Approved by order of GETJET LLC
No. 1 dated January 11, 2025
Privacy Policy regarding the processing of personal data in GetJet Limited Liability Company
1. General Provisions
1.1. This Policy regarding the processing of personal data in GetJet Limited Liability Company (hereinafter referred to as the "Policy") has been developed by GETJET LLC (hereinafter referred to as the "Operator" or the "Company") in order to comply with the requirements of Federal Law No. 152-FZ dated June 27, 2006 "On Personal Data". The Policy defines the general procedure, principles, purposes, conditions and methods of processing personal data, the lists of subjects and personal data processed in the Company, and also ensures the protection of the rights of personal data subjects during the processing of their personal data.
1.2. Basic concepts used in the Policy:
- Personal data – any information relating directly or indirectly to a specific or identifiable individual (personal data subject);
- Personal data operator (operator) – a legal entity that, independently or jointly with other persons, organizes and/or carries out the processing of personal data, as well as determines the purposes of processing, the composition of personal data to be processed, and the actions (operations) performed with personal data;
- Processing of personal data – any action (operation) or set of actions (operations) performed with personal data using automation means or without using such means. Processing of personal data includes collection, recording, systematization, accumulation, storage, updating (refreshing, changing), retrieval, use, transfer (dissemination, provision, access), anonymization, blocking, deletion, destruction;
- Automated processing of personal data – processing of personal data using computer technology;
- Dissemination of personal data – actions aimed at disclosing personal data to an indefinite circle of persons;
- Provision of personal data – actions aimed at disclosing personal data to a specific person or a specific circle of persons;
- Blocking of personal data – temporary cessation of processing of personal data (except where processing is necessary to update personal data);
- Destruction of personal data – actions as a result of which it becomes impossible to restore the content of personal data in the personal data information system and/or as a result of which the physical media of personal data are destroyed;
- Anonymization of personal data – actions as a result of which it becomes impossible, without using additional information, to attribute personal data to a specific personal data subject;
- Personal data information system – a set of personal data contained in databases, together with the information technologies and technical means that ensure their processing;
- Cross-border transfer of personal data – transfer of personal data to the territory of a foreign state to a foreign government authority, a foreign individual or a foreign legal entity;
- Personal data subject – an individual whose data is being processed;
- Confidentiality of personal data – a requirement for the Operator and other persons who have gained access to personal data not to disclose to third parties or disseminate personal data without the consent of the personal data subject, unless otherwise provided by federal law.
2. Basic Rights and Obligations of the Personal Data Operator
2.1. When collecting personal data, the Operator must provide the personal data subject, upon their request, with information regarding the processing of their personal data.
2.2. If the provision of personal data is mandatory in accordance with federal law, the Operator must explain to the personal data subject the legal consequences of refusing to provide their personal data.
2.3. When collecting personal data, including via the information and telecommunications network Internet, the Operator must ensure the recording, systematization, accumulation, storage, updating (refreshing, changing), and retrieval of personal data of citizens of the Russian Federation using databases located on the territory of the Russian Federation, except for cases specified in the Federal Law "On Personal Data".
2.4. The Operator must take measures that are necessary and sufficient to ensure the fulfillment of duties provided for by the Federal Law "On Personal Data" and regulatory legal acts adopted in accordance therewith.
2.5. The Operator must publish or otherwise provide unrestricted access to this Policy and to information on the implemented requirements for the protection of personal data. If the Operator collects personal data using information and telecommunications networks, the Operator must publish the Policy and information on the implemented requirements for the protection of personal data in the relevant information and telecommunications network, and also ensure the possibility of accessing this document using the relevant information and telecommunications network.
2.6. When processing personal data, the Operator must take necessary legal, organizational and technical measures or ensure their adoption to protect personal data from unlawful or accidental access, destruction, alteration, blocking, copying, provision, dissemination of personal data, as well as from other unlawful actions with respect to personal data.
2.7. The Operator has the right to entrust the processing of personal data to another person with the consent of the personal data subject, unless otherwise provided by federal law, on the basis of an agreement concluded with that person. The person processing personal data on behalf of the Operator must comply with the principles and rules for processing personal data provided for by the Federal Law "On Personal Data". The Operator's instruction must specify the list of actions (operations) with personal data to be performed by the person processing personal data and the purposes of processing, must establish the obligation of such person to maintain confidentiality and ensure the security of personal data during their processing, and must also indicate the requirements for the protection of processed personal data in accordance with Article 19 of the Federal Law "On Personal Data".
