Privacy Policy

POLICY ON THE PROCESSING OF PERSONAL DATA

This English translation is provided for convenience only. In case of any discrepancy between the Russian original and this English translation, the Russian version shall prevail.

This Personal Data Processing Policy has been drawn up in accordance with the requirements of the Federal Law of 27.07.2006 No. 152-FZ “On Personal Data” and defines the procedure for processing, systematizing, and using personal data, as well as measures to ensure the security of personal data received by LLC “SYROVARNYA” (hereinafter – the Operator) from clients using the Application and/or the Website and its individual services to receive services. This Policy is an integral part of the public offer for participation in the loyalty program, obtaining and using the electronic bonus card (hereinafter – the Offer), and the document regulating the processing of Card Users’ data.

If the User disagrees with the terms of this Policy, the User must immediately cease any use of the Website and/or the Application.

1. Basic concepts used in the Policy

Personal data – any information relating directly or indirectly to an identified or identifiable individual (personal data subject) – the User. Personal information (in addition to personal data) includes information uploaded by the User or transmitted electronically to the Operator, as well as information received during the use of the Card, allowing identification of the User as an individual – a subject of legal relations.

Personal data operator (Operator) – a person who independently or jointly with other persons (employees or third parties under special agreements) organizes and/or carries out the processing of personal data, determines the purposes of processing, the composition of personal data to be processed, and actions (operations) performed with personal data. In the context of this Policy, the Operator is the Organization. The terms Organization and Operator are equivalent in this Policy.

Processor – a legal entity performing personal data processing, namely recording, systematizing, accumulating, storing, extracting, using, blocking, deleting, destroying the User’s personal data on behalf of the Organization under an agreement. The Processor is not required to obtain the User’s consent to the processing of their personal data pursuant to paragraph 4, Article 6 of Federal Law No. 152-FZ.

Processing of personal data – any action (operation) or set of actions (operations) performed with or without the use of automation tools with personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (distribution, provision, access), anonymization, blocking, deletion, destruction of personal data.

Automated processing of personal data– processing of personal data using computing devices.

Dissemination of personal data – actions aimed at disclosing personal data to an indefinite circle of persons.

Provision of personal data – actions aimed at disclosing personal data to a specific person or a specific group of persons.

Blocking of personal data – temporary cessation of personal data processing (except where processing is necessary for clarification of personal data).

Use of personal data - actions (operations) with personal data performed by the Operator to make decisions or take other actions that create legal consequences in relation to the personal data subject or others, or otherwise affect the rights and freedoms of the personal data subject or others.

Anonymization of personal data – actions that make it impossible, without additional information, to determine the belonging of personal data to a specific personal data subject.

Destruction of personal data – actions that make it impossible to restore the content of personal data in the personal data information system and/or that destroy material carriers of personal data.

Personal data information system – a set of information technologies and technical means contained in the Organization’s and/or its partners’ databases, including the Processor, ensuring the processing of personal data.

Cross-border transfer of personal data – transfer of personal data to the territory of a foreign state to a foreign government authority, foreign individual, or foreign legal entity.

Geolocation – information about the User’s location obtained by the Organization and/or received from Third Parties.

Purchase data – data about purchases made by the User using the Website and/or Application (order composition), including date, time, amount, payment methods, delivery address, date and time.

Application usage data – data on User activity in the Application obtained by the Organization via analytics tools, including third-party SDKs, including but not limited to:

• Application pages visited, date and time of visit, time spent on pages;
• Unique device identifiers and other diagnostic and technological data, mobile device type, device IP address, mobile operating system, type and version of mobile internet browser or other software used for access.

Website usage data – data on User activity on the Website obtained by the Organization via analytics tools, including third-party SDKs, including but not limited to:

• Website pages (addresses), date and time of visit, time spent on pages;
• Unique device identifiers and other diagnostic and technological data, device type, IP address, operating system, type and version of internet browser or other software used for access.

User Agreement – an agreement posted online at https://www.syrovarnya.com, constituting an offer by the Operator to conclude an agreement with any third party using the Website under the terms provided in the User Agreement.

Website – the online site of the Program, owned by the Organization, located at https://www.syrovarnya.com

Application – mobile application “Syrovarnya”, developed and owned by the Organization, available on AppStore and GooglePlay.

Organization – LLC “SYROVARNYA”, OGRN 1187746320508, INN 7730242132, 115114, Moscow, Danilovsky Municipal District, Letnikovskaya Street, 5, room 1/2, and its partners.

Policy – this Privacy Policy establishing the procedure for processing Users’ personal information by the Organization.

User – an individual using the Website or Application under the User Agreement.

Phone number – phone number provided by the User to the Organization and/or obtained from Third Parties.

