1. WHAT THIS PRIVACY POLICY GOVERNS 
1.1. This Privacy Policy (hereinafter referred to as the Policy) describes how Ivan Gorbachev, Y-tunnus 3580975-8, acting as a personal data operator under the EU General Data Protection Regulation (GDPR) and the Finnish Data Protection Act (Tietosuojalaki) (hereinafter referred to as the Controller), collects, uses, transfers, stores, and otherwise processes the personal information of individuals. 
1.2. This Policy applies to all information, including personal data as defined by applicable laws of the European Union and Finland, that the Controller receives about you in connection with your use of the website https://docgorbachev.com, including all its pages and subdomains, as well as bots and related services at https://t.me/Ivangorbachev_bot?start=6917079f13c32e8b7b0a1a7d, https://t.me/Ivangorbachev_bot?start=6911b8082dbb085c1200c38c, 
https://ivangorbachev-bot.tg.pulse.is (hereinafter collectively referred to as the Site and Services), as well as in the course of concluding and fulfilling any agreements and contracts with you related to your use of the Services. 
1.3. The policy applies to the processing of personal data of all users and clients, regardless of the country you access the Website and Services from or the device you use, and irrespective of whether the interaction is conducted entirely electronically or through other means of communication. 
1.4. Ivan Gorbachev may receive your personal information both directly from you and from his partners whose websites, applications, products, or services you use, as well as from other sources containing publicly available personal data, to the extent permitted by applicable law. In cases where partners transfer personal data to Ivan Gorbachev, such transfer is carried out solely on legal grounds provided for by the GDPR and the Data Protection Act (Tietosuojalaki), and in accordance with the agreements and contracts concluded between Ivan Gorbachev and each partner. 
1.5. The use of the Site and Services may be governed by additional terms, including user agreements, offers, or special conditions applicable to specific programs, products, or services. These documents may supplement this Policy with respect to the processing of personal data or establish special rules for certain types of processing. In the event of any discrepancy between this Policy and such special terms, the information expressly stated in the special terms for the relevant Site or Services shall take precedence, provided this does not conflict with applicable data protection laws. 
2. WHO PROCESSES THE INFORMATION (Controller) 
To ensure your use of the Site/Service, your personal information is collected and used by Ivan Gorbachev, 3580975-8, email: vangorfin@gmail.com. 
3. PURPOSES OF PERSONAL DATA PROCESSING 
3.1. Protecting your personal information and privacy is extremely important to Ivan Gorbachev. Therefore, when you use the Website and Services, Ivan Gorbachev safeguards and processes your personal information in strict compliance with applicable laws. 
3.2. Personal data is processed by the Controller solely for the purposes necessary to provide consulting services, maintain the operation of the Website and Services, and comply with the requirements of European Union and Finnish law. Processing is carried out only to the extent necessary to achieve the purposes listed below.
3.3. Conclusion and execution of contracts Personal data is used for reviewing applications, preparing, concluding, and fulfilling contracts for the provision of consulting services, providing consultations, supporting clients, maintaining a record of interactions, and ensuring the proper fulfillment of obligations. 
3.4. Communication with Clients Personal data is processed in order to respond to your inquiries, provide the necessary materials, offer clarifications, notify you of changes to services, and to arrange consultations, meetings, and other interactions related to the services provided. 
3.5. Organization of settlements and financial accounting Personal data is used for invoicing, payment processing, accounting and tax reporting, generating primary documents, storing information related to service payments, as well as fulfilling obligations established by financial legislation. 
3.6. Fulfillment of the Controller's Legal ObligationsPersonal data is processed to comply with the requirements of Finnish and European Union law, including accounting and tax regulations, anti-financial crime measures, consumer protection rules, and to fulfill requests from government authorities as required by law. 
3.7. Ensuring the operation, monitoring, and security of the Website and Services Personal data may be processed to support the technical functioning of the Website and Services, prevent unauthorized access and misuse, detect and resolve technical issues, and ensure the protection of data and the stability of the underlying infrastructure. 
3.8. Improving the quality of consulting services and developing the Controller's activities Personal data is used to analyze clients' needs, study interest in various consulting products, improve the content and structure of the Website and Services, develop new forms of participation and interaction, as well as for internal analytics and professional planning. 
3.9. Marketing Communication and Service InformationWith your consent or within the limits of legitimate interest, the Controller may use your contact details to send you information about new consulting services, updates, events, educational materials, and other related communications. You have the right to opt out of these messages at any time. 
3.10. In all of the cases listed, data processing is carried out only to the extent necessary to achieve the specific purpose, and the legal grounds for processing are determined in accordance with the requirements of the GDPR and the Tietosuojalaki, and are disclosed in the relevant section of this Policy. 
4. WHAT PERSONAL INFORMATION ABOUT YOU IS COLLECTED BY THE CONTROLLER 
4.1. The Controller collects and processes only the personal data necessary to provide consulting services, ensure the operation of the Website and Services, and comply with the requirements of the European Union and Finnish legislation. The amount of information collected depends on whether you use specific features of the Website and Services, create an account, or interact with the Controller through feedback forms, bots, or other communication channels. 
