This document defines the policy regarding the processing of personal data (hereinafter the "Policy") of Chatika service, operated by Individual Entrepreneur Bazarbaeva Anastasia Stanislavovna, TIN (INN) 784042051798, address: Saint Petersburg, Kolpino, Rubezhnoe shosse, 14 (hereinafter the "Operator").
1. Principles of Personal Data Processing
The Operator is guided by the following principles when processing personal data:
- Legality and fairness — personal data is processed on a lawful and fair basis
- Purpose limitation — processing is limited to achieving specific, predetermined, and legitimate purposes
- Data minimization — the scope and nature of processed data correspond to the stated processing purposes
- Accuracy — personal data is accurate, sufficient, and, where necessary, kept up to date
- Storage limitation — personal data is stored no longer than required by the processing purposes
- Integrity and confidentiality — appropriate security measures are in place to protect personal data
2. Categories and Volumes of Processed Personal Data
The Operator processes the following categories of personal data:
A. Personal data of website visitors (chat widget users)
- Full name — for addressing and lead identification
- Email address — for communication and notifications
- Phone number — for callback and booking confirmation (encrypted AES-256-GCM)
- Chat message text — for providing the AI assistant service
- IP address — for security and analytics
- Cookie identifiers — for session management
B. Personal data of tenant employees (admin panel users)
- Full name — for identification in the system
- Email address — for authorization and notifications
- Hashed password — for authentication
- Role and permissions — for access control
Approximate volume: up to 10,000 data subject records per tenant, up to 1,000 tenants.
3. Processing Purposes by Category
| Data category | Processing purpose | Legal basis |
|---|---|---|
| Visitor name | Lead identification, personalization | Consent (Art. 6(1)(1) of 152-FZ) |
| Email | Notifications, lead capture, account access | Consent, contract execution (Art. 6(1)(5) of 152-FZ) |
| Phone number | Callback, booking confirmation | Consent (Art. 6(1)(1) of 152-FZ) |
| Chat messages | AI processing, response generation | Consent, contract execution |
| IP address, cookies | Security, analytics, fraud prevention | Legitimate interest (Art. 6(1)(7) of 152-FZ) |
| Account credentials | Authentication, authorization | Contract execution (Art. 6(1)(5) of 152-FZ) |
4. Processing Conditions and Procedures
Personal data processing begins upon:
- Obtaining consent of the Data Subject (for website visitors — by submitting data through the chat widget)
- Conclusion of a service agreement (for tenant employees — upon registration in the system)
Chatika acts in a dual role:
- As a DATA PROCESSOR on behalf of tenants (clinics, salons) who are the OPERATORS for their clients' data collected through the chat widget
- As an OPERATOR for tenant account data (business owner emails, passwords, billing information)
The relationship between Chatika and tenants is governed by a data processing agreement (DPA) included in the Terms of Service.
5. Information Security Measures
The Operator implements the following measures to ensure the security of personal data:
Organizational measures:
- Appointment of a person responsible for organizing PD processing
- Development and approval of internal regulatory documents on PD processing
- Familiarization of employees with PD processing requirements
- Establishment of a procedure for access to personal data
- Regular review and update of the security policy
Technical measures:
- Encryption of sensitive data at rest (AES-256-GCM for phone numbers)
- Encryption of data in transit (HTTPS with TLS 1.3)
- Password hashing (bcrypt with unique salt)
- Tenant data isolation at the database level
- Role-based access control (RBAC) with the principle of least privilege
- Audit logging of all operations with personal data
- Automated backup with encryption
- Use of certified cloud infrastructure (Yandex Cloud, Russia)
- Regular vulnerability scanning and software updates
6. Rights and Obligations of the Operator
The Operator has the right to:
- Process personal data in accordance with this Policy and applicable law
- Refuse to process personal data if there are no legal grounds
- Use automated means to process personal data
The Operator is obligated to:
- Process personal data exclusively for the stated purposes
- Ensure the security and confidentiality of personal data
- Respond to Data Subject requests within 10 business days
- Stop processing personal data upon withdrawal of consent
- Delete personal data upon expiration of the retention period
- Notify the authorized body (Roskomnadzor) of PD processing in accordance with the law
7. Exercising Data Subject Rights
The Data Subject has the right to:
- Obtain information about the processing of their personal data
- Require clarification, blocking, or deletion of personal data
- Withdraw consent to the processing of personal data
- Appeal the actions of the Operator to Roskomnadzor or in court
To exercise these rights, the Data Subject should send a request to:
The request must include: full name, contact email, a description of the data concerned, and the substance of the request. Response time: 10 business days.
When a Data Subject withdraws consent, the Operator ceases processing and deletes the data within 30 days, unless there are other legal grounds for processing.