Personal Data Consent

RU EN

PERSONAL DATA PROCESSING POLICY

Promakeup LLC

(version dated “07” January 2026)

1. General Provisions

1.1. This Policy defines the procedure and conditions for the processing of personal data and the measures taken to ensure the security of personal data by Promakeup LLC (hereinafter, the Operator).

1.2. This Policy has been developed in accordance with the requirements of Federal Law No. 152-FZ “On Personal Data”. In particular, the Operator ensures the observance of data subject rights, including the right to access, rectify, block and destroy personal data, and also implements the necessary legal, organizational and technical protection measures.

1.3. The Operator publishes this Policy publicly on its website / in its application (if any).

2. Information about the Operator

Operator: Promakeup Limited Liability Company (“Promakeup” LLC)

Taxpayer Identification Number (INN): 9713011844

Registered address: 127247, Moscow, Dmitrovskoe Highway, 107A, Bldg. 4

Contacts for personal data matters:

  • e-mail: askme@pmkl.ru
  • postal address for requests: 127247, Moscow, Dmitrovskoe Highway, 107A, Bldg. 4

3. Terms

The terms used in this Policy have the meanings set out in Federal Law No. 152-FZ (personal data, processing, operator, dissemination, provision, blocking, destruction, cross-border transfer, etc.).

4. Principles and Legal Grounds for Processing

4.1. Personal data is processed lawfully and fairly and is limited to achieving specific, pre-determined and lawful purposes.

4.2. Legal grounds for processing may include:

  • the data subject’s consent;
  • the necessity to perform a contract to which the data subject is a party and/or beneficiary;
  • compliance with legal obligations.

4.3. Important: consent to the processing of personal data is executed separately from other documents/information signed or confirmed by the data subject.

5. Categories of Data Subjects and Purposes of Processing

The Operator may process personal data of the following categories of data subjects (to the extent necessary for the purposes):

5.1. Website/application visitors:

  • providing access to functionality, operation of feedback forms, consultations;
  • ensuring security and preventing fraud;
  • improving service quality, website analytics;

5.2. Clients (customers) / personal account users:

  • registration and account administration;
  • order placement, payment, delivery / pickup, returns;
  • support, processing requests and claims;
  • informing about order status (email / SMS / messengers — where applicable and subject to legal requirements).

5.3. Contractors and representatives of contractors:

  • conclusion and performance of contracts, document flow, settlements, claims management.

5.4. Job applicants / employees:

  • recruitment, HR records management, compliance with labour legislation.

6. Scope of Personal Data Processed

6.1. The Operator processes personal data provided by the data subject directly, as well as data generated when using the website/service.

6.2. Depending on the purposes, the following personal data may be processed:

  • full name;
  • contact details (phone number, e-mail);
  • delivery address;
  • information about orders / requests;
  • service identifiers (login, user ID);
  • technical data (IP address, cookies, browser/device information) — when using the website.

7. Processing Conditions, Storage, and Destruction

7.1. Processing includes the following actions: collection, recording, systematization, accumulation, storage, updating (rectification), use, transfer (provision/access), blocking, deletion, destruction.

7.2. Retention periods are determined by the purposes of processing, statutory document retention periods and/or the term of the relevant contracts. Upon achievement of the purposes, personal data is destroyed or anonymized unless otherwise required by law.

7.3. Localization: when collecting personal data of citizens of the Russian Federation via the Internet, recording/systematization/accumulation/storage and other actions using databases located outside the Russian Federation are not permitted, except as provided by law.

8. Transfer of Personal Data to Third Parties

8.1. The Operator may entrust the processing of personal data to processors (contractors) and may also transfer personal data to third parties to the extent necessary for the purposes of processing and where there is a legal basis (e.g., for delivery, payment processing, IT support).

8.2. When engaging contractors, the Operator ensures that confidentiality and personal data security obligations are included in the relevant contracts.

