PRIVACY POLICY
Personal Data Processing Policy for Website Visitors
Effective Date: January 22, 2026
1. GENERAL PROVISIONS
1.1. This Policy regarding the processing of personal data of website visitors (hereinafter referred to as the "Policy") has been developed in accordance with the requirements of Federal Law No. 152-FZ dated July 27, 2006 "On Personal Data," Article 152.2 of the Civil Code of the Russian Federation, Order of Roskomnadzor No. 140 dated June 19, 2025, and other regulatory legal acts of the Russian Federation. It defines the purposes, content, and procedures for processing personal data; measures aimed at ensuring the protection of processed personal data from unauthorized access, disclosure, unlawful use, or loss; as well as procedures aimed at identifying and preventing violations of Russian Federation legislation in the field of personal data at LLC "Green Solution" (INN 6501212624, OGRN 1096501008471), located at: Detskaya Street, 4, Yuzhno-Sakhalinsk, Sakhalin Oblast, 693020, Russian Federation (hereinafter referred to as the "Operator").
1.2. The Operator is registered in the Roskomnadzor register since July 27, 2017 (https://pd.rkn.gov.ru). Registration Number: 27-17-003528.
1.3. This Policy applies to the website "Mega Palace Hotel" with the domain name megapalacehotel.com (hereinafter referred to as the "Website"). The Website may contain links to other websites provided by third parties. This Policy does not extend to third-party websites that website visitors may access via links available on the Website. The Operator does not control and is not responsible for third-party websites, nor for the protection and confidentiality of any information that a website visitor, as a personal data subject, provides. Website visitors should exercise reasonable caution and review the relevant privacy policy of any website they visit.
1.4. This Policy defines the main issues related to the processing of personal data (hereinafter referred to as "PD") by the Operator using automation tools in information and telecommunication networks, or without using such tools, if the processing of PD without using such tools corresponds to the nature of actions performed with PD using automation tools — that is, it allows searching for PD recorded on a tangible medium and contained in card indexes or other systematic collections of PD, and/or accessing such PD, in accordance with a specified algorithm.
1.5. The purpose of this Policy is to implement legislative requirements in the field of processing and protection of PD, and is aimed at ensuring the protection of the rights and freedoms of individuals and citizens in the processing of their PD, including the protection of the right to privacy, personal and family life.
2. KEY DEFINITIONS AND TERMS
Term | Definition |
Personal Data (PD) | Any information relating directly or indirectly to a defined or definable natural person (data subject). |
Website Visitor (category of data subject) | A natural person who has access to the Website via the Internet and uses the Website to obtain information about services provided by the Operator. |
Data Subject | A natural person whose data is processed by the Operator. |
Operator | A legal entity (LLC "Green Solution") responsible for processing PD, and determining the purposes of PD processing, the composition of PD to be processed, and the actions (operations) performed with PD. |
Processing of PD | Any action or set of actions (operations) performed with PD using automation tools or without using such tools, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of PD. |
Automated Processing of PD | Processing of PD using computer technology. |
Distribution of PD | Actions aimed at disclosing PD to an indefinite circle of persons. |
Provision of PD | Actions aimed at disclosing PD to a specific person or specific circle of persons. |
Blocking of PD | Temporary cessation of PD processing (except in cases where processing is necessary for clarification of PD). |
Destruction of PD | Actions resulting in the impossibility of restoring the content of PD in the personal data information system and/or resulting in the destruction of tangible carriers of PD. |
Depersonalization of PD | Actions resulting in the impossibility, without the use of additional information, of determining the belonging of PD to a specific data subject. The purpose of depersonalization is to protect the rights and freedoms of the data subject during information processing. |
Personal Data Information System (PDIS) | A set of PD contained in databases and ensuring their processing using information technologies and technical means. |
Cross-Border Transfer of PD | Transfer of PD to the territory of a foreign state to a foreign government authority, foreign natural person, or foreign legal entity. |
Confidentiality of PD | A mandatory requirement for the Operator and other persons who have gained access to PD not to disclose or distribute PD to third parties without the consent of the data subject, unless otherwise provided by federal law. |
Confidential Personal Information (cookies, IP) | Information that may be processed when visiting the Website and which is automatically transmitted to Website services during their use via software installed on the data subject's device using cookie files (metric programs). Cookies/IP, when combined with other data of the data subject, if they allow identification of the website visitor, are considered their PD and require separate informed consent (choice). |
Cookie | Small text files that a website saves on a visitor's computer via the browser to remember information about them, making work with the Website more convenient and personalized, and also used for traffic analysis. |
IP Address | A unique numerical identifier of a device (computer, server) in a computer network that allows devices to find each other, exchange data, and determine location. |
3. PURPOSES OF PROCESSING WEBSITE VISITORS' PERSONAL DATA
3.1. Establishing feedback with website visitors when they submit questions regarding the provision of services by the Operator and the use of the Website, and processing these questions.
