PERSONAL DATA PROCESSING POLICY
Revision dated March 26, 2026
This document is a translation of the original Russian version, provided for informational purposes only. In case of any discrepancy between this translation and the Russian original, the Russian version shall prevail.
Controller Information
Name: Zeon Lab Email: support@zeonbot.com Website: https://zeonbot.com
1. General Provisions
1.1. This Personal Data Processing Policy (hereinafter — the "Policy") defines the procedure for processing and protecting personal data of users of the online service "ZeonBot" (hereinafter — the "Service").
1.2. Personal Data Controller — Zeon Lab (hereinafter — the "Controller").
1.3. This Policy has been developed in accordance with:
- Federal Law No. 152-FZ dated July 27, 2006 "On Personal Data" (hereinafter — "152-FZ");
- Government Decree No. 1119 dated November 1, 2012 "On Approval of Requirements for the Protection of Personal Data during Processing in Personal Data Information Systems";
- other regulatory acts of the Russian Federation in the field of personal data protection.
1.4. This Policy is an integral part of the Service Agreement (Public Offer) published at https://zeonbot.com.
1.5. By using the Service and/or providing personal data, the user (hereinafter — the "Data Subject") expresses consent to the terms of this Policy. If the Data Subject does not agree with the terms of the Policy, they must cease using the Service.
2. Categories of Personal Data Subjects
2.1. The Controller processes personal data of the following categories of subjects:
- users of the Service — individuals who use the functional capabilities of the Service on a subscription basis.
3. Personal Data Processed
3.1. The Controller processes the following categories of personal data:
Data provided by the Data Subject:
- email address.
Data collected automatically when using the Service:
- IP address;
- cookie data;
- browser type and version, operating system;
- date and time of access to the Service;
- user actions within the Service (usage logs).
Data received from third parties:
- payment information from engaged payment agents: payment confirmation, amount, date, payment method, transaction identifier (without storage of bank card details).
Data that the Controller does NOT collect or store:
- bank card data (processed directly by payment agents);
- passport data;
- biometric personal data;
- special categories of personal data.
4. Purposes and Legal Grounds for Processing
4.1. The Controller processes personal data for the following purposes:
| Purpose of Processing | Legal Basis | Data Used |
|---|---|---|
| Performance of the service agreement (providing access to the Service) | Art. 6(1)(5) of 152-FZ (contract performance) | |
| Identification of the Data Subject when using the Service | Art. 6(1)(5) of 152-FZ (contract performance) | |
| Payment processing and record keeping | Art. 6(1)(5) of 152-FZ (contract performance) | Email, payment information |
| Communication with the Data Subject (technical support, notifications) | Art. 6(1)(5) of 152-FZ (contract performance) | |
| Security and abuse prevention | Art. 6(1)(5) of 152-FZ (contract performance) | IP address, usage logs |
| Service improvement and usage analytics | Data Subject's consent (Art. 6(1)(1) of 152-FZ) | Cookies, anonymized browser data, logs |
5. Methods of Personal Data Processing
5.1. Processing is carried out using automated means.
5.2. Processing includes: collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (provision, access), anonymization, blocking, deletion, and destruction.
5.3. The Controller does not process special categories of personal data (Art. 10 of 152-FZ) or biometric personal data (Art. 11 of 152-FZ).
6. Transfer of Personal Data to Third Parties
6.1. The Controller transfers personal data to the following categories of third parties:
| Recipient | Purpose of Transfer | Data Transferred | Legal Basis |
|---|---|---|---|
| Payment agents (acquiring banks, payment service providers) | Payment processing | Email, order identifier, amount | Contract performance |
| Hosting provider | Storage and processing of Service data | All data (in encrypted form) | Contract performance (data processing assignment, Art. 6(3) of 152-FZ) |
| Analytics services (subject to consent) | Collection of anonymized statistics | Cookies, anonymized browser data | Data Subject's consent |
6.2. The Controller does not sell and does not transfer personal data to third parties for marketing or advertising purposes.
6.3. The Controller may transfer personal data upon request of authorized state bodies of the Russian Federation in cases provided for by law (Art. 6(1)(2) of 152-FZ).
7. Cross-Border Transfer of Personal Data
7.1. Servers hosting the Service may be located outside the Russian Federation.
7.2. Cross-border transfer of personal data is carried out in accordance with Art. 12 of 152-FZ and only to countries that provide adequate protection of the rights of personal data subjects.
7.3. Primary recording, systematization, and storage of personal data of citizens of the Russian Federation is carried out using databases located within the territory of the Russian Federation (Art. 18(5) of 152-FZ).
