SmenaFon
RU EN
Sign up

Personal data processing policy

Compliant with Russian 152-FZ; describes what we process and why.

This Personal Data Processing Policy (the "Policy") is drafted in accordance with Article 18.1 of the Russian Federal Law No. 152-FZ of 27 July 2006 "On Personal Data" and defines the order of personal data processing in the SmenaFon service. Where applicable, GDPR principles are also followed.

1. Data controller

The controller of the personal data of service users is IE ___________ (Tax ID ___________, OGRNIP ___________, registered address: ___________). Contact: support@smenafon.ru.

Up-to-date company details are published on the "Company details" page after operator registration. Until then, this document is a working draft of the service policy.

2. Categories of data subjects

  • Representatives and staff of phone-retail salons, and individual Home users, registering an account on smenafon.ru.
  • End customers of salons: the service operator does not receive their personal data. Transfer payloads stay strictly inside the salon’s local network.

3. Categories of personal data processed

The service processes only account, license and technical service metadata:

  • Email address used for signup, sign-in, password recovery and service notifications.
  • Password hash (Argon2id) — the password itself is not stored and is not available to the operator’s staff.
  • Salon name (or "Home" for individuals), country, selected plan and trial/subscription validity.
  • Acceptance of Terms and Privacy Policy, including date and time.
  • IP address and basic HTTP headers (User-Agent) — in web-server logs, retained for 30 days for security purposes.
  • Workstation technical identifier (SHA-256 hash of computer name, OS, MAC) — does not allow identifying a physical person.
  • Transfer session metadata: session UUID, start/end time, duration, per-type counters (photo / video / contacts / events / files). Content is never transferred.
  • Payment information: masked card number, payment provider transaction ID, amount, currency (received from YuKassa/Stripe; the full card PAN is never stored at the operator).
  • Support correspondence if the user contacts the service by email.

4. Purposes of processing

  • User identification and authentication in the personal dashboard.
  • Provision of license access to Salon Agent / SmenaFon Home software.
  • Provision of a 30-day trial period for salons and usage limit accounting.
  • Settlement accounting, generation and storage of accounting documents (invoices, acts).
  • Notifying the user about account status, password reset, changes in service terms.
  • Service security (abuse detection, incident investigation).

5. Legal grounds

  • Subject’s consent (Art. 6 §1 (1) of 152-FZ; GDPR Art. 6 (1)(a)) — given by explicit affirmative action at signup.
  • Performance of a contract to which the subject is a party (Art. 6 §1 (5) of 152-FZ; GDPR Art. 6 (1)(b)).
  • Compliance with statutory obligations of the operator (e.g. RF tax accounting laws).

6. Methods of processing

Processing is performed by automated means on operator servers physically located in the Russian Federation. No cross-border transfer takes place.

7. Retention periods

  • User account data — for the duration of the contract and 12 months after termination for accounting compliance.
  • Payment documents — 5 years from the transaction date (RF Tax Code).
  • Access logs — 30 days.
  • Password reset tokens — up to 1 hour after creation.

8. Security measures

  • Transport between user and service over HTTPS with a valid TLS certificate.
  • Passwords stored as Argon2id hashes; reset tokens as SHA-256 hashes.
  • Server access restricted to SSH keys with MFA for administrators.
  • Daily database backups with encryption in transit to object storage.

9. Disclosure to third parties

  • Payment provider (YuKassa — JSC NCO YooMoney, or Stripe for international users): receives the user’s email and subscription identifier to process the payment.
  • Infrastructure, email delivery and backup providers may process technical data only to the extent required for service operation and contract performance.
  • Personal data is not sold or transferred to third parties for advertising use.

10. Data subject rights

The data subject has the right to:

  • obtain information about the operator and processing of their data;
  • request correction, blocking or destruction of their data;
  • withdraw consent (which leads to service termination and account deletion);
  • delete the account themselves — button in the dashboard "Delete account" section;
  • complain to Roskomnadzor (the Russian DPA) as the supervisory authority.

Requests are sent to support@smenafon.ru; response time up to 30 calendar days.

11. Cookies

The site uses only technical cookies required to operate (UI language, session ID, CSRF protection). No analytics or advertising cookies. You may disable cookies in browser settings, but logging into the dashboard will become impossible.

12. Changes to the Policy

The operator may update this Policy. The current version is always at smenafon.ru/privacy. Material changes are notified to the user’s email at least 14 calendar days in advance.

Current as of publication date.