3.2. Providing website visitors with effective customer and technical support when problems arise related to the use of the Website.
3.3. Conducting traffic monitoring, processing preferences, and collecting statistical information about Website visits.
4. COLLECTION AND PROCESSING OF PERSONAL DATA
4.1. Categories of PD permitted for processing under this Policy, which are provided by the website visitor by completing the corresponding registration form on the Website:
• First name;
• Email address;
• Phone number;
• Information about the source from which the website visitor arrived at the Website (referral tag).
4.2. Legal basis for processing PD:
• Based on the informed consent of the website visitor, expressed including by placing a special mark (checkbox) in the corresponding field of the registration form on the Website;
• In cases where processing of PD is necessary for the Operator to carry out and fulfill functions, powers, and obligations imposed by legislation of the Russian Federation to transfer information to authorized state authorities of the Russian Federation.
4.3. The decision to provide PD with consent to their processing is made by the website visitor freely, at their own will, and in their own interest. Consent to PD processing is specific, subject-matter, informed, conscious, and unambiguous. Consent to PD processing is given by the website visitor separately from other information.
4.4. Consent to PD processing is valid for the period necessary to achieve the purposes of processing, but no longer than three years, and may be withdrawn by the website visitor by sending a corresponding request to the Operator's email address: office@megapalacehotel.ru. The Operator's processing time for a withdrawal request is 3 business days.
4.5. In case of withdrawal of consent to PD processing, the Operator has the right to continue processing PD without the consent of the data subject if grounds specified in paragraphs 2–11 of Part 1 of Article 6, Part 2 of Article 10, and Part 2 of Article 11 of Federal Law No. 152-FZ dated July 27, 2006 exist.
4.6. List of actions performed with website visitors' PD: collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, transfer (provision, access), depersonalization, blocking, deletion, destruction.
4.7. Methods of processing website visitors' PD: mixed, with transmission of received information via the Operator's internal network, with transmission via the Internet.
4.8. Processing of Preferences and Website Visit Statistics
4.8.1. Confidential personal information is collected automatically in connection with activity on the Website by the website visitor. When visiting the Website, all account logins are recorded.
4.8.2. Processing of depersonalized data of website visitors is carried out using metric programs Yandex.Metrica and VK Pixel (cookie files). The use of these services is necessary for the Operator to promptly analyze Website visits, internal and external Website traffic, depth of views, and activity of website visitors.
4.8.3. If a website visitor, for any reason, does not wish for services installed on the Website to access their personal information, the visitor may, at their own discretion, log out of their account and clear cookies via their browser. Disabling cookies may result in inability to access parts of the Website requiring authorization.
4.9. The Operator is not entitled to transfer information relating to a website visitor's PD to third parties without the written consent of the data subject, except in cases where such information is transferred upon request of authorized state authorities of the Russian Federation in accordance with Russian legislation.
4.10. The Operator does not carry out cross-border transfer of website visitors' PD obtained via the Website.
4.11. Storage of website visitors' PD is carried out in a form that allows identification of the data subject, for the period necessary to achieve the purposes of processing, but no longer than three years. The storage period of PD entered into the PDIS corresponds to the storage period of paper originals.
