SmenaFon
RU EN
Sign up

Personal data processing policy

Compliant with Russian 152-FZ; describes what we process and why.

This Personal Data Processing Policy (the "Policy") is drafted in accordance with Article 18.1 of the Russian Federal Law No. 152-FZ of 27 July 2006 "On Personal Data" and defines the order of personal data processing in the SmenaFon service. Where applicable, GDPR principles are also followed.

1. Data controller

The controller of personal data of service users is the self-employed individual Pavel Yurievich Tytskin (Russian "Professional Income Tax" payer; Tax ID 616405326607). Contact for data subject requests: support@smenafon.ru.

Full accounting details are published on the "Service provider details" page.

2. Categories of data subjects

  • Representatives and staff of phone-retail salons, and individual Home users, registering an account on smenafon.ru.
  • End customers of salons: the service operator does not receive their personal data. Transfer payloads move strictly inside the salon’s local network and are not sent to the SmenaFon server.

3. Categories of personal data processed

The service processes only account, license and technical service metadata:

  • Email address used for signup, sign-in, password recovery and service notifications.
  • Password hash (Argon2id) — the password itself is not stored and is not available to the operator’s staff.
  • Salon name (or "Home" for individuals), country, selected plan and trial/subscription validity.
  • Acceptance of Terms and Privacy Policy, including date and time.
  • IP address and basic HTTP headers (User-Agent) — in web-server logs, retained for 30 days for security purposes.
  • Salon Agent workstation technical identifier (SHA-256 hash of computer name, OS, MAC) — does not allow identifying a physical person.
  • Mobile-app session identifiers (opaque bearer tokens, stored only as SHA-256 hashes; device label, platform, app version; last-used and revocation timestamps) — let the user stay signed in without repeatedly transmitting the password and let them revoke an individual device.
  • Transfer session metadata (both Salon Agent and mobile-app sessions): session UUID, kind (AGENT/MOBILE), start/end time, duration, per-type counters (photo / video / contacts / files), success status. The actual transferred content is never received or stored by the operator.
  • Payment information: masked card number, payment provider transaction ID, amount, currency (received from YuKassa; the full card PAN is never stored at the operator).
  • Support correspondence if the user contacts the service by email.

4. Purposes of processing

  • User identification and authentication in the personal dashboard.
  • Provision of license access to Salon Agent / SmenaFon Home software.
  • Provision of a 30-day trial period for salons and usage limit accounting.
  • Settlement accounting, generation and storage of accounting documents (invoices, acts).
  • Notifying the user about account status, password reset, changes in service terms.
  • Service security (abuse detection, incident investigation).

5. Legal grounds

  • Subject’s consent (Art. 6 §1 (1) of 152-FZ; GDPR Art. 6 (1)(a)) — given by explicit affirmative action at signup.
  • Performance of a contract to which the subject is a party (Art. 6 §1 (5) of 152-FZ; GDPR Art. 6 (1)(b)).
  • Compliance with statutory obligations of the operator (e.g. RF tax accounting laws).

6. Methods of processing

Processing is performed by automated means on operator servers physically located in the Russian Federation. No cross-border transfer takes place.

7. Retention periods

  • User account data — for the duration of the contract and 12 months after termination for accounting compliance.
  • Payment documents — 5 years from the transaction date (RF Tax Code).
  • Access logs — 30 days.
  • Password reset tokens — up to 1 hour after creation.

8. Security measures

  • Transport between user and service over HTTPS with a valid TLS certificate.
  • Passwords stored as Argon2id hashes; password-reset, email-verification and mobile bearer tokens stored as SHA-256 hashes. A leak of the database alone does not allow recovering the original token or password.
  • Server infrastructure access restricted to passphrase-protected SSH keys; the administrative interface binds only to the loopback address 127.0.0.1 and is reachable exclusively through a secure SSH tunnel.
  • Daily database backups to local protected storage.
  • Request rate limiting and segregation of public and administrative interfaces at the reverse-proxy layer.

9. Disclosure to third parties

  • Payment provider YuKassa (JSC NCO YooMoney): receives the user’s email and subscription identifier to process the payment.
  • Infrastructure, email delivery and backup providers may process technical data only to the extent required for service operation and contract performance.
  • Personal data is not sold or transferred to third parties for advertising use.

10. Data subject rights

The data subject has the right to:

  • obtain information about the operator and processing of their data;
  • request correction, blocking or destruction of their data;
  • withdraw consent (which leads to service termination and account deletion);
  • delete the account themselves — button in the dashboard "Delete account" section;
  • complain to Roskomnadzor (the Russian DPA) as the supervisory authority.

Requests are sent to support@smenafon.ru; response time up to 30 calendar days.

11. Cookies

The site uses only technical cookies required to operate: lt_session (dashboard session), lt_lang (selected UI language), _csrf (form CSRF protection) and lt_cookie_consent (acknowledgement of this notice). The service sets no analytics or advertising cookies. You may disable cookies in browser settings, but logging into the dashboard will then become impossible.

The SmenaFon mobile app (Android APK) does not use cookies — the bearer authentication token is stored in the device's secure local storage (EncryptedSharedPreferences) and is removed when the user signs out.

12. Changes to the Policy

The operator may update this Policy. The current version is always at smenafon.ru/privacy. Material changes are notified to the user’s email at least 14 calendar days in advance.

Current as of publication date.