4.2. If you use the Site or Services without registering, the Controller receives a limited set of technical data. If you create an account or provide information during a consultation, this data may be linked and used as part of your client profile in accordance with this Policy. 
4.3. The Controller assumes that the information you provide is accurate, up-to-date, and sufficient for processing purposes, and that you will promptly update your data if any changes occur. 
4.4. When collecting Personal Information, the Controller will inform you which data is required to enter into and fulfill an agreement, provide consulting services, or use specific features of the Website or Services, and which data you may provide at your own discretion. 
4.5. In cases where the provision of Personal Information is a prerequisite for entering into an agreement or receiving a service, failure to provide such information will make it impossible to conclude the relevant agreement or for the Controller to fulfill its obligations. In such instances, the Controller will explicitly indicate which information is required.
4.6. All other Personal Data that is not classified as mandatory is provided by you voluntarily. Failure to provide such data may result in limited functionality of certain Services or a reduced level of personalization, but it does not prevent access to the Website and basic consulting services, unless otherwise expressly stated in the terms of the relevant service. 
4.7. The Controller may collect the following categories of your personal information. 
a) Personal information you provide voluntarily: your first and last name, country of residence, contact details including phone number and email address, information provided when completing forms, sending messages or requests, booking a consultation, or entering into an agreement, data you submit during a consultation if required for the purpose of the consulting service. 
b) Technical information automatically collected when using the Site and Services: IP address, date and time of access, technical data about the browser and device, data on cookies and similar technologies, information about interactions with elements of the Site and Services. 
c) Information about your actions on the Website and in the Services, including data on which pages, sections, or features you used, records of your navigation, activity, and history of your requests, as well as data on the use of bots and services related to the operation of consulting products. 
d) Payment information: data on the fact of payment and the payment method, partial payment identifiers to the extent necessary for accounting and transaction confirmation (The Controller does not receive complete payment card details if the payment is processed by a third-party payment provider.) 
4.8. Information received from Partners The Controller may receive data from partners or services through which you interact with our consulting services, such as booking systems, payment platforms, or communication tools. Such data may only be transferred if there are legal grounds for doing so in accordance with GDPR and Tietosuojalaki. 
4.9. The Controller does not intentionally request or collect special categories of personal data, including information about racial or ethnic origin, political opinions, health status, biometric data, or other sensitive information. If you voluntarily provide such data during a consultation or communication, the Controller processes it only to the extent necessary to provide the service and in accordance with the legal bases established by the GDPR. 
4.10. At the same time, the Controller notes that in some cases, you may, on your own initiative, disclose such information during a consultation. If you voluntarily provide special categories of Personal Information, the Controller will process such data only to the extent necessary to provide the requested consulting services, and only to the extent permitted by Article 9 of the GDPR, in particular on the basis that the relevant information has been explicitly made public by you, or is necessary for the establishment, exercise, or defense of legal claims. 
4.11. The Controller takes additional measures to protect any special categories of Personal Information, including restricting access to such data, minimizing the amount and retention period, and implementing enhanced technical and organizational security measures. 
4.12. The Controller does not engage in automated decision-making that could significantly affect your rights and freedoms, nor does it use personal data to create profiles that could have legal consequences for you. 
4.13. The Controller does not verify the personal information you provide, except in cases specified by the user agreement or the terms of use for particular Services/the Site, and cannot assess its accuracy or determine whether you have the legal capacity to provide your personal information. Nevertheless, the Controller assumes that you are providing accurate and sufficient personal information and that you will update it in a timely manner. 
4.14. The Controller does not intentionally collect personal information such as racial origin, political views, or biometric data. However, you should be aware that the Controller cannot obtain your consent for such processing, as they are not aware in advance of the potentially sensitive nature of any personal information you may provide to the Controller.
4.15. The controller does not collect data for the purpose of profiling you in a way that could significantly affect your rights and freedoms under applicable law. 
5. LEGAL BASIS AND PURPOSES FOR PROCESSING YOUR PERSONAL INFORMATION 
5.1. The controller is not entitled to process your personal data without sufficient legal grounds. The controller processes your personal data only if such grounds are expressly provided for by applicable legislation of the European Union and Finland, including the General Data Protection Regulation (GDPR) and the Finnish Data Protection Act (Tietosuojalaki), and if the processing is necessary for clearly defined and lawful purposes. 
5.2. The Controller processes your personal information only in the following cases: a) Processing is necessary for the conclusion and performance of agreements between you and the Controller, including consulting service agreements, terms of use for the Website and Services, as well as any other agreements related to the provision of consulting services and associated digital services. This includes ensuring the operation of the Website and Services, providing you with access to materials, organizing communications regarding consultations, handling your inquiries, and preparing and delivering documents required for the conclusion and performance of agreements. 
b) Processing is necessary to comply with the legal obligations of the Controller. In particular, this includes fulfilling requirements related to accounting and taxation, complying with consumer protection laws and other mandatory regulations, as well as providing information to government authorities and supervisory bodies in cases and to the extent expressly required by the legislation of the European Union and Finland. 
c) Processing is necessary to safeguard the legitimate interests of the Controller in cases where such processing does not unduly affect your interests, fundamental rights, and freedoms. When your personal data is processed on this basis, the Controller conducts a balancing assessment and takes measures to ensure that its legitimate interests do not override your legal protections and privacy. 