4.12. Processing of website visitors' PD is terminated by the Operator:
• Upon detection of unlawful processing of PD (termination period — 3 business days from the date of detection of such fact);
• Upon achievement of the purposes of their processing (except in cases provided for by legislation of the Russian Federation);
• Upon expiration of the PD processing period (three years);
• Upon request by the website visitor to the Operator to terminate PD processing, or upon withdrawal by the website visitor of consent to processing of their PD (except in cases provided for by legislation of the Russian Federation).
4.13. Depersonalization of PD is applied to:
• Protect PD from unauthorized access and possible abuse;
• Enable the use of large datasets for state purposes and technology development without risk of disclosing identity;
• Ensure transparency and control over the processing of such data within the framework of the law.
4.14. Methods that may be used in the process of depersonalizing PD:
• Identifier introduction method — replacing part of the information (PD values) with identifiers and creating a correspondence table (directory) of identifiers to original PD;
• Composition or semantics modification method — changing the composition or semantics of PD, including by replacing with results of statistical processing or removing part of the information (PD values);
• Decomposition method — splitting the PD array into several parts with subsequent separate storage;
• Shuffling method — rearranging individual records, as well as groups of records, in the PD array;
• Decomposition of PD subject to depersonalization — implemented by dividing the array of PD subject to depersonalization into a specified number of parts with subsequent separate storage.
4.15. PD obtained as a result of depersonalization may be processed with or without the use of automation tools and are not subject to disclosure or provision to third parties who process PD using additional information that allows direct or indirect identification of a specific natural person.
4.16. When processing depersonalized PD in the PDIS, the Operator ensures compliance with password protection of the PDIS, antivirus policy, rules for working with removable media (if used), backup rules, and access rules to premises where PDIS elements are located.
4.17. In case of detection of unlawful processing of PD upon request of the data subject or upon request of the data subject, the Operator blocks unlawfully processed PD relating to this data subject, or ensures their blocking (if PD processing is carried out by another person acting on behalf of the Operator) from the moment of such request or receipt of the specified request for the verification period.
4.18. In case of detection of inaccurate PD upon request of the data subject or upon request of the data subject, the Operator blocks PD relating to this data subject, or ensures their blocking (if PD processing is carried out by another person acting on behalf of the Operator) from the moment of such request or receipt of the specified request for the verification period, if blocking of PD does not violate the rights and legitimate interests of the data subject or third parties.
4.19. Upon confirmation of the fact of inaccuracy of PD, the Operator, based on information provided by the data subject, is obliged to clarify the PD or ensure their clarification (if PD processing is carried out by another person acting on behalf of the Operator) within seven business days from the date of submission of such information and remove the blocking of PD.
4.20. In case of detection of unlawful processing of PD carried out by the Operator or a person acting on behalf of the Operator, the Operator, within a period not exceeding three business days from the date of such detection, terminates the unlawful processing of PD or ensures termination of unlawful processing of PD by a person acting on behalf of the Operator.
4.21. If ensuring the lawfulness of PD processing is impossible, the Operator, within a period not exceeding ten business days from the date of detection of unlawful processing of PD, destroys such PD or ensures their destruction. The Operator notifies the data subject of the elimination of violations or destruction of PD, and in case the data subject's request or the request of an authorized body for protection of data subject rights was sent through the authorized body for protection of data subject rights, also notifies said body.
4.22. Upon achievement of the purposes of PD processing or in case of loss of necessity to achieve these purposes, the Operator terminates PD processing or ensures its termination (if PD processing is carried out by another person acting on behalf of the Operator) and destroys PD or ensures their destruction (if PD processing is carried out by another person acting on behalf of the Operator) within a period not exceeding thirty days from the date of achievement of the purpose of PD processing, if the Operator is not entitled to process PD without the consent of the data subject on grounds provided for by federal laws, or depersonalizes PD, unless otherwise provided by current legislation of the Russian Federation.
4.23. Employees of the Operator who violate the requirements of Federal Law "On Personal Data" and normative legal acts adopted in accordance therewith shall bear material, disciplinary, administrative, civil, or criminal liability in the manner established by legislation of the Russian Federation.
