POLICY

regarding the processing of personal data of website visitors

1. General provisions

1.1 This Personal Data Processing Policy (hereinafter – “Policy”) has been prepared in accordance with clause 2 part 1 article 18.1 of the Federal Law of the Russian Federation “On Personal Data” No152-FZ of July 27, 2006 (hereinafter – “Law”) and defines the position of the legal entity Rushn Peptaid Group LLC (OGRN: 1217700024190, INN: 9703025414, registration address: 125039, Moscow, Presnenskaya nab, 10, bldg. 2, room. 97, office 2/185 and/or its affiliates, (the “Company”) in the field of processing and protection of personal data (the “Data”), observance of the rights and freedoms of everyone and, in particular, the right to privacy, personal and family secrets.

2 Areas of application

2.1 This Policy applies to Data received both before and after the enactment of this Policy.

2.2 Understanding the importance and value of Data and taking care of observance of constitutional rights of citizens of the Russian Federation and citizens of other states, the Company ensures reliable protection of Data.

3. Definitions

3.1 Data means any information relating to a directly or indirectly defined or identifiable natural person (citizen), i.e. such information includes in particular: name, e-mail, telephone number.

3.2 Processing of Data shall mean any action (operation) or a set of actions (operations) with Data performed using automated means and/or without the use of such means. Such actions (operations) include: collection, recording, systematization, accumulation, storage, clarification (update, change), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of Data.

3.3 Data security means protection of Data from unauthorized and/or unauthorized access, destruction, change, blocking, copying, provision, distribution of Data, as well as from other unlawful actions in relation to Data.

4. Legal basis and purposes of Data processing

4.1 Processing and security of Data in the Company shall be carried out in accordance with the requirements of the Constitution of the Russian Federation, the Law, the Labor Code of the Russian Federation, by-laws, other federal laws of the Russian Federation defining cases and specifics of Data processing, guidance and methodological documents of FSTEC and FSS of Russia.

4.2 Subjects of Data processed by the Company are:

Customers – consumers, including visitors to the Company’s website https://rnd.peptide.one, including for the purpose of placing an order on the website https://rnd.peptide.one with subsequent delivery to the customer, recipients of services, participants of bonus loyalty programs;

4.3 The Company shall process Subject Data for the following purposes:

exercising the functions, powers and duties imposed on the Company by the legislation of the Russian Federation in accordance with the federal laws, including but not limited to: The Civil Code of the Russian Federation, the Tax Code of the Russian Federation, the Labor Code of the Russian Federation, the Family Code of the Russian Federation, the Federal Law of 01.04.1996 No 27-FZ “On individual (personified) accounting in the mandatory pension insurance system”, the Federal Law of 27.07.2006 No 152-FZ “On Personal Data”, the Federal Law of 28.03.1998 No 53-FZ “On Military Duty and Military Service”, the Federal Law of 26.02.02.1997 No 31-FZ “On mobilization training and mobilization in the Russian Federation”, Federal Law of 8.02.1998 No 14-FZ “On Limited Liability Companies”, Federal Law of 07.02.1992 No 2300-1 “On Protection of Consumer Rights”, Federal Law of 21.11.1996 No 129-FZ “On Accounting”, Federal Law of 29.11.2010 No 326-FZ “On Mandatory Medical Insurance in the Russian Federation”,

Participants of bonus loyalty programs in order to:1. to provide information on goods, ongoing promotions, status of personal account; 2. to identify the participant in the loyalty program; to ensure the procedure of recording the accumulation and use of bonuses; 3. to fulfill the Company’s obligations under the loyalty program. Customers – consumers in order to:1. providing information on goods/services, ongoing promotions and special offers; 2. analyzing the quality of service provided by the Company and improving quality of Company’s customer service; 3. informing about order status; 4. performing contracts, including agreement of purchase and sale, including remote agreement on the Site, paid services; providing services as well as accounting of services provided to consumers for mutual settlements; 5. delivering ordered goods to customer who placed order on the Site

5. Principles and conditions of Data processing.

5.1 When processing Data, the Company shall adhere to the following principles: the Data shall be processed legally and fairly; the Data shall not be disclosed to third parties or disseminated without the consent of the Data subject, except in cases requiring the disclosure of Data at the request of authorized state bodies, legal proceedings; the specific legitimate purposes shall be defined before the start of data processing (including collection); only the Data necessary and sufficient for the stated processing purpose shall be collected; the combination of the data and the data shall be combined.