5.3. The Controller processes your personal information to protect its legitimate interests, including but not limited to the following cases: 
a) For a deeper understanding of how you interact with the Website and Services, which sections and materials attract the most interest, which consultation formats and services are in highest demand, as well as any technical or content-related difficulties you may encounter while using the Website and Services. 
b) To improve, modify, adapt, personalize, and otherwise enhance the Website and Services, as well as consulting products and programs, so that they best meet the expectations and needs of users and clients. This includes analyzing feedback, studying usage statistics, and testing new features and interfaces. 
c) To offer you consulting services, materials, products, and services of the Controller that may be of interest to you, and, where there is a legal basis, to send you information about new services, special offers, and events. To the extent permitted by law and in line with your expectations, this may include the use of your personal information to provide relevant recommendations and limited marketing communications. 
d) For specific purposes, as well as in cases where required by applicable law, the Controller may request your separate consent for the processing of personal information. In such situations, processing will be carried out exclusively within the scope outlined in the consent, and only until you withdraw your consent. 
5.4. When requesting your consent, the Controller ensures that it is given freely, specifically, informedly, and unambiguously by you, through explicit expression of will, such as by ticking the relevant box, choosing settings, confirming an action on the Website, or by other similar means. You have the right to withdraw your consent at any time by sending an appropriate notice to the Controller in the manner provided by this Policy. Withdrawal of consent does not affect the legality of processing carried out prior to such withdrawal, but it may result in the inability to provide certain services or functionality if they directly depend on processing based on your consent.
5.5. The Controller informs you that you are not under any legal obligation to provide any personal information when simply visiting the Website. However, in situations where personal information is required for entering into and fulfilling a contract, providing consulting services, discharging the Controller’s legal obligations, or pursuing its legitimate interests, failure to provide such information may make it impossible to conclude a contract, provide advice, fulfill obligations, or access certain features of the Website and Services. 
5.6. The Controller always processes your personal information for predetermined purposes and only to the extent necessary and relevant to achieve those purposes. In particular, the Controller processes your personal information for the following purposes: 
a) Providing you with access to the Website and Services, ensuring the proper functioning of all their sections and features, including feedback forms, appointment booking services, personal accounts, and other tools used as part of consultation activities. 
b) Granting you access to your account if you are registered with the relevant Services, as well as maintaining and administering that account, including storing your preferences, interaction history, and other information necessary to ensure stable and convenient access to the services. 
c) Contacting you to send notifications, requests, and information related to the operation of the Website and Services, to existing contracts, to the provision of consulting services, as well as to process your inquiries, applications, questions, and claims. This includes organizational messages, consultation reminders, information about changes in the time or format of consultations, and responses to your requests. 
d) Personalizing the materials, services, and informational messages offered to you within reasonable limits, taking into account your preferences, interaction history, the subject of previous consultations, and other information about you available to the Controller on legitimate processing grounds. Where there is a relevant legal basis, this may include tailoring the content of informational and marketing messages to better match your interests. 
e) Enhancing the usability of the Website and Services, including analyzing user behavior on the Website, optimizing page structure, improving navigation, customizing the display of information, generating more relevant recommendations and offers, as well as refining the logic of forms and services. 
f) Development and enhancement of new consulting products, programs, interaction formats, and related services, including testing new ideas, analyzing the relevance of topics, creating and updating methodological materials, and improving the quality of consulting support. In this context, personal information is used in an aggregated or anonymized form whenever possible, or to the minimal extent necessary. 
g) Protection of your rights and legitimate interests, as well as the rights and legitimate interests of the Controller and other parties, including the prevention and resolution of disputes, handling of claims, documentation of services rendered, ensuring an evidentiary basis in case of potential disagreements, and fulfilling obligations to respond to lawful requests from competent authorities. 
h) Collection, processing, and presentation of statistical data and other analytical materials based on information about the use of the Website and Services. Whenever possible, anonymized or aggregated data is used. These actions are aimed at understanding general trends, improving the quality of consulting services, increasing the efficiency of the Website and Services, and planning the development of the Controller’s activities. 
i) Identifying security threats to the Site and Services and to users, preventing unauthorized access, fraudulent activities, and other forms of misuse, as well as conducting necessary checks when required to assess the integrity of counterparties when entering into contracts using the Site and Services. 
j) Organizing the receipt of your payments, processing payment for consulting and other services related to the Controller’s activities, as well as managing settlements, generating payment confirmation documents, and fulfilling related legal requirements in the areas of accounting and taxation.
5.7. All specified purposes and legal bases for processing your personal information apply collectively, in accordance with the principles of data minimization, storage limitation, accuracy, confidentiality, and security as established by the GDPR and Tietosuojalaki. 
