POLICY ON CONFIDENTIAL DATA PROCESSING

This Policy governs the procedure of collection and processing of personal data of individuals by Limited Liability Company Makar Offroad (OGRN [Primary State Registration Number] 1176658041812, INN [Taxpayer Identification Number] 6686094201, hereinafter referred to as the "Operator") by means of automation tools via the Internet.

General Provisions

1. For the purposes of this document the following terms are used:

1.1. Personal data are any information directly or indirectly relating to a specific or defined individual (the subject of personal data).

1.2. Operator is LLC Makar Offroad, the person that independently organizes and (or) performs the processing of personal data, as well as determines the purposes of personal data processing, the content of personal data to be processed, actions (operations) performed with personal data.

1.3. Customer is an individual, who is going to purchase vehicles or other goods sold by the Operator, and applying to the Operator via Internet website http://makaroffroad.ru to be consulted.

1.4. Website is a set of computer programs and other information contained in the information system accessible via the Internet by domain names and (or) by web addresses that allow to identify Internet websites used by the Operator to provide Customer with a consultation. Website address: http://makaroffroad.ru.

1.5. Personal data processing is any action (operation) or a set of actions (operations) performed, with or without the use of automation tools, with personal data, including the collection, recording, systematization, accumulation, storage, refinement (update, change), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data.

1.6. Automated processing of personal data is the processing of personal data by means of computers.

1.7. Provision of personal data is the actions aimed at disclosing personal data to a specific person or a certain group of persons.

1.8. Blocking of personal data is the temporary suspension of personal data processing (except for the cases when processing is required to clarify personal data).

1.9. Destruction of personal data is the actions as a result of which it becomes impossible to restore the content of personal data in the personal data information system and (or) as a result of which the physical media of personal data are destroyed.

1.10. Personal data information system is a set of personal data contained in databases and information technologies and technical means ensuring their processing.

1.11. Cookies are pieces of data sent by the website and stored on a computer, mobile phone or another device, from which the Customer visits the website, used to store data about the Customer's activities on the website.

2. By sending the Request to the Operator by means of the Website the Customer agrees to the terms of this policy and also agrees to the processing of his/her personal data by the Operator in cases where the provisions of the current legislation require such consent.

Personal data

3. When processing the personal data the Customer is entitled to:

3.1. Receive information concerning the processing of his/her personal data, including information containing:

3.1.1. Confirmation of personal data processing;

3.1.2. Legal grounds and purposes for personal data processing;

3.1.3. Objectives and methods used for personal data processing;

3.1.4. Information about the name and location of a person processing the personal data, information about persons (except for the employees of the Operator) who have access to the personal data or who the personal data may be disclosed to under the contract with the Operator or in accordance with the current legislation;

3.1.5. Processed personal data relating to the relevant subject of personal data, its source, unless a different procedure for submitting such data is provided for by the current legislation;

3.1.6. Period for personal data processing, including the period for their retaining;

3.1.7. Procedure for the exercise by the Customer of the rights provided for by the current legislation;

3.1.8. Information on completed or intended cross-border data transfer;

3.1.9. Name or last name, first name, patronymic, and address of the person processing the data at the instruction of the Operator, if the processing is entrusted to or will be entrusted to such person;

3.1.10. Other information required by the current legislation.

3.2. Require the Operator to clarify his/her personal data, block or destroy them if the personal data are incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated processing purpose as well as to take measures provided for by the law to protect his/her rights.

3.3. Appeal against the actions or inaction of the Operator to the authorized body for the protection of the rights of personal data subjects or in court, if the Customer believes that the Operator processes his/her personal data in violation of the current legislation or otherwise violates his/her rights and freedoms.

3.4. Protection of his/her rights and legitimate interests, including compensation for damages and (or) compensation for moral damage in court.

4. When processing the personal data the Operator undertakes to:

4.1. Provide the Customer, at his/her request, with the following information:

4.1.1. Confirmation of personal data processing;

4.1.2. Legal grounds and purposes for personal data processing;

4.1.3. Objectives and methods used for personal data processing;

4.1.4. Its name and location address, information about persons (except for the employees of the Operator), who have access to personal data or who the personal data may be disclosed to under the contract with the Operator or in accordance with the current legislation;

4.1.5. Processed personal data of the Customer, its source, unless a different procedure for submitting such data is provided for by the current legislation;

4.1.6. Period for personal data processing, including the period for their retaining;

4.1.7. Procedure for the exercise by the Customer of the rights provided for by the current legislation;

4.1.8. Information on completed or intended cross-border data transfer;

4.1.9. Name or last name, first name, patronymic, and address of the person processing the data at the instruction of the Operator, if the processing is entrusted to or will be entrusted to such person;

4.1.10. Other information, required by the current legislation.

4.2. Ensure that measures are taken to prevent unauthorized access to the personal data of the Customer.

4.3. Publish or otherwise provide unlimited access to the document defining the personal data processing policy, as well as to the information about the implemented requirements for the protection of personal data.

