Privacy Policy (Policy on the Processing of Personal Data)

This Policy has been approved by Individual Entrepreneur Vezhina Oksana Vladimirovna
OGRNIP: 324470400023858, TIN: 470516487295
Registered address: 188300, Russia, Leningrad Oblast, Gatchinsky District, Gatchina, Shvedskiy Drive, building 1, apt. 53.
Email for inquiries regarding personal data: info@tloa.app

Effective date: April 15, 2026.
Last updated: April 15, 2026.

  1. General Provisions



1.1. This Privacy Policy (hereinafter — “Policy”) establishes the procedure and conditions for the processing of personal data when using the website tloa.app (hereinafter — “Website”) and the progressive web application “TLOA — Law of Attraction” located at web.tloa.app (hereinafter — “Application”; jointly — “Services”), and also defines the rights of personal data subjects and the Controller’s obligations to protect such data. The Policy applies regardless of the device from which the user accesses the Services (web, mobile application, tablet, smart devices, and others).

1.2. The personal data Controller is Individual Entrepreneur Vezhina Oksana Vladimirovna (OGRNIP 324470400023858, INN 470516487295, address: 188300, Russia, Leningrad Oblast, Gatchinsky District, Gatchina, Shvedsky Lane, bldg. 1, apt. 53; contact for personal data requests: info@tloa.app) (hereinafter — “Controller”).

1.3. This Policy applies to all personal data that the Controller receives from users of the Services, as well as from persons contacting the communication channels specified on the Website or in the Application, regardless of the country of access, except as expressly provided by this Policy or mandatory legal provisions.

1.4. Legal framework. The Controller processes personal data in accordance with applicable provisions:
— Russian Federal Law No. 152-FZ “On Personal Data”;
— Regulation (EU) 2016/679 (GDPR) and UK GDPR;
— EU ePrivacy rules (as to cookies and similar technologies);
— California CCPA/CPRA law;
— Brazil Law No. 13.709/2018 (LGPD);
— Canada’s PIPEDA;
— as well as other applicable personal data protection laws in the United States (including the laws of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Tennessee (TIPA)) and the U.S. COPPA (Children’s Online Privacy Protection Act) as to children’s data processing.

In the event of a conflict of norms, the law mandatory for the user at the place of his or her habitual residence shall apply, provided that this does not conflict with the imperative requirements of Russian law on localization of Russian citizens’ data.

1.5. Territorial applicability and regional restrictions. Access to the Services is provided to users worldwide, except for users from mainland China, as well as other countries or territories subject to international sanctions or export restrictions that make provision of services impossible. Data of Russian citizens are subject to initial collection and storage in the territory of the Russian Federation (RU hub). Data of all other users are processed through the European hub (EU hub), unless otherwise provided by this Policy or mandatory legal provisions.

1.6. Cross-border processing. Due to the global availability of the Services, certain processing operations may involve the cross-border transfer of personal data to other countries, including states that do not provide an adequate level of data protection (for example, the United States). Such transfers are carried out on the basis of Standard Contractual Clauses (SCCs) of the European Commission, as well as other legal mechanisms provided for by applicable law (for example, the Data Privacy Framework for the U.S.). The Controller applies organizational and technical measures to ensure the security of such transfers.

1.7. Age restrictions. The Services are intended for users who have reached the age of 18. Registration and use of the Services by persons under 18 are prohibited. The Controller does not intentionally collect children’s data.

1.8. Set of documents. The Policy is part of the document package mandatory for the user and operates together with the following documents posted on the Website:
— User Agreement (offer agreement) governing the terms of use of the Services;
— Recurring Payment Terms (as a separate document or a section of the offer);
— The “Cookies” section of this Policy (information about the cookies used and management mechanisms).

On the user’s first visit to the Website, a cookie management banner is provided, allowing consent to or refusal of non-essential cookies.

1.9. Home hubs and region assignment. Upon registration and/or first use of the Services, the Controller assigns the User a “home hub” for data storage based on a combination of factors (declared country of residence, IP geolocation, and other technical indicators).

