1. MAIN DEFINITIONS

• 1.1. In connection with the relations of the parties related to personal data processing, the following definitions are applied.

  • 1.1.1. Personal data – any information relating to directly or indirectly to the certain, or defined natural person (subject of Personal data) – to the User of Service, the recipient of Goods.

  • 1.1.2. The personal data operator (Operator)

  • 1.1.3. Personal data processing - – any action (operation) or set of actions (operations) with Personal data performed with use of the automation equipment or without their use. Personal data processing includes, inter alia:

    • - collecting;

    • - record;

    • - systematization;

    • - accumulation;

    • - storage;

    • - specification (update, change);

    • - extraction;

    • - use;

    • - transfer (distribution, providing, access);

    • - depersonalization;

    • - blocking;

    • -deletion;

    • - destruction.

  • 1.1.4. Automated personal data processing – personal data processing by means of computer aids.

  • 1.1.5. Distribution of Personal data – the actions aimed at disclosing Personal data to an undefined group of people.

  • 1.1.6. Providing Personal data – the actions aimed at disclosing Personal data to a specific person or a certain group of persons.

  • 1.1.7. Blocking of Personal data – the temporary termination of personal data processing (except if processing is necessary for specification of Personal data).

  • 1.1.8. Destruction of Personal data – actions as a result of which it becomes impossible to restore the content of Personal data in the personal data information system and (or) as a result of which Personal data media are destroyed.

  • 1.1.9. Depersonalization of Personal data – actions as a result of which it becomes impossible to define the ownership of Personal data by a specific subject of Personal data without using additional information.

  • 1.1.10. The personal data information system – the set of Personal data contained in databases and information technology and technical means that support their processing.

  • 1.1.11. Cross-border transfer of Personal data – transfer of Personal data to the territory of a foreign country to authority of a foreign country, to a foreign natural person or foreign legal entity.

• 1.2. Other terms used in the Policy and (or) in the relations arising out of it are subject to interpretation in accordance with applicable law, and in the absence of their interpretation in the legislation – according to business practices and the scientific doctrine.

• 1.3. The terms and definitions specified in the Agreement are applicable in the relations of the parties within the Policy.

2. GENERAL PROVISIONS

• 2.1. By registering in Service, the User makes the acceptance of the Agreement and the Policy as its integral part. If the User does not agree with provisions of the Policy completely or in part – he is obliged to stop immediately using Service on all its devices.

• 2.2. Personal data collection is carried out primarily to provide the User with the personalized access to Service for use of all its functionality, including without limitation purchasing of goods from Sellers on pages of Service, ordering of Reservation services.

• 2.3. Transferring the data to the Operator at Service, the User gives the Operator the unconditional consent to processing of its Personal information both loaded by the User, and received by the Operator in the automated mode as a result of Service User`s actions, including User`s permission to Service always to use data on the geo-location of the User in the background. Such permission is required to Administration of Service for improvement of speed and accuracy of processing as well as quality of Orders execution.

• 2.4. If the User does not agree with data processing within the Policy – he undertakes to stop using Service immediately.

• 2.5. Personal information (in addition to Personal data) is understood as the personal information loaded by the User in Service or transferred on electronic channels to the Operator and also obtained in the course of use of Service allowing to identify the User as the natural person – the subject of legal relationship.

• 2.6. For any requests to the Operator, the User should use the means of communications belonging to the User personally (e-mail address, the phone, etc.).

• 2.7. Any Personal information of the User transferred to the Operator within Privacy Policy is perceived by the Operator "as is" and is not subject to prior validation. The User is personally liable for the authenticity of information provided to the Operator.

• 2.8. The Operator has the right to perform the automated processing of information submitted by the User.

3. PURPOSES OF COLLECTING PERSONAL DATA

• 3.1. Ensuring adequate protection of information about Users, including their Personal data, from illegal access and disclosure is the main Policy objective of the Operator.

• 3.2. Personal data processing is limited to achieving specific, predetermined and legitimate purposes listed in the Agreement and the Policy. The personal data processing incompatible with the purposes of collecting Personal data is not permitted.