3. Basic Rights and Obligations of the Personal Data Subject
3.1. The personal data subject has the right to demand that the Operator update their personal data, block or destroy them if the personal data is incomplete, outdated, inaccurate, unlawfully obtained, or is not necessary for the stated purpose of processing, as well as to take measures provided by law to protect their rights.
3.2. Processing of personal data for the purpose of promoting goods, works, services on the market by making direct contacts with a potential consumer using means of communication, as well as for the purpose of political campaigning, is permitted only with the prior consent of the personal data subject.
3.3. Making decisions based solely on automated processing of personal data that produce legal consequences with respect to the personal data subject or otherwise affect their rights and legitimate interests is permitted only with the written consent of the personal data subject or in cases provided for by federal laws, which also establish measures to ensure compliance with the rights and legitimate interests of the personal data subject.
3.4. If the personal data subject believes that the Operator is processing their personal data in violation of the requirements of the Federal Law "On Personal Data" or otherwise violates their rights and freedoms, the personal data subject has the right to appeal the Operator's actions or inaction to the authorized body for the protection of the rights of personal data subjects or in court.
3.5. The personal data subject has the right to protection of their rights and legitimate interests, including compensation for losses and/or compensation for moral damage in court.
4. Principles of Personal Data Processing
4.1. The Company, as a personal data operator, processes the personal data of the Operator's employees, individuals who have resigned from the Company, individuals who are job applicants, and other personal data subjects.
4.2. The processing of personal data in the Company is carried out taking into account the need to ensure the protection of the rights and freedoms of the Operator's employees and other personal data subjects, including the protection of the right to privacy, personal and family secrets, based on the following principles:
- processing of personal data is carried out in the Company on a legal and fair basis;
- processing of personal data is limited to achieving specific, predetermined and lawful purposes;
- processing of personal data incompatible with the purposes of collecting personal data is not allowed;
- only personal data that meets the purposes of their processing is subject to processing;
- the content and scope of the processed personal data correspond to the stated purposes of processing. Redundancy of the processed personal data in relation to the stated purposes of their processing is not allowed;
- when processing personal data, accuracy of personal data, their sufficiency, and where necessary, relevance in relation to the purposes of processing personal data are ensured. The Operator takes necessary measures or ensures their adoption to remove or update incomplete or inaccurate personal data;
- storage of personal data is carried out in a form that makes it possible to identify the personal data subject, no longer than required by the purposes of processing personal data, unless the storage period for personal data is established by federal law or a contract to which the personal data subject is a party, beneficiary, or guarantor;
- processed personal data is destroyed or anonymized upon achievement of the processing purposes or in case of loss of the need to achieve these purposes, unless otherwise provided by the legislation of the Russian Federation.
4.3. The Operator processes personal data for the following purposes:
- ensuring compliance with the Constitution of the Russian Federation, legislative and other regulatory legal acts of the Russian Federation, and local regulatory acts of the Operator;
- exercising the functions, powers and duties imposed by the legislation of the Russian Federation on the Company, including providing personal data to state authorities, the Pension Fund of the Russian Federation, the Social Insurance Fund of the Russian Federation, the Federal Compulsory Medical Insurance Fund, as well as to other state bodies;
- regulating labor relations with the Operator's employees (assistance in employment, training and career advancement, ensuring personal safety, monitoring the quantity and quality of work performed, ensuring the safety of property);
- providing the Operator's employees and their family members with additional guarantees and compensation, including medical care and other types of social security;
- protecting the life, health or other vital interests of personal data subjects;
- preparation, conclusion, execution and termination of contracts with the Company's counterparties and clients;
- preparation of reference materials for internal information support of the Company's activities;
- execution of judicial acts, acts of other bodies or officials subject to execution in accordance with the legislation of the Russian Federation on enforcement proceedings;
- exercising the rights and legitimate interests of the Operator within the framework of the activities provided for by the Charter and other local regulatory acts of the Operator, or third parties, or achieving socially significant goals;
- for other lawful purposes.
