Privacy Policy of InstaVector Investment Company Ltd.

1. General provisions

The present Privacy Policy has been developed with an aim to ensure personal data protection at InstaVector Investment Company (herein referred to as Company) and compliance with the Russian Federation legislation. It contains the basic provisions of the Company’s corporate regulations, namely those concerning processing and protecting personal data of the Company’s customers and those related to personal data of the Company’s staff.

1.2. The processing of personal data is based on the following principles:

  • Personal data processing purposes and means are legitimate and bona fide;
  • Personal data processing purposes conform to the powers of the Company and to the purposes determined and declared at the stage of collection;
  • The volume and nature of personal data and processing means comply with the purposes of personal data processing;
  • Personal data is reliable, appropriate and sufficient for the processing purposes and excessive data in terms of collection purposes is impossible to be processed;
  • Organizational and technical measures for the security of personal data are legitimate;
  • The Company’s employees involved in the protection and processing of personal data are constantly trained so that to increase their knowledge and skills in this field;
  • The Company strives to improve the personal data protection system on a regular basis.

2. Personal data processing purposes

2.1. In accordance with the principles of personal data processing, the Company outlines the following personal data processing purposes:

  • To comply with the Russian Federation legislation, namely the Labour and Tax Codes, anti-money laundering and terrorist financing regulations, the Federal Act On Counteracting the Illegitimate Use of Insider Information and Market Manipulation, and other statutory acts of the Russian Federation;
  • To ensure the compliance with the powers of the Company and the purposes determined and declared at the stage of personal data collection;
  • To fulfill the obligations under the employment contract or any other civil law contract.

3. Personal data processing regulations

3.1. Categories of personal data subject to processing:

  • Full name;
  • Date and place of birth;
  • Citizenship;
  • Residential address;
  • Family status;
  • VAT identification number;
  • Occupation;
  • Passport details;
  • Other data mandatory in accordance with the Company’s corporate regulations, and/or the Russian Federation legislation, and/or a contractual relationship.

3.2. The Company shall not accept the following categories of personal data for processing:

  • Racial or ethnic origin;
  • Political opinions;
  • Philosophical and religious beliefs;
  • Data concerning health or sex life.

3.3. Provided the subject has unambiguously given his consent, and unless otherwise specified by the Russian Federation legislation, the Company reserves the right to disclose the information to the third parties:

  • Federal Tax Service of the Russian Federation;
  • Pension Fund of the Russian Federation;
  • Federal Financial Markets Service of the Russian Federation;
  • Federal Financial Monitoring Service of the Russian Federation;
  • Non-state pension funds;
  • Insurance companies;
  • Lending institutions;
  • Private security companies;
  • Vocational education and training institutions;
  • Auditors;
  • Stock market professionals;
  • Exchanges and other trade organizers.

3.4. Biometric information (physiological and biological characteristics used to identify an individual) is not subject to processing.

3.5. The Company shall not transfer personal data abroad (i.e. transferring personal data to another country, foreign authorities, a foreign individual or company).

3.6. The Company shall not make any decisions regarding personal data subjects on the sole basis of automatic data processing.

3.7. The Company shall not publicize personal data without prior consent of the subject.

4. Personal data protection measures implemented

4.1. The Company shall assess the damage which the subject may suffer, determine personal data security threats and take appropriate technical and organizational measures based on appropriate safeguards, which include the following means of information protection:

  • Access Control Subsystem: recording and identifying the list of individuals that enjoy access to personal data; distribution of rights to access information systems; password-based authentication.
  • Registration and Accounting Subsystem: keeping and using data storage media protecting data from theft, substitution, and deletion.
  • Antivirus Subsystem: malware prevention at every stage of personal data processing.
  • Data Integrity Subsystem: regular information systems check-ups and access restrictions in order to ensure data invariability in case of data corruption by accident and/or by intention.
  • Backup Subsystem: backing up and restoring data.
  • Data Leak Prevention Subsystem: monitoring all channels of personal data traffic, controlling and assessing measures being implemented.

5. Liabilities

5.1. The Company has appointed a person in charge of personal data processing and protection.

5.2. Individuals who have breached personal data safeguards laid down in the Russian Data Protection Act, the present Privacy Policy or the Company’s corporate regulations are subject to the Russian Federation legislation.