– Data of Russian citizens are always processed in the RU hub in accordance with the requirements of Russian law.

– Data of all other users are processed in the EU hub, unless otherwise required by mandatory rules of applicable law.

If the declared country does not match the IP geolocation, the Service requests confirmation of the chosen country from the User (for example, a warning about a possible VPN). Confirmation is performed by a simple action in the interface (“Confirm” / “Change country”). The User is responsible for the accuracy of the chosen country. The Controller records the fact of confirmation (date/time, IP, userID, notification version). If the User provides false information, responsibility for the consequences of such inaccuracy rests solely with the User.

1.10. Consent and recording of expressions of will. Upon registration, the user confirms acceptance of the Policy and the User Agreement, and separately expresses consent to the processing of sensitive personal data (if planning to use the relevant features). Consent to recurring charges is requested separately when subscribing. The Controller keeps records (logs) of the fact, date, and version of consent, as well as the user identifier and technical parameters at the moment consent is given, to the extent sufficient to confirm the lawfulness of processing.

1.11. Updates and revisions. The Policy may be changed by the Controller to reflect changes in legislation, operational processes, or the composition of the Services. When making material changes, the Controller notifies users via a banner/notification in the Services and, if necessary, requests renewed consent. Previous versions of the Policy are retained and provided upon request. The Policy is effective from the date specified in the preamble and until replaced by a new version.

1.12. Language versions and priority. The Policy is published in Russian and English. For users whose data are subject to localization in the Russian Federation, the Russian version is the priority version. For users outside the Russian Federation, the English version is the priority version. In the event of discrepancies between versions, the version that provides a higher level of protection of the data subject’s rights shall apply, unless otherwise required by a mandatory provision of applicable law.

1.13. Limitation of liability for external resources. The Policy applies exclusively to the Websites and Application controlled by the Controller. Links to third-party resources are provided for convenience; the Controller does not control the privacy policies and practices of such resources.

1.14. Contacts for data protection matters. To exercise rights provided by applicable law (access, correction, deletion, portability, restriction, objection, withdrawal of consent), as well as for other data protection matters, the user may contact: info@tloa.app. The procedure for reviewing requests and response times are set out in the relevant section of this Policy.

 

 

  2. Terms and Definitions

 

 

2.1. For the purposes of this Policy, the following terms are used:

2.1.1. User — any individual who has reached the age of 18 and has registered for or uses the Services (the Website and/or the Application).

2.1.2. Controller — Individual Entrepreneur Vezhina Oksana Vladimirovna (OGRNIP 324470400023858, INN 470516487295), processing Users’ personal data.

2.1.3. Personal data — any information relating directly or indirectly to the User. This Policy distinguishes:

- ordinary personal data: first name, last name, e-mail, password, subscription status, checklists, virtual accounts, push settings, interface language, chat history, technical device data (IP, cookies, device ID, etc.);

- sensitive personal data: voice recordings, intentions, beliefs, test results, program progress.

2.1.4. Sensitive data — personal data of special categories, including information about worldview, personal beliefs, psychological state, as well as biometric data (voice recordings). Processing of such data is allowed only with separate consent of the User.

2.1.5. Technical data — information automatically transmitted during the use of the Services: IP address, cookies data, browser information, device model, operating system, language, and settings.

2.1.6. Virtual account — a game feature of the Application that allows the User to create virtual balances and perform imaginary operations. A virtual account is not a means of payment, is not connected to real banking systems, and has no monetary value.

2.1.7. Checklists and notes — data created by the User to record tasks and intentions within the Program.

2.1.8. Progressive Web Application (PWA) — the mobile web application “TLOA — Law of Attraction,” installed through a browser and running on the User’s device.

2.1.9. Home hub — the personal data storage infrastructure assigned by the Controller upon registration depending on the User’s citizenship/country of residence and IP geolocation (RU hub for Russian citizens, EU hub for other Users).

2.1.10. Analytics services — third-party tools (for example, Google Analytics, Yandex.Metrica) used to analyze traffic and use of the Service.

