// May 23–26, 2024, Luzhniki Sports Complex, Moscow

Privacy Notice

This Privacy Notice (hereinafter the Policy) governs the use of data received by JSC Positive Technologies, located at 8 Preobrazhenskaya Square, office 60, Preobrazhenskoye District, Moscow, 107061, Russian Federation (hereinafter the Company, we, or us) via the website of the international information security forum Positive Hack Days 12 (hereinafter the Forum) at phdays.com (hereinafter the website) and the website of the contractor RUVENTS LLC (hereinafter the Contractor, RUVENTS LLC).

In this Policy we openly explain all methods of personal data processing when using the Company's websites. As experts in the protection of devices, infrastructure, and data, we understand the importance of a proper approach to data privacy and security and adhere to the principle of comprehensive and complete protection of our users' personal data.

The Policy was developed by the Company in compliance with Federal Law No. 152-FZ On Personal Data in effect as of July 27, 2006 (hereinafter the Law). As an international company, we take into account provisions of other regulatory acts on personal data, including the General Data Protection Regulation (GDPR).

The Policy is developed and used in conjunction with the Consent to processing of personal data.

1. General information

1.1. Personal data is any information that refers directly or indirectly to a particular or designated individual. For instance, a person's last name, first name, middle name, or patronymic, passport data, INN, SNILS, job title, company name, email address, phone number, and other information shall be deemed personal data.

Personal data also includes technical information if it can be related to an individual: IP address, type of operating system, type of device (computer, cell phone, tablet), browser type, geolocation, web form entries, online service provider, and bank details. If we cannot relate the information to the individual in any way, we will not treat this information as personal data.

1.2. The Company processes only those personal data that we have received from users as physical persons via our websites, products, accounts in social networks, and services (hereinafter the Services).

1.3. This Privacy Notice defines the Company's policy of processing and protection of personal data and is available at phdays.com. We provide unrestricted access to the Privacy Notice to any person who has personally contacted the Company.

1.4. The primary goal of the Company is to ensure protection of the individuals' rights and freedoms during processing of personal data, including protection of one's right to personal and family privacy, and clear and strict compliance of requirements of the Russian law on personal data above all.

1.5. This Policy applies to all personal data on individuals processed by the Company, as well as to processes related to personal data processing. The Company may process personal data with or without automated data processing tools. The processes may include without limitation collection, recording, systematization, accumulation, storage, changing (updating, modification), electronic copying, extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, and erasure of personal data.

1.6. The Company processes and stores personal data on servers located in the Russian Federation.

1.7. The Company has the right to update this Policy as necessary. The Policy must be revised in case of significant changes in international or national legislation on personal data. If we process personal data, we undertake to notify you of any such changes by email.

1.8. The Company does not check validity of personal data or the legal capacity of the person providing such data. You guarantee that all data is valid, up-to-date, and compliant with the legislation of the Russian Federation.

2. Third-party services (Contractor)

RUVENTS LLC (INN 7703806326, OGRN 1147746160320)

2.1. The Company uses the Contractor's platform for the Forum. This is why RUVENTS LLC processes your personal data listed in the Policy, including data collection and storage. Such processing of personal data is governed by the terms of service of RUVENTS LLC.

2.2. We use the services provided by RUVENTS LLC to arrange your participation in the forum as a speaker. Therefore we process only the data collected by RUVENTS LLC, which we can access through the platform of RUVENTS LLC.

2.3. Send an email to users@runet-id.com if you have questions regarding the processing of your personal data by RUVENTS LLC or about your data that RUVENTS LLC stores.

3. Purposes of personal data processing

3.1. The Company shall be guided by sufficiency, reasonableness, and feasibility when processing personal data. We carry out processes related to personal data processing in cases and for purposes listed in this section.

3.2. When you access our Services. Personal data is processed in order to ensure proper performance of obligations by the Company, proper provision of services, receipt and processing of requests for such services, registration on the Services, identification of a Service user, recovery of Service password, and in any other cases related to such actions. Your use of the Services shall mean unconditional acceptance of this Policy and personal data processing conditions stated herein. If you disagree with this policy, stop using the Services immediately.