• 3.3. The main objective of collecting Personal data of Users is enabling the User to purchase of goods from the Seller, order Reservation through Service, to accept payments and to be able to communicate with the Seller and Administration in order to perform obligations.

• 3.4. The Operator has the right to use Personal data of Service Users for any marketing, information, organizational etc. mailings connected with the activity of Service and (or) the Seller, its Restaurant. This purpose of processing is to lead to the targeted use of the Service pages needed by the User based on his preferences, thereby increase the consumer value of Service.

4. THE PROCESSED DATA

• 4.1. Subjects of legal relations – the User, the recipient of Goods, the representative of the Seller, the employee of Administration give unconditional consent to the Operator to the processing of the following data:

  • surname, name, middle name;

  • image (photo);

  • gender;

  • geo-location in the background;

  • food preferences of the User;

  • nationality;

  • date and place of birth;

  • data of the identity document (type, the series, number, date of issue and issuing authority);

  • contact phone numbers information;

  • e-mail addresses information, the Internet User name, information about the account created in mobile application (account);

  • information about payment details;

  • metadata, cookies-files data, cookies-identifiers, the IP addresses, information about the operating system, model of the mobile device and also the software version.

• 4.2. According to the interface of Service, data which are processed by the Operator with the User`s consent according to the present Policy look as follows.

  • 4.2.1. The data used for tracking information about the User on Service and on the websites owned by third parties:

    • Purchases;

    • Search history;

    • Geo-location;

    • Usage data;

    • Financial information;

    • Contact details;

    • Identifiers;

    • Other information.

  • 4.2.2. Data, related to the User’s identity:

    • Purchases;

    • Geo-location;

    • User content;

    • Identifiers;

    • Confidential data;

    • Financial information;

    • Contact details;

    • Contacts;

    • Search history;

    • Usage data;

    • Diagnostics;

    • Other information.

  • 4.3. More about the data listed in Paragraph 4.2. of the Policy and also about ways to manage them, read in " Privacy Information in the App Store and Data management", published on the website page HYPERLINK "https://support.apple.com/ru-ru/HT211970" https://support.apple.com.

  • 4.4. Operator processes other data necessary for performance of obligations under the Agreement, reported to the Operator in the course of interaction, if the need arose according to obligations and the Operator reported about it to the Personal data

  • 4.5. The above list of User data may change at the discretion of Administration. The written notice of the User of such changes is not required. If the User enters other necessary data on Service himself – it means that he agrees with changes and with processing of the entered Personal data.

  • 4.6. All User data are used by the Operator only for the purposes, specified in Privacy policy and stored until the consent is revoked by the User or obligations of the parties under the Agreement or the similar contract (depending on what will come earlier) are completed.

5. PROCEDURE AND CONDITIONS FOR PERSONAL DATA PROCESSING

• 5.1. When adding of information by the User on Service in the course of its use, such information does not get into the public access.

• 5.2. Providing the User Personal information at the request of public authorities (local governments) is carried out in accordance with the legislation.

• 5.3. According to the application of the User sent to the Operator by e-mail, User`s Personal information shall be removed as required in the application completely or in part from the Operator`s database within 10 (ten) working days in the event of termination of the Agreement and carrying out all mutual settlements under it.

• 5.4. The operator carries out transmission of the User data to the employees to perform their official duties. In particular, employees of the Operator keep the register of data records and carry out other actions for the purpose of performing the Operator`s obligations under the Agreement.

• 5.5. Mandatory validation of the User data for compliance with the Policy is not provided. The Operator has the right, but is not obliged to delete the data and information of the User that violate the Policy, the Agreement and (or) the current legislation.

• 5.6. Achieving the purposes of personal data processing, expiration of consent for data processing or the revocation of consent of the subject of Personal data to his Personal data processing and also revealing of the illegal personal data processing may be a condition for termination of personal data processing.

6. DATA PROCESSING SECURITY

• 6.1. The Operator takes technical and organizational legal measures to ensure security of personal information of the User from illegal or accidental access to them, destruction, modification, blocking, copying and distribution and from other illegal actions.

