1. General Provisions

1.1. This policy in the field of processing and protection of personal data of the operator (hereinafter - the Policy) has been developed in order to comply with the requirements of the legislation of the Russian Federation in the field of personal data processing, discloses the main categories of personal data processed by the operator, the purposes, methods and principles of processing, the rights and obligations of the operator during processing , the rights of subjects of personal data. The policy is a publicly available document declaring the conceptual foundations of the operator's activities in the processing of personal data. 1.2. This Policy has been developed on the basis of: Articles of the Constitution of the Russian Federation; Labor Code of the Russian Federation; Federal Law of July 27, 2006 No. 152-FZ On Personal Data; Federal Law No. 149-FZ of July 27, 2006 “On Information, Information Technologies and Information Protection”; Requirements for the protection of personal data during their processing in personal data information systems, approved by the decree of the Government of the Russian Federation of November 1, 2012. No. 1119; Provisions on the specifics of personal data processing carried out without the use of automation tools, approved by the Government of the Russian Federation dated September 15, 2008 No. 687. 1.3. This Policy determines the procedure for handling personal data of clients (subjects of personal data), IE Gorbunov A.V (hereinafter referred to as the Company, operator) and personal data of employees of the Company, which are necessary for the employer in connection with labor relations. 1.4. With regard to information about the subjects of personal data, which makes it possible to identify his identity, with the exception of impersonal and publicly available personal data, in cases established by federal laws, the confidentiality of such information must be ensured. 1.5. The protection of the client's personal data from their unlawful use or loss must be ensured by the operator at his expense in the manner prescribed by the Federal Law and other regulatory documents of the Russian Federation. 1.6. The Policy is mandatory for all employees of the Company who have access to personal data. 1.7. The purposes of collecting personal data in the Company are: - conclusion of labor contracts, contracts with contractors, fulfillment of obligations under these contracts; - personnel planning, decision-making on the employment of a candidate for a position; - compliance with tax legislation, accounting; - implementation of access control; - organization of the provision of services by the Company in the manner prescribed by the current legislation of the Russian Federation, including the provision of services for express delivery of items through an electronic service on the Internet at the address: www.returnservice.ru 1.8. The legal basis for the processing of personal data is a set of legal acts in the field of personal data processing, in pursuance of which the Company processes personal data, including, but not limited to: - federal laws and regulations adopted on their basis regulating relations related to the activities of the Company as operator for the processing of personal data; - the charter of the Company; - agreements concluded between the Company and the subject of personal data; - consent to the processing of PD (in cases not directly provided for by the legislation of the Russian Federation, but corresponding to the powers of the operator); - this Policy and other local acts on the processing of personal data in force in the Company. 1.9. The operator does not process biometric personal data (characterize the physiological and biological characteristics of a person, on the basis of which his identity can be established), special categories of personal data relating to race, nationality, political views, religious or philosophical beliefs, intimate life, and does not produce cross-border transfer of personal data to the territory of a foreign state. 1.10. Categories of personal data subjects: - employees of the operator (including former ones), candidates for filling vacant positions, as well as relatives of employees; - clients and contractors of the operator (individuals). 1.11. This Policy does not apply to relations arising from the organization of storage, acquisition, accounting and use of archival documents containing personal data in accordance with the legislation on archival affairs in the Russian Federation, as well as the processing of personal data classified in the established manner as information constituting a state secret. 1.12. In cases not specified in this Policy, you should be guided by the current federal laws and regulatory legal acts of the Russian Federation that regulate the procedure for processing personal data.