5.8. The processing of Personal Data is carried out by the Controller in strict compliance with Article 6 of the EU General Data Protection Regulation (GDPR). Depending on the specific circumstances, the following legal bases may apply. 
5.9. Personal data is processed when such processing is necessary for the conclusion and performance of a contract to which you are a party, including agreements for the provision of consulting services, terms of use of the Website and Services, and other agreements entered into between you and the Controller, in accordance with Article 6(1)(b) of the GDPR. 
5.10. Personal data is processed for the purpose of fulfilling the Controller’s legal obligations within the limits established by the laws of Finland and the European Union, including but not limited to accounting, taxation, consumer rights protection, and other mandatory requirements, in accordance with Article 6(1)(c) of the GDPR. 
5.11. Personal data is processed for the purpose of pursuing the Controller’s legitimate interests, in cases where such processing is necessary to ensure the stable and secure operation of the Website and Services, to protect the rights and legitimate interests of the Controller, to improve the quality of consulting services, and to develop its professional activities, provided that the interests, rights, and freedoms of data subjects do not override the Controller’s legitimate interests. This basis for processing is in accordance with Article 6(1)(f) of the GDPR. 
5.12. In situations where the processing of Personal Information cannot be based on a contract, legal obligation, or the Controller’s legitimate interests, processing is carried out on the basis of your separate, freely given, informed, and unambiguous consent, in accordance with Article 6(1)(a) of the GDPR. 
6. HOW YOUR PERSONAL INFORMATION IS PROTECTED 
6.1. The Controller takes all necessary legal, organizational, and technical measures to protect your personal information from unauthorized access, accidental loss, alteration, destruction, disclosure, misuse, as well as from any other forms of processing that do not comply with the requirements of the General Data Protection Regulation (GDPR) and the Finnish Data Protection Act (Tietosuojalaki). 
6.2. In most cases, your personal information is processed automatically, using information systems and technical solutions that do not require access to data by the Controller's employees. In cases where access to personal information is necessary, it is granted only to those individuals who need it to carry out specific tasks as part of their professional duties, and only to the extent required to achieve the relevant processing purpose. 
6.3. All individuals who may be granted access to your personal information are required to adhere to the Controller’s internal policies and procedures designed to ensure the confidentiality, integrity, and security of personal data. These individuals must follow the principles of data minimization, limit the use of personal information to the scope of their responsibilities, protect information from unauthorized access, and comply with the security measures established by the Controller. The obligation to maintain confidentiality continues even after the termination of employment or any other relationship with the Controller. 
6.4. The Controller has implemented a range of technical and organizational measures aimed at protecting personal information. These measures include, without limitation: 
a) the use of secure data transmission channels and encryption technologies 
b) Storing information on secure servers in compliance with European legislation requirements c) regular software updates 
d) access control, including user rights management 
e) Monitoring activity to detect attempts at unauthorized access and other security threats f) Data backup and recovery to prevent information loss 
g) technical mechanisms that prevent the modification and destruction of data without proper authorization
h) assessment of the risks associated with the nature of the personal data being processed and the scope of the processing 
6.5. All security measures are implemented taking into account the current state of technological development, the cost-effectiveness of their deployment, the nature and volume of personal data being processed, potential risks to your rights and freedoms, as well as the GDPR requirements for ensuring an adequate level of data protection. The Controller regularly evaluates the effectiveness of these measures and updates them as necessary to maintain a high level of security and compliance with applicable laws. 
6.6. The Controller also takes measures to prevent unauthorized access to the Website and Services, including the use of authentication tools and monitoring activities that may indicate a security risk. In the event of a security threat or breach of confidentiality, the Controller takes all possible steps to mitigate the consequences and prevent similar incidents in the future, and, where necessary, fulfills its obligations to notify supervisory authorities and data subjects in accordance with GDPR requirements. 
7. WHO ELSE HAS ACCESS TO YOUR PERSONAL INFORMATION AND TO WHOM IT MAY BE DISCLOSED 
7.1. The Controller may transfer your personal information only when such transfer is necessary to achieve the processing purposes specified in this Policy and when such transfer complies with the requirements of the General Data Protection Regulation (GDPR) and the Finnish Data Protection Act (Tietosuojalaki). Data transfers are carried out strictly within the legal grounds applicable to the specific situation and under security measures that ensure the protection of your personal information. 
7.2. Transfer within the Controller's operations: 
a) In cases where the processing of personal information requires the involvement of employees or other individuals acting on behalf of the Controller, access to your personal information may be granted only to those persons for whom such access is necessary to fulfill their professional duties. These individuals are required to maintain confidentiality, ensure the protection of personal information, use it solely for the purposes specified in this Policy, and act in accordance with the Controller’s internal procedures and security requirements. 
b) The Controller may also share your personal information with its affiliates if they are involved in providing services, ensuring the operation of the Website and Services, or fulfilling the Controller’s obligations in the provision of consulting services. If any affiliates are located outside the European Economic Area and the level of data protection in the relevant jurisdiction is lower than that required by the GDPR, the Controller will ensure that appropriate safeguards are in place, such as the European Commission’s standard contractual clauses or other measures as provided by the GDPR. 
c) Personal information transferred within the activities of the Controller or its affiliates is processed solely for the purposes explicitly stated in this Policy and to the extent necessary to accomplish specific tasks. 
