1. General provisions

This Privacy Policy and Website Terms of Use (hereinafter — the Policy, Website Terms of Use) is an official document of TOCCO LLC, registered address: 109028, Moscow, Kazarmenny lane, bldg. 3, floor 1, premises XXXI, room 1-9 (hereinafter — the Company) regarding the processing of personal data, and it defines the procedure for processing and protecting information about various categories of personal data subjects, except for employees, former employees and relatives of employees.

The Company has developed this Policy, which describes how the Company processes personal data, including for the purposes of concluding, performing and terminating the Website Terms of Use agreement.

Relations concerning the processing of personal data are governed by this Policy, other official documents of the Company and the current legislation of the Russian Federation. The Policy applies to all persons using the Website. The Policy also contains the terms of the Website Terms of Use agreement. By continuing to use the Website (any of its functionality), you agree to this Policy and the terms of the Website Terms of Use agreement.

2. Principles of personal data processing

Personal data processing is based on the following principles:

  • personal data processing is carried out on a lawful and fair basis;
  • personal data processing is limited to the achievement of specific, predetermined and lawful purposes;
  • processing of personal data incompatible with the purposes of their collection is not allowed;
  • it is not allowed to merge databases containing personal data, the processing of which is carried out for purposes incompatible with each other;
  • only personal data that meet the purposes of their processing are subject to processing;
  • the content and volume of processed personal data correspond to the declared processing purposes. Excessive processing of personal data in relation to the declared purposes is not allowed;
  • when processing personal data, the accuracy of personal data, their sufficiency and, where necessary, their relevance to the processing purposes are ensured; necessary measures are taken to delete or clarify incomplete or inaccurate personal data;
  • personal data are stored in a form that allows identification of the user or another personal data subject, no longer than required by the processing purposes, unless the storage period is established by federal law, consent to processing, or an agreement to which the personal data subject is a party, beneficiary or guarantor;
  • processed personal data are destroyed upon achievement of the processing purposes or in case there is no longer a need to achieve these purposes, unless otherwise provided by federal law;
  • personal data processing is not used for the purpose of causing material and/or moral harm to personal data subjects, or to hinder the exercise of their rights and freedoms.

3. Purposes of the Policy

  • ensuring the protection of human and civil rights and freedoms when processing personal data, including the protection of the right to privacy, personal and family secrets, from unauthorized access and disclosure;
  • ensuring the security of personal data during their collection, receipt, processing (use), transfer, storage, destruction and other actions provided for by law;
  • ensuring proper fulfillment of obligations assumed by the Company in the process of concluding and executing the Goods Purchase Rules and the Website Terms of Use agreement.

4. Purposes and grounds for personal data processing

The Company may process personal data solely for the purposes for which they were collected or received.

The collection and processing of personal data is carried out for the following purposes:

  • User identification for feedback and request processing;
  • Providing feedback to the user, including sending responses to requests, notifications and information related to the use of the website and the provision of services;
  • Conclusion and execution of contractual relations (if necessary);
  • Improving the quality of service, enhancing the operation of the website and the services provided;
  • Compliance with the requirements of the legislation of the Russian Federation in the field of personal data processing and storage.

The transfer of personal data via feedback forms is voluntary. By submitting their data, the user expresses informed and conscious consent to their processing for the stated purposes.

The Company has the right to enter personal data into information systems, store and process them by any means not contrary to law for the specified purposes. Upon achievement of the processing purposes or in case there is no longer a need to achieve these purposes, unless otherwise provided by law or separately agreed by the parties, the processed personal data are subject to destruction.

The processing of personal data for the purposes specified above is carried out by the Company on the following lawful grounds:

  • conclusion and execution of a contract to which the subject is a party, beneficiary or guarantor (including the Goods Purchase Rules and the Website Terms of Use agreement),
  • with the consent of the personal data subject,
  • to fulfill the functions and duties imposed on the Company by applicable law,
  • to exercise the rights and legitimate interests of the Company or third parties, or to achieve socially significant purposes, provided that the rights and freedoms of the subject are not violated.