5. Purposes of Processing, Categories of Personal Data Subjects, Categories and List of Processed Personal Data, Methods, Terms of Their Processing and Storage, Procedure for Destroying Personal Data upon Achieving Purposes or upon Occurrence of Other Legal Grounds
5.1. Categories of personal data subjects include:
5.1.1. Individuals in an employment relationship with the Operator, including individuals who have resigned from the Company.
- Purpose of processing: maintaining personnel records and organizing employee records of the Company, regulating labor and other directly related relations, as well as fulfilling the requirements of labor, tax legislation, military registration, state statistical records and other requirements provided for by applicable law.
- List of processed personal data: last name, first name, patronymic, phone number, email address, passport data (series, number, issued by and when), date of birth, place of birth, citizenship, gender, taxpayer identification number (TIN), individual insurance account number (SNILS), information on education and qualifications, information on awards, incentives, honorary titles, information contained in educational documents, information on work history and length of service, information on marital status, series and number of document confirming name change, information contained in military registration documents, information necessary for calculating employee wages and other payments, health information (paper-based only), residential address and/or registration address, academic titles and distinctions, driver's license information.
- Method of processing: mixed (automated and non-automated).
- Processing and storage terms: in accordance with the requirements of labor and tax legislation.
- Destruction procedure: the Operator's responsible person destroys the personal data of the personal data subject with the execution of a corresponding act.
5.1.2. Individuals who are job applicants.
- Purpose of processing: attracting and selecting candidates for employment with the Company.
- List of processed personal data: last name, first name, patronymic, phone number, email address, information on education, information on work experience, other information that the applicant may provide in their resume or application form.
- Method of processing: mixed (automated and non-automated).
- Processing and storage terms: until a decision is made to hire the candidate or reject them for the vacancy.
- Destruction procedure: the Operator's responsible person destroys the personal data of the personal data subject with the execution of a corresponding act.
5.1.3. Clients and counterparties of the Operator (individuals)
- Purpose of processing: conclusion and execution of a contract to which the personal data subject is a party.
- List of processed personal data: last name, first name, patronymic, date of birth, place of birth, gender, citizenship, phone number, email address, passport data (series, number, issued by and when), international passport data, taxpayer identification number (TIN), individual insurance account number (SNILS), residential address and/or registration address, bank details.
- Method of processing: mixed (automated and non-automated).
- Processing and storage terms: in accordance with the requirements of applicable tax and accounting legislation.
- Destruction procedure: the Operator's responsible person destroys the personal data of the personal data subject with the execution of a corresponding act.
5.1.4. Representatives/employees of clients and counterparties of the Operator (legal entities)
- Purpose of processing: execution of a contract to which the client/counterparty (legal entity) is a party.
- List of processed personal data: last name, first name, patronymic, phone number, email address, passport data (series, number, issued by and when), residential address and/or registration address.
- Method of processing: mixed (automated and non-automated).
- Processing and storage terms: until expiry of the contract or replacement of representatives/employees of legal entity counterparties with whom interaction is carried out for the purpose of executing the contract.
- Destruction procedure: the Operator's responsible person destroys the personal data of the personal data subject with the execution of a corresponding act.
5.1.5. Registered users of the Operator's website or mobile application
- Purpose of processing: identifying an individual as a registered user of the website; placing an order and/or concluding a contract remotely; providing the user with access to personalized resources of the website; establishing feedback with the user, including sending notifications, requests regarding the use of the website, provision of services, processing requests and applications; creating an account for making purchases; notifying about order status; providing effective customer and technical support when problems arise related to the use of the website; providing service updates, special offers, pricing information, newsletters and other information on behalf of the website or on behalf of the website's partners (with consent); carrying out advertising activities (with consent).
- List of processed personal data: last name, first name, patronymic, email address, phone number, social media IDs and other data provided by the user independently.
- Method of processing: mixed (automated and non-automated).
- Processing and storage terms: until withdrawal of consent to the processing of personal data.
- Destruction procedure: the Operator's responsible person destroys the personal data of the personal data subject with the execution of a corresponding act.
5.1.6. Clients, potential clients
- Purpose of processing: informing about products, services, news, promotions and offers via telephone, SMS and email from the Company and its partners.
- List of processed personal data: last name, first name, patronymic, phone number, email address.
- Method of processing: mixed (automated and non-automated).
- Processing and storage terms: until withdrawal of consent to the processing of personal data.