8. Personal Data Retention Periods
8.1. Personal data is stored for the entire period of the Data Subject's use of the Service.
8.2. After cessation of use of the Service, personal data is stored for 1 (one) year, after which it is destroyed.
8.3. Payment information is stored for 5 (five) years in accordance with the tax legislation of the Russian Federation.
8.4. Upon withdrawal of consent for personal data processing, the Controller ceases processing and destroys the data within 30 (thirty) calendar days, except for data whose processing is required by law (clause 8.3).
9. Procedure for Destruction of Personal Data
9.1. Destruction of personal data is carried out by irreversible deletion of records from the Controller's databases.
9.2. Upon destruction of personal data, the Controller prepares a destruction certificate (upon request of the Data Subject).
9.3. Destruction is carried out in the following cases:
- upon expiration of retention periods (Section 8);
- upon the Data Subject's withdrawal of consent;
- upon achievement of the processing purpose;
- upon detection of unlawful processing — within 10 business days.
10. Protection of Personal Data
10.1. The Controller implements organizational and technical measures to protect personal data in accordance with Art. 19 of 152-FZ, including:
- use of secure data transmission protocols (HTTPS/TLS);
- restriction of the circle of persons who have access to personal data;
- encrypted data storage;
- regular updates of software and security systems;
- access control to data processing systems.
10.2. The Controller does not store bank card data. Payment details are processed directly by certified payment agents (acquiring banks and payment service providers) compliant with the PCI DSS standard.
10.3. The Data Subject understands and agrees that the transmission of information over the Internet always involves certain risks. The Controller takes reasonable measures to protect data but cannot guarantee absolute security of information during its transmission over the Internet.
10.4. The Controller is not liable for loss, theft, or unauthorized disclosure of data if it occurred due to the fault of third parties or the Data Subject themselves.
11. Rights of the Data Subject
11.1. The Data Subject has the right (Art. 14, 15, 16, 21 of 152-FZ):
- to obtain information about the processing of their personal data (list of data, purposes, retention periods, third parties);
- to request correction of personal data, their blocking or destruction, if they are incomplete, outdated, inaccurate, or unlawfully obtained — the Controller must make changes within 7 business days (Art. 21 of 152-FZ);
- to withdraw consent to personal data processing;
- to request cessation of processing of personal data for the purposes of promoting goods/services;
- to request deletion of personal data;
- to file a complaint about the Controller's actions with the authorized body — the Federal Service for Supervision of Communications, Information Technology, and Mass Media (Roskomnadzor) or with a court.
11.2. To exercise their rights, the Data Subject sends a request to the email address: support@zeonbot.com. The request must include: full name (or email), the nature of the request, and contact information for the response.
11.3. The Controller reviews the request within 10 (ten) business days from the date of receipt. If additional verification is required, the period may be extended, and the Data Subject will be notified accordingly.
11.4. Withdrawal of consent for personal data processing may result in the inability to continue providing services (access to the Service), of which the Data Subject is notified prior to cessation of processing.
12. Cookies
12.1. The Service uses cookies for:
- ensuring proper operation of the web interface (authentication, sessions);
- collecting Service usage statistics.
12.2. Functional cookies (necessary for the Service operation) are set automatically. Analytical cookies are set with the Data Subject's consent.
12.3. The Data Subject may disable cookies in browser settings. Disabling functional cookies may result in the inability to use the Service web interface.
13. Consent to Personal Data Processing
13.1. Consent to personal data processing is provided by the Data Subject through conclusive actions: using the Service, paying for a Subscription (Art. 9(1) of 152-FZ).
13.2. Separate consent of the Data Subject is not required for data processing necessary for contract performance (Art. 6(1)(5) of 152-FZ) and compliance with legal obligations (Art. 6(1)(2) of 152-FZ).
13.3. The Data Subject may withdraw consent to personal data processing by sending a request to the email address: support@zeonbot.com. The procedure for withdrawal and its consequences are set out in clause 11.4 of this Policy.
14. Changes to the Policy
14.1. The Controller reserves the right to amend this Policy. The current version is published at https://zeonbot.com.
14.2. Continued use of the Service after publication of changes constitutes the Data Subject's acceptance of the updated Policy.
14.3. The Controller recommends that Data Subjects periodically check the current version of the Policy.
15. Responsible Person and Contact Information
Personal Data Controller:
Name: Zeon Lab Email for personal data inquiries: support@zeonbot.com Website: https://zeonbot.com