5. Processing methods used by the Company

  • with the use of automation tools;
  • without the use of automation tools;
  • mixed processing.

The Company prohibits making decisions based solely on automated processing of personal data that give rise to legal consequences for the subject or otherwise affect their rights and legitimate interests.

The Company does not place personal data in publicly available sources without the consent of the subject.

When collecting personal data, the Company ensures the collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (distribution, provision, access), blocking, deletion and destruction of personal data of citizens of the Russian Federation using databases located in the territory of the Russian Federation.

Biometric personal data and special categories of personal data are not provided for the purposes of concluding and executing the Website Terms of Use agreement.

6. Rights and obligations of the subject

The scope of rights and obligations of the subject is determined by current legislation, including Federal Law No. 152-FZ dated July 27, 2006 “On Personal Data”.

This Policy only supplements the general provisions of regulatory legal acts for the purposes of regulating the interaction of the Company with users that has developed in the course of using the Website and its services, as well as with other personal data subjects.

The Company is unable to verify the accuracy of the personal data specified by the user of the Website during registration, except for the phone number and email address, but proceeds from the assumption that the user provides accurate personal data.

If the user has provided inaccurate personal data, they independently bear the risk of possible negative consequences (for example: denial of access restoration if the subject cannot be verified based on previously provided personal data, inability to return payment or issue goods). In case of a phone number change, the user is obliged to use the procedure for changing the phone number in their Account by entering a new phone number in the field where the previously registered phone number is specified and following the instructions on the Website.

The user is obliged to keep their credentials for accessing the Website and its services (login and password) secret from third parties. If the credentials become known to third parties or the user of the Website — the personal data subject — has grounds to assume such circumstances have occurred, they must contact technical support.

When processing personal data, the subjects have the right to:

  • request information concerning the processing of their personal data,
  • demand clarification, destruction or blocking of their personal data if the personal data is incomplete, outdated, inaccurate, unlawfully obtained or not necessary for the stated purpose of processing,
  • withdraw consent to the processing of personal data given to the Company,
  • appeal the actions of the Company in administrative or judicial proceedings.

In case of any questions and appeals regarding the processing of personal data, in particular to withdraw consent to the processing of personal data, the subject has the right to contact the Company by:

  • writing a letter to the Website technical support service at the email address specified on the Website from their account;
  • submitting a written notification to the Company's registered address;
  • other means provided by law or this Policy.

If there are subscriptions for receiving promotional communications, in addition to the methods specified above, the subject may request to unsubscribe from such communications by activating the automatic “Unsubscribe” function via the link present in the email containing the communication. In this case, sending communications to the email address from which the function was activated will cease.

The Company responds to requests from subjects within the time limits established by the legislation of the Russian Federation. If circumstances arise that require establishing additional information, the Company, in cases established by the legislation of the Russian Federation, has the right to extend the response period to the subject's request by up to 5 business days, provided that a reasoned notification of the reasons for the extension is sent to the subject.

7. Rights and obligations of the Company

The scope of rights and obligations of the Company as a personal data operator is determined by current legislation, including Federal Law No. 152-FZ dated July 27, 2006 “On Personal Data”.

This Policy only supplements the general provisions of regulatory legal acts for the purposes of regulating the interaction of the Company with users that has developed in the course of using the Website and its services, as well as with other personal data subjects.

8. Processing of personal data

The Company processes personal data in accordance with the requirements of the law, this Policy and local regulations.

Responsible persons of the Company:

  • organize the adoption of legal, organizational and technical measures to protect personal data from unlawful or accidental access, destruction, modification, blocking, copying, provision, distribution of personal data, as well as from other unlawful actions with respect to personal data;
  • exercise internal control over compliance with legal requirements;
  • bring to the attention of employees the provisions of legislation on the processing of personal data and the requirements for personal data protection;
  • organize the receipt and processing of appeals and requests, exercise control over the receipt and processing of such appeals;
  • take necessary measures to eliminate violations.

