1. General Provisions
This Personal Data Processing Policy (the “Policy”) sets out the procedure for processing personal data and the measures to ensure its security applied by the Operator (Section 2) in connection with the provision of the OfferHack service (the “Service”) at offerhack.tech.
The Policy has been developed in accordance with Federal Law No. 152-FZ of July 27, 2006 “On Personal Data,” the Constitution of the Russian Federation, the Civil Code of the Russian Federation, and other regulatory acts of the Russian Federation.
The Policy applies to all personal data processed by the Operator using automated means, as well as without such means.
By using the Service, the User confirms that they have reviewed this Policy. Consent to the processing of personal data is formalized in a separate document — the Consent to the Processing of Personal Data.
2. Operator Information
The operator of personal data is:
Individual Entrepreneur Maslov Pavel Viktorovich
INN: 233711456369
OGRNIP: 326237500225791
Email: admin@offerhack.tech
Website: offerhack.tech
The Operator is registered as an operator processing personal data in the Register of Operators of the Federal Service for Supervision of Communications, Information Technology, and Mass Media (Roskomnadzor).
3. Categories of Data Subjects
The Operator processes the personal data of the following categories of subjects:
- Users of the Service — individuals who have registered with the Service and/or performed other actions to accept the Public Offer Agreement;
- Website Visitors — individuals who visit the Website without registering (with respect to technical data and cookies);
- Persons contacting support — individuals who send inquiries by email or through other available channels;
- Third parties whose data may be contained in user materials, audio, screen images, screenshots, documents, requests or other user content submitted by the User to the Service. The User is obliged not to transfer the data of third parties without lawful grounds.
4. Purposes of Processing Personal Data
The Operator processes personal data for the purposes of:
- concluding and performing the Public Offer Agreement for the provision of access to the Service;
- identifying the User when logging into the Account and providing access to the Service;
- generating AI responses to the User’s requests;
- processing subscription payments and issuing payment receipts in the manner established by the Operator’s applicable tax regime;
- sending the User service notifications (registration confirmation, password recovery, information about upcoming subscription charges and changes to the terms of service);
- handling the User’s support inquiries;
- analyzing use of the Service in statistical, aggregated and/or pseudonymized form to improve service quality;
- ensuring the security of the Service and preventing fraudulent and other improper actions;
- accounting for the use of credits, limits, pricing plans and features of the Service;
- detection and prevention of payment fraud, abuse, multi-accounting, automated use, circumvention of limits, unauthorized access and other violations of the Agreement and the Rules of Use;
- handling of payment disputes, refunds and chargeback procedures;
- diagnostics of errors, crash reports, monitoring of stability of the Website and the client application;
- recording the fact of acceptance, consents, versions of legal documents, notifications about subscription, price and automatic charges;
- sending advertising and informational messages — where the User has given separately expressed consent;
- fulfilling the obligations imposed on the Operator by applicable law.
5. Categories of Personal Data Processed
5.1. Data provided by the User
- Upon registration: email address, password (stored solely as a cryptographic hash), display name or nickname (at the User’s discretion).
- When contacting support: the content of messages and attached files.
- When using the Service: the content of the User’s requests to the AI, selected settings, and information about preferences.
5.2. Data collected automatically
- Technical device data: the type and version of the operating system, the type and version of the browser, screen resolution, interface language, time zone, and device identifiers.
- Network activity data: IP address, visit times, the path by which the Website was reached, and the URLs of pages viewed.
- Cookie and similar technology data:see Section 13.
- Usage data: the history of access to Service features, session duration, actions in the interface, and error logs.
- Web analytics data (Yandex.Metrica, Webvisor): statistical and analytical information about behavior on the Website — pages viewed, traffic sources, cursor movements, scrolling and clicks; may include pseudonymized identifiers. Basic statistics are collected from the moment of the visit; action recording (Webvisor) only after the User’s consent. For details, see clause 13.2.
5.3. Payment data
When paying for a subscription, the Operator receives from the payment provider OOO NKO “YooMoney” (the “YooKassa” service) a limited set of data: the transaction identifier, amount, date, the last four digits of the payment card, the card type, and the country of issuance. Full payment card data is not processed or stored by the Operator — it is processed directly by the payment provider in accordance with the PCI DSS security standard.
5.4. Recording of voice and screen images
Within certain features of the Service (voice input of questions, analysis of task screenshots, etc.), the Operator may process recordings of the User’s voice and images of their screen. Such data is processed solely for the purposes of speech recognition, analysis of visual content and generation of AI responses.
The Operator does not use voice, screen images, face, image of a person or other data for identification or authentication and does not create voice prints, biometric templates or identification profiles. For this reason, the processing of voice as part of user requests does not constitute the processing of biometric personal data within the meaning of Article 11 of Federal Law No. 152-FZ.