3.3. To encourage you to participate in events held by the Company by sending advertising and promotional materials encouraging you to participate in events held by the Company and its partners. To contact you, the Company shall have the right to use the phone number, email addresses, and messengers (including but not limited to Telegram) you provide.

3.4. When you participate in events held by the Company and register as a participant. Participation in events held by the Company shall mean unconditional acceptance of this Policy and personal data processing conditions stated therein. If the Subject of personal data disagrees with this Policy, he or she must stop participating in events immediately.

3.5. To inform you about the Company's activities: to provide you with information (including advertising) about the Company's services, software products, events, promotions, and other activities (among other things and through direct contact with you). To contact you, the Company shall have the right to use the phone number, email addresses, and messengers (including but not limited to Telegram) you provide.

3.6. To encourage you to cooperate with the Company: to provide you with information about the Company, its partners, and affiliates in order to encourage you to cooperate with the Company in its projects and activities (among other things, by direct contact with you). To contact you, the Company shall have the right to use the phone number, email addresses, and messengers (including but not limited to Telegram) you provide.

3.7. When contacting you to receive feedback and to provide you with any accurate and complete information related to the Company's activities. This information can include information about the Services, mail distribution of information on Services and services, and events and promotional activities arranged by the Company and/or authorized third parties. To contact you the Company shall have the right to use the phone number and/or email you provide.

3.8. When we receive your feedback:

  • To collect information on loyalty and satisfaction with Services and services, for further review and processing of that information.
  • To improve quality of Services and services.
  • To conduct any studies.

3.9. To ensure protection and confidentiality of your personal data. By processing personal data, we ensure operability and security of Services, confirm actions you perform, prevent fraud, cyberattacks, and other abuse, and perform investigation of such cases.

3.10. When considering candidates for vacant positions in order to consider a candidate, make a decision on hiring, and create a talent pool.

4. List of processed personal data

4.1. Depending on the web form you are filling out, we may process the following personal data:

4.1.1. General personal data: full name, position, company name, email address, phone number, messenger accounts (including Telegram), job, professional and personal interests

4.1.2. Other personal data: gender, date and place of birth, personal photo, citizenship, information about the place of residence and registration, identity documents, information about the position held, working conditions, basic and additional education, professional experience and skills, information on seniority, medical insurance, military registration, marital status and family, information about medical restrictions for work, suitability for the position (work performed), violations and penalties, awards and rewards, and employment expiration

4.2. Other information processed by the Company:

4.2.1. Data about technical devices: IP address, type of operating system, type of device (computer, cell phone, tablet), browser type, geolocation, web form entries, and Internet provider

4.2.2. Information automatically obtained from the Services, including using cookies. Cookies are text fragments automatically saved in the memory of your Internet browser using our website. This allows the website to access saved data on your computer and retrieve it when necessary. We use cookies to remember the language you use to access the website. Next time you visit our website, we will be able to take into account your preferences regarding the use of our website. Most Internet browsers save cookies automatically, but you can always change your browser settings and stop saving cookies

4.2.3. Information obtained as a result of your actions, including the data on submitted comments, inquiries, replies, and questions

5. Principles of personal data processing

5.1. Sufficiency is the main principle we follow when processing personal data: your data will not be processed unless it is absolutely necessary. When processing personal data, we are also governed by the following principles:

5.2. Legality and fairness of personal data processing

5.3. Processing of personal data in compliance with specific, predetermined, and legitimate purposes

5.4. Prevention of merging of databases containing personal data processed for incompatible reasons

5.5. Processing of only personal data fit for processing

5.6. Compliance of personal data content and volume with the stated processing purpose

5.7. Accuracy, sufficiency, currency, and reliability of personal data

5.8. Legitimacy of technical measures aimed at personal data processing

5.9. Reasonableness and feasibility of personal data processing

5.10. Storage of personal data in a format allowing identification of the individual is permitted only for the time required for their processing, or for as long as the individual's consent is valid

5.11. Immediate destruction or anonymization of processed personal data in cases specified in the Policy

6. Processing personal data

6.1. Personal data collection

Personal data can be collected in the following ways:

  • You provide personal data by filling in forms, including online forms on the Services.
  • Data is collected automatically using technologies and services, such as web protocols, cookies, and web markers launched only when you enter your data.
  • You provide personal data in writing, including the use of communication means.

