Personal Data Processing Policy
1. Introduction and Scope
This Personal Data Processing Policy (hereinafter referred to as the “Policy”) is developed in accordance with the Federal Law of the Russian Federation No. 152-FZ “On Personal Data” and the EU General Data Protection Regulation (GDPR). It regulates the entire lifecycle of personal information of Site visitors and customers: from collection and storage to use, transfer, and deletion. The purpose of this document is to protect the rights of data subjects, ensure transparency of processing, and comply with international privacy standards.
1.1. Key Terms
- Operator — the administration of the TumanClothing Website, determining the purposes and methods of data processing.
- Data subject — an individual whose personal data is processed by the Operator.
- Personal data — any information that allows identifying a data subject (full name, contact, location, technical details, etc.).
- Data processing — any operations performed on data: collection, recording, storage, modification, use, transfer, deletion.
2. Categories of Processed Personal Data
1. Identification data: full name, date of birth (if voluntarily provided).
2. Contact details: email, phone number.
3. Location data: country, city, postal address, ZIP code, pickup point.
4. Order details: product names, quantity, cost, order date, and delivery status.
5. Additional information: order comments, product preference parameters.
6. Reviews and feedback: text, ratings, photos.
7. Technical details: IP address, device and browser information, cookie data, browsing history.
3. Purposes of Personal Data Processing
1. Fulfillment of the sales contract: order processing, payment, assembly, packaging, and delivery of goods.
2. Documentation: issuing electronic receipts, invoices, and accounting records.
3. Communication with the user: order status notifications, customer support responses.
4. Marketing communications: sending promotions, promo codes, and special offers with the data subject’s consent.
5. Service personalization: improving recommendations, adapting the interface and content.
6. Analytics and quality improvement: collection and aggregation of anonymized statistics (Google Analytics 4, Search Console).
7. Security assurance: fraud prevention, protection of infrastructure and accounts.
8. Legal obligations: providing data upon request of supervisory authorities and compliance with the law.
Processing for other purposes is carried out only upon prior notification and explicit consent of the data subject.
4. Legal Grounds for Processing
- Consent of the data subject (Art. 6 (1) (a) GDPR): for marketing communications and non-essential notifications.
- Performance of a contract (Art. 6 (1) (b) GDPR): order processing and delivery.
- Legitimate interests of the Operator (Art. 6 (1) (f) GDPR): website security, auditing, analytics, fraud prevention.
- Compliance with legal requirements: storage of accounting documents, provision of information upon lawful requests.
Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
5. Retention Periods for Personal Data
- Orders and related documents: minimum of 5 years.
- Consents for newsletters: until consent is withdrawn.
- Technical logs and cookies: up to 14 months.
- Return and complaint data: minimum of 3 years.
- Other data: within the scope of processing purposes and legal requirements; then deleted or anonymized.
6. Transfer of Data to Third Parties
Personal data is transferred strictly on legal grounds and in the minimum necessary scope:
- Courier and postal services — for delivery.
- Payment providers and crypto payment gateways — for transaction processing.
- Hosting providers and data centers — for website operation.
- Analytics services (Google Analytics 4, Search Console) — in anonymized form.
- State and supervisory authorities — on legal grounds.
Each data recipient is bound by a confidentiality agreement with the Operator and is obliged to ensure the protection of the transferred data.
7. Use of Cookies and Similar Technologies
The Website uses the following categories of cookies:
- Necessary cookies: cart functionality, sessions, authorization.
- Functional cookies: saving user preferences.
- Analytical cookies: collection of anonymized statistics (Google Analytics 4).
- Marketing cookies: retargeting and personalization with user consent.
Users can manage cookies in browser settings. Disabling certain categories may limit the functionality of the Website.
8. Rights of Data Subjects
Data subjects have the right to:
- Request confirmation of processing and access to their data.
- Amend and correct inaccurate or incomplete data.
- Request data deletion (“right to be forgotten”) in the absence of legal grounds for retention.
- Restrict processing in certain cases.
- Object to processing based on the Operator’s legitimate interests.
- Receive data in a machine-readable format and transfer it to another operator.
- Withdraw consent where processing is based on consent.
- File complaints with supervisory authorities (Roskomnadzor, European regulators).
Requests should be sent to [email protected]; the response time is no later than 30 calendar days.
9. Data Security Measures
The Operator applies a set of technical and organizational measures:
- Data encryption: SSL/TLS (HTTPS) for information transmission.
- Secure storage: encrypted databases, isolated servers.
- Software updates: regular patches and system updates.
- Access control: limiting employee rights based on the principle of least privilege.
- Security audits: vulnerability testing and incident monitoring.
- Pseudonymization: removal of direct identifiers where not required.
In case of security incidents, users and supervisory authorities are notified within the time limits established by law.
10. Updates and Entry into Force
Changes to the Policy are made without prior notice and come into effect upon publication on the Website. Continued use of the Website after updates constitutes acceptance of the new version.
Last updated: July 25, 2025