Retention periods: raw audio fragments — until transcription is completed, but not more than 24 hours; raw screen images and screenshots — until processing is completed and an AI response is generated, but not more than 30 days; resulting transcripts and AI responses — for the dialog history retention period or until deletion by the User.
5.5. AI responses and user materials
The Operator also processes:
- the content of AI responses, dialog history, transcripts, results of processing of audio, images and screenshots;
- user materials: files, documents, notes, resumes, legends, system prompts, user context, images, screenshots, audio files, text materials and other data uploaded or transmitted by the User to the Service;
- subscription data: pricing plan, subscription status, dates of charges and automatic renewal, fact of cancellation of automatic renewal and removal of payment method, notifications sent about price and charges;
- client application data: application version, operating system and its version, crash logs, diagnostic events, state of granted application permissions (microphone, screen, etc.), overlay/hotkeys/audio and screenshot processing errors;
- consents and document versions: versions of the Public Offer Agreement, Policy, Consent and other legal documents, date and time of the consent/acceptance, IP address and user-agent at the moment of acceptance, notification events about material changes.
The said materials may contain personal data of the User themselves or of third parties if the User independently included them in the request or material. The User is obliged not to transfer the data of third parties to the Service in the absence of lawful grounds and not to transfer information protected by law.
5.6. Anti-fraud data and payment information
To prevent fraud, payment fraud, circumvention of limits, multi-accounting, automated use and other violations of the Agreement, the Operator processes technical indicators and signals, including:
- risk-score, anti-abuse signals, signs of suspicious activity, signs of multi-accounting and automation;
- request frequency, credit consumption, login and logout events, security events;
- device identifiers, session parameters, suspicious IPs, geo-signals;
- payment events, information about payment disputes and chargebacks, history of blocks and sanction lists.
5.7. Categories of data the Operator does not request
The Operator does not knowingly request and does not require the provision of special categories of personal data (racial or ethnic origin, political opinions, religious beliefs, state of health, intimate life), biometric personal data, or personal data of persons under 18 years of age.
The User is prohibited from transmitting such data through the Service in the absence of lawful grounds. If such data is transmitted by the User on their own initiative as part of a request or user material, it is processed exclusively as part of executing the relevant request and is subject to deletion in the ordinary course.
6. Legal Grounds for Processing
The Operator processes personal data on the following legal grounds provided for by Part 1 of Article 6 of Federal Law No. 152-FZ:
- Consent of the subject (clause 1) — expressed in the form of the Consent to the Processing of Personal Data;
- Performance of a contract (clause 5) — the Public Offer Agreement to which the User is a party;
- Fulfillment of operator obligations imposed by law (clause 2) — tax legislation and accounting legislation;
- Exercise of the operator’s rights and legitimate interests (clause 7) — ensuring the security of the Service, preventing fraudulent actions, and improving service quality — provided that these interests do not violate the rights and freedoms of the data subject.
7. Methods and Retention Periods
Personal data is processed using a mixed method — both with the use of automated means (software and hardware) and without such means.
The Operator performs the following actions with personal data: collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (provision, access), blocking, deletion, and destruction.
Data retention periods:
- Raw audio fragments — until transcription is completed, but not more than 24 hours.
- Raw screen images and screenshots — until processing is completed and an AI response is generated, but not more than 30 days.
- AI responses, transcripts and dialog history — for the period of existence of the account or until deletion by the User of the relevant dialogs.
- User materials — for the period of existence of the account or until deletion by the User.
- Account data — for the entire period the account exists. After the account is deleted — destruction within 30 (thirty) calendar days.
- Payment data — 5 (five) years from the date of the transaction.
- Anti-fraud and chargeback data — up to 3 (three) years.
- Consents, versions of legal documents and information about acceptance — for the term of the Agreement and 3 (three) years after its termination.
- Support inquiry data — 3 (three) years from the date the inquiry is closed.
- Access logs and security logs — 1 (one) year.
- Pseudonymized analytical data linked to a user or device identifier — for the period of existence of the account and 12 months after its deletion.
- Genuinely anonymized analytical data that does not allow identification of the subject — may be stored indefinitely.
8. Transfer of Personal Data to Third Parties
The Operator does not sell personal data.The transfer of personal data to third parties is carried out solely in the cases provided for in this Section.
8.1. Service providers
- Cloud infrastructure: Yandex Cloud / VK Cloud / Selectel / another Russian provider — hosting of servers and databases within the territory of the Russian Federation.
- Payment provider: OOO NKO “YooMoney” (the “YooKassa” service) — processing of subscription payments.
- Federal Tax Service of Russia — issuance of payment receipts in the manner established by the Operator’s applicable tax regime.
- Email delivery services: for sending service and other notifications to the User.