5. RIGHTS OF THE PERSONAL DATA SUBJECT
5.1. The data subject has the right to receive information concerning the processing of their PD, including:
• Confirmation of the fact of PD processing by the Operator;
• Legal grounds and purposes of PD processing;
• Purposes and methods of PD processing used by the Operator;
• Name and location of the Operator, information about persons (except for Operator employees) who have access to PD or to whom PD may be disclosed based on a contract with the Operator or based on federal law;
• Processed PD relating to the corresponding data subject, source of their receipt, if a different procedure for providing such data is not provided for by federal law;
• Periods of PD processing, including storage periods;
• Information about completed or proposed cross-border data transfer;
• Name or surname, first name, patronymic, and address of the person processing PD on behalf of the Operator, if processing is delegated or will be delegated to such person;
• Other information provided for by Federal Law "On Personal Data."
5.2. The data subject has the right to demand from the Operator clarification of PD, their blocking or destruction in case the PD are incomplete, outdated, inaccurate, unlawfully obtained, or are not necessary for the stated purpose of processing, and also to take measures provided by law to protect their rights.
6. PROTECTION OF PERSONAL DATA
6.1. When processing PD, the Operator takes necessary legal, organizational, and technical measures to protect PD from accidental or unlawful access, destruction, modification, blocking, copying, provision, distribution of PD, as well as from other unlawful actions in relation to PD.
6.2. Main PD protection measures used by the Operator include:
• Appointment of a person responsible for organizing PD processing, training and instruction, internal control over compliance with PD protection requirements (at least once a year);
• Identification and authentication of data (users who are Operator employees, external users who are not Operator employees), management of identifiers and authentication tools;
• Determination of current threats to PD security during their processing in the PDIS and development of measures and activities for PD protection;
• Establishment of access rules to PD processed in the PDIS, and ensuring registration and accounting of all actions performed with PD in the PDIS;
• Establishment of individual access passwords for Operator employees to the PDIS in accordance with their job responsibilities;
• Application of information security tools that have passed the conformity assessment procedure in the established manner;
• Certified antivirus software on workstations and servers with regularly updated databases;
• Compliance with conditions ensuring PD integrity and excluding unauthorized access to them;
• Detection of facts of unauthorized access to PD and taking corresponding measures;
• Restoration of PD modified or destroyed as a result of unauthorized access;
• Training of Operator employees on provisions of Russian Federation legislation on PD, including requirements for PD protection, familiarization with documents defining the Operator's policy regarding PD processing, and local acts on PD processing;
• Scanning of services and applications for vulnerabilities using a combination of static source code analysis and dynamic testing to ensure software security;
• Encryption of all data during transmission using TLS/SSL;
• Configuration management of the information system and PD protection system;
• Conducting independent penetration testing of the Website on an annual basis;
• Protection of technical means, control and management of physical access to technical means, protection tools, and functioning support tools;
• Control (analysis) of PD security with regular security checks (at least once a year);
• Handling of data subject requests.
6.3. PD security threat models are provided for in legislative acts of the Russian Federation, methodological documents of state bodies (FSTEC/RKN), and standards (GOST).
6.4. For PD obtained by the Operator via the Website, protection level UZ-3 is applied (when processing data from 1,000 to 100,000 data subjects, threats of type 3 exist (individual malicious actors), and special and biometric categories of PD are absent).
7. FINAL PROVISIONS
7.1. This Policy shall be posted on the Website megapalacehotel.com and unrestricted access to it shall be ensured.
7.2. This Policy is subject to amendment and supplementation in case of emergence of new legislative acts and special regulatory documents on processing and protection of PD, but no less than once a year.
7.3. Control over compliance with the requirements of this Policy is carried out by the person responsible for organizing PD processing, appointed by the Operator.
7.4. Liability of officials of the Operator who have access to PD for failure to comply with requirements regulating processing and protection of PD is determined in accordance with legislation of the Russian Federation and internal regulatory documents of the Operator.
Last Revised: January 22, 2026