6.2. Storage and use of personal data. Personal data shall be stored only on properly secured media, including electronic media, and processed with or without automated data processing tools

6.3. Processing

  • If the Company uses automated personal data processing, it shall make sure to use databases located in the Russian Federation. The Company has the right to combine personal data into an information system and process it with or without automation tools or other software. The Company works with information systems of personal data according to a commonly used algorithm (collection, systematization, accumulation, storage, clarification, use, blocking, destruction, and so on). The methods of data processing are as follows (included but not limited to the following): automatic verification of postal codes with a code database, automatic verification of street names, human settlements, clarification of data by contacting me (by mail, email, phone (including mobile phone), the Internet, messengers), segmentation of the information base using specified criteria, periodic contacts with me by phone (including mobile phone), email, the Internet, and messengers.

6.4. Handover of personal data

  • The Company may provide your personal data to third parties, including, but not limited to, consultants, partners, providers under agreements, contractors, and agents (hereinafter Consultants) for proper performance of its obligations as per clause 2.9. of the Terms of use, and also in cases when data is provided to ensure compliance with agreement terms and conditions, regulatory requirements, to prevent or stop illegal actions, or to protect the interests of the Company and third parties.
  • The Company transfers personal data to third parties when it is necessary to comply with the terms of an agreement, regulatory requirements, to prevent or stop your illegal actions, and to protect the legitimate interests of the Company and third parties.
  • Third parties (hereinafter Consultants) include the Company's partners, including affiliates, consultants, contractors (including organizations that own servers, people making calls, SMS mailings, any other types of mailings and notifications, as well as people who conduct surveys and research), contractors, and agents.
  • Personal data is transmitted to Consultants to achieve the above purposes on the basis of an agreement. Consultants undertake to use personal data strictly in compliance with this Policy to achieve the stated purposes and to provide services under an agreement.

6.5. Erasure of personal data

The company erases personal data in the following cases:

  • Threat to security of Services
  • The purpose of personal data processing is achieved, or it is no longer necessary to achieve it
  • You violated the Policy
  • The personal data storage period has expired
  • The agreement has expired or was terminated
  • At your request or if you revoke the consent for personal data processing

7. Your rights

7.1. You have the right to receive information on processing of your personal data, including the following:

  • Confirmation that your data is being processed
  • Legal grounds for your personal data processing
  • Purposes and methods the Company uses to process your personal data
  • Information on what personal data of yours we process and where we get it from
  • Period for processing and storage of your personal data
  • Procedure for exercising the rights provided for by the legislation of the Russian Federation
  • Information on actual or planned cross-border data transfer
  • Information on persons to whom your personal data may be provided under an agreement with the Company or in compliance with the legislation of the Russian Federation
  • Name and address of the entity or full name and address of the individual processing personal data on behalf of the Company (if such an entity or individual was instructed or will be instructed to do the processing)
  • Other information provided for by the legislation of the Russian Federation

8. Obligations of the Company

8.1. At your request, provide information on your personal data processing indicated in clause 7.1 of this Policy, or a substantiated refusal.

8.2. Take necessary and sufficient measures to fulfill obligations provided for by the Law.

8.3. At your request, update processed personal data, block or remove it if it is incomplete, outdated, inaccurate, obtained illegally, or not required for the stated purpose of processing.

8.4. Ensure that personal data is processed with due diligence. If it is impossible, the Company shall erase or ensure the erasure of personal data within 10 (ten) business days after discovering that data was processed without due diligence.