- AI providers and data processing providers: providers of large language models, multimodal models, speech recognition (transcription) models, image and screenshot processing models and other AI tools — for the generation of AI responses and the operation of the Service. The specific composition of providers within this category may change.
- Monitoring, logging and product analytics services — for ensuring stability, security and quality of the Service (error tracking, logging, metrics, product analytics).
- CDN, WAF, hosting and network providers — for the operation of the Website and the Service, protection against attacks, content delivery.
- Web analytics service: OOO “YANDEX” (the “Yandex.Metrica” service, including the “Webvisor” feature) — analysis of Website traffic and User behavior in statistical, aggregated and/or pseudonymized form. The data is processed on servers within the territory of the Russian Federation; for details, see clause 13.2.
The transfer of data to such providers is carried out on the basis of agreements that oblige them to maintain confidentiality and to process data solely for the purposes agreed with the Operator.
8.2. Transfer to government authorities
The Operator discloses personal data to authorized government authorities of the Russian Federation in the cases and in the manner provided for by applicable law, including in response to justified requests from law enforcement, tax, judicial, and other authorized authorities.
8.3. Transfer upon reorganization
In the event of the Operator’s reorganization or the sale of its business or assets, personal data may be transferred to a legal successor with prior notice to the User by email at least 30 (thirty) calendar days before the date of transfer.
9. Cross-Border Transfer of Personal Data
The Operator may carry out cross-border transfer of personal data to foreign states in which AI providers, providers of data processing, monitoring, logging, product analytics, CDN/WAF, hosting and other contractors engaged by the Operator are located.
Before commencing a cross-border transfer, the Operator submits to Roskomnadzor a notification of its intent to carry out the cross-border transfer of personal data in the manner provided for by Article 12 of Federal Law No. 152-FZ. If the composition of foreign recipients is expanded, the Operator updates the notification before the start of such transfer.
AI providers are not transferred the User’s account identifiers (e.g., account email) unless required for the operation of the Service. However, the content of requests, files, audio, images or user context may contain personal data if the User independently includes them in the request. The terms of data processing by AI providers depend on the specific provider and tariff.
10. Database Localization within the Russian Federation
In accordance with Part 5 of Article 18 of Federal Law No. 152-FZ and Federal Law No. 242-FZ of July 21, 2014, the Operator ensures the recording, systematization, accumulation, storage, clarification (updating, modification), and extraction of the personal data of citizens of the Russian Federation using databases located within the territory of the Russian Federation.
The physical hosting of servers and databases containing the personal data of citizens of the Russian Federation is carried out in the data centers of Russian cloud providers within the territory of the Russian Federation.
11. Personal Data Protection Measures
The Operator applies the necessary legal, organizational, and technical measures to protect personal data against unlawful or accidental access, destruction, modification, blocking, copying, provision, and dissemination, as well as against other unlawful actions, including:
- appointment of a person responsible for organizing the processing of personal data;
- use of encryption for data in transit (HTTPS/TLS) and storage of passwords as cryptographic hashes;
- differentiation of access rights to the information systems for processing personal data; granting access on the principle of minimum necessary privileges;
- journaling of operations on personal data and protected actions in administrative interfaces;
- mandatory two-factor authentication for accounts with administrative privileges;
- encryption of user materials at rest in object storage;
- control over the storage of secrets and credentials, regular rotation of keys and access tokens;
- regular data backup and testing of recovery procedures;
- monitoring of information security, response to incidents and internal procedure for handling incidents.
In the event that a fact of unlawful or accidental transfer (provision, dissemination, access) of personal data is established, resulting in a violation of the rights of data subjects, the Operator notifies Roskomnadzor within 24 hours of discovering such a fact in accordance with Part 3.1 of Article 21 of Federal Law No. 152-FZ.
Despite the measures taken by the Operator, the transmission of data over the Internet cannot be guaranteed to be secure; the User assumes the risk of using the Internet to transmit data to the Operator.
12. Rights of the Data Subject
As a data subject, the User has the right to:
- Obtain information about the fact that their personal data is being processed by the Operator, the purposes and methods of its processing, the retention periods, the list of data processed, and the sources from which the data was obtained (Articles 14, 18 of Federal Law No. 152-FZ);
- Demand the clarification of their personal data, its blocking or destruction, if the data is incomplete, outdated, inaccurate, unlawfully obtained, or is not necessary for the stated purpose of processing;
- Withdraw consent to the processing of personal data by sending the corresponding notice to the Operator;
- Object to the processing of personal data for the purpose of promoting goods, works, and services on the market (direct marketing);
- Object to decisions that produce legal consequences being made solely on the basis of automated processing of personal data;
- Appeal the actions or inaction of the Operator to Roskomnadzor (federal.rkn.gov.ru) and/or to a court.