7.3. Transfer of personal information to third parties 
The Controller may disclose your personal information to third parties if such disclosure is necessary to achieve the processing purposes specified in this Policy, to fulfill a contract with you, or to comply with the Controller's legal obligations. Such third parties may process personal information either as independent controllers or as data processors acting on documented instructions from the Controller. 
Among the third parties to whom your personal information may be disclosed are:
a) Partners providing the Controller with services, technical solutions, digital tools, and platforms necessary for organizing consulting activities, operating the Website and Services, exchanging materials, storing information, conducting online interactions, scheduling meetings, or delivering other related services. 
b) Providers of information and technical services, consultants, as well as individuals involved in ensuring the security of the Site and Services, including threat detection, fraud prevention, analysis of abnormal activity, and carrying out other activities aimed at protecting the data, interests, and rights of all users. 
c) Payment organizations, such as banks, payment instrument providers, international payment systems, and other financial institutions involved in processing your payments, confirming payment transactions, or fulfilling obligations related to financial operations carried out when using the Website and Services. 
d) Persons providing the Controller with information or services necessary to verify your reliability or to comply with legal requirements during the conclusion and execution of contracts, if such verifications are necessary to prevent breaches of contract or to ensure the legal protection of the Controller and other parties. 
7.4. The Controller may also disclose your personal information to the following categories of third parties. 
a) To persons to whom the rights and obligations under agreements related to the provision of consulting services or the functionality of the Website and Services have been assigned, as well as to persons who have acquired control over the activities of the Controller or any part thereof, including in cases of reorganization, transfer of assets, or other forms of succession. 
b) To national and international regulatory authorities, law enforcement agencies, courts, and state or municipal bodies, if the Controller is required to provide such information in accordance with applicable law or upon an official request within the scope of their authority. 
c) To any third parties, if you have given separate consent for such a transfer, and only to the extent specified in the consent you have provided. 
d) To third parties in cases where the transfer of personal information is necessary to ensure the legal protection of the Controller or third parties, including situations where you violate the terms of use of the Website and Services, the terms of agreements entered into with the Controller, the provisions of this Policy, or applicable law, or when there is a risk of such a violation. 
7.5. All disclosures of personal information to third parties are made only to the extent necessary to achieve the relevant purpose of processing, with protective measures in place as required by the GDPR and the Tietosuojalaki. The controller requires third parties to maintain confidentiality, ensure the security of personal information, and prohibit the use of such data for any purposes other than those for which it was provided. 
8. WITHDRAWAL OF CONSENT FOR THE PROCESSING OF PERSONAL DATA 
8.1. If the processing of your Personal Information is based on consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the legality of processing carried out on the basis of consent before its withdrawal. 
8.2. Withdrawal of consent may result in the termination of services or features that cannot be provided without processing your Personal Information based on your consent. The Controller will inform you of such consequences before obtaining your consent and at the time of its withdrawal. 
8.3. To withdraw your consent, you may use the appropriate settings within the Services, if available, or send a notification to the Controller using the contact information provided in this Policy. The Controller will review your request and cease processing of your Personal Information based on consent, except where further processing is required to comply with legal obligations or to protect legal claims.
9. RETENTION PERIODS FOR YOUR PERSONAL INFORMATION 
9.1. The Controller retains your personal information only for as long as necessary to fulfill the purposes outlined in this Policy and to comply with the requirements of European Union and Finnish law. The retention period is determined by the nature of the services provided, applicable contractual obligations, accounting, tax, and other legal requirements, as well as the principles of data minimization and storage limitation established by the GDPR. 
9.2. Personal information is stored for the entire duration of the contractual relationship between you and the Controller, including the period of consultation preparation, provision of consulting services, exchange of materials, project support, as well as the time necessary to fulfill mutual obligations after the completion of services. After the contractual relationship ends, personal information is retained only to the extent required to fulfill the Controller’s legal obligations or to protect its rights in the event of potential disputes or claims. 
9.3. Personal data required for fulfilling accounting and tax obligations is retained for the periods expressly stipulated by Finnish accounting and tax legislation. These periods may extend for several years following a financial transaction and the close of the reporting period, and the Controller is obligated to comply with them regardless of the termination of contractual relations. 
9.4. Personal information required to ensure the security of the Website and Services, to prevent violations, to record incidents of unlawful actions, or to analyze technical malfunctions, is retained for the period necessary to achieve these purposes, after which it is deleted, anonymized, or archived in accordance with established procedures. 
9.5. Personal information processed on the basis of your consent is retained for as long as your consent remains valid. You have the right to withdraw your consent at any time, after which your personal information will be deleted or anonymized, unless its further retention is required by other legal grounds. 