9. Transfer of personal data

The Company may engage third parties to process personal data in accordance with the legislation of the Russian Federation. Such third parties may include, in particular:

  • couriers and companies providing delivery services for Goods ordered through the Online Store;
  • counterparties of the Company providing services for Website hosting and support of information systems used, processing and transmission of fiscal data, acquiring services, and other services purchased by the Company for the above purposes;
  • state/municipal authorities in cases established by the legislation of the Russian Federation.

The Company may carry out cross-border transfer of personal data in cases provided for by the legislation of the Russian Federation and agreements with foreign companies, including to countries that do not provide adequate protection of the rights of personal data subjects.

The Company has the right to engage third parties in the processing of received personal data and/or transfer the received data to them, as well as receive data from them for the specified purposes without additional consent of the personal data subject, provided that such third parties ensure the confidentiality and security of personal data during processing. Processing of personal data by such third parties is permitted with or without the use of automation tools, by mixed processing, as well as performance by them of any actions on processing personal data that do not contradict the legislation of the Russian Federation. Processing of personal data by a third party may only be carried out on the basis of an agreement that specifies the list of actions (operations) that will be carried out with personal data and the purposes of processing, as well as provisions on ensuring the security of personal data, including requirements not to disclose or distribute personal data without the consent of the personal data subject, unless otherwise provided by the legislation of the Russian Federation, and requirements in accordance with art. 19 of Federal Law No. 152-FZ dated July 27, 2006 “On Personal Data”.

10. Destruction of personal data

Destruction (deletion) of personal data is carried out in the manner prescribed by current legislation and the Company's regulations.

In general terms, destruction (deletion) of personal data is carried out by responsible persons:

  • in cases provided for by law;
  • at the request of the personal data subject, a state body or a court;
  • upon expiration of storage periods;
  • upon achievement of the personal data processing purposes.

Destruction of personal data is carried out in such a way as to exclude the possibility of their theft and unauthorized use.

Destruction of paper documents is carried out using a paper shredder by cutting the documents into pieces, guaranteeing the impossibility of text restoration, or by other means.

Machine-readable media containing personal data — if any (except for PC hard drives and servers) — are stored in a safe. Machine-readable media are physically destroyed in order to make restoration and further use impossible. This is achieved by deformation, breaking the integrity of the medium or burning it.

Files subject to destruction located on the hard drive of a PC or server are deleted using operating system tools followed by “emptying the recycle bin”. Data from information systems are deleted using the tools and functionality of information systems, but in any case the possibility of restoring personal data is not provided.

If the personal data subject, on their own initiative, provides additional personal data not required to achieve the processing purpose, such data will be immediately destroyed by the Company after consideration of the appeal or other interaction with the subject.

11. Protection of personal data. Assessment of possible harm

For the purposes of protecting personal data, the Company applies measures and methods set forth in the legislation of the Russian Federation.

To preserve the security of personal data, this Policy does not describe specific security algorithms or schemes, only general solutions.

The solutions applied to ensure the security of personal data, implemented within the personal data protection system taking into account current threats to personal data security and applied information technologies, include, but are not limited to:

  • identification and authentication of access subjects and access objects;
  • access control of access subjects to access objects;
  • software environment restriction;
  • protection of machine-readable information media on which personal data are stored and/or processed;
  • registration of security events;
  • anti-virus protection;
  • intrusion detection (prevention);
  • control (analysis) of personal data security;
  • ensuring the integrity of the information system and personal data;
  • ensuring the availability of personal data;
  • protection of the virtualization environment;
  • protection of technical means;
  • protection of the information system, its means, communication and data transmission systems;
  • identification of incidents (a single event or a group of events) that may lead to failures or disruption of the information system and/or to the emergence of threats to personal data security (hereinafter — incidents), and response to them;
  • configuration management of the information system and the personal data protection system; the Company conducts periodic audits of the applied solutions and their updating.