2. Basic concepts of personal data

2.1. For the purposes of this Policy, the following basic concepts are used: • Automated processing of personal data - processing of personal data using computer technology; • Documented information - information recorded on a tangible medium by documenting information with requisites that make it possible to determine such information or, in cases established by the legislation of the Russian Federation, its tangible medium; • Documents containing personal information of the client - forms of documentation, including information about personal data; • Information - information (messages, data) regardless of the form of their presentation; • Personal data information system - a set of personal data contained in databases and information technologies and technical means providing their processing; • Confidentiality of personal data - a mandatory requirement for the operator or other person who has gained access to personal data to prevent their dissemination and not to disclose personal data to third parties without the consent of the subject of personal data, unless otherwise provided by federal law; • Depersonalization of personal data - actions as a result of which it becomes impossible to determine the ownership of personal data to a specific subject of personal data without using additional information; • Processing of personal data - any action (operation) or a set of actions (operations) performed using automation tools or without using such tools with personal data, including collection, systematization, accumulation, storage, clarification (update, change), extraction, use , transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data; • The processing of personal data contained in the personal data information system or extracted from such a system (hereinafter referred to as personal data) is considered carried out without the use of automation tools (non-automated), if such actions with personal data, such as the use, clarification, distribution, destruction of personal data in relation to each of the subjects of personal data, are carried out with the direct participation of a person; • Publicly available personal data - personal data, access of an unlimited number of persons to which is provided with the consent of the subject of personal data or to which, in accordance with federal laws, the requirement of confidentiality does not apply; • Operator - a state body, municipal body, legal entity or individual, independently or jointly with other persons organizing and (or) processing personal data, as well as determining the purposes of processing personal data, the composition of personal data to be processed, actions (operations), committed with personal data; • Blocking of personal data - temporary termination of the processing of personal data (unless the processing is necessary to clarify personal data); • Client - an individual (entity) using the website on the Internet at the address: www.returnservice.ru (hereinafter referred to as the website, electronic service), in order to receive services for the delivery of items, otherwise carrying out civil law relations with the Company, in including acting as a representative (employee) of another legal entity with whom the Company has concluded an agreement on the provision of services for express delivery of items. • Personal data - any information relating directly or indirectly to a specific or identifiable individual (subject of personal data); • Personal data of the client - any information relating to a specific or determined on the basis of such information an individual (subject of personal data), including his last name, first name, patronymic, year, month, date and place of birth, series and number of the passport, address registration and actual residence, taxpayer identification number (TIN), etc .; 2.1.16. Provision of personal data - actions aimed at disclosing personal data to a certain person or a certain circle of persons; • Dissemination of personal data - actions aimed at disclosing personal data to an indefinite circle of persons; • Destruction of personal data - actions as a result of which it becomes impossible to restore the content of personal data in the information system of personal data and (or) as a result of which material carriers of personal data are destroyed;

3. Personal data of the employee

personal data), including his last name, first name, patronymic, year, month, date and place of birth, passport series and number, registration and actual residence address, taxpayer identification number (TIN), etc .; 2.1.16. Provision of personal data - actions aimed at disclosing personal data to a certain person or a certain circle of persons; • Dissemination of personal data - actions aimed at disclosing personal data to an indefinite circle of persons; • Destruction of personal data - actions as a result of which it becomes impossible to restore the content of personal data in the information system of personal data and (or) as a result of which material carriers of personal data are destroyed; 3. Personal data of the employee 3.1. The personal data of the Company's employees include documents containing information on passport data, education, attitude to military service, marital status, place of residence, as well as on their previous places of work. 3.2. The processing of the employee's personal data is carried out on the basis of his written consent, with the exception of cases directly provided for by the current legislation of the Russian Federation. 3.3. A set of documents accompanying the process of formalizing the labor relations of an employee in the Company during his admission, transfer and dismissal. • Information provided by an employee upon joining the Company must be in documentary form. When concluding an employment contract in accordance with Art. 65 of the Labor Code of the Russian Federation, a person applying for work presents to the employer: - a passport or other identity document; - a work book, except for cases when an employment contract is concluded for the first time or an employee enters a job on a part-time basis, or the employee does not have a work book due to its loss or for other reasons; - insurance certificate of state pension insurance; - military registration documents - for persons liable for military service and persons subject to military registration; - a document on education, qualifications or special knowledge - when applying for a job requiring special knowledge or special training; - certificate of TIN assignment (if available to the employee). • When registering an employee in the Company by the person who recruits personnel, the unified form T-2 Personal employee card is filled in, which reflects the following personal and biographical data of the employee: - general information (name of the employee, date of birth, place birth, citizenship, education, profession, work experience, marriage status, passport data); - information about military registration; - data on employment; In the future, the following is entered into the personal card: - information about transfers to another job; - information about certification; - information about professional development; - information about professional retraining; - information about awards (incentives), honorary titles; - information about vacations; - information about social benefits; - information about the place of residence and contact numbers. • The Company creates and stores the following groups of documents containing data about employees in a single or consolidated form: Documents containing personal data of employees (sets of documents accompanying the process of formalizing labor relations when hiring, transferring, dismissing; a set of materials for questioning, testing ; conducting interviews with a candidate for a position; originals and copies of orders on personnel; personal files and work books of employees; cases containing grounds for an order on personnel; cases containing materials of certification of employees; official investigations; reference and information databank on personnel (filing cabinets, journals); originals and copies of reporting, analytical and reference materials, copies of reports sent to state statistics bodies, tax inspectorates, higher management bodies and other institutions). 3.4. An employee, as a subject of personal data, has the right to receive information: - about the operator, about the location of the operator, - about the presence of the operator of personal data relating to the respective subject of personal data, - to confirm the fact of processing personal data by the operator, as well as the purpose of such processing; - on the methods of processing personal data used by the operator; - about persons who have access to personal data or who can be provided with such access; - about the list of processed personal data and the source of their receipt; - about the terms of processing personal data, including the terms of their storage; - what legal consequences the processing of his personal data may entail for the subject of personal data; - to get acquainted with personal data, except for the case when the provision of personal data violates the constitutional rights and freedoms of others. 3.5. The employee has the right to: - require the operator to clarify his personal details