9.6. Personal information provided or collected in connection with your inquiries, correspondence, support requests, or participation in consultation programs is retained until your request has been processed and for a period necessary to enable subsequent verification of the proper fulfillment of obligations, as well as to safeguard the Controller's legitimate interests in case of any claims. 
9.7. In cases where personal information is no longer required for the purposes for which it was collected, and there is no legal basis for its further retention, the Controller ensures its deletion, destruction, or irreversible anonymization. Deletion is carried out in compliance with technical and organizational security measures to prevent unauthorized access and eliminate the possibility of information recovery. 
9.8. The Controller regularly reviews the stored data to ensure its relevance, eliminate redundancy, and verify compliance with established retention periods. If it is determined during a review that certain information is no longer needed, the Controller takes steps to delete or anonymize the data, in accordance with the principles set out in the GDPR and the Tietosuojalaki. 
10. HOW YOUR PERSONAL INFORMATION IS PROCESSED 
10.1. The Controller processes your personal data in strict compliance with the requirements of the General Data Protection Regulation (GDPR), the Finnish Data Protection Act (Tietosuojalaki), and other applicable European Union regulations. All data processing activities are carried out transparently, lawfully, and solely for the purposes that have been predetermined by the Controller and are explicitly stated in this Policy. 
10.2. The processing of your personal information may include collection, recording, organization, structuring, storage, modification, retrieval, transmission, restriction, deletion, or any other action provided for under the GDPR. All such actions are carried out exclusively within the legal grounds described in this Policy and in compliance with the principles of lawfulness, data minimization, accuracy, storage limitation, confidentiality, and data security.
10.3. When transferring your personal information to countries outside the European Economic Area, the Controller ensures that appropriate data protection safeguards, as required by the GDPR, are in place. In particular, transfers of your personal information to Russia are carried out using the European Commission’s Standard Contractual Clauses, which provide a level of data protection comparable to that required under EU law. The use of these clauses is intended to ensure the integrity, confidentiality, and security of your personal information, regardless of the jurisdiction in which it is processed. 
10.4. If you are located in a jurisdiction where the law requires your explicit consent for the cross-border transfer of personal information, your use of the Site or Services will be regarded as your clear and unambiguous consent to such transfer. This consent includes permission for the transfer, storage, and processing of your personal information in jurisdictions outside the European Economic Area, including Russia, to the extent necessary for providing you with consulting services, operating the Site and Services, fulfilling contractual obligations, or achieving other legitimate purposes outlined in this Policy. 
10.5. The Controller takes all reasonable measures to ensure that your personal information, when transferred outside the European Economic Area, is processed under conditions that provide a level of protection comparable to the requirements of the GDPR. This includes selecting service providers and partners who implement up-to-date technical and organizational security measures, such as encryption, secure data transmission channels, access control systems, and other safeguards designed to prevent unauthorized access, loss, destruction, alteration, or unlawful processing of information. 
10.6. In cases where your personal information is processed in other jurisdictions, the Controller ensures that such processing remains necessary, justified, and limited to the purposes set forth in this Policy. The Controller also regularly assesses the applicability and effectiveness of the security measures in place, and updates or enhances them as necessary to maintain a high level of personal information security. 
11. YOUR RIGHTS 
11.1. You are entitled to all the rights granted to data subjects under the EU General Data Protection Regulation (GDPR) and the Finnish Data Protection Act (Tietosuojalaki). The controller ensures that your rights are exercised in good faith, in a timely manner, and in full compliance with the requirements of applicable law. All of the rights listed below may be exercised by you within the conditions established by law and to the extent that these rights apply to the specific circumstances of the processing of your personal information. 
11.2. The rights you are entitled to under applicable law: 
a) You have the right to access your personal information processed by the Controller. This means you can request confirmation as to whether your personal information is being processed, obtain a copy of the data the Controller holds about you, and receive information about the purposes of processing, the categories of data involved, the recipients, and the retention periods. 
b) If you believe that any personal information held by the Controller is inaccurate, incomplete, or outdated, you have the right to request its correction or update. If you have an account, you can update the relevant information yourself through your account interface. 
c) If applicable law provides for it, you have the right to request the deletion of your personal information, either in whole or in part. This right may be exercised, for example, if the information is no longer necessary for the purposes for which it was collected, or if the processing was based on your consent, which you have chosen to withdraw. 
d) You have the right to withdraw your consent to the processing of personal information at any time if the processing is based on consent. The withdrawal of consent does not affect the legality of processing carried out prior to such withdrawal, but it may result in the inability to provide certain services or features that directly depend on your consent. 
e) In certain cases, you have the right to request that the processing of your personal information be restricted. This may include temporarily suspending data processing, retaining your information without performing any processing operations, or other measures provided by law, if there are grounds to believe that the data is being processed improperly or beyond what is necessary.
f) If applicable law provides such an option, you have the right to object to the processing of your personal information. This may include processing based on the Controller’s legitimate interests, including certain types of analytics or marketing communications. The Controller will cease processing your data unless they can demonstrate compelling legitimate grounds that override your rights and interests, or if the processing is necessary for the establishment, exercise, or defense of legal claims. 
g) You may also have other data subject rights provided under the GDPR, including the right to data portability, the right to obtain information about the logic involved in any automated processing (if applicable), and the right not to be subject to a decision based solely on automated processing when such a decision produces legal effects or otherwise significantly affects your rights and freedoms. 
h) In cases where providing your personal information is required for entering into an agreement or receiving a service, you will be informed of this in advance. The submission of personal information to the Controller when using the Website or Services is voluntary, reflects your intention and interest in using the Controller’s services, and is not a legal obligation. However, the absence of certain data may render the use of the Website or Services impossible or restricted. 
