Privacy Policy
Last updated: March 9, 2026
1. General Provisions
1.1. This Privacy Policy (hereinafter — the "Policy") defines the procedures for collecting, processing, storing, using, transferring, protecting, and destroying personal data of users of the LALAPAM platform (hereinafter — the "Platform"), located at lalapam.ru.
1.2. The Policy has been developed and operates in accordance with Federal Law No. 152-FZ dated July 27, 2006 "On Personal Data" (hereinafter — FZ-152), Decree of the Government of the Russian Federation No. 1119 dated November 1, 2012 "On Approval of Requirements for the Protection of Personal Data During Their Processing in Personal Data Information Systems," and other regulatory legal acts of the Russian Federation in the field of personal data.
1.3. The Policy applies to all personal data that the Operator may receive from Users, Users' Clients, and other personal data subjects in the course of using the Platform.
1.4. By registering on the Platform, transmitting personal data, and/or using the Platform's functionality, the User expresses consent to the terms of this Policy. If the User disagrees with the terms of the Policy, the User must cease using the Platform.
1.5. The Operator does not control and is not responsible for third-party websites that the User may access via links posted on the Platform.
2. Personal Data Operator
2.1. The personal data operator is:
- Name: Individual Entrepreneur Denis Nikolaevich Filipkin
- TIN (INN): 731201040405
- Address: 6 Kirova St., Apt. 225, Ulyanovsk, 432048, Russian Federation
- Email: support@lalapam.ru
2.2. The Operator appoints a person responsible for organizing the processing of personal data in accordance with Article 22.1 of FZ-152.
3. Definitions
3.1. The following terms are used in this Policy:
- Personal Data — any information relating directly or indirectly to an identified or identifiable natural person (personal data subject) (Article 3 of FZ-152).
- Processing of Personal Data — any action (operation) or set of actions (operations) performed with or without automated means on personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, and destruction of personal data.
- Operator — Individual Entrepreneur Denis Nikolaevich Filipkin, who independently or jointly with other persons organizes and/or carries out the processing of personal data, and also determines the purposes of processing personal data, the composition of personal data subject to processing, and actions (operations) performed on personal data.
- Personal Data Subject — a natural person to whom the processed personal data directly or indirectly relates.
- Processor — a person who processes personal data on behalf of the Operator on the basis of a concluded agreement (processing instruction).
- User — a natural or legal person (individual entrepreneur, self-employed) registered on the Platform and using its functionality to organize the sale of their services, goods, and bookings.
- User's Client — a natural person who interacts with the User through the Platform as a consumer of services, goods, or bookings.
- Platform — the LALAPAM software suite, including the website, web applications (PWA), Telegram Mini App, and associated application programming interfaces (API).
4. Categories of Personal Data
4.1. The Operator processes the following categories of personal data:
| Category | Data Composition | Purpose of Processing |
|---|---|---|
| Identification Data | First name, last name, email address, phone number, profile photo | Registration, user identification, personal account management |
| Authorization Data | Telegram ID, VK ID, Yandex ID, MAX messenger ID, OAuth provider access tokens | Authorization and authentication through third-party providers (OAuth 2.0) |
| Technical Data | IP address, browser user-agent, session data (session identifier, creation time, expiration time) | Security, fraud prevention, technical support |
| Transactional Data | Order information (service/product name, amounts, dates, statuses), payment data (payment status, transaction identifier) | Contract performance, transaction accounting, reporting |
| Fiscal Data | Self-employed person's TIN (INN), Federal Tax Service receipt data (service name, amount, date) | Fiscal receipt generation via the "My Tax" API, compliance with Russian tax legislation |
| Analytics Data | Platform interaction events (order creation, payment, registration, notification sending, etc.) | Service quality improvement, platform usage analysis, technical issue identification |
4.2. The Operator does not process special categories of personal data relating to race, ethnicity, political views, religious or philosophical beliefs, health status, or intimate life.
4.3. The Operator does not process biometric personal data.
5. Purposes of Data Processing
5.1. The Operator processes personal data exclusively for the following purposes:
- Contract Performance — providing Platform functionality under the Terms of Service, including account creation and management, order processing, and personal account access.
- Authorization and Authentication — user identification upon logging into the Platform, including through third-party providers (Telegram, VK ID, Yandex ID, email).
- Sending Notifications — informing users about order statuses, reminders, and service messages through channels: Telegram, MAX messenger (VK), email, browser push notifications.
- Fiscal Receipt Generation — automatic receipt creation through the Federal Tax Service "My Tax" API for self-employed users in accordance with the Russian Tax Code.
- AI Assistant — generating recommendations, automatic business process configuration, processing user text queries using artificial intelligence technologies.
- Analytics and Platform Improvement — collecting and analyzing depersonalized and aggregated data on Platform interactions to improve service quality, identify and resolve technical issues.