4. Personal data of clients

4.1. The personal data of clients includes information about passport data, as well as other information accompanying the provision of services for the delivery of items and related services through an electronic service on the Internet at the address: www.returnservice.ru 4.2. The receipt of the client's personal data is carried out by the client submitting his consent to the processing of personal data through the website, except for cases expressly provided for by the current legislation of the Russian Federation. If the client is incapacitated or does not reach the age of 15 years, consent to the processing of his personal data is given in writing by his legal representative. 4.3. The client, as a subject of personal data, including a special category of personal data, has the right to receive information: - about the operator, about the location of the operator, - about the presence of the operator of personal data relating to the relevant subject of personal data, - to confirm the fact of processing personal data by the operator, as well as the purpose of such processing; - on the methods of processing personal data used by the operator; - about persons who have access to personal data or who can be provided with such access; - about the list of processed personal data and the source of their receipt; - about the terms of processing personal data, including the terms of their storage; - what legal consequences the processing of his personal data may entail for the subject of personal data; - to get acquainted with personal data, except for the case when the provision of personal data violates the constitutional rights and freedoms of others. 4.4. The client has the right: - to require the operator to clarify his personal data, block or destroy them if the personal data is incomplete, outdated, inaccurate, illegally obtained or is not necessary for the stated purpose of processing; - access to your Personal Data when you personally contact a representative of the Operator with a passport; - access to your Personal Data when sending a written request, which must contain the number of the main document proving the identity of the subject of Personal Data, information about the date of issue of the specified document and the issuing authority and the handwritten signature of the subject of Personal Data; - issue a power of attorney for the right to access his personal data; - take measures provided by law to protect their rights. 4.5. Customers' personal data are stored for the duration of the contracts concluded with them, as well as for 3 (three) years after the expiration of such contracts. 4.6. The condition for the termination of the processing of personal data is the achievement of the purposes of their processing, the expiration of the consent of the subject of personal data to the processing of his personal data, withdrawal of consent to the processing of personal data, as well as identification of illegal processing.

5. Collection, processing and storage of personal data

personal data on behalf of the Company, if processing is entrusted to such a person; - a list of actions with personal data for the performance of which consent is given, a general description of the methods of processing personal data used by the operator; - the period during which the consent is valid, as well as the method of its withdrawal, unless otherwise established by federal law; - signature. 5.6 It is prohibited to demand from a person applying for a job (or hiring) documents other than those provided for by the Labor Code of the Russian Federation, other federal laws, decrees of the President of the Russian Federation and decrees of the Government of the Russian Federation. 5.7 Personal data of subjects are stored in electronic databases and on paper in the Company. For this, specially equipped cabinets and safes are used. The personal files of the dismissed (underwent examination, treatment) subjects are stored in the archive of the Society. 5.8. For the purpose of information support, publicly available sources of personal data (including reference books, electronic databases) can be created. Publicly available sources of personal data may include surname, name, patronymic, position, department, office phone numbers and email address. 5.9. Information on the calculation and payment of wages to the Company's employees is stored in electronic databases and on paper in the premises of the economy and accounting department. Upon expiration of the storage periods established by the legislation of the Russian Federation, this information is transferred to the archive of the Company. 5.10 Specific responsibilities for maintaining, storing personal files of subjects, filling out, storing and issuing work books, other documents reflecting the personal data of subjects are assigned to employees engaged in recruiting personnel. 5.11 Personal data of clients are stored in electronic databases, which may be connected to the local network of the organization, as well as on paper. 5.12 Access to electronic databases is limited by password. It is possible to transfer personal data of clients between structural divisions using registered removable media or via the internal network of the Company using technical and software means of protecting information, with access only for employees of the Company and its partners who are allowed to work with personal data and only to the extent required by the data employees for the performance of their duties. 5.13 Personal data of subjects is stored no longer than required by the purpose of their processing, and they are subject to destruction upon achievement of the processing goals or in case of loss of the need to achieve them. Documents containing personal data are subject to storage and destruction in the manner prescribed by the archival legislation of the Russian Federation. 5.14 Upon receipt of information constituting the personal data of subjects, interested parties have the right to receive only those personal data that are necessary to perform specific functions and tasks.