Third Parties – any third parties, including:

• Call centers;
• Communication operators;
• IT companies providing access to platforms and infrastructure for sending promotional and informational messages;
• Advertising agencies;
• Delivery service providers;
• Companies selling food products via the Website and Application.

Cookies – special files located on the User’s device containing textual information necessary for the functioning of the Website and may include anonymous unique identifiers.

2. General Provisions

2.1. The Operator considers it a primary goal and a condition of its activities to respect human and civil rights and freedoms when processing personal data, including protection of privacy, personal and family secrets.

2.2. This Operator’s personal data processing policy (hereinafter – the Policy) applies to all information that the Operator may receive about the Users of the Website https://www.syrovarnya.com and the mobile application “Syrovarnya.” The text of the Policy is available online at https://www.syrovarnya.com.

2.3. The User’s use of the Website and/or Application and/or Card constitutes the User’s unconditional consent to this Policy and the terms of processing their personal information contained herein. If the User disagrees with these terms, they are not permitted to use the Website, Application, or Card.

2.4. The Policy regulates the processing of the User’s personal information in connection with the use of the Website and/or Application and/or Card. This Policy does not regulate the User’s actions on third-party websites and applications linked from the Website and/or Application and/or Card. When using third-party websites or applications, the User is subject to the privacy policies of those websites and applications. The Organization and Partners recommend that Users review such third-party policies before providing them with personal information.

2.5. By accepting the Offer, the User gives their unconditional consent to the processing of their personal data in accordance with the Policy as an integral part of the Offer. If the User does not fully agree with the Policy, they must immediately stop using the Card on all their devices.

2.6.The text of consent for receiving informational, advertising, news, or marketing materials is provided in Appendix No. 1 to this Policy.

2.7. Registration of the Card and consent to the processing of personal data in accordance with this Policy is carried out by the User depending on the method of Card activation:

• On the website – by entering the phone number in the corresponding pop-up window;
• In the mobile application – by entering the phone number in the corresponding window;
• By any other activation method of the Card specified on the Operator’s website.

2.8. Collection of personal data is primarily aimed at providing the User with personalized access to the Card and functioning of all privileges granted to the User under the Program.

2.9. By providing their data in the Card, the User gives the Operator unconditional consent to the processing of their personal information, both uploaded by the User and automatically obtained by the Operator through actions performed by the User with the Card.

2.10. For any inquiries to the Operator, the User must use communication tools personally owned by the User (their phone number).

2.11. Any personal information of the User transmitted to the Operator and/or its partner, including the Processor, under this Policy is perceived by the Operator “as is” and is not subject to preliminary verification for accuracy. The User bears full responsibility for the accuracy of the information provided.

2.12. When disclosing or providing information, the Operator complies with the confidentiality requirements established by Article 7 of Federal Law No. 152-FZ of 27.07.2006 “On Personal Data,” and the measures to ensure the security of personal data during processing as per Article 19 of the same law.

2.13. The Operator and Processor may also carry out automated processing of information provided by the User.

2.14. In accordance with paragraph 7, part 4, article 16 of Federal Law No. 149-FZ “On Information, Information Technologies, and Information Protection,” all personal data is stored on a server located in the Russian Federation.

3. Personal data processed by the Operator

3.1.Under this Policy, personal information of the User includes:

• Personal information provided by the User during registration (account creation) or during the use of the Website and/or Application, or otherwise obtained by the Organization, including personal data:

1. Full name of the User;
2. Mobile phone number;
3. User’s gender;
4. Date of birth;
5. Geolocation;
6. Purchase data;
7. User’s email address;
8. User cookies when visiting the Operator’s and/or partners’ websites according to the Program;
9. Other data necessary for fulfilling obligations under the Offer, provided by the User during interaction if required by such obligations.

• Usage data automatically transmitted to the Organization via software installed on the User’s device.
• Other information about the User whose processing is provided for in the User’s consent to personal data processing and/or agreements with the User (User Agreement; retail purchase agreement).

3.2. The Website uses cookie files. On first visit, the User may be asked for consent to use cookies. Subsequently, the User may refuse cookies. Refusal may limit access to some Website functions. Cookies used include, but are not limited to:

1. Session Cookies – for Website management;
2. Security Cookies – to ensure security.

3.3. The above list may be modified at the Operator’s discretion. No written notification to the User is required. Entry of additional necessary data by the User constitutes consent to such changes.

3.4. All User data is used by the Operator solely for the purposes specified in the Policy and the Offer and is stored until withdrawal of consent by the User or completion of obligations under the Offer or a similar agreement, whichever occurs first.

