Privacy Policy

---

Privacy Policy

1. GENERAL PROVISIONS

1.1 This policy of ALO COLLECTION INC. in respect of processing of personal data (hereinafter - the Policy) applies to all personal data which ALO COLLECTION INC. (hereinafter - the operator) may receive from the subject of personal data.

1.2 This Policy applies to personal data received both before and after the approval of this Policy.

1.3 This Policy is a publicly available document declaring the conceptual basis of the Operator's activities in processing and protection of personal data.

2. PERSONAL DATA PROCESSED BY THE OPERATOR

2.1 For the purposes of this Policy, personal data means:

2.1.1 Personal data received by the Operator for the execution of a contract, a party to which, or a beneficiary or guarantor, under which the subject of personal data is.

2.1.2 Personal data received by the Operator in connection with the implementation of labor relations.

2.2 Terms and conditions of termination of processing and storage of personal data of the subject of personal data shall be determined in the manner prescribed by the legislation of the Russian Federation.

3. THE OBJECTIVES FOR THE COLLECTION, PROCESSING AND STORAGE AND THE LEGAL BASIS FOR THE PROCESSING OF PERSONAL DATA

3.1 The Operator shall collect, process and store the personal data of the subject of personal data in order to:

3.1.1 Performance of the contract. At the same time, in accordance with paragraph 5 of Part 5 of the legislation, the processing of personal data necessary to perform the contract, a party to which or a beneficiary or guarantor, under which the subject of personal data is a subject of personal data, as well as to enter into an agreement on the initiative of the subject of personal data or the contract under which the subject of personal data will be a beneficiary or guarantor, is carried out without the consent of the subject of personal data.

3.1.2 Implementation of the employment relationship.

3.1.3 Performing and exercising the functions, powers, and duties imposed on the Operator and other requirements in the field of processing and protection of personal data.

4. TERMS AND CONDITIONS OF PROCESSING OF PERSONAL DATA AND ITS TRANSFER TO THIRD PARTIES

4.1 The operator carries out processing of personal data with the use of automation means and without the use of automation means.

4.2 The operator is entitled to transfer the personal data of the subject of personal data to third parties in the following cases:

4.2.1 The subject of personal data has explicitly expressed his or her consent to such actions.

5. RIGHTS OF THE SUBJECT OF PERSONAL DATA

5.1 The subject of personal data has the right to receive information relating to the processing of his personal data, including:

5.1.1 Confirmation of the fact of processing of personal data by the Operator.

5.1.2 Legal basis and purpose of processing of personal data.

5.1.3 Methods of personal data processing used by the Operator.

5.1.4 Name and location of the Operator, information about persons (excluding the Operator's employees) who have access to personal data or to whom personal data may be disclosed on the basis of a contract with the Operator.

5.1.5 Processed personal data pertaining to the relevant personal data subject, the source of the personal data.

5.1.6 Terms of processing of personal data, including the terms of their storage.

5.1.7 Procedure for exercising by the subject of personal data.

5.1.8 Information about implemented or suspected cross-border data transfer.

5.1.9 Name or surname, first name, patronymic, and address of the person processing the personal data on behalf of the operator, if processing is or will be assigned to such person.

5.2 The information relating to the processing of personal data of the subject of personal data, provided to the subject of personal data shall not contain personal data relating to other subjects of personal data, unless there are legitimate grounds for the disclosure of such personal data.

5.3 Information regarding the processing of personal data on the subject of personal data may be provided to the subject of personal data or his/her legal representative by the operator when they apply, or at the request of the subject of personal data or his/her legal representative.

5.3.1 The request must contain the number of the personal data subject's or his/her representative's main identification document, information about the date of issue of the said document and the issuing authority, information confirming the personal data subject's participation in contractual relations with the Operator (contract number, contract conclusion date, conventional word designation and/or other information), or information otherwise confirming the fact of personal data processing by the Operator, the signature of the personal data subject or his/her representative.

5.3.2 The request may be sent in the form of an electronic document and signed by electronic signature in accordance with the legislation of the Russian Federation.

5.4 The subject of personal data has the right to request the Operator to clarify his personal data, block or destroy it if the personal data is incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing, as well as to take statutory measures to protect his rights.

6. INFORMATION ON IMPLEMENTED REQUIREMENTS FOR PERSONAL DATA PROTECTION

6.1 The most important condition for realization of the Operator's activity objectives is ensuring the necessary and sufficient level of security of information systems of personal data, observance of confidentiality, integrity, and availability of processed personal data, and preservation of data carriers, containing personal data at all stages of their processing.

6.2 The conditions and mode of protection of information referred to personal data established by the Operator allow ensuring protection of processed personal data.

6.3 The Operator developed and implemented a set of organizational, administrative, functional, and planning documents regulating and ensuring security of processed personal data.

6.4 The security regime for processing and handling of personal data was introduced, as well as the security regime for the premises where personal data carriers are processed and stored.

6.5 A person responsible for the organization of personal data processing, administrators of personal data information systems, and security administrators of personal data information systems were appointed, their responsibilities were defined, and instructions for information security were developed.

6.6 The circle of persons entitled to process personal data was determined, instructions to users on personal data handling, anti-virus protection, and actions in crisis situations were developed.

6.7 Requirements to personnel and the degree of responsibility of employees for ensuring the security of personal data were determined.

6.8 Employees engaged in personal data processing were familiarized with provisions of the Russian Federation legislation on personal data security and requirements for personal data protection, documents determining the Operator's policy on personal data processing, and local acts on personal data processing. The above employees shall be periodically trained in the rules of personal data processing.

6.9 Necessary and sufficient technical measures are taken to ensure security of personal data from accidental or unauthorized access, destruction, modification, blocking access, and other unauthorized actions:

6.9.1 A system of access delimitation has been introduced.

6.9.2 Protection against unauthorized access to automated workplaces, information networks, and personal data bases is established.

6.9.3 Protection against malicious software and mathematical influence was installed.

6.9.4 Information and databases are regularly backed up.

6.9.5 Information is transmitted over public networks using cryptographic protection of information.

6.10 The system of control over the processing of personal data and its security is organized. Compliance checks of personal data protection system, audits of personal data protection level in personal data information systems, functioning of information protection means, identification of changes in personal data processing, and protection regime are planned.

7. ACCESS TO THE POLICY

7.1 The current hard copy version of the Policy is kept at the address: 161/51 Moo 10, Chalong Sub-district, Muang Phuket district, Phuket 83130, Thailand.

7.2 The electronic version of the current version of the Policy is posted on the Operator's website in section 9: "Confidentiality and Protection of Personal Information."

8. UPDATING AND APPROVAL OF THE POLICY

8.1 The Policy shall be approved and put into effect by an administrative document signed by the Head of the Operator.

8.2 The Operator has the right to amend this Policy. When changes are made, the name of the Policy shall specify the date of the last update of the revision. The new version of the Policy comes into effect from the moment it is posted on the Operator's website unless otherwise stipulated by the new version of the Policy.