6. Transfer of personal data of personal data subjects

6.1 When transferring personal data of subjects, employees of the Company who have access to personal data must comply with the following requirements: • Do not disclose the personal data of the subject to a third party without the written consent of the employee of the subject, except for cases when it is necessary to prevent a threat to the life and health of the subject, as well as in other cases provided for by the Labor Code of the Russian Federation or other federal laws. • Do not communicate the personal data of the subject for commercial purposes without his written consent. • To warn the persons receiving the personal data of the subject that this data can be used only for the purposes for which they were communicated, and to require these persons to confirm that this rule has been observed. • Allow access to personal data of subjects only to specially authorized persons, while these persons should have the right to receive only those personal data of subjects that are necessary to perform specific functions. • All information about the transfer of personal data of the subject must be registered in the Log of the transfer of personal data in order to control the legality of the use of this information by the persons who received it. The log records information about the person who sent the request, the date of transfer of personal data or the date of notification of the refusal to provide them, and also notes what information was transferred.

7. Protection of personal data

7.1. Protection of personal data in the Company is the adoption of legal, organizational and technical measures aimed at: - ensuring the protection of information from unauthorized access, destruction, modification, blocking, copying, provision, distribution, as well as from other illegal actions in relation to such information; - observance of confidentiality of information of limited access; - exercise of the right to access information. 7.2. In order to ensure the safety of personal data during their processing in the Company's electronic databases: - establish a list of persons who process personal data or have access to them; - ensure the separate storage of personal data (material media), the processing of which is carried out for various purposes; - provide access control in accordance with the approved documents on the protection and implementation of access control - in cases provided for by the current legislation of the Russian Federation; - the premises in which the work with personal data is carried out must ensure the safety of personal data carriers and information protection means, as well as exclude the possibility of uncontrolled penetration or presence of unauthorized persons in these premises; - access to information in electronic form should be carried out using password protection, and in personal data information systems - using automation tools in accordance with regulatory documents; - electronic media containing personal data are recorded in the register of electronic media of personal data. 7.3. Ensuring the security of personal data in personal data information systems is carried out in accordance with the requirements of Art. 19 of the Federal Law of July 27, 2006 No. 152-FZ On Personal Data, Requirements for the protection of personal data when processing them in personal data information systems, approved by the decree of the Government of the Russian Federation of November 1, 2012. No. 1119, regulatory and governing documents of the authorized federal executive bodies. 7.4 Measures to ensure the security of personal data are carried out in accordance with the Composition and content of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems, approved by order of the FSTEC of Russia dated 18.02.2013 No. 21. 7.5 Selection and implementation of methods and methods of protecting information in the information system are carried out on the basis of threats to the security of personal data (threat models) determined by the Company and depending on the level of security of the information system, determined in accordance with the Requirements for the protection of personal data when processing them in personal data information systems, approved By order of the FSTEC of Russia dated November 1, 2012 No. 1119. 7.6 The selected and implemented methods and methods for protecting information in the information system should ensure the neutralization of the alleged threats to the security of personal data during their processing in information systems as part of the personal data protection system. 7.7. Ensuring the security of personal data in personal data information systems without using automation tools is carried out in accordance with the requirements of the Regulation on the specifics of personal data processing carried out without using automation tools, approved by the Government of the Russian Federation dated September 15, 2008 No. 687. 7.8. Employees of the Company who have access to personal data are obliged to take the necessary organizational and technical measures to protect personal data from unauthorized or accidental access to them, destruction, modification, blocking, copying, distribution, as well as from other illegal actions in relation to this information.