3.5. The aforementioned data is hereinafter collectively referred to as Personal Data.

4. Legal grounds and purposes of personal data processing

4.1. Processing of Users’ personal data is carried out on the following legal grounds:

• Civil Code of the Russian Federation;
• User Agreement and other agreements posted on https://www.syrovarnya.com and/or in the Application;
• Federal Law No. 129-FZ of 08.08.2001 (as amended on 27.12.2018) “On State Registration of Legal Entities and Individual Entrepreneurs” (effective from 01.01.2019);
• Other federal laws and regulations governing relations related to the Operator’s activities;
• Charter documents of the Operator;
• Internal regulations of the Operator;
• Offer, contracts concluded between the Operator and the personal data subject, as well as between the Operator and third parties;
• Consent to personal data processing (in cases not explicitly provided by Russian legislation, but within the Operator’s authority).

4.2. The Operator adheres to the above legal grounds for processing Users’ personal data and maintains the list of applicable regulations in an up-to-date state.

4.3. The purpose of the Policy is to ensure proper protection of information about Users, including their personal data, against unauthorized access and disclosure.

4.4. Processing of personal data is limited to achieving specific, predetermined, and lawful purposes listed in the Offer and the Policy. Processing incompatible with the purposes of collection is not allowed.

4.5. The Website and Application process only the personal information necessary to provide services, execute agreements with the User, or information processed with the User’s consent during registration and/or as required by applicable law.

4.6. The User’s phone number is necessary for Card registration assigned to a specific User; other data is provided voluntarily unless objectively required to fulfill obligations under the Offer or directly required by the Program.

4.7. The main purpose of collecting personal data is to provide the User with privileges when making purchases at the Organization’s restaurant(s) and/or its partners, according to the Program.

4.8. The Operator processes Users’ personal data for the following purposes:

• Registration, identification, and sending notifications to enable participation in the loyalty Program;
• Conducting marketing and other research based on the User’s purchase history to improve service quality;
• User identification during registration/authentication;
• Providing access to personalized resources in the Application and/or Website;
• Establishing feedback with the User, including sending notifications, requests, emails, SMS, push notifications, processing requests;
• Execution of contracts with the User;
• Verification of accuracy and completeness of personal data provided by the User;

• Notification of efficient customer and technical support in case of issues using the Application and/or Website;
• Monitoring use of the Application and/or Website;
• Sending advertising messages with the User’s consent;
• Improving the Application and/or Website, developing new services;
• Conducting statistical and other research based on anonymized data;
• Other purposes provided by the User’s consent to personal data processing or contract with the Organization.

4.9. The specific scope of personal data processed for the above purposes is defined in Section 3 of the Policy.

4.10. The Operator may use Users’ personal data for any marketing, informational, organizational, or other communications (email, push, SMM, etc.) related to the Card and Operator’s and/or partners’ activities only after obtaining additional consent or subscription. The User can withdraw consent at any time; consent for purposes under Section 3.3 remains valid.

4.11. The Operator may process personal information for other purposes provided in the consent and/or Offer.

4.12. Users’ personal information is stored and processed on the territory of the Russian Federation.

5. Conditions for processing and transfer of personal information to third parties

5.1. Processing is carried out in accordance with the User Agreement, this Policy, the User’s consent, and applicable data protection laws.

5.2. Confidentiality and security of all Users’ personal information are ensured.

5.3. The Operator may transfer Users’ personal information to Third Parties only in the following cases:

• The User has consented to such actions;
• Transfer is necessary for use of the Website/Application or execution of a contract with the User;
• To protect the rights and lawful interests of the Organization;
• Disclosure to government authorities is carried out according to Russian law;
• Other cases provided by law.

6. Consent procedure

6.1. Information added during registration and use of the Card is not publicly accessible.

6.2. The Operator does not verify the User’s data; it is assumed that the User:

• Is legally competent, or consent is provided by a legal representative;
• Provides accurate information in the volumes necessary to use the Website/Application. Users are responsible for keeping information up to date. Consequences of inaccurate or incomplete data are described in the User Agreement.

6.3. The User consents to personal data processing as follows:

1. In the Application – by entering a phone number and verification code; consent is deemed given upon pressing “Confirm.”
2. On the Website – same procedure as above.
3. When filling out feedback forms, surveys, or other service requests – consent is given when the submission button is pressed.
4. For subscription to marketing materials – consent is given by checking the box “I hereby consent…” upon subscription.
5. Automatic data sent via software installed on the User’s device is consented at the start of using the Website.

6.4. Consent is effective from the date provided and for the period necessary to achieve the processing purposes.

7. Personal data processing

7.1. Processing is performed using databases located in the Russian Federation.

7.2. Automated systems are used, except when non-automated processing is required by law.

7.3. Processing includes collection, recording, systematization, accumulation, storage, clarification, retrieval, use, transfer, anonymization, blocking, deletion, and destruction.