2.1.11. Payment aggregator — a third-party organization (for example, Prodamus) that processes bank card and payment data. The Controller does not store card details and receives only subscription status and transaction identifiers.

2.1.12. Chat bot — Service functionality that enables the User to interact with an artificial intelligence system. For processing requests, an external AI processing provider acting as a data processor on behalf of the Controller may be used.

2.1.13. Push notifications — messages sent by the Application to the User’s device to remind the User about program completion and progress. Notifications are not promotional in nature and are managed by the User through settings.

2.1.14. Cookies — small text files stored in the User’s browser. Cookies may be:

- strictly necessary (ensuring the operation of the Service, including authorization);

- functional (saving settings);

- analytical (for example, Google Analytics, Yandex.Metrica).

The User can manage cookies through the banner on first visit and through browser settings.

2.1.15. Data recipients — third-party organizations involved in data processing on behalf of the Controller (payment aggregators, hosting providers, analytics providers, AI processing providers, etc.) that are required to comply with contractual obligations regarding confidentiality and security.

2.1.16. Declared country — the country of residence/citizenship specified by the User during registration or in the profile, used to assign the home data storage hub and apply regional rules.

 

 

  3. Composition of Processed Data



3.1. Personal data provided by the User:
– first name, last name, e-mail address, password;
– data entered when using the program: intentions, beliefs, test results, progress of completion (day scale, sprout), checklists, virtual accounts;
– voice recordings created when using the Program’s functions;
– support requests, messages sent through feedback channels.
3.2. Automatically collected data:
– technical device data (IP address, cookies, device identifiers, browser and OS data, interface language, settings);
– events and logs of Service use (logins, actions, errors, interaction metadata);
– payment data: subscription status and transaction identifiers provided by the payment aggregator (Prodamus);
– analytical data collected through Google Analytics and Yandex.Metrica;
– push notification settings and delivery facts.
3.3. Data that are not collected:
– exact geolocation of the User;
– contacts from the device address book;
– photos, videos, and other media files;
– bank details and full payment card data;
– biometric data, except for voice recordings;
– social network and third-party account data.
3.4. All data are processed and stored in the home hub assigned at registration (RU hub for Russian citizens, EU hub for other Users), in accordance with section 1 of this Policy.

 

 

