This Privacy Policy (hereinafter referred to as the "Policy"):

• applies to the "Operator";
• is fully integrated into the terms of the online sales agreement via this link;
• defines what information can be attributed to a user, directly or indirectly identifiable, and the purposes for which it is used;
• establishes the principles for processing Personal Data.

The following terms are used in this Policy:

• "Operator" — a state or municipal body, legal entity, or individual that organizes and/or processes personal data, independently or jointly with others; determines the purposes of processing, the composition of the data, and the actions taken with personal data.
• Personal data — any information relating directly or indirectly to an individual (the subject of personal data).
• Personal data processing — any action with personal data, including collection, recording, systematization, accumulation, and other operations, with or without the use of automation tools. Confidentiality of personal data is the obligation of the Operator or other data owner not to disclose it without the consent of the data subject, unless there are other legal grounds.
• A cookie is a small amount of data sent by a web server and stored on the user's computer; it is sent back each time a resource is accessed.

The "Operator" places security at the core of its operations. Its policy is aimed at the proper and lawful handling of personal data, ensuring its confidentiality, integrity, and availability. Users' personal data is processed within the Russian Federation (RF) in accordance with Federal Law No. 152-FZ "On Personal Data." The "Operator" adheres to the principles of the Policy and encourages users to send questions and complaints to the following address: 350004, Krasnodar, Kozhevennaya st., 141.

1. Principles of personal data processing at the "Operator":

• Personal data is collected for pre-established, legitimate purposes (target limitation);
• Processing is carried out lawfully and transparently (lawfulness, fairness, and openness);
• Collection is limited to the information necessary for the purpose (data minimization);
• Data must be accurate and, if necessary, deleted or rectified promptly (accuracy);
• Data is retained for the time required for the purpose (storage limitation);
• Processing is protected from illegal activity and accidental loss (integrity and confidentiality);
• Data subjects have the right to access, amend, and delete their data, as well as other rights (accessibility).

2. Purposes of Processing User Personal Data
The Operator collects user personal data related to travel through mobile applications:
2.1. To fulfill the contract to which the user is a party, as well as to provide additional services during travel (e.g., meals, special conditions, hotel accommodation in case of involuntary ticket refund for medical reasons).

• Full name, date of birth, gender, identity document details (e.g., passport, birth certificate), expiration date, place of residence, contact information, routes, travel dates, and dietary preferences.
• Visa information for international travel, including the number, country of issue, and expiration date, is provided by the user in their personal account.

2.2. The following data is also processed to promote products and services:
Full name, gender, date of birth, contact information, travel information, and loyalty program participation information.
Some pages of websites and applications use cookies. The Cookie Policy describes this in more detail.

3. Processing of User Personal Data
Actions with user data include collection, storage, updating, use, transfer, and deletion, with or without automated means. Data may be transferred to third parties only for the performance of the transportation contract and is not used to advertise third-party products.
The Operator provides data to government agencies upon lawful request and to partners to ensure security and improve service quality. The data is stored for 3 years after the end of the air carriage agreement and may be processed longer if required by law.

4. Destruction of Personal Data
Data is destroyed once the processing purposes have been achieved or if there are legal grounds for doing so, in accordance with internal regulations. If unlawful processing is detected, the data is blocked pending an investigation.
If inaccurate data is detected, it is blocked pending an investigation, and if the inaccuracy is confirmed, it is corrected. In the event of unlawful processing, the "Operator" will cease such processing within three business days. If the lawfulness of the processing cannot be ensured, the data is destroyed within ten business days.
Users and authorized bodies are notified of any rights violations within twenty-four hours. The Operator will notify the results of the internal investigation of the identified incident within seventy-two hours, and will also provide information on the persons whose actions caused the incident (if any).
If the user revokes consent to data processing, the Operator will cease processing and destroy the data, if its storage is no longer required, within thirty days. Requests to cease processing are also fulfilled within ten business days, with a possible extension of five days if the reason is specified in the notification. If it is impossible to destroy data in a timely manner, it is blocked and destroyed within six months. Documents containing data are destroyed after the expiration of the statutory retention period or upon the occurrence of other grounds, through an expert commission:

• Paper documents are shredded.
• Electronic documents are erased or destroyed along with the media.

5. Data Processing Security
The Operator guarantees the secure processing of users' personal data by implementing appropriate technical and organizational measures to protect against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. Data security questions can be directed to the contact information provided.
The "Operator" maintains internal controls and audits of data processing compliance with personal data law and security requirements. Data security is ensured by:

• threat identification;
• implementation of appropriate organizational and technical measures;
• verifying the effectiveness of security measures;
• data storage media inventory;
• detection and remediation of unauthorized access;
• data recovery after unauthorized access;
• establishing access rules and tracking actions in information systems;
• monitoring the level of data security.

Personal account password requirements:

• minimum password length in characters – 8;
• password must contain upper and lower case letters;
• password must contain special characters;
• it is not recommended to use passwords from other accounts.

6. Access to, Amendment, or Deletion of Personal Data
Users may request access to, amendment, or deletion of their data if it is incomplete, outdated, inaccurate, or illegally obtained. The "Operator" recommends informing you of any changes to data.
For questions regarding viewing, amending, access, retention periods, and other data processing issues, please contact us using the provided contact information.

7. Liability
The "Operator" monitors compliance with the law and can confirm this. Data processing activities are recorded. The "Operator" will not be liable for the loss or disclosure of data if the information:

• became publicly known prior to the loss or disclosure;
• was received from a third party;
• Disclosed with the user's consent.

Questions regarding this Policy can be directed to the contact information provided.

8. Complaints
Users have the right to file complaints regarding the processing of their data. All complaints are processed promptly. They can be directed to the contact information provided.

9. Amendments to this Policy
The "Operator" reserves the right to amend this Policy and reminds users to review the terms and conditions with each new purchase. The new policy version comes into effect from the moment it is posted on the website, unless otherwise stated.