- Destruction procedure: the Operator's responsible person destroys the personal data of the personal data subject with the execution of a corresponding act.
5.1.7. Other personal data subjects (to ensure the realization of the processing purposes specified in Section 4 of the Policy).
The categories and list of processed personal data with respect to other personal data subjects, the terms of their processing and storage, and the procedure for destroying personal data upon achievement of the purposes of their processing or upon occurrence of other legal grounds are determined in accordance with the legislation of the Russian Federation and local regulatory acts of the Operator, taking into account the purposes of personal data processing specified in Section 4 of the Policy.
5.2. Processing of special categories of personal data concerning racial or ethnic origin, political views, religious or philosophical beliefs, intimate life is not carried out by the Company.
5.3. Cross-border transfer of data is not carried out by the Operator.
5.4. Processing of biometric personal data is not carried out by the Company.
5.5. Processing of personal data permitted by the personal data subject for dissemination is carried out by the Company based on the consent of the personal data subject to dissemination, subject to the prohibitions and conditions on the processing of personal data established by the personal data subject.
6. Procedure and Conditions for Processing Personal Data
6.1. Processing of personal data is carried out after taking necessary measures to protect personal data.
6.2. The Operator is not entitled to process the personal data of a personal data subject without their written consent, except for cases provided for in Article 6 of the Federal Law "On Personal Data".
6.3. Consent in the form of an electronic document signed by an electronic signature in accordance with federal law is recognized as equivalent to consent in writing on hard copy containing the handwritten signature of the personal data subject.
6.4. Written consent of the personal data subject must include:
- last name, first name, patronymic;
- address of the personal data subject;
- number of the main identity document, information on the date of issue of the said document and the issuing authority;
- name and address of the Operator;
- purpose of processing personal data;
- list of personal data for the processing of which the consent of the personal data subject is given;
- list of actions with personal data for the performance of which consent is given, a general description of the methods of processing personal data used by the Operator;
- term during which the consent is valid;
- method of its withdrawal;
- signature of the personal data subject.
6.5. The Operator organizes the processing of personal data in the following order:
1. appoints a person responsible for organizing the processing of personal data, establishes a list of persons with access to personal data;
2. issues this Policy and local acts on personal data processing matters;
3. applies legal, organizational and technical measures to ensure the security of personal data;
4. carries out internal control and/or audit of the compliance of personal data processing with the Federal Law "On Personal Data" and regulatory legal acts adopted in accordance therewith, the requirements for the protection of personal data, this Policy, and local acts of the Operator;
5. assesses the harm that may be caused to personal data subjects in the event of a violation of the Federal Law "On Personal Data", determines the relationship between the said harm and the measures taken by the Operator aimed at ensuring the fulfillment of the duties provided for by this Federal Law;
6. familiarizes the Operator's employees directly involved in the processing of personal data with the provisions of the legislation of the Russian Federation on personal data, including the requirements for the protection of personal data, this Policy, local acts on personal data processing matters, and/or trains these employees.
6.6. When processing personal data, the Operator takes necessary legal, organizational and technical measures, including:
1. identifies threats to the security of personal data during their processing in personal data information systems;
2. applies organizational and technical measures to ensure the security of personal data during their processing in personal data information systems, necessary to fulfill the requirements for the protection of personal data, the implementation of which ensures the levels of personal data security established by the Government of the Russian Federation;
3. applies information security means that have undergone the conformity assessment procedure in accordance with the established procedure;
4. assesses the effectiveness of the measures taken to ensure the security of personal data before putting the personal data information system into operation;
5. keeps records of machine media of personal data;
6. detects instances of unauthorized access to personal data and takes measures;
7. restores personal data modified or destroyed due to unauthorized access;
8. establishes rules for access to personal data processed in the personal data information system, and also ensures registration and recording of all actions performed with personal data in the personal data information system.
6.7. When processing personal data, the Operator performs, in particular, collection, recording, systematization, accumulation, storage, updating (refreshing, changing), retrieval, use, transfer, blocking, deletion, and destruction of personal data.
6.8. In order to ensure the safety and confidentiality of personal data, all operations with personal data must be performed only by the Operator's employees performing this work in accordance with their job duties.