8. Responsibility

8.1. Responsibility for violation of the rules governing the processing and protection of personal data of employeesPersons guilty of violation of the rules governing the receipt, processing and protection of personal data of an employee are subject to disciplinary, administrative, civil or criminal liability in accordance with the current legislation of the Russian Federation.

9. Interaction between the operator and the subject of personal data

9.1. The operator is obliged to inform the subject of personal data or his representative information about the processing of personal data of such a subject upon receipt of relevant requests from the subject of personal data and their representatives, as well as authorized bodies, regarding the inaccuracy of personal data, the illegality of their processing, withdrawal of consent, access of the subject personal data to your data. 9.2. The request of the subject of personal data can be sent on paper, and can also be submitted through the site. 9.3. The operator is obliged, within the time frame provided for by the current legislation of the Russian Federation, to respond to the request received and inform the subject of personal data about the results of its consideration. 9.4. The response to the request can be sent to the subject in the same way that the request was received from him, or on paper at his place of residence (if known to the operator).

10. Final provisions

10.1. This Policy comes into force from the date of approval by the General Director of the Company and is valid indefinitely. 10.2. Changes and additions to this Policy are made by issuing orders and instructions by the General Director of the Company. 10.3. Familiarization of the Company's employees with this Policy is carried out on paper under a personal signature. 10.4. The publication and disclosure of this Operator's Policy in the field of personal data to an unlimited number of persons is carried out by publishing it on the Company's website. 10.5. Appendices to this Policy are: • Consent to the processing of personal data. • Consent to the processing of personal data of individual clients (for the site). II. Consent to the processing of personal data The user, by leaving an appeal on the website www.returnservice.ru, accepts this Consent to the processing of personal data (hereinafter referred to as the Consent). Acting freely, by their own will and in their own interest, as well as confirming their legal capacity, in accordance with the Federal Law of 27.07.2006. No. 152-FZ On Personal Data and other regulatory legal acts, the User has decided to provide his personal data (hereinafter - PD) and agrees to their processing by IP Gorbunov (hereinafter - PD Operator), on the following conditions : 1) This consent is given to the processing of PD both without using automation tools, and with their use; 2) Consent is given to the processing of the following personal data of the User: • last name, first name, patronymic, year, month, date of birth, place of birth, address , passport data; • contact telephone numbers, e-mail addresses; • place of work and position held; • user data (location information; type and version of the OS; type and version of the Browser; type of device and its screen resolution; source from where the user came to the site, from which site or for what advertisement; language of the OS and Browser; which pages opens and which buttons the user clicks; ip-address). 3) Personal data is not publicly available. 4) Purpose of PD processing: processing incoming requests from individuals in order to fulfill obligations for the formation of orders and delivery of items, as well as analytics of the individual's actions on the web website and the functioning of the website, advertising and newsletters. 5) The grounds for processing PD are: Article 24 of the Constitution of the Russian Federation, Article 6 of the Federal Law of 27.07.2006. No. 152-ФЗ On personal data, this Consent to the processing of personal data. 6) In the course of processing with PD, the following actions will be performed: collection, recording, systematization, accumulation, storage, clarification (update, change), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction. 7) PD are processed until an individual refuses (unsubscribes) from advertising and newsletters. Also, PD processing may be terminated at the request of the PD subject. The storage of PD recorded on paper is carried out in accordance with Federal Law No. 125-FZ On Archival Affairs in the Russian Federation and other regulatory legal acts in the field of archiving and archival storage. The consent may be revoked by the PD subject or his representative by sending a corresponding written application to the PD Operator at the address: 125008, Moscow, st. Mikhalkovskaya 8.8) If the PD subject or his representative revokes the consent to the processing of personal data, the PD Operator has the right to continue processing the PD without the consent of the PD subject if there are grounds, in accordance with paragraphs 2-11 of part 1 of article 6, part 2 of article 10 and part 2 of article 11 of the Federal of the law of 27.07.2006. No. 152-FZ On Personal Data. 9) This Consent is valid during the term of the contract for the provision of services for express delivery of items concluded between the PD Operator and the User, or a legal entity in whose interests the User acts, as well as during three years after the expiration of the said agreement.