The assessment of the harm that may be caused to users in the event of the Company's violation of the requirements of Federal Law No. 152-FZ dated July 27, 2006 “On Personal Data” is determined in accordance with articles 15, 151, 152, 1101 of the Civil Code of the Russian Federation, as well as Order of Roskomnadzor No. 178 dated October 27, 2022 “On Approval of the Requirements for Assessing the Harm That May Be Caused to Personal Data Subjects in the Event of Violation of the Federal Law ‘On Personal Data’”.

The correlation of this harm and the measures taken to prevent, avoid and/or eliminate its consequences is established in this Policy and other local regulations of the Company.

For the purposes of this Policy, harm means moral harm and/or material damage to the subject or the Company that may actually be caused if someone breaches the security architecture.

Prevention of harm is a set of legal, organizational and technical measures. Legal measures consist of studying and applying legislation on the prevention of harm, developing local acts and applying them in this area of the Company's activities.

Organizational measures include careful selection, training and placement of personnel, increasing their motivation in matters of harm prevention. Technical measures combine the creation of conditions and the implementation of measures to prevent harm, including:

  • ensuring the safety of the operator's property, including material information carriers, by establishing and maintaining appropriate security regimes.
  • preventing the Company's confidential information, including information constituting commercial and official secrets, from reaching unauthorized persons by allocating special premises for the processing and storage of personal data.
  • ensuring the information security of the Company and the uninterrupted operation of technical means of processing personal data.
  • ensuring the physical protection of facilities on the Company's balance sheet by establishing internal and access control regimes.
  • ensuring the physical protection of the Company's employees while performing their official duties, a comfortable moral and psychological climate and an atmosphere of business cooperation among our employees.
  • immediate restoration of personal data modified or destroyed as a result of unauthorized access to them.
  • constant monitoring of the level of personal data protection.

Measures to ensure the security of personal data in the Company in accordance with Federal Law No. 152-FZ dated July 27, 2006 “On Personal Data” include, among others, the following:

  • accounting of the categories and list of personal data processed by the Company, categories of subjects whose personal data are processed, storage periods and the procedure for destroying such personal data;
  • accounting of machine-readable personal data carriers and the Company's information systems in which personal data are processed;
  • determination of the required level of security of personal data processed in the Company's personal data information systems;
  • identification of threats to personal data security during their processing in information systems;
  • identification and implementation of technical and organizational measures ensuring personal data protection before the introduction of new personal data processing processes and new personal data information systems;
  • implementation and documentation of the assessment of harm that may be caused to personal data subjects in the event of violation of Federal Law No. 152-FZ dated July 27, 2006 “On Personal Data”, the correlation of this harm and the measures taken by the Company;
  • establishment of rules for access to personal data processed in information systems, as well as ensuring the registration and accounting of actions performed with personal data in information systems;
  • application of information protection tools that have undergone the conformity assessment procedure in the prescribed manner;
  • detection of facts of unauthorized access to personal data and other incidents, taking measures to eliminate and mitigate the consequences;
  • restoration of personal data modified or destroyed as a result of unauthorized access to them;
  • accounting of positions of the Company's employees whose access to personal data, processed both with and without the use of automation tools, is necessary for the performance of official (labor) duties;
  • ensuring that the Company's employees directly processing personal data are familiarized under signature with the provisions of the legislation of the Russian Federation on personal data, including requirements for the protection of personal data, this Policy and other local acts of the Company on the processing and protection of personal data, training of the Company's employees;
  • control and assessment of the effectiveness of the applied measures to ensure the security of personal data before the commissioning of the personal data information system;
  • implementation of regular internal control/audit of compliance of personal data processing and security with the current legislation of the Russian Federation in the field of personal data processing and security.

In order to prevent harm, the Company has appointed a person responsible for organizing the processing of personal data and a person responsible for ensuring the security of personal data.