• 6.2. The prevention of unauthorized access to information and (or) transfer it to persons that do not have the right for the information access is provided on the Service software.

• 6.3. The Operator also carries out the following activities to ensure security of Personal information:

  • 6.3.1. Threats to the security of Personal information at its processing are defined;

  • 6.3.2. Organizational and technical measures for security of Personal information at its processing are taken;

  • 6.3.3. Persons, responsible for personal data processing of the User, from among employees of the Operator are appointed;

  • 6.3.4. The information security tools which have passed the compliance assessment procedure in the prescribed manner are applied;

  • 6.3.5. The assessment of effectiveness of the taken measures for Personal information security is carried out;

  • 6.3.6. The procedures aimed at figuring out facts of illegal access to Personal information are adopted;

  • 6.3.7. Recovery of the Personal information modified or destroyed due to unauthorized access to it is made;

  • 6.3.8. Rules of access to Personal information are set and also registration and recording of all actions made with Personal information is provided;

  • 6.3.9. Only the licensed software on the workstations of the Operator involved in Users data processing is used;

  • 6.3.10. Access restriction at technical and organizational level to the workstations of the Operator involved in personal data processing is provided;

  • 6.3.11. The measures taken to ensure security of Personal information is constantly monitored.

• 6.4. The Operator is not responsible for actions of the third parties who got access to Personal information of the User as a result of unauthorized access to Service and also due to other illegal actions, made by the third parties when the Operator could not have foreseen them or prevented them.

7. DATA STORAGE POLICY

• 7.1. The Personal data storage is carried out according to the consent of the User during the term set in the Policy.

• 7.2. The Personal data storage is carried out no longer, than the purposes of their processing required. The processed Personal data shall be destroyed or depersonalized upon reaching the purposes of processing or in case of loss of need for reaching these purposes.

• 7.3. The personal data collected for different purposes is stored separately in the data processing system of the Operator or, on condition of storage on tangible media, as part of the official duties of the relevant branch of the Operator.

• 7.4. The employee of the Operator having access to Personal data in relation to the performance of work duties provides the storage of information containing Personal data, excluding access to them for the third parties. In the absence of the employee the documents containing Personal data are not in his workplace. When leaving on holiday, business trip and other cases of the long absence of the employee in the workplace, he transfers the documents and other media containing Personal data to the person to be entrusted with such work duties by the local act of the Operator. If such person is not appointed, the documents and other media containing Personal data of Users are transferred to other employee having access to Personal data according to instructions of the head of the relevant structural branch of the Operator.

• 7.5. At dismissal of the employee having access to Personal data, the documents and other media containing Personal data are transferred to other employee having access to Personal data according to instructions of the head of the structural branch and with the notice of the inspector on data security.

8. BACKUP POLICY

• 8.1. The Operator provides backup of Personal data in the architecture to prevent loss of information in case of failures of hardware; software; equipment failures; failures of the operating system and application software; malware infection; accidental destruction of information, errors of Users; deliberate destruction of information, etc.

• 8.2. Backup makes it possible to move Personal data from one workstation of the Operator to another, as a result, removes dependence of integrity of Personal data on the specific workstation and (or) the specific place.

• 8.3. The following main categories of information is subject to backup:

  • 8.3.1. Personal data of Users;

  • 8.3.2. Information necessary to restore servers and database management systems of Service;

  • 8.3.3. Information of automated Operator architecture systems, including databases.

• 8.4. The "Trade secret" neck is assigned to all media containing a data backup, thus, all backup information is confidential and is protected by the Operator according to the current legislation.

• 8.5. The operator appoints an employee responsible for backup of Personal data.