8.3. I also agree that Promakeup LLC has the right to transfer to T-Pokupki LLC (OGRN 1237700231449, INN 7743414212, Address: 125212, Moscow, Golovinskoye sh., 5, bld. 1, office 193) all of my personal data that is in the possession/access of Promakeup LLC.

9. Cross-Border Transfer

9.1. Cross-border transfer of personal data is carried out only when necessary and in compliance with legal requirements.

9.2. Before commencing a cross-border transfer, the Operator must submit to the authorized authority a notification of its intention to carry out such transfer, separately from the notification of personal data processing.

10. Cookies and Analytics

10.1. Cookies and similar technologies may be used on the website for the proper operation of the website, security, and analytics.

10.2. The data subject may restrict the use of cookies in the browser settings; however, some website functions may not work correctly.

11. Data Subject Rights and Request Procedure

11.1. The data subject has the rights provided by law, including the right to:

  • receive information about the processing, including legal grounds and purposes;
  • request rectification / blocking / destruction of personal data on the grounds established by law.

11.2. Requests shall be sent to the e-mail/postal address specified in Section 2.

11.3. The response time is as provided by law (generally, 10 business days with a possible extension of up to 5 business days upon a reasoned notice).

11.4. Withdrawal of consent is carried out by sending a notice to the Operator.

12. Notification to Roskomnadzor

12.1. Before starting personal data processing, the Operator notifies the authorized authority of its intention to process personal data, unless statutory exceptions apply.

13. Personal Data Security Measures

13.1. The Operator implements the necessary legal, organizational and technical measures to protect personal data from unlawful/accidental access, destruction, alteration, blocking, copying, provision, dissemination and other unlawful actions.

13.2. Internal measures may include: access control and segregation, activity logging/control, employee training, internal audits and control, etc.

14. Final Provisions

14.1. This Policy is effective indefinitely until replaced by a new version.

14.2. The Operator may update this Policy; the current version is published on the website.

14.3. Matters not regulated by this Policy are governed by the legislation of the Russian Federation.

15. Current processing details for pmkl.ru

Disclosure revision: 27 June 2026. Consent policy version: 2026-06-27.

Operator: PROMAKEUP LLC, TIN 9713011844, PSRN 1247700180078, KPP 771301001, registered address: 127247, Moscow, Dmitrovskoe highway, 107A, building 4, e-mail: askme@pmkl.ru.

15.1. Purposes and data

The Operator processes account and contact data, order and delivery details, application form data, consent records, and security logs only for account operation, contract performance, support, fraud prevention, and optional marketing. Data is retained for the period required for the stated purpose and applicable statutory record-keeping or dispute periods.

15.2. Service providers

Depending on the operation selected by the user, limited data may be provided to Beget and the PMKL/Supabase infrastructure in Russia, CDEK or OZON for delivery, VTB Bank, Yandex Pay/Split, Dolyami, Robokassa or YooKassa for payment, the fiscal data operator for receipts, Telegram or MAX for user-selected communications, and Yandex.Metrica for consented analytics. Payment card details are entered on the payment provider's side and are not stored by the Operator.

15.3. Cookies and analytics

Only necessary cookies are used before the user makes a choice. Functional, analytics, and marketing categories are disabled by default. Yandex.Metrica counter 106696733, Webvisor, click maps, and e-commerce analytics start only after analytics-cookie consent. The choice can be changed through Cookie settings in the site footer.

15.4. Data localisation and international transfers

Primary recording and storage of Russian citizens' personal data use databases located in the Russian Federation. The Operator does not transfer data from the primary site database across borders without completing the requirements of Article 12 of Federal Law 152-FZ. External messengers, social networks, or payment services opened by the user may independently process data under their own policies.

15.5. Requests and withdrawal

Send access, correction, deletion, restriction, or consent-withdrawal requests to askme@pmkl.ru or to the Operator's registered address. Registered users can withdraw marketing consent in profile settings.

15.6. Consent records

The Operator keeps a grant and withdrawal log containing the consent type, action, source, policy version, consent session identifier, and server event time. The same session identifier is stored with the relevant order, application, subscription, or profile. Request context is stored as cryptographic hashes.