Privacy Policy

1. Introduction

This Privacy Policy (hereinafter — the "Policy") has been developed in accordance with Federal Law No. 152-FZ dated 27.07.2006 "On Personal Data", Federal Law No. 149-FZ dated 27.07.2006 "On Information, Information Technologies and Protection of Information" and defines the procedures for processing and protecting personal data of Users of the Flute CMS platform (hereinafter — the "Service").

This Policy applies to all personal data that the Operator may receive from Users when using the Service: visiting the website, registering, making purchases, and interacting with the marketplace. By using the Service, you consent to the processing of your personal data under the terms of this Policy. Personal data processing includes the following operations: collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, and destruction of personal data.

The Operator adheres to the principle of data minimization: only personal data that is necessary and sufficient to achieve the specified processing purposes is collected and processed. Processing of personal data that is excessive in relation to the stated purposes is not permitted.

2. Definitions

The following terms are used in this Policy in accordance with Article 3 of Federal Law No. 152-FZ:

• "Personal Data" — any information relating directly or indirectly to an identified or identifiable natural person (data subject).
• "Operator" — a legal entity or individual entrepreneur that independently or jointly with others organizes and/or carries out the processing of personal data, and determines the purposes and content of data processing.
• "Processing of Personal Data" — any action (operation) or set of actions performed with personal data, including collection, recording, systematization, accumulation, storage, clarification, extraction, use, transfer, depersonalization, blocking, deletion, and destruction.
• "Data Subject" — a natural person whose personal data is being processed.
• "Confidentiality of Personal Data" — the Operator's and other persons' obligation not to disclose or distribute personal data without the consent of the data subject, unless otherwise required by law.
• "Cross-Border Transfer of Personal Data" — the transfer of personal data to a foreign state, to a foreign authority, a foreign natural person, or a foreign legal entity.

3. Personal Data Operator

The personal data operator is Individual Entrepreneur Antipov Nikita Aleksandrovich, TIN (INN): 263219145920, PSRNIE (OGRNIP): 326890000010309, region: Yamalo-Nenets Autonomous Okrug (YaNAO), Russia, email: xenozf@gmail.com. The Operator determines the purposes and methods of personal data processing, ensures their security, and observes the rights of data subjects in accordance with Federal Law No. 152-FZ.

The person responsible for the organization of personal data processing is the Operator (Antipov N.A.). Inquiries regarding the processing of personal data, exercise of rights, or complaints should be directed to: xenozf@gmail.com.

4. Data We Collect

We collect the following categories of personal data:

Data Provided by the User

When registering, making purchases, and interacting with the Service, you may provide:

• Authentication data: when signing in via Discord OAuth — username, identifier, email address, avatar; when signing in via Telegram OAuth — user identifier, first/last name (if available), username, profile photo (if available)
• Profile information you add or update
• Payment data (processed by a third-party payment aggregator; the Licensor does not store bank card details)
• Support requests, feedback, and other correspondence
• Product reviews, ratings, and comments
• Information about your websites and game servers connected to the Service

Data Collected Automatically

When using the Service, the following data is collected automatically:

• Device information: browser type, operating system
• Log data: IP address, access time, pages viewed
• Usage data: sections visited, actions performed
• Approximate location based on IP address
• Data collected through cookies and similar technologies

Data from Third Parties

We may receive data from:

• Discord — authentication data upon sign-in
• Payment aggregators — transaction status information
• Analytics services — anonymized usage data

5. Purposes of Data Processing

Personal data is processed for the following purposes:

• Providing, maintaining, and improving the Service
• Creating and managing User accounts
• Performing the license agreement: processing payments, issuing licenses, providing updates
• Providing technical support and handling inquiries
• Sending notifications about account status, security, and Product updates
• Sending informational and promotional messages (only with User consent, with opt-out option)
• Personalizing the interface and recommendations
• Ensuring security, preventing fraud and abuse
• Complying with the requirements of Russian legislation
• Analyzing Service usage for improvement
• Developing new features and Products

6. Legal Basis for Processing

Personal data is processed on the following legal grounds (Article 6 of Federal Law No. 152-FZ):

• Contract performance: processing necessary for the performance of the license agreement (Clause 5, Part 1, Article 6 of 152-FZ)
• Data subject consent: when you give explicit consent to data processing (Part 1, Article 6 of 152-FZ)
• Legitimate interests of the Operator: ensuring security and improving the Service
• Legal compliance: when processing is required by law (Clause 2, Part 1, Article 6 of 152-FZ)

7. Data Sharing with Third Parties

We do not sell Users' personal data. Data may be shared in the following cases:

• Service providers: payment aggregators, hosting providers, analytics services — to the extent necessary for service delivery
• Legal requirements: upon requests from courts, law enforcement, and other authorized bodies of the Russian Federation
• Rights protection: to protect the rights, security, and legitimate interests of the Operator and Users
• With User consent: in other cases — only with explicit consent
• Reorganization: in case of business reorganization — in compliance with Federal Law No. 152-FZ
• Anonymized data: aggregated statistical data that does not identify the User

8. Cookies

The Service uses cookies to ensure functionality and improve user experience:

Types of Cookies Used

• Essential: ensure basic Service functionality (authentication, session security)
• Functional: save User preferences (language, theme)
• Analytics: help analyze Service usage
• Marketing: used to display relevant offers (if applicable)

Upon first visit to the Service, a cookie usage notification is displayed. By continuing to use the Service, you agree to the use of cookies. You can manage cookies through your browser settings. Disabling essential cookies may affect Service functionality.