6.9. The Operator receives personal data directly from personal data subjects or their representatives with appropriate authority. The subject's consent to the Operator receiving their personal data from third parties is not required in cases where the subject's consent to transfer their personal data to third parties has been obtained in writing when concluding an agreement with the Operator, as well as in cases established by federal law.
The Operator does not use foreign services as a means of collecting personal data, except when the personal data subject independently, of their own free will, sent or transferred their personal data using foreign services.
6.10. Storing documents containing personal data and their copies at workplaces and/or in open access, as well as leaving cabinets (safes) open when an employee leaves the workroom, is prohibited.
6.11. Documents containing personal data in electronic form may be stored in specialized databases or in specially designated directories with access restriction and differentiation. Copying such data is prohibited.
6.12. Upon dismissal of an employee who has access to personal data, or upon termination of access to personal data, the documents and other media containing personal data are handed over by the employee to their immediate supervisor.
7. Use of Cookie Files on the Company's Website on the Internet
Website – the Company's internet website located at the domain name https://getjet.com/.
Cookies – small pieces of data sent by a web server and stored on the User's computer. Cookies can be used for various purposes, but are typically used to ensure the effective functioning of the website and to collect/store information about user preferences. In other words, cookies make using the Internet easier because they provide users with a personalized website experience and easy navigation. Cookies are passive files and cannot spread computer viruses or other malicious software.
When the User visits the Website, the Operator collects and processes cookies. They contain information about previous visits to the Website, websites (requests) from which the User navigated to the Website, assigned identifiers (IDs), IP address, location information, device type, session date and time, and information about actions on the website, including information collected through metric programs such as Yandex Metrica and Gudok, which may also place cookies on the User's device and use the User's data under the conditions determined by the operators of such services.
The Company takes full responsibility and, in accordance with the legislation of the Russian Federation, protects the personal data of the Website User. The processing of cookies is carried out by the Operator to the extent necessary to improve the functioning and optimize the operation of the website. Third-party cookies are accessible to the operators who place them on this website.
If the User does not agree to the Company using this type of file, the User must configure their browser settings accordingly or not use the Website. By continuing to use the Website, the User confirms their consent to the use of cookies in accordance with this Policy.
For the purposes of this Policy, cookies also include similar technologies such as web trackers, pixels, etc. The Website Administration uses the following cookies:
- Technical cookies – necessary for the proper operation of the Website; without them the Website cannot function properly (e.g., Gudok);
- Analytical cookies and Marketing cookies – added to the Website pages by third-party providers, such as Yandex (the list of cookies is updated by third-party providers, the Company is not responsible for its changes).
The User may at any time independently restrict or completely disable the setting of cookies through their web browser settings. Most modern browsers and internet security software support the ability to fully, partially, or selectively block cookies and other technical means used to obtain Statistical information, as well as delete previously saved cookies. In this regard, the User is recommended to study the security settings on their device and independently choose the preferred options. Settings may be implemented differently in each browser. The User should refer to the "Help" section of their browser and also check their firewall settings (if applicable). If the User refuses to accept cookies and uses other technical means, the Website Administration cannot technically guarantee that Users will have constant access to all Website functions, including ordering goods and services by all means provided on the Website.
Descriptions of settings for the most popular browsers are available at the following links:
- Google Chrome
- Microsoft Edge
- Yandex Browser (English version may be available via browser settings)
Some Statistics Services provide Users with the opportunity to declare that they do not wish the Statistics Services to take their activity into account (always or in some cases). This can be done via the following links:
Yandex Services (page is in Russian; international users may refer to Yandex's English privacy section)
8. Procedure for Processing Personal Data in Information Systems
8.1. Processing of personal data in information systems is carried out after the implementation of organizational and technical measures to ensure the security of personal data, determined taking into account current threats to the security of personal data and information technologies used in the information systems.
8.2. Ensuring security during the processing of personal data contained in information systems of state bodies and subordinate organizations is carried out in accordance with Decree of the Government of the Russian Federation No. 1119 dated November 1, 2012 "On Approval of Requirements for the Protection of Personal Data during Their Processing in Personal Data Information Systems", and the composition and content of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems, approved by Order of the FSTEC of Russia No. 21 dated February 18, 2013.
8.3. An authorized employee who has the right to process personal data in information systems is provided with a unique login and password for access to the corresponding information system. Access is provided in accordance with the functions provided for by the employee's job duties.