5.2 The Company may include the subjects’ Data in publicly available sources of Data, whereby the Company shall take the subject’s written consent to the processing of their Data, or by expressing consent through a website form (checkbox), by clicking which the subject of personal data expresses their consent.

5.3 The Company does not process Data relating to race, nationality, political views, religious, philosophical and other beliefs, intimate life, membership in public associations, including trade unions.

5.4 The Company does not process biometric data (information describing the physiological and biological characteristics of the person on the basis of which the person can be identified and which is used by the data controller for the identification of the data subject).

5.5 The Company does not carry out cross-border transfer of Data.

5.6 The Company shall be entitled to transfer Data to third parties (federal tax service, state pension fund and other state bodies) in cases stipulated by the legislation of the Russian Federation.

5.7 Persons processing Data on the basis of an agreement concluded with the Company (commissioned by the Operator) shall be obliged to comply with the principles and rules of Data processing and protection stipulated by the Law. For each third party, the contract shall define the list of actions (operations) with Data to be performed by the third party processing the Data, the purpose of processing, establish the obligation of such person to ensure confidentiality and security of Data when processing it, specify requirements for protection of processed Data in accordance with the Law.

5.8 In order to comply with the requirements of the applicable laws of the Russian Federation and its contractual obligations, the Company shall process Data both with and without the use of automation tools. The set of processing operations includes collection, recording, systematization, accumulation, storage, clarification (update, change), extraction, use, transfer (provision, access), depersonalization, blocking, deletion, destruction of Data.

5.9 The Company shall prohibit making decisions based solely on automated Data processing that produce legal consequences in relation to the Data subject or otherwise affect their rights and legitimate interests, except in cases stipulated by the laws of the Russian Federation.

6. Rights and obligations of Data subjects and the Company with regard to Data processing

6.1 The subject, whose Data is processed by the Company, has the right to – to receive from the Company:

confirmation of the fact of Data processing and information about the availability of Data related to the relevant Data subject; information about the legal basis and purpose of Data processing;

Information about the Data processing methods applied by the Company; information about the name and location of the Company; information about persons (except for the Company employees) who have access to Data or to whom Data may be disclosed on the basis of a contract with the Company or on the basis of federal law; list of processed Data relating to the Data subject and information about the source of its receipt, unless other procedure for providing such Data is provided for by federal law; information about the terms of Data processing, including about the time of data processing, including from

– require the Company to:

clarify his Data, block or destroy it if the Data is incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing; withdraw his consent to the processing of Data at any time; demand the elimination of unlawful actions of the Company in relation to his Data;

To appeal against the Company’s actions or omissions to the Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor) or in court if the Data Subject believes that the Company is processing his Data in violation of the requirements of the Law or otherwise violates his rights and freedoms;

– to protect their rights and legitimate interests, including compensation for losses and/or compensation for moral damages in court.

6.2 In the course of Data processing the Company shall:

Provide the Data subject, at his/her request, with information regarding the processing of his/her Personal Data, or legally refuse to do so within thirty days from the date of receipt of the Data subject’s or his/her representative’s request; explain to the Data subject the legal consequences of refusal to provide Data if provision of Data is mandatory under the federal law;

Prior to the commencement of Data processing (if the Data is not received from the Data subject), provide the following information to the Data subject, except in the cases stipulated by Article 18(4) of the Act:

1) name or surname, first name, patronymic and address of the Company or its representative; 2) purpose of Data processing and its legal basis; 3) intended Data users; 4) rights of Data subjects stipulated by Law;

5) the source of obtaining Data. take necessary legal, organizational and technical measures or ensure their adoption to protect Data from unauthorized or accidental access, destruction, change, blocking, copying, provision, distribution of Data, as well as from other unlawful actions in relation to Data; publish in the Internet and provide unrestricted access using the Internet to the document defining its Policy on Data processing, to information about implemented requirements to