8.5. If the agreement with you expires or if you revoke your consent for personal data processing, we stop processing your personal data and erase it within 30 (thirty) business days of receipt of your cancellation. An exception can be made when processing continues by virtue of legislation of the Russian Federation.

9. Information on personal data protection

9.1. All personal data you provide shall be confidential by default. Protection of personal data processed by the Company is ensured by implementation of legal, organizational, and technical measures necessary and sufficient to ensure compliance with requirements of the legislation of the Russian Federation on personal data. However, we always strive to ensure maximum protection of your data and apply more measures to protect personal data than required by legislation. Below are some of them.

9.2. Legal measures

9.2.1. Development of local legal regulations to fulfill requirements of the Russian legislation, including this Privacy Notice, and placing it at phdays.com/en/policies/privacy-notice.

9.2.2. Refusal to process personal data if the methods of such processing do not meet the purposes of processing predefined by the Company.

9.3. Organization requirements

9.3.1. Appointing a person responsible for arrangement of personal data processing You can contact this person at the following email address: pt@ptsecurity.com

9.3.2. Limiting the number of Company's employees with access to personal data, and arranging a system of access permits

9.3.3. Regular assessment of risks related to personal data processing

9.3.4. Internal investigations to identify any facts related to unauthorized access to personal data

9.3.5. Using encryption when processing personal data

9.3.6. Monitoring and performing of security assessments of the Company's network infrastructure

9.3.7. Educating Company employees on provisions of the Russian Federation legislation on personal data, including personal data protection requirements, local regulations of the Company on personal data protection, and training employees

9.3.8. Arranging secure premises that store media with personal data to prevent unauthorized access or the presence of individuals who have no right to access such premises

9.3.9. Arranging trainings for Company employees in various aspects of personal data processing

9.4. The Company undertakes to and insures that if the third parties are given the right to process personal data, they shall maintain confidentiality of such personal data and not use it without a legal basis for its processing.

10. Cross-border data transfer

10.1. We are an international company. Therefore, for purposes stated in this Policy, we may transfer your personal data to countries other than where it was originally obtained. This is called cross-border data transfer. Before cross-border data transfer, the Company shall ensure that the country to which personal data is transferred will ensure adequate protection of your rights as a subject of personal data. In case of cross-border personal data transfer, we protect your data in compliance with the Policy.

10.2. Cross-border transfer of personal data on the territory of foreign states that do not provide adequate protection of your rights may be carried out in the following cases:

  • We have your written consent for the cross-border transfer of your personal data.
  • The transfer is provided for by international treaties of the Russian Federation.
  • The transfer is provided for by federal laws if it is necessary in order to protect the constitutional foundations of the Russian Federation, ensure the country's defense and state security, and ensure stable and secure functioning of the transport system, protect the interests of individuals, society, and the state in the transportation field from unlawful interference.
  • To fulfill an agreement to which you are a party.
  • To protect your life, health, and other vital interests of yours or the interests of others when it is impossible to obtain your written consent.

11. Limited effect of the Policy

11.1. You must be reasonable and responsible when placing your personal data where it can be publicly available, including feedback and comments on the Services.

11.2. The Company shall not be responsible for any actions of third parties who gain access to your personal data as a result of your actions.

12. Inquiries of the subject of personal data

12.1. You have the right to send inquiries to the Company, including inquiries regarding the use of your personal data:

  • In writing to Preobrazhenskaya Sq. 8, Moscow, 107061
  • By sending a document by email to pt@ptsecurity.com

12.2. Your inquiry must contain the following information:

  • Your national ID number
  • Date of ID issue, issuing authority
  • Information confirming your relationship with the Company
  • Your signature

12.3. The Company undertakes to process your inquiry and respond within 30 (thirty) calendar days as of inquiry receipt.

12.4. All correspondence received by the Company (both written and electronic inquiries) is considered restricted information and will not be disclosed without your written consent.

13. Contact information and details of the Company:

Full company name

Joint-Stock Company Positive Technologies

Contact details

Phone: +7 495 744 01 44

Fax: +7 495 744 01 87

Email address

info@ptsecurity.com