8.4. Information may be entered both automatically upon receipt of personal data from the official website on the internet, and manually upon receipt of information on hard copy or in another form that does not allow its automatic registration.
8.5. Ensuring the security of personal data processed in information systems of state bodies is achieved by excluding unauthorized, including accidental, access to personal data.
8.6. In the event of detection of violations of the procedure for processing personal data by authorized employees, measures are immediately taken to determine the causes of violations and eliminate them.
8.7. The set of measures to ensure the security of personal data implemented within the personal data protection system, taking into account current threats to the security of personal data and applied information technologies, includes:
- identification and authentication of access subjects and access objects;
- access control of access subjects to access objects;
- software environment restriction;
- protection of machine information media on which personal data is stored and/or processed;
- security event logging;
- antivirus protection;
- intrusion detection (prevention);
- monitoring (analysis) of personal data security;
- ensuring the integrity of the information system and personal data;
- ensuring the availability of personal data;
- protection of the virtualization environment and technical means;
- protection of the information system, its means, communication and data transmission systems;
- detection of incidents (a single event or group of events) that may lead to failures or disruption of the information system's functioning and/or the emergence of threats to the security of personal data, and response to them;
- configuration management of the information system and the personal data protection system.
8.8. Current threats to the security of personal data mean a set of conditions and factors that create a real danger of unauthorized, including accidental, access to personal data during their processing in an information system, which may result in the destruction, alteration, blocking, copying, provision, dissemination of personal data, as well as other unlawful actions.
- Type 1 threats are relevant to an information system if, among other things, threats related to the presence of undocumented (undeclared) capabilities in the system software used in the information system are relevant to it.
- Type 2 threats are relevant to an information system if, among other things, threats related to the presence of undocumented (undeclared) capabilities in the application software used in the information system are relevant to it.
- Type 3 threats are relevant to an information system if threats not related to the presence of undocumented (undeclared) capabilities in the system and application software used in the information system are relevant to it.
The type of personal data security threats relevant to an information system is determined taking into account the assessment of possible harm conducted pursuant to paragraph 5 of part 1 of Article 18.1 of the Federal Law "On Personal Data".
8.9. In accordance with paragraph 11 of Article 19 of the Federal Law "On Personal Data", the level of personal data security is understood as an integral indicator characterizing the requirements, the implementation of which ensures the neutralization of certain personal data security threats during their processing in personal data information systems. Four levels of personal data security are established for the processing of personal data in information systems.
8.9.1. The need to ensure the first level of personal data security during their processing in an information system is established if at least one of the following conditions is present:
a) threats of type 1 are relevant to the information system and the information system processes either special categories of personal data, or biometric personal data, or other categories of personal data;
b) threats of type 2 are relevant to the information system and the information system processes special categories of personal data of more than 100,000 personal data subjects who are not employees of the Operator.
8.9.2. The need to ensure the second level of personal data security during their processing in an information system is established if at least one of the following conditions is present:
a) threats of type 1 are relevant to the information system and the information system processes publicly available personal data;
b) threats of type 2 are relevant to the information system and the information system processes special categories of personal data of the Operator's employees or special categories of personal data of fewer than 100,000 personal data subjects who are not employees of the Operator;
c) threats of type 2 are relevant to the information system and the information system processes biometric personal data;
d) threats of type 2 are relevant to the information system and the information system processes publicly available personal data of more than 100,000 personal data subjects who are not employees of the Operator;
e) threats of type 2 are relevant to the information system and the information system processes other categories of personal data of more than 100,000 personal data subjects who are not employees of the Operator;
f) threats of type 3 are relevant to the information system and the information system processes special categories of personal data of more than 100,000 personal data subjects who are not employees of the Operator.
8.9.3. The need to ensure the third level of personal data security during their processing in an information system is established if at least one of the following conditions is present:
a) threats of type 2 are relevant to the information system and the information system processes publicly available personal data of the Operator's employees or publicly available personal data of fewer than 100,000 personal data subjects who are not employees of the Operator;
b) threats of type 2 are relevant to the information system and the information system processes other categories of personal data of the Operator's employees or other categories of personal data of fewer than 100,000 personal data subjects who are not employees of the Operator;
c) threats of type 3 are relevant to the information system and the information system processes special categories of personal data of the Operator's employees or special categories of personal data of fewer than 100,000 personal data subjects who are not employees of the Operator;
d) threats of type 3 are relevant to the information system and the information system processes biometric personal data;
e) threats of type 3 are relevant to the information system and the information system processes other categories of personal data of more than 100,000 personal data subjects who are not employees of the Operator.