• 8.6. The main tasks of the person responsible for backup, are:

  • 8.6.1. Planning of backup and restoration;

  • 8.6.2. Setting of the lifecycle and calendar of activities;

  • 8.6.3. Daily overview of the backup process logs;

  • 8.6.4. Protection of the database of backup;

  • 8.6.5. Daily definition of a temporary backup window;

  • 8.6.6. Creation and support of open reports, open problem reports;

  • 8.6.7. Consulting vendors and backup software providers;

  • 8.6.8.Development of the backup system;

  • 8.6.9.Monitoring of tasks in the sphere of backup;

  • 8.6.10.Reporting on failures and successes;

  • 8.6.11. Analysis and solution of problems;

  • 8.6.12. Backup operations and library management;

  • 8.6.13. Architecture performance analysis;

  • 8.6.14. Consideration and analysis of the technique of backup;

  • 8.6.15. Planning of architecture development, definition of daily, weekly and monthly tasks.

  • 8.6.16. The person responsible for the backup having the right to make proposals and to require the terminations of personal data processing in cases of violation of the set backup technology or failure of the backup system.

• 8.7. Backup of Personal data is made with frequency once a month.

• 8.8.All backup procedures are monitored by a person responsible for personal data processing assigned from among employees of the Operator (data protection officer) within 5 (Five) working days since the completion of these procedures.

• 8.9. In case of an error in the backup system, the person responsible for backup reports about it to the head of Administration in the shortest time.

• 8.10. Check of backup copies is carried out selectively at least 1 (Once) a month.

9. INCIDENT RESPONSE POLICY

• 9.1. The incident of information security of Personal data is any unforeseen or undesirable event that can break activity or information security of the Operator architecture and lead to the leak of personal data and (or) violation of the Policy.

• 9.2. The following can serve the source of information on the incident of information security:

  • 9.2.1. The messages of workers, Users, counterparties of the Operator e-mailed to him in the form of memos, letters, statements, etc.

  • 9.2.2. Notifications/messages of supervisory authority concerning personal data processing.

  • 9.2.3. The data obtained by the Operator based on the analysis of information systems logs, Personal data protection system.

• 9.3. The employee of the Operator that obtained information on the incident reports about it to the data protection officer that records the incident in the electronic incident control system, assigning it a serial number, recording the date of the incident and its essence. Database of information security incidents updated as incidents occur.

• 9.4. The user whose rights are affected by the incident is informed about the incident by e-mail, in the shortest time, but no later than 30 (Thirty) working days after the incident occurred. Within the same period all possible measures are taken to reduce or prevent further damage to the rights of the User.

• 9.5. Analysis of incidents is made by the person responsible for data processing from among employees of Operator who on each incident:

  • 9.5.1. Collects and analyzes all data on circumstances of the incident (e-mails, log files of information systems, testimonies of Users and Operator employees, etc.);

  • 9.5.2. Determines how much Personal data was leaked, circumstances accompanying leakage;

  • 9.5.3. Identifies persons responsible for violation of the prescribed measures for protection of Personal data;

  • 9.5.4. Identifies the causes and conditions that contributed to the violation.

  • 9.5.5.At the end of the incident analysis forms a report to the Operator`s guide.

• 9.6. After the incident has been analyzed and the data protection inspector`s report has been received the Operator makes a decision on punishment of those responsible.

10. FINAL PROVISIONS

• 10.1. Privacy policy is the public document; its current version is always located on the corresponding page of Service.

• 10.2. The Operator has the right to change unilaterally the text of the Policy without prior notice to the User. In that case, the appropriate notification of the User will be the publication of new edition of the Policy on Service. Responsibility for timely review of the current version of the Policy is entirely up to the User.

• 10.3. The Policy is made in English. The right of the Azerbaijan Republic is applied to the relations of the parties within the Policy (applicable law). The acceptance of the Policy by a foreign User means that the text of the Agreement is clear to him and he does not need the translation. If required for translation the foreign Users undertake to translate into the language they need on their own and at their own expense.

• 10.4. All disagreements and disputes arising in connection with use of Personal information of the User are settled in accordance with the current legislation in the claim pre-trial procedure. Term of answer to the claim concerning personal data processing is 30 (thirty) working days. If the dispute has not been resolved in the pre-trial procedure – it is subject to consideration in the court where the Operator is located.

• 10.5. An integral part of the Policy – "The Policy of processing of cookies" is enclosed (application No. 1).