To exercise the rights specified, the User sends a written request to the Operator’s email address: admin@offerhack.tech.
The Operator’s response time is no later than 10 (ten) business days from receipt of the request (with the possibility of an extension of up to 5 business days on the grounds provided for by Part 8 of Article 14 of Federal Law No. 152-FZ). Destruction of data at the subject’s request is carried out within 30 (thirty) calendar days.
13. Cookies and Similar Technologies
The Website uses cookies and similar technologies (collectively, “cookies”) to ensure the operation of the Website and to improve the user experience.
13.1. Categories of cookies used
- Strictly necessary cookies — ensure the basic operation of the Website (authentication, session preservation, settings storage). They cannot be disabled — without them the Website does not function.
- Functional cookies — remember the User’s preferences (selected language, theme, interface settings). They improve the convenience of using the Website.
- Analytical cookies — allow the Operator to analyze use of the Website in statistical, aggregated and/or pseudonymized form in order to improve service quality. They may include Yandex.Metrica services.
The Operator does not use cookies for targeted advertising purposes and does not transfer cookie data to advertising networks.
13.2. Yandex.Metrica and Webvisor
To analyze Website traffic and User behavior, the Operator uses the web analytics service Yandex.Metrica, provided by OOO “YANDEX” (OGRN 1027700229193, 16 Lva Tolstogo St., Moscow, 119021). OOO “YANDEX” acts as a party processing personal data on behalf of the Operator.
Yandex.Metrica collects, in statistical and/or pseudonymized form:
- visit data — pages viewed, traffic sources, and session duration;
- technical device and browser data, IP address, and approximate location (by IP);
- User actions on the page — cursor movements, scrolling, and clicks (the “Webvisor” feature).
Webvisor is a Yandex.Metrica feature that records User actions on the page so the Operator can subsequently replay them in pseudonymized form in order to improve the usability of the Website. The content of form fields containing personal and confidential data (email addresses, phone numbers, payment data) is not recorded and is automatically replaced with “asterisk” characters. Password input fields are not recorded under any circumstances.
The data is processed by Yandex.Metrica on servers located within the territory of the Russian Federation, in accordance with the Yandex Privacy Policy and the Terms of Use of the Yandex.Metrica service.
Yandex.Metrica collects data at two levels:
- Basic statistics (pages viewed, traffic sources, technical device and browser data, IP address, click map) are collected in statistical, aggregated and/or pseudonymized form from the moment the Website begins to be used — on the basis of informing the User by means of a notice (cookie banner) displayed on the first visit.
- Recording of User actions by the “Webvisor” feature (cursor movements, scrolling, clicks, behavior in the interface) is performed only after obtaining the User’s explicit consent — by clicking the “Accept” button in the cookie banner. Until such consent is given, the “Webvisor” feature is not activated and no action recording is carried out.
The User has the right to refuse the use of analytical cookies and to withdraw previously given consent by disabling cookies in the browser settings or by clearing cookies and local storage (localStorage).
13.3. Managing cookies
By clicking the “Accept” button in the cookie banner, the User expresses consent to extended data collection, including the recording of actions by the “Webvisor” feature. Basic analytics and strictly necessary cookies are used on the basis of the Operator’s legitimate interest and of informing the User. The User may at any time:
- configure or disable cookies in their browser settings (the “Privacy” section or similar);
- delete previously set cookies through the browser settings;
- enable private browsing mode, in which cookies are deleted at the end of the session.
Disabling strictly necessary cookies may make it impossible to log into the Account and use the Service.
14. Minor Users
The Service is not intended for use by persons under 18 (eighteen) years of age. The Operator does not knowingly request or process the personal data of such persons.
If the Operator becomes aware that it has collected the personal data of a person under 18 years of age, such data is subject to immediate destruction.
Legal representatives of minors who discover that their child has provided the Operator with personal data without their consent may contact the Operator at admin@offerhack.tech to have such data deleted.
15. Changes to the Policy
The Operator has the right to amend this Policy unilaterally in connection with changes in legislation, the development of the Service, or for other reasons. The new version of the Policy is published on the Website at a permanent link.
The Operator notifies Users of material changes to the Policy by email or by posting a notice in the Service interface at least 14 (fourteen) calendar days before the changes take effect.
16. Contact Information
All inquiries related to the processing of personal data (requests, demands, withdrawal of consent, complaints) should be sent to the Operator at the following email address: admin@offerhack.tech.
The User also has the right to contact the authorized authority for the protection of the rights of data subjects — Roskomnadzor:
Federal Service for Supervision of Communications, Information Technology, and Mass Media (Roskomnadzor)
Address: 7 Kitaygorodsky Proezd, Bldg. 2, Moscow, 109074
Website: rkn.gov.ru