9. Personal Data Protection

The Operator takes the necessary legal, organizational, and technical measures to protect personal data from unauthorized access, destruction, modification, blocking, copying, and distribution (Article 19 of 152-FZ). Measures include:

• Data encryption in transit (TLS/SSL) and at rest
• Restricted access to personal data (role-based access control)
• Regular security audits and system monitoring
• Familiarizing personnel with data protection requirements
• Incident response procedures for security breaches and data leaks

No method of data transmission over the Internet is absolutely secure. The Operator makes all reasonable efforts to protect your data but cannot guarantee absolute security.

Incident Response and Breach Notification

In the event of a personal data breach (unauthorized access, leak, loss, or destruction), the Operator shall:

• Notify Roskomnadzor within 24 hours from the moment the incident is detected (in accordance with Federal Law No. 266-FZ dated 14.07.2022)
• Notify affected data subjects within 72 hours via available communication channels
• Conduct an internal investigation to determine the causes of the incident and minimize its consequences
• Take measures to prevent similar incidents in the future

10. Data Retention

Personal data is retained no longer than necessary for the purposes of processing:

• Account data: retained for the duration of the account's existence
• Transaction data: retained for the periods required by Russian law (at least 5 years for accounting documents)
• Dispute resolution data: retained until claims are resolved
• Backups: data may persist in backups for a limited period

Upon account deletion or User request, personal data is deleted or anonymized within 30 days, except for data required to be retained under Russian law.

11. Data Subject Rights

In accordance with Federal Law No. 152-FZ, you have the following rights:

• Right of access: obtain information about the processing of your personal data and a copy thereof (Article 14 of 152-FZ)
• Right to correction: request correction of inaccurate or outdated data
• Right to deletion: request cessation of processing and deletion of data (Article 21 of 152-FZ)
• Right to blocking: request blocking of data pending clarification
• Right to data export: request an export of your data
• Right to withdraw consent: withdraw consent to data processing at any time
• Right to opt out: opt out of receiving promotional messages
• Right to complain: file a complaint with Roskomnadzor (Federal Service for Supervision of Communications, Information Technology, and Mass Media) — rkn.gov.ru

To exercise your rights, send a request to xenozf@gmail.com. We will review your request within 10 business days (Article 20 of 152-FZ).

12. Data Storage and Cross-Border Transfer

Primary processing and storage of personal data of citizens of the Russian Federation is carried out using databases located on the territory of the Russian Federation, in accordance with Part 5, Article 18 of Federal Law No. 152-FZ.

Cross-border data transfer may be carried out to countries ensuring adequate protection of data subject rights (the list is determined by Roskomnadzor). For transfers to other countries, additional safeguards are applied, including data subject consent and contractual obligations of the data recipient.

13. Data of Minors

The Service is not intended for persons under 14 years of age. We do not knowingly collect personal data from children. Processing of data of persons aged 14 to 18 is permitted with the consent of their legal guardians. If we learn that a child's data was collected without proper consent, we will take steps to delete it.

If you believe a minor has provided us with personal data without parental consent, please contact us.

14. Links to Third-Party Resources

The Service may contain links to third-party websites and services (Discord, GitHub, payment systems). We do not control and are not responsible for the processing of your data by third parties.

We recommend reviewing the privacy policies of third-party services before using them.

15. Do Not Track Signals

Some browsers support a "Do Not Track" feature. Currently, we do not process such signals due to the absence of a unified standard for their interpretation.

16. Changes to This Privacy Policy

The Operator may update this Policy. When making material changes, we will notify you by:

• Publishing the updated Policy on the website
• Sending an email notification (for significant changes)
• Displaying a notice within the Service

The date of the last update is indicated at the beginning of the document. Continued use of the Service after changes take effect constitutes acceptance of the updated Policy.

17. Contact Information

For inquiries regarding personal data processing, please contact us:

• Email: xenozf@gmail.com
• Discord: official community server: discord.gg/BcBMeVJJsd
• Telegram: @flamesina
• GitHub: Issues and Discussions: github.com/Flute-CMS/cms

We will review your inquiry within 10 business days in accordance with Federal Law No. 152-FZ.