficient to meet the requirements of the legislation of the Russian Federation in the field of personal data protection. However, we always strive to protect your data to the maximum extent and apply more measures than required by law. Some of these measures are listed below:

• We have appointed a person responsible for the processing of personal data. You can contact this person via email: privacy@ptsecurity.com;
• We restrict access to your personal data and provide it only to our employees or partners who need it to achieve the purposes for which we process your data.
• We conduct regular risk assessments related to the processing of personal data and take measures to eliminate or minimize them.
• We conduct internal investigations to identify instances of unauthorized access to personal data if there is suspicion that it has occurred.
• We regularly monitor and analyze the security of Positive’s network infrastructure.
• We familiarize Positive’s employees with the provisions of the Russian Federation’s legislation on personal data, including the requirements for personal data protection, Positive’s local acts on personal data processing issues, and conduct their regular training.
• We organize security measures for premises where personal data carriers are located, preventing uncontrolled access to these premises or the presence of unauthorized persons.

7. Requests from subject of personal data

7.1. You can send your inquiries to Positive, including those regarding the use of your personal data:

• In written form to the address: 8 Preobrazhenskaya Square, Moscow, 107 061
• In the form of an electronic document via email: privacy@ptsecurity.com

7.2. Your inquiry must contain the following information:

• Number of your ID
• Date of ID issue, issuing authority
• Information confirming your relationship with us
• Your signature

7.3. Positive commits to reviewing the received inquiry and sending a response to the specified address within 10 (ten) business days, provided that the inquiry pertains to the processing of your personal data by Positive. If, for any reason, we need a bit more time to respond, we will send you a message explaining the cause of the delay.

8. Notification of terms and conditions for processing technical data, metric services

8.1. We may use captcha in our Services. They are necessary for verifying requests and blocking bots on our websites, making the use of our Services more convenient for our users.

8.2. In order for the captcha services to work, we may instruct their owners to collect and process technical data about your device, its activity, and digital fingerprint (token, browser features, referrer, time zone, and more). This data is collected only when you use our Services that have a captcha service widget installed. Captcha services use only technical data solely for the purpose of functioning and maintaining the captcha service on our site, as well as for improving the captcha service within the legitimate interest of its owner. The technical data collected by the captcha services does not allow anyone to identify you personally.

8.3. We select captcha services carefully, and they must comply with all the requirements of the Russian laws on the collection, storage, and other processing of user data.

8.4. If you have any questions or concerns regarding the captcha services used on our websites, please contact us using the information provided on the site. A list of captcha services and links to detailed terms of their operation may be provided on our websites and/or upon request.

8.5. Additionally, Yandex. Metrica may be used for collecting and statistically analyzing data related to the use of the Services. The data collected by Yandex. Metrica can be received and processed by the provider of this service (Yandex LLC). You can familiarize yourself with the list of data collected using Yandex. Metrica here.

9. Cookie processing

• Essential — these cookie files are essential for the functioning of our websites and cannot be disabled. Typically, they are activated only in response to actions you take, such as setting your privacy preferences, logging in, or filling out forms. You can set your browser to block these cookies or alert you about their usage, but some parts of our websites may not work or may not work correctly as a result.
• Operational — these cookies allow us to count visits and traffic sources so we can measure and improve the performance of our websites. Thanks to them, we know which pages are the most or least popular and see how visitors move around the websites.
• Targeting — these cookies are set via our websites by our advertising partners. They may be used by these companies to build a profile of your interests and show you relevant ads on other websites. If you do not allow these cookies, you will not experience our targeted advertising across different websites.
• Functional — these cookies enable enhanced functionality and personalization, such as for online chats and videos. They can be set by us or by third-party providers whose services are featured on our pages. If you do not allow these cookies, some or all of these features may not function properly.

To opt out of using the relevant cookies, you can use the functionality provided in our Services. You can also use your browser settings to disable the use of cookies. Detailed instructions on how to disable cookies are available via the following external links:

• Yandex Browser
• Google Chrome
• Safari
• Microsoft Edge
• Mozilla Firefox

10. Policy limitation and modification

10.1. You are required to reasonably and responsibly handle the public posting of your personal data, including in the Services when leaving reviews and comments.

10.2. Positive is not responsible for the actions of third parties who gain access to your personal data due to your own fault.

10.3. Positive reserves the right to make changes to the Policy as necessary. The Policy must be reviewed in the event of significant changes to international or national legislation in the field of personal data. The current version of this Policy can be found at: https://global.ptsecurity.com/policies/privacy-policy.