12. Collection and use of cookies and other web analytics tools

The Website and its services, interactive services and applications, email messages and any other communications on behalf of the Company may use identification cookie files and other technologies such as pixel tags and web beacons.

Such technologies help to understand the behavior of users of the Website and its services, in particular which sections of the Website and its services have been visited by users, and measure the effectiveness of advertising and online searches.

The user can disable cookies in the settings of the web browser or mobile device used. Please note that some features of the website may become unavailable after disabling cookies.

Some technical information is collected automatically and stored in statistics files. Such information includes, without limitation: the Internet Protocol address (IP address), browser type and language, Internet service provider information, referral and exit pages, operating system information, date and time stamp, as well as visit information. This information is used to understand and analyze trends, administer the Website, study user behavior on the Website and collect demographic information about the main user base as a whole.

Some email messages use interactive links to information posted on the Website. When users follow such links, their requests are separately registered before they reach the destination page on our Website. The Company tracks such “transit” data in order to determine the interest of users of the Website and its services in specific topics and measure the effectiveness of our communications with consumers. If the user does not want their communications to be tracked in this way, they should not follow text or graphic links in email messages.

Pixel tags allow us to send email messages in a format that is readable by consumers and report whether such messages have been read. The Company has the right to use such information to limit the number of messages sent to users or to stop sending them.

The Company uses the following types of web analytics tools:

Technical and functional cookies:

These files, generated by the Website engines, are used to ensure the smooth operation of the Website, as well as to remember the settings selected by the user (in particular, language control and pop-up banners).

Marketing and analytical cookies and pixels:

Yandex.Metrica and Google Analytics services are used to collect and statistically analyze data related to the use of the Website. Data collected by the web analytics systems used may be received and processed by third-party providers of such systems (in particular, Yandex LLC, Google LLC), including those located in other countries. In addition, various pixels of additional services may also be used.

13. Receiving advertising information. Refusal to receive advertising

The Company has the right to place various advertising materials on the pages of the Website. If the user of the Website does not wish to view these offers, they should not follow the text or graphic links posted.

Direct contact with the subject for the promotion of the Company's goods is permitted only with consent given during the registration and/or use of the Website or in any other way. The Company may request the subject's consent multiple times with each contact. If the consent is not given upon subsequent requests by the Company (for example, when filling out web forms with a corresponding consent checkbox), the previously given consent will not automatically be considered withdrawn and will continue to be valid for the period specified in the consent.

In the absence of consent to the processing of personal data for the purpose of promoting goods, works and services, the Company carries out communication only to fulfill obligations provided for by law or user requests: for example, when sending an electronic receipt for the purchase of goods, a callback or a letter following the consideration of an appeal.

At the time of giving consent, the subject confirms their desire to receive advertising mailings, indicating the desired methods of receiving them, if applicable.

Refusal to receive informational mailings does not entail any negative consequences for the subject. In this case, the Company takes measures aimed at excluding the means of communication specified by the subject from the informational mailing.

14. Final provisions

For violation of the requirements of regulatory acts and this Policy, the persons at fault are liable in accordance with the procedure established by the legislation of the Russian Federation.

The Company has the right to unilaterally make changes/additions to this Policy. For the changes/additions to come into force, the Company follows the procedure of publishing them on the Website in advance; they come into force 10 calendar days after the date of their publication, and no additional agreements need to be signed.

Special rule:

  • changes/additions made to the Policy and accompanying documents in connection with changes in legislative and regulatory requirements come into force immediately, at the time of publication, or simultaneously with the entry into force of changes in the said acts;
  • changes/additions made to the Policy and accompanying documents in connection with the addition of functions performed by the Website and its services, changes in the composition and structure of documents, terminology and in other similar cases, come into force after the publication of such changes/additions on the Website from the date specified therein.
  • any changes/additions to the Policy from the moment they come into force in compliance with the procedures described above apply to all persons using the Website and its services prior to the date of entry into force of the changes/additions.