11.3. How you can exercise your rights 
a) To exercise these rights, you may use the available features in your account, provided that such an account exists and contains the necessary tools to modify, delete, or request your personal information. 
b) If the interface of the Website or Services does not provide specific tools to exercise a particular right, you may submit a corresponding request to the Controller. The contact details required to reach the Controller are provided in Section 2 of this Policy. 
c) The controller reviews requests related to the exercise of data subjects' rights within the timeframes established by the GDPR and provides a response within a reasonably prompt period, taking into account the nature of the request and the volume of data involved. 
d) If you are dissatisfied with the way the Controller processes your personal information, or believe that the processing is in violation of applicable law, you have the right to submit a complaint or request clarification from the Controller. The Controller will review your inquiry and take appropriate measures to resolve the situation in accordance with the law. 
e) If you are not satisfied with the Controller’s response, you have the right to file a complaint with the competent data protection authority. In Finland, this authority is the Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto). 
12. CROSS-BORDER TRANSFER OF PERSONAL DATA 
12.1. Personal information may be transferred to and processed outside the European Union and the European Economic Area, including in countries for which the European Commission has not issued an adequacy decision. In such cases, the Controller ensures that appropriate safeguards for the protection of personal information are implemented in accordance with Articles 44–49 of the GDPR. 
12.2. In particular, when transferring Personal Information to such countries, the Controller uses the Standard Contractual Clauses approved by the European Commission, and, where necessary, implements additional technical and organizational measures—including encryption, pseudonymization, and access restrictions—to ensure a level of protection comparable to that required under EU data protection law. 
12.3. You are hereby additionally informed about the fact and legal grounds of the cross-border transfer of Personal Data, as well as about the potential risks that may persist despite the measures implemented by the Controller, to the extent specified in the current guidance and recommendations of the European data protection authorities. 
13. HOW WE USE COOKIES AND OTHER SIMILAR TECHNOLOGIES ON OUR WEBSITES OR WHEN YOU USE OUR SERVICES 
13.1. What cookies does the Controller use and for what purposes?
Cookies are small pieces of data that are received and processed by the device you use to access the Sites. Cookies store certain information on your device and send it back to the Sites during subsequent visits, which helps facilitate your experience and allows the system to remember your settings and preferences over time, such as browser settings, interface language, selected display options, and to recognize your account if you log in. 
13.2. The following types of cookies are used on the Websites: 
a) Strictly necessary cookies (technical cookies). These cookies are essential for the operation of the Sites and the provision of Services to you. They ensure basic functions such as proper page display, the functioning of forms and interfaces, and maintaining connection security. In addition, they allow the Controller to identify your hardware and software, including the type of browser used, in order to ensure the required level of compatibility and performance. 
b) Statistical and analytical cookies. These cookies allow us to identify users, count their number, and collect information about their activities on the Sites and within the Services, including data on pages visited, content viewed, transactions made, and links clicked. This information is used to analyze how the Sites and Services are used and to improve them. 
c) Technical cookies aimed at improving performance. These cookies collect information about how users interact with the Sites and Services, what errors occur, and when failures or delays happen. This information helps to identify errors, test new features, and enhance the performance and stability of the Sites and Services. 
d) Functional cookies. These cookies enable additional features that make it easier for you to use the Sites, such as saving your preferences (like interface language, location, and selected display settings) and remembering choices you have made, so you don't have to re-enter the same information every time you visit. 
e) Tracking and advertising cookies (including third-party cookies). These cookies collect information about users, traffic sources, pages visited, ads shown to you, and the advertisements you clicked that led you to an advertised page. This information may be used to display advertising that may be of interest to you, based on an analysis of the personal information collected about you, as well as for statistical and research purposes. Such cookies may be set by the Controller or by third parties (such as advertising networks or analytics platforms), depending on the Services used. 
13.3. The Controller uses cookies and other similar technologies only to the extent necessary to achieve the specified purposes, and in compliance with the requirements of the GDPR and applicable electronic communications privacy laws. 
13.4. How long cookies are stored on your device: 
a) The Controller uses the information contained in cookies solely for the purposes specified in this Policy. Once these purposes have been fulfilled, the collected data remains stored on your device only for a period determined by the relevant type of cookies, but not exceeding the time required to achieve their purpose, after which they are automatically deleted from your system. 
b) Some cookies are session-based, meaning they exist only during your active session on the Website and are deleted once you close your browser. Other cookies may be persistent and stored on your device for a specified period determined by each individual cookie. These are used to save your settings and preferences or for analytical and advertising purposes. Once the specified period expires, persistent cookies are automatically deleted, and may be reinstalled during subsequent visits to the Website with your consent, if required. 