Block unlawfully processed Data related to the Data subject or ensure its blocking (if the Data processing is performed by another person acting on behalf of the Company) from the moment of application or receipt of request for the verification period, in case of detection of unlawful processing of Data upon application of the Data subject or his/her representative or upon request of the Data subject or his/her representative or the authorized body for protection of the personal data subjects; clarify Data or ensure its clarification

cease the unauthorised processing of Data or ensure the cessation of unauthorised data processing by a person acting on behalf of the Company, in case the unauthorised processing of Data by the Company or a person acting on the basis of a contract with the Company is identified, within a period not exceeding 3 working days from the date of such identification; cease Data processing or ensure its cessation (if data processing is performed by another person acting under contract with the Company) and destroy or ensure the destruction of Data (if the Data is destroyed by another person acting under contract with the Company)

7. Data protection requirements

7.1 When processing Data, the Company shall take the necessary legal, organizational and technical measures to protect Data from unauthorized and/or unauthorized access to it, destruction, change, blocking, copying, provision, distribution of Data, as well as from other unlawful actions in relation to Data.

7.2 Such measures under the Act include, but are not limited to

appointment of a person responsible for the organization of Data processing and a person responsible for ensuring Data security; development and approval of local regulations on the processing and protection of Data; application of legal, organizational and technical measures to ensure Data security:

– Determination of threats to Data security in the course of its processing in information

application of organizational and technical measures to ensure security

Data during its processing in personal data information systems, necessary to meet the requirements for Data protection, the execution of which ensures the levels of Data protection established by the Government of the Russian Federation;

– use of information protection tools that have passed the conformity assessment procedure in accordance with the established procedure;

– assessment of efficiency of measures taken to ensure Data security prior to commissioning of the personal data information system;

– recording of machine-readable Data carriers, if Data is stored on machine-readable media;

– detecting unauthorized access to Data and taking measures to prevent similar incidents in the future;

– recovery of Data modified or destroyed as a result of unauthorized access to it;

– Establishment of rules of access to Data processed in personal data information system, as well as ensuring registration and recording of all actions performed with Data in personal data information system. control over measures taken to ensure security of Data and level of security of personal data information systems;

Assessment of the harm that may be caused to the Data subjects in case of violation of the requirements of the Law, the ratio of the said harm and the measures taken by the Company to ensure compliance with the obligations stipulated by the Law; compliance with the conditions that exclude unauthorized access to the tangible media of Data and ensure Data safety;

familiarization of the Company’s employees directly engaged in Data processing with the provisions of the legislation of the Russian Federation on Data, including the requirements for Data protection, local regulations on the processing and protection of Data, and training of the Company’s employees.

8. Terms of Data processing (storage)

8.1 The term of processing (storage) of Data shall be determined based on the purpose of Data processing, in accordance with the term of the contract with the Data subject, the requirements of federal laws, the requirements of Data operators on whose behalf the Company carries out Data processing, the basic rules of the archives of organizations, the limitation period.

8.2 Data whose processing (storage) period has expired shall be destroyed, unless otherwise provided by federal law. Storage of Data after termination of its processing shall be allowed only after its depersonalization.

9. Procedure for obtaining explanations on data processing issues

9.1 Persons whose Data is processed by the Company may obtain explanations regarding the processing of their Data by contacting the Company in person or by sending a corresponding written request to the Company’s location: 125039, Moscow, Presnenskaya Naberezhnaya, 10, bldg. 2, room 97. 97, office 2/185.

9.2 If an official request is sent to the Company, the text of the request must specify:

the surname, first name, patronymic of the Data subject or his representative; the number of the main identity document of the Data subject or his representative, information about the date of issue of the said document and the issuing authority; information confirming the Data subject’s relationship with the Company; information for feedback in order for the Company to respond to the request; the signature of the Data subject (or his representative). If the request is sent electronically, it shall be in the form of an electronic document and signed by electronic signature in accordance with the laws of the Russian Federation.