5. The objective of collecting and processing the personal data of the Customer is to consult him/her regarding the conclusion of a commercial concession contract (franchise contract) and conclusion of such contract.

6. Personal data of the Customer are stored on electronic devices and processed by means of automation tools of personal data processing.

7. The Operator collects and processes the following personal data of the Customer:

7.1. Last name, first name, patronymic;

7.2. Phone number.

8. Personal data of the Customer are destroyed in the following cases:

8.1. After three years from the date of the last Customer's appeal to the Operator.

8.2. In case the Customer withdraws his/her consent to the processing of his/her personal data.

9. The destruction of the Customer's personal data is carried out without the possibility of their subsequent recovery.

10. Only persons who have direct relation to the consulting of the Customer regarding the conclusion of the commercial concession contract (franchise agreement) and its execution have access to the personal data of the Customer. Otherwise, the Operator does not distribute the personal data of the Customer, nor provide the access to it to third parties without the prior consent of the Customer, except for the cases of personal data provision at the request of authorized state bodies in accordance with the current legislation.

11. The Operator takes the following measures to prevent unauthorized access to the Customer's personal data:

11.1. Assigns employees responsible for organizing personal data processing;

11.2. Applies organizational and technical measures to ensure the security of the Customer's personal data, namely:

11.2.1. Identifies threats to the security of personal data during their processing in the personal data information systems;

11.2.2. Organizes a security regime for the premises where the information system is located that prevents the possibility of uncontrolled entry or stay in these premises of persons who do not have the right to access these premises;

11.2.3. Ensures the safety of personal data media;

11.2.4. Approves the list of persons having access to personal data necessary to perform their official (employment) duties;

11.2.5. Uses information security measures to prevent unauthorized access to personal data;

11.2.6. Evaluates the effectiveness of measures taken to ensure the security of personal data;

11.2.7. Ensures the detection of unauthorized access to personal data and the taking of measures;

11.2.8. Restores personal data modified or destroyed due to unauthorized access to them (if technically possible to restore them);

11.2.9. Establishes the rules for access to personal data, processed in the personal data information system;

11.2.10. Controls the measures taken to ensure the security of personal data and the level of security of the personal data information systems.

12. The Customer is entitled to require the Operator to clarify (update) his/her personal data, to block or destroy them if personal data are incomplete, outdated, inaccurate, illegally obtained or not required for the stated purpose of processing, as well as to withdraw his/her consent to the processing of personal data by sending the appropriate request and (or) claim in writing by registered mail with acknowledgement of receipt or its provision by hand at the location of the Operator. The specified request/claim shall contain the number of the main document certifying the identity of the Customer or his/her representative, information about the date of issue of the specified document and the issuing authority, the residence address of the Customer, information confirming the participation of the Customer in relations with the Operator (contract number, contract date, conditional verbal designation and (or) other information), or information that otherwise confirms the fact of processing of the Customer's personal data, the claim to clarify, block, or destroy the Customer's personal data or a notice of withdrawal of consent to the processing of personal data, the signature of the Customer or his/her representative. The Operator is obliged to give a reasoned response concerning the Customer's request/claim within 30 calendar days from the date of its receipt.

Cookies

13. The Operator can use the following types of cookies:

13.1. Strictly necessary cookies. These cookies are required for browsing through the Website and using the requested services. Cookies of this type are used during the Customer's registration and logging into the system. Without them the services requested by the Customer become unavailable. These cookies are primary and can be either permanent or temporary. Without this type of cookies, the Website doesn't work properly.

13.2. Performance cookies. These cookies collect statistical information about the use of the Website. These cookies do not receive personal information of the Customer. All information collected by these cookies is statistical and anonymous. The purposes of the use of these cookies:

13.2.1. Obtaining website usage statistics;

13.2.2. Evaluation of the effectiveness of advertising campaigns.
These cookies can be either permanent or temporary, and can also be classified as first-party and third-party cookies.

13.3. Functionality cookies. This type of cookies is used to store the information provided by the Customer (such as user name, language or location). These cookies use anonymous information and do not track the browsing activity of the Customer on other websites. The purposes of the use of these cookies:

13.3.1. Storing of data on any service previously provided to the Customer;

13.3.2. Improving the quality of interaction with the Website as a whole by storing the preferences chosen by the Customer.
These cookies can be either permanent or temporary, and can also be classified as first-party and third-party cookies.

13.4. Advertising cookies. This type of cookies is used to manage advertising materials throughout the website, limit the number of times an advertisement is viewed by the user and to evaluate the effectiveness of advertising campaigns. Advertising cookies are placed by third parties, for example, by advertisers and their agents. These cookies are connected with advertisements on the website provided by third-party companies. They can be both permanent and temporary.

14. Cookies can be blocked or deleted and their effect can also be limited in the settings of the browser used by the Customer.