8.9.4. The need to ensure the fourth level of personal data security during their processing in an information system is established if at least one of the following conditions is present:
a) threats of type 3 are relevant to the information system and the information system processes publicly available personal data;
b) threats of type 3 are relevant to the information system and the information system processes other categories of personal data of the Operator's employees or other categories of personal data of fewer than 100,000 personal data subjects who are not employees of the Operator.
8.10. The composition and content of measures to ensure the security of personal data necessary to ensure each of the levels of personal data security are given in the appendix to the Composition and Content of Organizational and Technical Measures to Ensure the Security of Personal Data during Their Processing in Personal Data Information Systems, approved by Order of the FSTEC of Russia No. 21 dated February 18, 2013.
9. Updating, Correcting, Deleting and Destroying Personal Data, Responding to Subject Requests for Access to Personal Data
9.1. The personal data subject has the right to receive information regarding the processing of their personal data, including:
1. confirmation of the fact of processing of personal data by the operator;
2. legal grounds and purposes of processing personal data;
3. purposes and methods of processing personal data used by the operator;
4. name and location of the Operator, information about persons (except for the Operator's employees) who have access to personal data or to whom personal data may be disclosed on the basis of a contract with the Operator or on the basis of federal law;
5. processed personal data relating to the relevant personal data subject, the source of their receipt, unless a different procedure for providing such data is provided for by federal law;
6. terms of processing personal data, including the terms of their storage;
7. procedure for the exercise by the personal data subject of the rights provided for by the Federal Law "On Personal Data";
8. information on the carried out or intended cross-border data transfer;
9. name or surname, first name, patronymic and address of the person processing personal data on behalf of the Operator, if processing is or will be entrusted to such person;
10. other information provided for by the Federal Law "On Personal Data" or other federal laws.
9.2. The above information must be provided to the personal data subject by the Operator in an accessible form, and must not contain personal data relating to other personal data subjects, except where there are legal grounds for disclosing such personal data.
9.3. The information specified in clause 9.1 is provided to the personal data subject or their representative by the Operator upon application or upon receipt of a request from the personal data subject or their representative. The request must contain the number of the main identity document of the personal data subject or their representative, information on the date of issue of the specified document and the issuing authority, information confirming the participation of the personal data subject in relations with the Operator (contract number, date of conclusion of the contract, conventional verbal designation and/or other information), or information otherwise confirming the fact of processing of personal data by the Operator, the signature of the personal data subject or their representative. The request may be sent in the form of an electronic document and signed with an electronic signature in accordance with the legislation of the Russian Federation.
9.4. If the information specified in clause 9.1, as well as the processed personal data, were provided for review to the personal data subject upon their request, the personal data subject has the right to contact the Operator again or send a repeated request in order to obtain the information specified in clause 9.1 and review such personal data no earlier than 30 days after the initial application or sending of the initial request, unless a shorter period is established by federal law, a regulatory legal act adopted in accordance therewith, or a contract to which the personal data subject is a party, beneficiary or guarantor.
9.5. The personal data subject has the right to contact the Operator again or send a repeated request in order to obtain the information specified in clause 9.1, as well as for the purpose of reviewing the processed personal data before the expiry of the period specified in clause 9.4, if such information and/or processed personal data were not provided to them for review in full based on the results of the consideration of the initial application. The repeated request, along with the information specified in clause 9.1, must contain a justification for sending the repeated request.
9.6. The Operator has the right to refuse to fulfill a personal data subject's repeated request that does not comply with the conditions provided for in clauses 9.4 and 9.5. Such refusal must be reasoned. The burden of proving the validity of the refusal to fulfill a repeated request lies with the Operator.
9.7. The Operator must inform the personal data subject or their representative of the existence of personal data relating to the relevant personal data subject, as well as provide an opportunity to review such personal data upon application of the personal data subject or their representative, or within 30 days from the date of receipt of the request of the personal data subject or their representative.
9.8. The Operator must provide free of charge to the personal data subject or their representative the opportunity to review the personal data relating to that subject.
