Personal Data Processing Policy

Last updated: 06.10.2025

1. General Provisions

  • 1.1. This Policy has been developed in accordance with Federal Law No. 152-FZ of 27.07.2006 'On Personal Data' and other regulatory acts of the Russian Federation and defines the procedure for processing and protecting personal data, made by Shaidullin T.M. Tax 165122127501 (hereinafter - PD) by the Operator.
  • 1.2. The Policy applies to the website, mobile applications, desktop application, web application and API of the Convly service (hereinafter - the Service).
  • 1.3. The Operator processes PD in automated and non-automated ways exclusively for the purposes specified in this Policy.
  • 1.4. Special categories of PD and biometric PD are not processed unless processing is required or permitted by law.

2. Terms

User β€” a natural person using the Service.
Content β€” audio/video files uploaded by the User for transcription.
Operator β€” a state body, municipal body, legal entity or natural person, independently or jointly with other persons organizing and (or) carrying out the processing of personal data.
Processor β€” a person processing PD on behalf of the Operator.
Biometric PD β€” information about physiological characteristics of a person (for example, voice) used for identity verification.

3. Composition of processed personal data

  • 3.1. Registration data: e-mail, password/SSO identifier, name (if specified).
  • 3.2. Technical data: IP address, cookies, user-agent, device identifiers (stored for up to 12 months).
  • 3.3. Content data: speech and other information contained in uploaded files; transcribed text (stored until deleted by the User).
  • 3.4. Payment data: tokens/identifiers of operations with the payment provider, payment statuses (without storing card details).
  • 3.5. Support requests: messages, tickets, correspondence.

4. Purposes of personal data processing

  • β€” providing transcription services and related functions;
  • β€” communication with Users, technical support;
  • β€” fulfilling legal requirements (tax and accounting, responses to government agencies);
  • β€” ensuring Service security and preventing abuse;
  • β€” marketing mailings with User consent.

5. Legal bases for processing

  • β€” performance of the service agreement with the User;
  • β€” fulfillment of legal obligations of the Operator;
  • β€” legitimate interest of the Operator (security, service development) with balance of interests;
  • β€” consent of the PD subject for a specific purpose.

6. Biometric data and voice

Voice recording is qualified as biometric PD only when used for identity verification. The Service only performs transcription and does not use voice for identity establishment, therefore special grounds for biometric processing are not required.

7. Localization and transfer of personal data

  • 7.1. Personal data of Russian Federation citizens are recorded, systematized and stored in databases located on the territory of the Russian Federation.
  • 7.2. Cross-border transfer of PD is not carried out. If it becomes necessary to transfer PD outside the RF, the Operator will ensure compliance with the requirements of Art. 12 of Law No. 152-FZ.

8. Transfer of data to third parties

  • 8.1. PD may be transferred to:
  • β€” hosting providers and data centers;
  • β€” payment operators;
  • β€” technical support and analytics providers;
  • β€” authorized government agencies β€” in cases provided by law.
  • 8.2. Processors are obliged to maintain confidentiality and apply PD protection measures.
  • 8.3. Without legal basis or User consent, PD is not disclosed.

9. Measures to ensure PD security

  • β€” TLS 1.3 encryption during transmission and AES-256 during storage;
  • β€” RBAC, MFA for administrative access;
  • β€” firewalls and network segmentation;
  • β€” daily backup (30-day retention);
  • β€” logging of administrator actions (12-month retention);
  • β€” internal regulations, staff training, annual security audit.

10. Personal data retention periods

  • β€” account data β€” until deleted by the User;
  • β€” Content and transcripts β€” until deleted by the User;
  • β€” technical logs β€” 12 months;
  • β€” documents containing PD β€” for periods established by legislation.

11. Rights of personal data subjects

The User has the right to:

  • β€” obtain information about the processing of their PD;
  • β€” demand clarification, blocking or deletion of PD;
  • β€” withdraw consent for PD processing;
  • β€” restrict PD processing in cases provided by law;
  • β€” appeal the Operator's actions to Roskomnadzor or court.

Requests are sent to e-mail privacy@convly.ru; response within 30 days.

12. Policy Changes

  • 12.1. The Operator has the right to change the Policy by publishing a new version on the website.
  • 12.2. The Policy is valid indefinitely until replaced by a new version.