1. General provisions

1.1. This Policy has been developed in accordance with Federal Law No. 152‑FZ of 27.07.2006 "On Personal Data", the Labor Code of the Russian Federation, Decree of the Government of the Russian Federation No. 687 of 15.09.2008, Decree of the Government of the Russian Federation No. 1119 of 01.11.2012 and other regulatory legal acts of the Russian Federation.

1.2. The Policy defines the procedure for processing and measures to ensure the security of personal data taken by LIV LLC (hereinafter referred to as the Operator).

1.3. The Operator ensures the legality, fairness and confidentiality of personal data processing, protection of human and civil rights and freedoms.

1.4. The Policy applies to all personal data processed by the Operator, including the data of:

- employees;

- job seekers;

- clients and counterparties;

- representatives of legal entities;

- site visitors and users https://taigaiot.com;

- other subjects of personal data.

1.5. The Policy is a publicly available document and is posted on the Operator's website.

2. Basic concepts used in the Policy

2.1. Automated personal data processing is the processing of personal data using computer technology.

2.2. Blocking of personal data is the temporary termination of the processing of personal data (except in cases where the processing is necessary to clarify personal data).

2.3. Website is a collection of graphic and informational materials, computer programs and databases that ensure their availability on the Internet at https://taigaiot.com.

2.4. Personal data information system is a set of personal data contained in databases and information technologies and technical means that ensure their processing.

2.5. Depersonalization of personal data - actions as a result of which it is impossible to determine the identity of personal data to a specific subject without using additional information.

2.6. Personal data processing is any action (operation) or set of actions (operations) performed with personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (provision, access), depersonalization, blocking, deletion, destruction.

2.7. Operator is a legal entity or individual who independently or jointly with other persons organizes and/or performs the processing of personal data, as well as determines the purposes of personal data processing and their composition.

2.8. Personal data - any information relating directly or indirectly to a specific or identifiable natural person (personal data subject).

2.9. Personal data subject - an individual to whom personal data relate.

2.10. Website User - a person who visits the Operator's website.

2.11. Provision of personal data - actions aimed at disclosing personal data to a certain person or a certain circle of persons.

2.12. Dissemination of personal data - actions aimed at disclosing personal data to an unspecified group of persons, including posting on the Internet.

2.13. Cross-border transfer of personal data is the transfer of personal data to the territory of a foreign state to a foreign authority, individual or legal entity.

2.14. Destruction of personal data - actions as a result of which personal data is destroyed without the possibility of their recovery.

3. Categories of subjects and composition of personal data processed

3.1. Employees: full name, date of birth, passport data, address, phone, email, SNILS, INN, information about education, employment, marital status, bank details, payroll data and other data necessary for employment relations.

3.2. Applicants:

full name, contacts, resume information, education, work experience.

3.3. Clients and counterparties:

full name, position, contacts, details of contracts.

3.4. Website users:

full name, phone number, email, IP address, cookies, web analytics data.

3.5. Biometric personal data is not collected, processed or stored by the Operator.

3.6. Special categories of personal data (information about health status, race and nationality, political views, religious or philosophical beliefs, intimate life) They are not processed by the Operator, except in cases directly provided for by the legislation of the Russian Federation.

4. Purposes of personal data processing

Personal data is processed for the purposes of:

- conclusion, execution and termination of employment contracts;

- maintaining personnel, accounting and tax records;

- calculation and payment of wages and other payments;

- providing information to government agencies (FTS, SFR, Rosstat, etc.);

- execution of contracts with clients and counterparties;

- providing access to corporate information systems and cloud services;

- ensuring the functioning of the website and its services;

- processing of website users' requests;

- sending information and service messages (subject to consent);

- conducting web analytics and improving the quality of the website;

- ensuring the safety of employees and monitoring the performance of duties;

- protection of property and legitimate interests of the Operator;

- organization of training, professional development and career development of employees;

- support of corporate culture, internal communications and corporate events;

- compliance with the requirements of the legislation of the Russian Federation.

5. Legal grounds for personal data processing Personal data

processing is carried out on the basis of:

- consent of the personal data subject;

- conclusion and execution of employment contracts;

- conclusion and execution of civil law contracts;

- requirements of the legislation of the Russian Federation;

- the realization of the legitimate interests of the Operator, provided that the rights and freedoms of personal data subjects are not violated, including for the purposes of:

· ensuring the functioning of the website, information systems and services of the Operator,

· ensuring information security and preventing unauthorized access,

· protection of property, rights and legitimate interests of the Operator,

· consideration of appeals, claims and requests,

· maintaining internal accounting, reporting and record keeping,

· judicial protection of the Operator's rights.

6. Terms and procedure of processing

6.1. Processing is carried out by both automated and non-automated methods.

6.2. The Operator performs the following actions: collection, recording, systematization, accumulation, storage, refinement, use, transfer, depersonalization, blocking, deletion, destruction.

6.3. Personal data is processed only to the extent necessary to achieve the purposes of processing.

6.4. The terms of processing and storage of personal data are determined by the purposes of processing and the requirements of the legislation of the Russian Federation:

6.4.1. Personal data of employees and personnel documents are stored within the time limits established by the legislation on archival affairs of the Russian Federation, including up to 75 (seventy-five) years in accordance with Federal Law No. 125-FZ "On archival affairs in the Russian Federation" and a list of standard administrative archival documents approved by the authorized federal body.

6.4.2. Personal data of other subjects (applicants, contractors, site users) are stored for no longer than the purposes of processing require, or until the consent of the personal data subject is revoked, unless otherwise provided by law.

