Privacy Policy

Last updated: March 25, 2026

1. General Provisions

This Privacy Policy (hereinafter the "Policy") defines the procedure for processing and protecting personal data of individuals (hereinafter "Data Subjects") who use the Chatika service (hereinafter the "Service").

Operator of personal data: Individual Entrepreneur Bazarbaeva Anastasia Stanislavovna, TIN (INN) 784042051798, address: Saint Petersburg, Kolpino, Rubezhnoe shosse, 14.

The Policy has been developed in accordance with Federal Law No. 152-FZ "On Personal Data" dated July 27, 2006, and other regulatory acts of the Russian Federation governing the processing and protection of personal data.

By using the Service, the Data Subject consents to the processing of their personal data in accordance with this Policy.

2. Legal Basis for Processing Personal Data

Personal data is processed on the following legal grounds:

  • Consent of the Data Subject (Article 6, Part 1, Paragraph 1 of 152-FZ)
  • Execution of a contract to which the Data Subject is a party (Article 6, Part 1, Paragraph 5 of 152-FZ)
  • Compliance with a legal obligation of the Operator (Article 6, Part 1, Paragraph 2 of 152-FZ)
  • Legitimate interests of the Operator, provided that the rights and freedoms of the Data Subject are not violated (Article 6, Part 1, Paragraph 7 of 152-FZ)

3. Purposes of Processing Personal Data

The Operator processes personal data for the following purposes:

  • Providing access to the Service and its functionality
  • Identifying the Data Subject during registration and authorization
  • Processing visitor inquiries received via the chat widget
  • Collecting and processing leads (contact data of website visitors) on behalf of tenants
  • Sending service notifications (transactional emails)
  • Improving the quality and functionality of the Service
  • Fulfilling legal obligations of the Operator
  • Ensuring the security of the Service and preventing fraud

4. Categories of Processed Personal Data

The Operator processes the following categories of personal data:

Category | Data | Purpose
Identification data | Full name | Account registration, lead identification
Contact data | Email address, phone number | Communication, notifications, lead capture
Chat messages | Text of conversations in the widget | Providing the Service, AI processing, analytics
Technical data | IP address, browser type, cookies | Service operation, security, analytics
Account data | Login, hashed password, tariff plan | Authorization, billing

Phone numbers are encrypted using AES-256-GCM before storage in the database.

5. Categories of Data Subjects

The Operator processes personal data of the following categories of Data Subjects:

  • Website visitors who interact with the chat widget (name, phone, email, messages)
  • Employees and representatives of tenant organizations (business owners, managers) who use the admin panel (email, password, name)

6. Procedure and Conditions for Processing Personal Data

Processing of personal data is carried out using the following methods:

  • Collection — receiving data from the Data Subject through web forms and the chat widget
  • Recording — entering data into the database
  • Systematization — organizing data for operational use
  • Accumulation — storing data in the database
  • Storage — maintaining data in a form that enables identification of the Data Subject
  • Clarification (update, modification) — making changes at the request of the Data Subject
  • Extraction — accessing data from the database for processing
  • Use — applying data for the stated purposes
  • Blocking — temporary cessation of data processing
  • Deletion — irreversible destruction of data

Automated data processing is performed using computing equipment. Decisions based solely on automated processing that have legal consequences for the Data Subject are not made.

7. Personal Data Retention Periods

Personal data is stored for the following periods:

Data type | Retention period | Basis
Lead data (name, phone, email) | 365 days from the date of collection | Legitimate interest in conversion
Chat messages | 90 days from the date of creation | Service provision
Account data | Until account deletion by the user | Contract execution
Technical logs | 90 days | Security and debugging

Upon expiration of the retention period, personal data is irreversibly deleted from the database.

8. Transfer of Personal Data to Third Parties

The Operator may transfer personal data to the following third parties (sub-processors):

Sub-processor | Purpose | Data transferred | Location
Polza.ai | AI processing of chat messages | Chat message text (anonymized) | Russia
Unisender | Sending email notifications | Email address | Russia
YClients | Online booking integration | Name, phone, booking details | Russia
Yandex Cloud | Infrastructure and data storage | All data (encrypted) | Russia (ru-central1-b)

Personal data is transferred to third parties exclusively for the purposes stated in this Policy and on the basis of data processing agreements (DPA).

9. Cross-Border Transfer of Personal Data

The Operator does not perform cross-border transfer of personal data. All data is processed and stored on servers located in the Russian Federation (Yandex Cloud, ru-central1-b region).

All sub-processors specified in Section 8 are organizations registered and operating in the Russian Federation.

10. Rights of Data Subjects

The Data Subject has the right to:

  • Obtain information about the processing of their personal data (Article 14 of 152-FZ)
  • Require clarification of their personal data, blocking or deletion thereof if the data is incomplete, outdated, inaccurate, or illegally obtained (Article 14 of 152-FZ)
  • Withdraw consent to the processing of personal data by sending a request to the email address specified in Section 12
  • Appeal the actions or inaction of the Operator to the authorized body for the protection of the rights of personal data subjects (Roskomnadzor) or in court
  • Protect their rights and legitimate interests, including compensation for damages and/or moral harm, through the courts

11. Personal Data Protection Measures

The Operator takes the following organizational and technical measures to protect personal data:

  • Encryption of sensitive data (phone numbers) using AES-256-GCM
  • Encryption of all data in transit using HTTPS/TLS 1.3
  • Password hashing using bcrypt with salt
  • Tenant data isolation at the database level (multi-tenancy)
  • Role-based access control (RBAC)
  • Audit logging of all actions with personal data
  • Regular software updates and security patching
  • Backup of data with encryption

12. Procedure for Data Subject Requests

The Data Subject may submit a request regarding the processing of their personal data to the following address:

The request must contain:

  • Last name, first name, patronymic (if any) of the Data Subject
  • Contact email address
  • Description of the personal data to which the request relates
  • The essence of the request (access, clarification, deletion, blocking)

The request is processed within 10 (ten) business days from the date of receipt. If the request cannot be fulfilled, the Data Subject will be notified with an explanation of the reasons.

13. Person Responsible for Personal Data Processing

The person responsible for organizing the processing of personal data is:

Individual Entrepreneur Bazarbaeva Anastasia Stanislavovna, TIN (INN) 784042051798

Contact email: privacy@chatika.help

14. Final Provisions

This Policy is effective from the date of publication on the Service website.

The Operator reserves the right to amend this Policy. In case of changes, the new version of the Policy is published on the Service website with the updated date.

The current version of the Policy is permanently available at: https://chatika.help/privacy

In case of conflict between this Policy and applicable law, the provisions of the legislation of the Russian Federation shall prevail.