10. Peculiarities of processing and protection of Data collected by the Company using the Internet

10.1 The Company processes the Data, received from the users of the Site from the resource: http://russianpeptide.com (hereinafter jointly – the Site), as well as those received by the Company’s phone: +7 (971) 561 37 8349

, to the Company’s e-mail address: rnd@peptide.one, via the Company’s feedback form located at: https://rnd.peptide.one/ru/контакты/

10.2 Data collection

There are two main ways in which the Company obtains Data via the Internet:

10.2.1 Provision of Data

Provision of Data (self-entry of data):

name e-mail phone number

10.2.2. by Data Subjects by contacting the Company by phone: +7 (971) 561 37 8349, at the Company’s e-mail address: rnd@peptide.one, via the Company’s feedback form located at: https://rnd.peptide.one/ru/контакты/

10.3 Automatically collected information

The Company may collect and process information that is not personal data:

information about the interests of users on the Site based on the search queries entered by users of the Site about products sold and offered for sale by the Company in order to provide relevant information to the Company’s customers when using the Site, as well as generalization and analysis of information about which sections of the Site and products are in the greatest demand among the Company’s customers;

processing and storage of search queries from Site users in order to generalize and create client statistics on the use of Site sections.

The Company automatically receives certain types of information obtained during users’ interaction with the Site, e-mail correspondence, etc. This refers to technologies and services such as web protocols, cookies, web memos, and applications and tools of the specified third party.

However, web tags, cookies and other monitoring technologies do not enable the automatic collection of Data. If a user of the Site provides their Data at their discretion, such as when filling out a feedback form or sending an e-mail, only then are processes launched to automatically collect detailed information for the ease of use of the web sites and/or to improve user interaction.

10.4 Use of Data

The Company shall be entitled to use the provided Data in accordance with the stated purposes of its collection, subject to the consent of the Data subject, if such consent is required in accordance with the requirements of the legislation of the Russian Federation in the field of Data.

The data obtained in aggregated and impersonal form can be used to understand better the needs of customers of goods and services sold by the Company and to improve the quality of service.

10.5 Data transfer

The Company may entrust the processing of Data to third parties only with the consent of the Data subject. The Data may also be transferred to third parties in the following cases:

a) As a response to lawful requests of authorized state bodies, in accordance with laws, court decisions, etc.

b) The Data shall not be disclosed to third parties for marketing, commercial and other similar purposes, except with the prior consent of the Data subject.

10.6 The Website contains links to other web resources where there may be useful and interesting information for the Website users. However, this Policy shall not apply to such other websites. Users clicking on the links to other sites shall be recommended to read the policies on data processing posted on such sites.

10.7. User of the Site can withdraw his consent to Data processing at any time by sending a notice by calling the Company telephone number: +7 (971) 561 37 8349, the Company e-mail: rnd@peptide.one, via the Company’s feedback form at https://rnd.peptide.one/ru/контакты/, or by sending a written notice to the Company address: 125039, Moscow, Presnenskaya nab. 97, office 2/185. Upon receipt of such a notification, the processing of User Data will be terminated and his Data will be deleted, except in cases where processing may be continued in accordance with the law. Final provisions This Policy is a local regulation of the Company. This Policy is publicly available. Public accessibility of this Policy is ensured by publishing it on the Company’s Website. This Policy may be revised in any of the following cases:

in case of changes in the Russian legislation in the field of processing and protection of personal data; in cases when orders are received from competent state authorities to eliminate inconsistencies affecting the scope of the Policy;

by decision of the Company’s management; in case of changes in the purposes and terms of Data processing; in case of changes in the organizational structure, structure of information and/or telecommunication systems (or introduction of new ones); in case of application of new technologies for Data processing and protection (including transfer, storage); in case of necessity to change the process of Data processing related to the Company’s activities. In case of non-compliance with the provisions of this Policy, the Company and its employees shall be liable in accordance with the applicable laws of the Russian Federation. Control of compliance with the requirements of this Policy is carried out by the persons responsible for the organization of data processing of the Company, as well as for the security of personal data.