7. Transfer of personal data to third parties

7.1. The Operator has the right to entrust the processing of personal data to third parties on the basis of a contract for the processing of personal data (contract /agreement with conditions of protection and confidentiality).

7.2. Such persons may include: hosting providers, cloud infrastructure operators (including Yandex Cloud), accounting and IT services, and web analytics operators.

When transferring personal data to third parties, the Operator is obliged to:

- conclude a contract or agreement with them, including obligations to respect confidentiality and the requirements of the legislation of the Russian Federation on personal data;

- ensure that third parties process personal data strictly to the extent and for the purposes specified in the contract;

- monitor third parties' compliance with personal data protection requirements.

7.3. The transfer of personal data to government agencies is carried out only in cases stipulated by the legislation of the Russian Federation.

7.4. Cross-border transfer of personal data on the territory of foreign states not included in the list of countries providing adequate protection of the rights of PD subjects (the current register on pd.rkn.gov.ru ), may be carried out only with the written consent of the personal data subject and/or the performance of the contract.

8. Localization of personal data

8.1. The processing of personal data is carried out by the Operator in compliance with the requirements of the legislation of the Russian Federation in the field of personal data.

8.2. When collecting personal data, including via the Internet, the Operator ensures the recording, systematization, accumulation, storage, clarification (updating, modification) and extraction of personal data of citizens of the Russian Federation using databases located on the territory of the Russian Federation, in accordance with the requirements of Federal Law No. 152-FZ.

8.3. The Operator's personal data information systems and databases are hosted on servers located in the Russian Federation, including the infrastructure of Russian cloud service providers (including Yandex Cloud services), which provide data storage exclusively in data centers located in the Russian Federation.

8.4. The User has the right to receive any clarifications regarding the processing of his personal data by contacting the Operator by e-mail. info@taigaiot.com

8.5. The Policy is valid indefinitely until it is replaced by a new version. The current version is freely available on the official website of the Operator.

9. Use of cookies and analytics

9.1. The Website uses cookies and web analytics technologies (for example, Yandex.Metrica).

9.2. Cookies are used for the correct operation of the website, traffic analysis and user experience improvement.

9.3. Processing is carried out based on the user's consent expressed through the cookie banner.

9.4. The user can disable cookies in the browser settings.

10. Personal data information systems

10.1. The processing of personal data by the Operator is carried out using personal data information systems (ISPs).

10.2. Personal data is processed in the following information systems:

- personnel and accounting of employees;

- electronic document management;

- corporate email;

- the Operator's official website;

- web analytics systems (Yandex.Metrica);

- cloud infrastructure (Yandex Cloud, servers are located on the territory of the Russian Federation).

10.3. All databases of personal data used by the Operator are hosted and processed on the territory of the Russian Federation (localization requirement, art. 18.1 of Federal Law No. 152-FZ).

11. Security measures

11.1. Protection is carried out in accordance with Articles 18.1 and 19 152-FZ, Resolution No. 1119, FSTEC Order No. 21 and taking into account the new requirements for anonymization for GIS (art.13.1).

11.2. The security level UZ-2 has been established for ISPDn.

11.3. Organizational measures:

- a responsible person has been appointed;

- local acts have been developed;

- access is restricted;

- employees have been familiarized with the signature;

- compliance is monitored.

11.4. Technical measures:

- identification and authentication of users;

- access control;

- antivirus protection;

- firewalls;

- backup;

- event logging;

- leakage protection;

- the use of certified SPI if necessary.

12. Rights of personal data subjects

12.1. The personal data subject has the right to:

- receive information regarding the processing of his personal data, including confirmation of the fact of processing, legal grounds, purposes, methods of processing, retention periods, a list of processed data and information about the persons to whom the data is transferred;

- request access to your personal data and receive copies of it;

- require clarification, updating, correction of inaccurate or incomplete data;

- require the blocking or destruction of personal data in cases provided for by law.;

- require restrictions on the processing of personal data;

- revoke previously given consent to the processing of personal data;

- object to the processing of personal data carried out on the basis of the legitimate interests of the Operator;

- to demand protection of their rights and legitimate interests, including compensation for damages and compensation for moral damage;

- appeal against actions (inaction) The operator is referred to Roskomnadzor or in court.

12.2 Requests and requests regarding the processing of personal data are sent to the Operator:

- by e-mail: info@taigaiot.com

- or by the postal address of the Operator.

12.3 The Operator considers the requests of personal data subjects and provides a response no later than 10 working days from the date of receipt of the request, unless other deadlines are established by the legislation of the Russian Federation.

13. Cross-border transfer

13.1. It is carried out only in compliance with the requirements of the legislation of the Russian Federation and there are legitimate grounds.

14. Notification of the authorized body

14.1 The Operator, in accordance with the procedure established by law, notified the authorized body for the protection of the rights of personal data subjects (the Federal Service for Supervision of Communications, Information Technology and Mass Communications - Roskomnadzor) of its intention to process personal data.

14.2 Information about the Operator is entered in the register of personal data operators: Registration number: 54-22-007189 Date of inclusion in the register: 14.09.2022.

14.3 In case of changes in the purposes, composition of the personal data being processed, processing methods, information systems or other information subject to notification, the Operator ensures timely changes to the register of personal data operators.

14.4 In case of a change in objectives, composition or other information, the Operator notifies the RCN and makes changes to the register.

15. Final provisions

15.1 This Policy was approved by the Order of the General Director of LIV LLC / Internet of Things Laboratory (according to Registry No. 54-22-007189), No. 84-1 dated August 31, 2025.

15.2 The Policy is put into effect from the date of approval and is valid indefinitely until the adoption of a new version.

15.3 The Operator has the right to make changes to this Policy. The new version is approved by the order of the Operator and posted on the official website.