- Security — preventing unauthorized access, fraud, DDoS attacks, and other information security threats.
5.2. Processing of personal data incompatible with the stated purposes is not permitted.
6. Legal Basis for Processing
6.1. Personal data processing is carried out on the following legal grounds:
- Consent of the personal data subject (Article 6, Part 1, Clause 1 of FZ-152) — upon registration on the Platform, when connecting additional communication channels, and when using the AI assistant.
- Contract performance (Article 6, Part 1, Clause 5 of FZ-152) — processing of data necessary for the performance of the Terms of Service to which the personal data subject is a party, as well as for concluding a contract at the subject's initiative.
- Legitimate interest of the operator (Article 6, Part 1, Clause 7 of FZ-152) — processing of data necessary to ensure Platform security, prevent fraud, conduct internal analytics, and improve service quality, provided that such processing does not violate the rights and freedoms of the personal data subject.
- Compliance with legal obligations (Article 6, Part 1, Clause 2 of FZ-152) — processing of fiscal data in accordance with the requirements of the Russian Tax Code.
6.2. Consent to the processing of personal data may be withdrawn by the subject in the manner prescribed in Section 10 of this Policy. Withdrawal of consent does not affect the lawfulness of processing carried out prior to the withdrawal.
7. Transfer of Data to Third Parties
7.1. The Operator is entitled to transfer personal data to third parties exclusively in cases provided for by this Policy and applicable legislation of the Russian Federation.
7.2. List of third parties to whom personal data may be transferred:
| Service | Purpose | Data Transferred | Jurisdiction |
|---|---|---|---|
| Resend | Email notification delivery | Email address, message content | USA |
| Telegram Bot API | Telegram messenger notifications | Chat ID, message text | UAE |
| MAX (VK) | MAX messenger notifications | User ID, message text | Russian Federation |
| OpenAI | AI assistant (text query processing) | User query text (without identification data where possible) | USA |
| VK ID | OAuth authorization | Access token, profile data (name, photo) | Russian Federation |
| Yandex ID | OAuth authorization | Access token, profile data (name, email, photo) | Russian Federation |
| Federal Tax Service ("My Tax" API) | Fiscal receipt generation | Self-employed person's TIN, transaction amount, service name | Russian Federation |
| Web Push (browser) | Browser push notifications | Subscription endpoint, encryption keys | Depends on browser push service provider |
7.3. Data is transferred to third parties exclusively in the volume necessary to achieve the stated processing purposes.
7.4. The Operator obligates third parties to maintain the confidentiality of personal data and ensure their security during processing, and to not use personal data for purposes not provided for by this Policy.
8. Cross-Border Data Transfer
8.1. The Operator carries out cross-border transfer of personal data to the following countries:
- USA — OpenAI (AI query processing), Resend (email delivery).
- UAE — Telegram (notification delivery via Telegram Bot API).
8.2. Legal grounds for cross-border transfer:
- Consent of the personal data subject to cross-border transfer (Article 12, Part 4, Clause 1 of FZ-152).
- Necessity of performing a contract between the operator and the personal data subject (Article 12, Part 4, Clause 2 of FZ-152).
8.3. Protective measures for cross-border transfer:
- Data encryption during transmission using TLS 1.2 protocol or higher.
- Data minimization — only data strictly necessary for the provision of the respective services is transferred.
- Data depersonalization when transferring to OpenAI — direct identification data is excluded from queries where technically feasible.
- Risk assessment and verification of the level of protection in the receiving country in accordance with the requirements of Article 12 of FZ-152.
9. Data Retention Periods
9.1. The Operator retains personal data for no longer than required by the purposes of processing, unless a different retention period is established by federal law or contract.
| Data Category | Retention Period | Basis |
|---|---|---|
| Account data (identification, authorization) | Until account deletion by the user or upon subject's request | Contract performance |
| Authorization sessions | 30 days from creation | Security |
| Order data (transactional) | 3 years from order creation date | Contract performance, legitimate interests of the operator |
| Fiscal data | 4 years from the end of the tax period | Article 23 of the Russian Tax Code |
| Analytics events | 3 years from event registration | Legitimate interests of the operator (service improvement) |
| Message queue data (notifications) | 30 days after sending | Technical delivery assurance |
9.2. Upon expiration of the retention period, personal data shall be destroyed or depersonalized within no more than 30 days, unless otherwise provided by applicable legislation.
9.3. In the event of consent withdrawal by the personal data subject, the Operator shall cease processing and destroy personal data within no more than 30 days from the date of receiving the withdrawal, except in cases where processing may be continued on another legal basis (Section 6.1 of this Policy).
