Privacy Notice (EN)

⚠ Документ - DRAFT, требует проверки юристом до публикации.

Privacy Notice (English)

Version: v1

This Privacy Notice describes how the operator of measurethetreasure.com (self-employed [FIO], INN [INN], operating under Russian Federation Tax Code Chapter 32.4 «professional income tax»; «the Operator») processes personal data of users who interact with the site from outside the Russian Federation, and where that processing intersects EU GDPR, UK GDPR, US state laws (CCPA/CPRA, CDPA, CPA, CTDPA, UCPA), Canadian PIPEDA, Australian Privacy Principles и Brazilian LGPD.

The Russian-law version of the Privacy Policy is published separately at `/legal/privacy` (in Russian); to the extent of any conflict between this English Notice and the Russian Privacy Policy, the Russian text applies under Russian law (152-FZ); this English text governs interactions with EU/UK/Canada/AU/Brazil/USA users to satisfy their respective regulators.

1. Operator (controller)

• Name: [FIO]
• INN: [INN]
• Tax status: self-employed (Russian Federation, Chapter 32.4 of the Tax Code)
• Email: support@measurethetreasure.com
• Postal address: [available upon written request]

2. Categories of personal data we collect

| Category | Purpose | Legal basis |

|---|---|---|

| Email address | account creation, transactional notifications | contract; consent |

| Password hash | authentication | contract |

| IP address, User-Agent | security, fraud prevention | legitimate interest; consent (consent_kind=processing) |

| Session identifiers | login state | contract |

| Subscription / payment records (no card numbers) | service delivery, accounting | contract; legal obligation (RU tax law) |

| Audit-log records | incident response, dispute resolution | legitimate interest |

| Telegram account identifier (chat_id) | notification delivery | consent (consent_kind=tg) - optional |

3. Legal bases (GDPR Article 6 / UK GDPR Article 6)

• Contract (Art.6(1)(b)): processing necessary для performing the subscription contract.
• Consent (Art.6(1)(a)): for the cross-border transfer to the EU primary database (`consent_kind='cross_border'`), for the processing of email + password hash + audit data (`consent_kind='processing'`), and for Telegram delivery (`consent_kind='tg'`, optional).
• Legal obligation (Art.6(1)(c)): payment-record retention для Russian tax compliance (Tax Code Article 23(8) - 5 years).
• Legitimate interest (Art.6(1)(f)): IP-address-based abuse prevention.

4. International transfers

The site's primary database is hosted in the European Economic Area; a Russian-based edge node (`ru-node`) hosts a collection-log replica that satisfies Russian Federal Law 152-FZ Article 18(5)(1) (first-write on Russian territory). EU/EEA-EU transfers are intra-EEA. Russia → EEA transfers operate under the user's explicit cross-border consent recorded in `user_consents` (kind='cross_border'), in line with Roskomnadzor Order № 274 of 15.03.2013 (recognising EU/EFTA as adequate jurisdictions).

Telegram notifications, when enabled, transfer chat_id and message body to Telegram FZ-LLC servers in the United Arab Emirates. The UAE is not recognised by Roskomnadzor as an adequate jurisdiction; the transfer relies on the user's explicit consent (kind='tg'), which is withdrawable at any time от `/account/privacy` or through the `/stop` command in the bot chat.

5. Your rights

Under the GDPR (Art.15–22), UK GDPR, CCPA/CPRA (CA), CDPA (VA), CPA (CO), CTDPA (CT), UCPA (UT), PIPEDA (Canada), the Privacy Act 1988 (Australia), и LGPD (Brazil), you have the rights listed below. We respond within 30 days (45 under CCPA when verifying identity).

• Access to your personal data (`/account/data-export` provides a self-service ZIP).
• Rectification of inaccurate data (`/account/profile` for editable fields; email change via `/forgot-password` flow).
• Erasure / right to be forgotten (Art.17 GDPR / CCPA «right to delete»). Use `/account/danger`. Records required by Russian tax law are retained for 5 years; everything else is deleted within 30 days.
• Restriction of processing.
• Data portability (Art.20). The DSAR ZIP is JSON, structured per-table.
• Objection to processing based on legitimate interest (Art.21).
• Right to withdraw consent (Art.7(3)) - does not affect the lawfulness of processing prior to withdrawal.
• Right to lodge a complaint with a supervisory authority - your local DPA (e.g. ICO in the UK; CNIL in France). EU users may also lodge with the operator's lead supervisory authority [TBD with EU hosting provider].

6. CCPA / CPRA & US state laws

• We do not sell personal data, и we do not «share» personal data for cross-context behavioural advertising as defined in CPRA § 1798.140(ah).
• We do not use personal data для targeted advertising.
• US state-residents (CA, VA, CO, CT, UT) may exercise their access / deletion / opt-out rights через `/account/data-export` and `/account/danger`. Verifiable consumer requests via support@measurethetreasure.com receive a response within the 45-day CCPA window (extendable once by 45 days).
• We do not collect sensitive personal data (SSN, exact geolocation, biometric, health, government IDs).

7. UK

The UK GDPR governs UK-resident processing. The Operator is not established in the UK; the controller has не appointed a UK Representative under UK GDPR Art.27 (low-volume EU/UK exposure). Complaints may be raised with the Information Commissioner's Office (ICO) https://ico.org.uk/.

8. Canada / Australia / Brazil

• PIPEDA (Canada): principles 1–10 are observed; complaints may be addressed to the OPC https://www.priv.gc.ca/.
• Privacy Act 1988 (Australia): APP 1–13 observed; OAIC at https://www.oaic.gov.au/.
• LGPD (Brazil): data subject rights mapped к GDPR equivalents above; ANPD at https://www.gov.br/anpd/.

9. China (PIPL)

The site is not directed at residents of mainland China and does not provide payment in Chinese rubles or specifically Chinese languages. Users from China access the service at their own risk; we make no representations about PIPL compliance.

10. Children

The service is not directed at persons under 18. We do not knowingly collect personal data from minors; if you believe a minor's data is being processed, contact support@measurethetreasure.com и we'll delete the record promptly.

11. Cookies

We use strictly-necessary cookies only (session, CSRF, language preference, region preference, cookie-banner-seen). No analytics, no advertising, no third-party trackers. See `/legal/cookies-en` for the per-cookie disclosure required by the UK PECR / EU ePrivacy Directive.

12. Retention

• Account profile: until account deletion.
• Payment records: 5 years after the transaction (Russian Tax Code Art.23(8)).
• Audit-log: 365 days (configurable; default per `RETENTION_DAYS`).
• Notification log: 90 days (configurable; default per `NOTIFICATION_LOG_RETENTION_DAYS`).

13. Changes

We will notify users of material changes by email at least 14 days before they take effect. Version history of this Notice is appended below.

14. Contact

support@measurethetreasure.com.

---

Version history

• v1 - initial English-language Notice. Effective: [TBD on launch].