13.5. Who else has access to the information contained in cookies: 
a) Personal information collected through cookies placed on your device may be transferred to and accessed by the Controller and the third parties specified in Section 7 of this Policy, to the extent necessary to achieve the processing purposes described above. In particular, when using third-party cookies, the relevant information may be processed by these third parties in accordance with their own terms and privacy policies.
b) The use of personal information outside of the Sites for advertising purposes, if such use occurs, may be governed by separate user agreements and policies posted on third-party websites that set such cookies or otherwise access them. The Controller and/or such third parties may also provide you with the option to opt out of ad personalization, if such option is provided for under applicable laws and regulations governing the use of the relevant products and services. 
13.6. When you first visit the Sites, you may be asked to consent to the use of cookies, except for those strictly necessary cookies that may be used without separate consent due to their functional purpose. If, after having agreed to the use of cookies, you decide to change your mind, you can do so by deleting the cookies stored in your browser. This option is generally available in your browser settings; for more detailed information, please refer to your browser’s user guide or the developer’s website. After deleting cookies, a pop-up window requesting your consent may appear again the next time you visit the Sites, allowing you to make a different choice. 
13.7. If you choose to refuse the use of cookies, some features of the Sites may become unavailable to you, and the overall quality and functionality of the Sites and Services may be limited. You can also adjust your browser settings to accept or reject all cookies by default, or only cookies from specific websites, including the Controller's Sites. 
13.8. If you have consented to the use of cookies on one of the Controller’s Websites, and have not made a separate, different choice, we may assume that you have approved the use of cookies on all of the Controller’s Websites, unless otherwise specified in the Websites’ interface or in the individual cookie management settings. 
13.9. The controller may also use web beacons (pixel tags) and other similar technologies to access cookies previously placed on your device, including for the following purposes: 
a) Identifying your actions on the Websites and during the use of the Services by accessing and using cookies stored on your device, for the purpose of analyzing user behavior and improving the functionality of the Websites and Services. 
b) The collection of statistical information related to the operation of the Websites, Services, consulting products, utilities, and Controller’s offerings, including for the purposes of analyzing traffic, the demand for specific sections, evaluating the effectiveness of informational and marketing materials, and improving the quality of services provided. 
14. EFFECTIVE DATE AND AMENDMENT HISTORY 
14.1. This Policy takes effect on the date indicated at the beginning as the date of last update and applies to the processing of Personal Information from that date onward. 
14.2. The Controller may periodically review and update this Policy to reflect changes in applicable law, personal information processing practices, or the operation of the Website and Services. If any material changes are made, the Controller will notify you in accordance with the procedure described in the Policy update section. 
14.3. The current version of the Policy is always available on the Website. Upon request, you may obtain information about previous versions of the Policy and their effective dates, provided that such record-keeping is maintained according to the Controller’s internal procedures. 
15. UPDATE OF THIS POLICY 
15.1. This Policy may be subject to change and amendment. The Controller reserves the right to modify the text of the Policy at their discretion when necessary to align its content with changes in applicable legislation of the European Union and Finland, including but not limited to, changes in the field of personal data protection, regulation of electronic communications, and related requirements, as well as in cases where there are changes to the structure, content, functionality, or operating methods of the Website and Services used to provide consulting services. 
15.2. The Controller undertakes not to make substantial changes to this Policy that would unreasonably restrict your rights, impose additional obligations, or alter the legal grounds for processing your personal information without providing you with proper notice. In the event of significant changes affecting the procedures for processing personal information, the list of processing purposes, data categories, recipient groups, the procedure for exercising your rights, or other important provisions, the Controller will inform you of such changes either in advance or at the time the changes take effect.
15.3. Notification of changes may be posted on the Website or within the Services, including by means of an informational message, pop-up window, or banner, stating the nature of the changes and the date they take effect. If we have your contact information and this method of communication is possible and appropriate, the notification may also be sent to you via other channels, such as email. The controller may ask you to review the updated version of the Policy and confirm your acceptance of its terms where required by applicable law. 
15.4. The current version of the Policy is always available on the Website. The date of the last update may be indicated at the top of the document, allowing you to determine whether the Policy has changed compared to a previous version. It is recommended that you review the Policy periodically for any updates, so you are informed about how your personal information is processed. In cases where applicable law requires your separate consent for changes related to specific types of processing, such changes will only take effect after the appropriate consent has been obtained. 
16. Questions and Suggestions 
The Controller welcomes your questions and suggestions regarding the implementation or modification of this Policy. You may use the email address vangorfin@gmail.com to submit requests concerning the exercise of your rights or to file complaints about the inaccuracy of your Personal Information or the unlawful processing of such data. 
By Ivan Gorbachev 3580975-8 
Email: vangorfin@gmail.com