7.4. Data collection is per Section 6.3.

7.5. Data storage is on a cloud server until:

• Destruction by Operator upon withdrawal of consent;
• Expiration of consent.

7.6. Data clarification may be requested by the User.

7.7. Data dissemination occurs only for:

• Profile display for communication and remote services;
• Publication of User reviews of services.

7.8. Data may be transferred to partners (Processors) under the following conditions:

• Processor uses databases in Russia;
• Ensures confidentiality and security;
• Implements measures to prevent unauthorized access.

7.9. Purposes of data transfer:

• Optimization of informational/advertising messages;
• Sending informational messages;
• Execution of agreements with involvement of third parties.

7.10. Allowed operations: collection, recording, systematization, accumulation, storage, clarification, retrieval, use, transfer, anonymization, blocking, deletion, destruction. Third parties may not redistribute data.

7.11. Data destruction occurs upon:

• Withdrawal of consent;
• User request;
• Expiration of consent.

8. Security measures

8.1. Legal, organizational, and technical measures include:

• Appointing a responsible person;
• Registration in the personal data operators’ registry;
• Applying technical measures to secure information systems;
• Monitoring unauthorized access;
• Evaluating security measures effectiveness.

8.2. Software prevents unauthorized access.

8.3. The Operator and the Processor are not responsible for third-party illegal actions beyond their control.

9. Backup policy

9.1. Backup prevents data loss due to system or software failures, malicious actions, or accidental deletion.

9.2. Enables moving data between workstations, reducing dependency on a single device or location.

9.3. Backup includes:

• User personal data;
• Data needed for server and database recovery;
• Information from automated systems.

10. Incident response

10.1. Security incident – any unforeseen or undesirable event that may compromise personal data.

10.2. Incident sources:

• Employee/User/Contractor notifications;
• Regulatory notifications;
• System logs analysis;
• Report to data protection officer, logged in incident management system.

10.3. Investigation includes:

• Collecting and analyzing all data;
• Determining leak volume;
• Identifying responsible parties;
• Establishing causes.

10.4. Report prepared for the Operator management.

10.5. The Operator decides on sanctions post-investigation.

11. Cookie policy

11.1. Cookies contain identifiers sent from server to browser and back. They may be persistent or session-based.

11.2. Cookies do not personally identify Users, but may link to stored personal data.

11.3. Purposes: authentication, personalization, security, advertising, analytics.

11.4. Service providers like Google Analytics may use cookies; information used for reporting and analysis.

11.5. Personalized ads may use cookies; opt-out options provided.

11.7. Browsers allow disabling/removal of cookies; methods vary.

11.8. Blocking all cookies may affect functionality of Website/Application

12. User rights

12.1. Users may:

• Provide data at discretion;
• Edit personal data in account;
• Delete data via account;
• Request clarification, blocking, or deletion of incomplete, outdated, inaccurate, illegally obtained, or unnecessary data;
• Request information on processing as per Article 14, Federal Law No. 152-FZ.

13. Obligations of Organization and Users

13.1. User obligations:

• Provide accurate personal data;
• Notify Organization of changes;
• Bear responsibility for actions via their account.

13.2. Organization obligations:

• Use data only for stated purposes;
• Ensure confidentiality.

14. User inquiries

14.1. Users may submit inquiries regarding personal data or withdrawal of consent.

14.2. Inquiries must be sent from registered email to info@syrovarnya.com.

14.3. Must include: ID details, proof of relationship with the Operator, content, signature.

14.4. The Operator checks completeness, validity, and provides responses including requested information, reasoned refusal, or action taken.

14.5. Response time: 30 calendar days.

15. Policy amendments

15.1. The Operator may amend Policy; Users must review changes periodically.

15.2. New Policy effective upon publication; continued use constitutes acceptance.

16. Miscellaneous

16.1. Policy governed by Russian law.

16.2. Integral part of User Agreement on https://www.syrovarnya.com and Application.

16.3. Published on Website and Application.

16.4. The Operator may unilaterally amend Policy without notice.

16.5. New version effective upon posting unless otherwise indicated.

16.6. Questions can be sent to the Organization.

17. Contact information

Address: 115114, Moscow, Danilovsky District, Letnikovskaya St., 5, Premises 1/2

Email: info@syrovarnya.com

Website: https://www.syrovarnya.com

Publication date: December 29, 2025

Appendix №1 - Consent to receive informational, advertising, news, or marketing materials

1. In accordance with Article 18, Federal Law No. 38-FZ, I consent to LLC “Syrovarnya” (OGRN 1187746320508, INN 7730242132) to process my personal data and send materials via phone, email, push notifications, and on-site.
2. Guarantee provided contact details belong to me; will inform the Operator if they change.
3. Consent valid until withdrawal.