  4. Purposes of Personal Data Processing



4.1. Users’ personal data are processed by the Controller solely for the following purposes:
4.1.1. Registration, authentication, and administration of the User’s account, assignment of the home data storage hub.
4.1.2. Provision and support of the Services’ functionality, including working with intentions, beliefs, tests, progress, and voice recordings, as well as their playback to the User.
4.1.3. Ensuring the operation of the chat bot, including transferring user messages to the artificial intelligence technology provider for generating responses within the scope of the service provision.
4.1.4. Payment processing and subscription management, including subscription setup and renewal, invoicing, payment status accounting, and interaction with the payment aggregator.
4.1.5. Interface personalization and saving user settings, including language, time parameters, and reminder schedule, as well as sending functional push notifications related to program completion.
4.1.6. Processing User requests and inquiries through support, correspondence, and incident resolution.
4.1.7. Ensuring information security, preventing fraud and abuse, monitoring operability, investigating and fixing failures, maintaining event logs.
4.1.8. Maintaining records (logs) of Users’ consent, processing data subjects’ requests for access, correction, deletion, portability, and restriction of processing, as well as managing consent withdrawal.
4.1.9. Compliance with legal and regulatory requirements, including localization of personal data of Russian citizens, accounting and tax records, document retention for statutory periods, and responses to lawful requests from public authorities.
4.1.10. Producing aggregated and de-identified statistics on use of the Services, carrying out analytics and measurements to improve quality and develop new features, including the use of analytics services subject to compliance with cookie and confidentiality requirements.
4.1.11. Backup and restoration of data, testing, auditing, as well as other operations directly necessary to maintain the continuity and stability of the Services.
4.1.12. Establishment, exercise, or defense of legal claims of the Controller or third parties under applicable law.
4.2. Restrictions on data use:
4.2.1. Personal data are not used for direct marketing, mass mailings, or targeted advertising.
4.2.2. Personal data are not sold and are not transferred for purposes of so-called sale or sharing within the meaning of California law (sale/share) for advertising purposes.
4.2.3. The Controller does not make decisions producing legal effects for the User solely on the basis of automated processing without human involvement.
4.2.4. The use of analytics and cookies is limited to the purposes of measurement and improvement of the Services, with the User being provided with a mechanism to manage non-essential cookies.
4.3. Legal grounds for processing:
4.3.1. Performance of a contract with the User and provision of the Services: registration and authentication, access to program functionality, chat bot operation, payment processing and subscription management, User support, functional notifications.
4.3.2. User consent: processing of sensitive personal data (including voice recordings, intentions, beliefs, test results, progress), use of non-essential cookies and analytics, setup of recurring charges, cross-border transfer in cases where required by law.
4.3.3. Fulfillment of legal obligations: localization of data of Russian citizens, accounting and tax records, document retention, responses to requests from competent authorities, compliance with data protection legislation.
4.3.4. Legitimate interests of the Controller: ensuring the security of the Services, preventing fraud and abuse, maintaining event logs, improving and developing functionality, internal reporting and control, provided that the User’s rights and freedoms are respected.
4.3.5. Establishment, exercise, or defense of legal claims: processing of data necessary to protect the rights and interests of the Controller or third parties in judicial and pre-trial proceedings.
4.4. De-identification and aggregation of data:
4.4.1. For analytics and reporting purposes, the Controller may de-identify personal data, eliminating the possibility of identifying the User, and use such data in aggregated form for statistics, improvement of the Services, and publication of non-personalized metrics.
4.4.2. De-identification and aggregation operations are performed in compliance with applicable standards and do not permit reverse identification of the User without a separate legal basis.
4.5. Information on the place and participants of processing:
4.5.1. Processing is carried out in the designated home data storage hub in accordance with section 1 of this Policy.
4.5.2. Certain operations may be carried out with the involvement of engaged service providers necessary for the operation of the Services (payment aggregator, analytics, AI provider), provided that they comply with contractual confidentiality obligations and applicable law requirements. Details about data recipients and cross-border transfers are set out in the relevant sections of the Policy. 

 

 

  5. Legal Grounds for Personal Data Processing



5.1. The User’s personal data are processed on the following legal grounds:
– the data subject’s consent to processing (Article 6 of Russian Federal Law No. 152-FZ; Article 6(1)(a) GDPR; other applicable provisions);
– the necessity of processing for the performance of a contract to which the User is a party (Article 6(1)(b) GDPR);
– the legitimate interests of the Controller that do not infringe the User’s rights and freedoms (Article 6(1)(f) GDPR), including ensuring security, preventing fraud, carrying out analytics, and improving the Services;
– the necessity of complying with mandatory legal requirements (Article 6(1)(c) GDPR; Article 6 of Russian Federal Law No. 152-FZ).
5.2. With respect to sensitive personal data (biometric data — voice recordings; information about intentions, beliefs, psychological state), the legal basis is exclusively the User’s separate explicit consent (Article 9(2)(a) GDPR; Article 10 of Russian Federal Law No. 152-FZ).
5.3. Processing of payment data is carried out on the basis of:

– performance of the contract between the User and the Controller;

– compliance with legal requirements regarding accounting and tax records;

– the User’s consent to recurring payments (in cases where it is provided through the payment aggregator interface).
5.4. Processing of technical data (IP address, cookies, device ID, device settings) is based on:

– the Controller’s legitimate interests in ensuring the operation and security of the Services;

– the User’s consent to the installation and use of non-essential cookies (through the banner on the first visit).
5.5. Processing of data for feedback, support, and request handling purposes is carried out on the basis of:

– the User’s consent expressed when sending the relevant request;

– the Controller’s legitimate interest in ensuring service quality.
5.6. Forms of the User’s consent expression:

– at registration: a checkbox “I accept the Privacy Policy and the User Agreement” (for ordinary personal data);
– at registration: a separate checkbox “I agree to the processing of sensitive data” (for voice recordings, intentions, beliefs, progress, test results);

– when subscribing: separate consent to recurring charges (in the Prodamus interface);

– on the first visit to the Website: a cookie banner allowing consent to or refusal of non-essential cookies.