9.9. Within a period not exceeding seven working days from the date the personal data subject or their representative provides information confirming that the personal data is incomplete, inaccurate or outdated, the Operator must make the necessary changes to them.
9.10. Within a period not exceeding seven working days from the date the personal data subject or their representative provides information confirming that such personal data was unlawfully obtained or is not necessary for the stated purpose of processing, the Operator must destroy such personal data.
9.11. The Operator must notify the personal data subject or their representative of the changes made and the measures taken, and take reasonable measures to notify third parties to whom the personal data of this subject was transferred.
9.12. In the event of detection of unlawful processing of personal data upon application of the personal data subject or their representative, or upon request of the personal data subject or their representative, or the authorized body for the protection of the rights of personal data subjects, the Operator must block the unlawfully processed personal data relating to this personal data subject, or ensure their blocking (if the processing of personal data is carried out by another person acting on behalf of the Operator), from the moment of such application or receipt of the specified request for the period of verification.
9.13. In the event of detection of inaccurate personal data upon application of the personal data subject or their representative, or upon their request, or upon request of the authorized body for the protection of the rights of personal data subjects, the Operator must block the personal data relating to this personal data subject, or ensure their blocking (if the processing of personal data is carried out by another person acting on behalf of the Operator), from the moment of such application or receipt of the specified request for the period of verification, if blocking of personal data does not violate the rights and legitimate interests of the personal data subject or third parties.
9.14. Upon confirmation of the fact of inaccuracy of personal data, the Operator, based on information provided by the personal data subject or their representative or the authorized body for the protection of the rights of personal data subjects, or other necessary documents, must update the personal data or ensure their updating (if the processing of personal data is carried out by another person acting on behalf of the Operator) within seven working days from the date of provision of such information and unblock the personal data.
9.15. In the event of detection of unlawful processing of personal data carried out by the Operator or a person acting on behalf of the Operator, the Operator must, within a period not exceeding three working days from the date of such detection, stop the unlawful processing of personal data or ensure the cessation of unlawful processing of personal data by the person acting on behalf of the Operator. If it is impossible to ensure the lawfulness of personal data processing, the Operator must, within a period not exceeding ten working days from the date of detection of unlawful processing of personal data, destroy such personal data or ensure their destruction. The Operator must notify the personal data subject or their representative, and if the application of the personal data subject or their representative or the request of the authorized body for the protection of the rights of personal data subjects was sent by the authorized body for the protection of the rights of personal data subjects, also that body, of the elimination of the violations committed or of the destruction of personal data.
9.16. Upon achieving the purpose of processing personal data, the Operator must stop processing personal data or ensure its cessation (if the processing of personal data is carried out by another person acting on behalf of the Operator) and destroy the personal data or ensure their destruction (if the processing of personal data is carried out by another person acting on behalf of the Operator) within a period not exceeding thirty days from the date of achieving the purpose of processing personal data, unless otherwise provided by a contract to which the personal data subject is a party, beneficiary or guarantor, another agreement between the Operator and the personal data subject, or unless the Operator is not entitled to process personal data without the consent of the personal data subject on the grounds provided for by the Federal Law "On Personal Data" or other federal laws.
9.17. Upon withdrawal by the personal data subject of consent to the processing of their personal data, the Operator must stop processing or ensure the cessation of such processing (if the processing of personal data is carried out by another person acting on behalf of the Operator) and, if the retention of personal data is no longer required for the purposes of processing personal data, destroy the personal data or ensure their destruction (if the processing of personal data is carried out by another person acting on behalf of the Operator) within a period not exceeding 30 days from the date of receipt of such withdrawal, unless otherwise provided by a contract to which the personal data subject is a party, beneficiary or guarantor, another agreement between the Operator and the personal data subject, or unless the Operator is not entitled to process personal data without the consent of the personal data subject on the grounds provided for by the Federal Law "On Personal Data" or other federal laws.
9.18. In the absence of the possibility of destroying personal data within the specified periods, the Operator blocks such personal data or ensures their blocking (if the processing of personal data is carried out by another person acting on behalf of the Operator) and ensures the destruction of personal data within a period not exceeding six months, unless a different period is established by federal laws.
10. Final Provisions
10.1. This Policy is a publicly available document.
10.2. The liability of persons with access to personal data is determined by the applicable legislation of the Russian Federation.