 

 

  6. Procedure for Collecting and Storing Personal Data



6.1. Personal data are collected in the following ways:

– when the User registers in the Services — by filling out the registration form (first name, last name, e-mail, password);

– when subscribing — by transferring data to the payment aggregator (Prodamus), while the Controller does not store bank card details;

– when using the Program — by the User creating content (intentions, beliefs, voice recordings, checklists, virtual account, progress of completion);

– automatically when using the Services — technical device data (IP address, cookies, device ID, browser and OS information, interface language, access time);

– when contacting support and through communication channels — data contained in the User’s messages.
6.2. All voice recordings and other sensitive data are stored exclusively in the User’s “home hub.” Data of Russian citizens are localized and initially processed in a data center located in the territory of the Russian Federation. Data of all other Users are processed in the European hub (EU hub), unless otherwise provided by law or this Policy.
6.3. Personal data are stored in a form allowing identification of the data subject no longer than is necessary for the purposes of processing, unless a longer retention period is required by law.
6.4. Access to personal data is granted only to the Controller’s authorized employees, as well as to authorized service providers (Prodamus, Google Analytics, Yandex.Metrica, DeepSeek), strictly to the extent necessary for the performance of their functions.
6.5. The Controller applies measures to protect personal data from unlawful or accidental access, destruction, alteration, blocking, copying, disclosure, dissemination, as well as from other unlawful actions.
6.6. The Controller keeps records of the collection, modification, and deletion of personal data, and also stores technical logs of actions in the Services for information security purposes and compliance with legal requirements.

6.7. The User is responsible for the accuracy of the country of residence information provided during registration. If a VPN is used or knowingly false information is provided, responsibility for possible consequences (including the determination of the home data storage hub) rests with the User.

 

 

  7. Transfer to Third Parties and Cross-Border Data Transfer

 

 

7.1. The Controller may transfer Users’ personal data only in cases and to the extent necessary to achieve the purposes specified in this Policy, and solely on legal grounds.

7.2. Personal data may be transferred to the following categories of recipients:

- Payment aggregators (for example, Prodamus) — for processing payments and recurring charges;

- Analytics services (for example, Google Analytics, Yandex.Metrica) — for analyzing the use of the Services;

- AI processing providers (chat bot) — for processing data entered by the User and generating responses;

- Hosting providers and infrastructure providers — to ensure the functioning of the Services;

- Support services and contractors — for interaction with the User;

- Government authorities — in cases expressly provided for by law.

7.3. The Controller does not sell Users’ personal data to third parties and does not use them for distributing promotional mailings.

7.4. Cross-border transfer.

- Data of Russian citizens are subject to mandatory storage and processing in the territory of the Russian Federation (RU hub).

- Data of users from other countries are processed in the infrastructure of the European Union (EU hub).

- Certain operations may involve transfer of data to other countries, including states that do not provide an adequate level of protection (for example, the U.S.). Such transfers are carried out on the basis of Standard Contractual Clauses (SCCs) of the European Commission, the Data Privacy Framework (DPF) mechanism (if the recipient is certified), as well as with the application of additional organizational and technical measures (for example, encryption, access restriction, data minimization).

7.5. If required by mandatory legal requirements, data may be disclosed to authorized state authorities (courts, inquiry and investigative bodies, tax authorities, etc.), but only within the procedures provided by law.

7.6. All recipients of personal data are obliged to ensure their confidentiality and use them solely for the purposes for which the data were transferred.

  8. User Rights


8.1. The User has the following rights regarding their personal data in accordance with Russian Federal Law No. 152-FZ, the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA/CPRA), and other applicable laws:
8.1.1. Right of access — to obtain confirmation of the processing of personal data and a copy of such data.
8.1.2. Right to rectification — to require correction of inaccurate or outdated personal data.
8.1.3. Right to erasure (“right to be forgotten”) — to require deletion of their personal data, except where retention is mandatory by law.
8.1.4. Right to restriction of processing — to require temporary suspension of data processing in certain cases.
8.1.5. Right to object — to object to the processing of personal data, including processing for analytics and statistics purposes.
8.1.6. Right to data portability — to receive personal data in a structured, machine-readable format and transfer it to another controller.
8.1.7. Right to withdraw consent — to withdraw consent to the processing of personal data at any time, including consent to the processing of sensitive data.
8.1.8. Right to manage cookies and push notifications — to change settings independently in the Application or browser.
8.1.9. Right to lodge a complaint — to contact the authorized supervisory authority (in Russia — Roskomnadzor; in the EU — the national data protection authority; in the U.S. — the FTC or the relevant bodies).
8.2. Requests to exercise Users’ rights shall be sent to the e-mail address: info@tloa.app.
8.3. The Controller is obliged to respond to the User’s request without undue delay, but no later than 30 (thirty) calendar days from receipt of the request.
8.4. If the User’s request is denied, the Controller must provide a reasoned response.
8.5. When the User’s account is deleted, all personal data are deleted or anonymized, except for information subject to retention by law (for example, accounting data).

  9. Personal Data Security


9.1. The Controller takes all necessary legal, organizational, and technical measures to protect Users’ personal data from unlawful or accidental access, destruction, alteration, blocking, copying, dissemination, as well as from other unlawful actions.
9.2. The following measures are used to protect personal data:
– data transfer is carried out exclusively through secure communication channels (HTTPS/TLS);
– passwords are stored only in encrypted form using cryptographic algorithms;
– sensitive data (voice recordings, intentions, beliefs, test results, progress) are stored exclusively in encrypted form in the home hub (RU hub for Russian citizens, EU hub for other Users);
– access to data is restricted to a circle of the Controller’s authorized persons and is granted only when necessary for the performance of official duties;
– all administrative accesses to personal data and actions with them are logged;
– regular backup of data is performed in the relevant hub (RU or EU);
– protection tools against unauthorized access, antivirus software, and intrusion detection systems are used;
– software is regularly updated and vulnerabilities are checked;
– an incident response plan is implemented, providing for notification of authorized authorities and Users in the event of a data breach within the time limits established by applicable law (GDPR, LGPD, CPRA, etc.).
9.3. The User is obliged to keep their credentials (login and password) confidential and not share them with third parties. The Controller is not responsible for the actions of third parties who gained access to the User’s account as a result of the User’s violation of security rules.
9.4. Despite the security measures taken, the User understands that no method of data transmission or storage can guarantee absolute protection and accepts the risks associated with the use of the Services.

  10. Cookies and Analytics


10.1. To ensure the operation of the Services, their personalization, and traffic analysis, cookies and similar technologies are used.
10.2. Cookies may fall into the following categories:
– strictly necessary (ensure the operation of the Services, including authorization and session preservation);
– functional (save the User’s settings and preferences, such as interface language, push settings);
– analytical (Google Analytics, Yandex.Metrica) — used only with the User’s consent and allow collecting statistics on the use of the Services in order to improve their operation.
10.3. On the first visit to the Website, the User receives a cookie banner where they may agree to the use of non-essential cookies or refuse them. Cookie settings may be changed by the User in the browser at any time.
10.4. Advertising cookies and tracking technologies are not used in the Services.
10.5. Data collected by analytics services are transferred and processed by the respective providers (Google, Yandex) under their own privacy policies. Processing of such data may occur outside the User’s country of residence.
10.6. (EU/UK) For users from the European Economic Area and the United Kingdom, analytical cookies (Google Analytics) are installed only after consent via the cookie banner. The banner provides equivalent options: “Accept all”, “Reject all”, “Customize”. In the “Customize” section, the user may select cookie categories. Strictly necessary cookies are always used.

  11. Retention Periods and Data Deletion

11.1. Users’ personal data are stored no longer than necessary for the purposes for which they were collected, or until the User withdraws consent, deletes the data personally, or deletes the account.

11.2. Ordinary personal data (first name, last name, e-mail, password, subscription status, checklists, virtual accounts, push settings, interface language, chat history, technical device data) are stored for the entire period of use of the Services and are deleted when the User’s account is deleted or upon the User’s request.

11.3. Sensitive personal data (voice recordings, intentions, beliefs, program progress, test results) are stored:

- until the corresponding intention or record is deleted by the User;

- or until the account is deleted;

- or upon the User’s withdrawal of consent to the processing of sensitive data.

11.4. Subscription and payment data are stored exclusively with the payment aggregator (Prodamus or another provider selected by the Controller). The Controller receives and stores only the subscription status and transaction identifiers.

11.5. In cases where the law obliges the Controller to retain certain data (for example, accounting and tax information), such data are retained for the periods established by law (in the Russian Federation — 5 years or another period expressly provided by law).

11.6. In the event of complete inactivity of the User’s account for 12 (twelve) months, the Controller deletes the account together with all personal data, after notifying the User by e-mail at least 30 (thirty) calendar days before deletion.

11.7. Backup copies of data are stored in the same data centers as the main data (RU hub for Russian citizens, EU hub for other Users) and are subject to deletion within the established retention periods and backup rotation cycles after deletion of the relevant data from the main system.

11.8. The User may at any time request deletion of all their data (“right to be forgotten”) by sending a request to info@tloa.app. In this case, the Controller deletes the data from the main system without undue delay, and from backup copies — within the rotation cycles as provided in clause 11.7.

 

 

  12. Updates to this Policy



12.1. The Controller may amend this Policy to reflect changes in legislation, the composition of the Services, the technologies used, the list of data recipients and subprocessors, as well as the purposes of processing.
12.2. When making material changes affecting Users’ rights and interests (for example, expanding the categories of data processed, changing the purposes or legal bases of processing, adding new data recipients, changing storage regions), the Controller posts a notice in the Services and sends an informational message to the e-mail specified in the account no later than the date the changes take effect, unless otherwise required by applicable law.
12.3. In cases where the changes require obtaining new consent (including consent to process sensitive data or consent to use non-essential cookies), the Controller requests such consent through the Services interface before continuing the relevant processing.
12.4. The effective date and the last updated date are indicated in the preamble to the Policy. The Controller maintains versioning of the Policy and stores previous versions; copies are provided upon the user’s request to info@tloa.app.
12.5. Continued use of the Services after the changes take effect means the User’s consent to the updated version, except where express consent is required by law.
12.6. If the User’s applicable law requires notification of the competent authority or compliance with special procedures when changing processing conditions, the Controller complies with such requirements.

 

  13. Contacts



13.1. For all questions related to the processing of personal data, the User may contact the Controller at:
Individual Entrepreneur Vezhina Oksana Vladimirovna
OGRNIP: 324470400023858
INN: 470516487295
Legal address: 188300, Russia, Leningrad Oblast, Gatchinsky District, Gatchina, Shvedsky Lane, bldg. 1, apt. 53.
E-mail: info@tloa.app
13.2. Requests to exercise the rights of a personal data subject (including access, correction, deletion, restriction of processing, withdrawal of consent, portability) are considered within the time limit established by applicable law:
– under GDPR — no later than 30 days;
– under Russian Federal Law No. 152-FZ — within 30 calendar days;
– under other laws — within the time limits established by the relevant jurisdiction.
13.3. To confirm identity when submitting a request, the Controller may request additional information (for example, confirmation of access to the e-mail specified in the account).
13.4. If the User believes that their rights have been violated, they may file a complaint with the data protection supervisory authority in their jurisdiction (for example, Roskomnadzor in the Russian Federation, the national DPA in the EU, the ICO in the United Kingdom, the FTC in the U.S.) or go to court.

13.5. Additionally. Users located outside the Russian Federation may exercise their rights in accordance with applicable law (for example, GDPR in the EU, UK GDPR, CPRA in California, LGPD in Brazil). In such cases, the Controller ensures that there are lawful grounds for cross-border data transfer and complies with the requirements of the relevant legislation.