10. Rights of Personal Data Subjects
10.1. The personal data subject has the following rights in accordance with FZ-152:
- Right to information (Article 14 of FZ-152) — the subject has the right to receive information regarding the processing of their personal data, including: confirmation of processing, legal grounds and purposes, processing methods, operator's name and address, composition of processed data, processing and storage periods.
- Right of access to personal data — the subject has the right to request and receive a copy of their personal data processed by the Operator.
- Right to rectification (Article 14, Part 1 of FZ-152) — the subject has the right to demand clarification, updating, or correction of inaccurate or incomplete personal data.
- Right to erasure (Article 14, Part 1 of FZ-152, Article 21 of FZ-152) — the subject has the right to demand destruction of personal data if the data is incomplete, outdated, unlawfully obtained, or unnecessary for the stated purpose of processing.
- Right to withdraw consent (Article 9, Part 2 of FZ-152) — the subject has the right to withdraw previously given consent to the processing of personal data at any time.
- Right to restriction of processing — the subject has the right to demand restriction of processing of their personal data in cases provided by law.
- Right to data portability — the subject has the right to request their personal data in a structured, commonly used, and machine-readable format (JSON).
- Right to appeal (Article 17 of FZ-152) — the subject has the right to appeal the actions or inaction of the Operator to the authorized body for the protection of personal data subjects' rights (Roskomnadzor) or through judicial proceedings.
10.2. To exercise their rights, the personal data subject shall send a written request to the Operator's email address: support@lalapam.ru.
10.3. The request must contain:
- Last name, first name, and patronymic (if available) of the subject.
- Email address registered on the Platform (or another identifier for verification).
- Description of the request (the specific right the subject wishes to exercise).
10.4. The Operator shall review the request and provide a response within 10 business days from the date of receiving the request or the subject's appeal (Article 20 of FZ-152). If additional verification is required, the period may be extended, and the subject shall be notified accordingly.
10.5. The Operator may refuse to fulfill the request in cases provided by the legislation of the Russian Federation, including when identification of the subject is not possible.
11. Cookies and Local Storage
11.1. The Platform uses browser local storage technologies (localStorage) to ensure service functionality.
| Identifier | Type | Purpose | Retention Period |
|---|---|---|---|
| session_token | localStorage | User authorization (session identifier storage) | Until logout |
| Theme preference | localStorage | Saving user interface settings (light/dark theme) | Indefinite (until cleared by user) |
11.2. The Platform does not use third-party advertising or analytics cookies.
11.3. All data in localStorage is stored exclusively on the user's device and is not transmitted to third parties.
12. Security Measures
12.1. The Operator takes necessary and sufficient organizational and technical measures to protect personal data from unlawful or accidental access, destruction, modification, blocking, copying, distribution, and other unlawful actions by third parties, in accordance with Article 19 of FZ-152 and Government Decree No. 1119.
12.2. Technical security measures:
- Data encryption in transit — all connections to the Platform are protected by TLS 1.2 protocol or higher (HTTPS).
- Encryption of sensitive data in the database — API keys, access tokens, and other secret data are stored in encrypted form.
- Access control — role-based access model with permission segregation (User, Administrator, Staff). Each user has access only to their own data and their organization's data.
- Session authentication — cryptographically strong session identifiers with limited validity period (30 days) are used.
- Regular backups — automatic database backups with encryption and storage in secure object storage.
- Activity logging — security event logging for incident detection and investigation.
12.3. Organizational security measures:
- Limiting the circle of persons who have access to personal data.
- Controlling access to server equipment and software.
- Regular auditing of security measures and software updates.
13. Processing of Users' Client Data
13.1. With respect to the personal data of Users' Clients, the Operator (LALAPAM) acts as a processor on behalf of the User, who is an independent operator of the personal data of their Clients.
13.2. The User, by using the Platform to interact with their Clients, is obligated to:
- Independently determine the legal basis for processing the personal data of their Clients.
- Obtain proper consent from Clients for the processing of their personal data, if required under FZ-152.
- Inform Clients that their personal data is processed using the LALAPAM Platform.
- Ensure the exercise of rights of their Clients as personal data subjects.
13.3. The procedure for processing Users' Client data is governed by the Data Processing Agreement (DPA), which is an integral part of the Terms of Service.
13.4. LALAPAM processes Users' Client data exclusively within the scope of the User's instruction and for purposes determined by the User. LALAPAM does not use Users' Client data for its own purposes not provided for by the instruction.
13.5. In the event of receiving requests from Users' Clients regarding their personal data, LALAPAM notifies the respective User and assists in fulfilling the request.
14. Changes to the Policy
14.1. The Operator reserves the right to amend this Privacy Policy.
14.2. The Operator shall notify users of changes no less than 30 (thirty) calendar days before the changes take effect by publishing the updated version of the Policy on the Platform and/or sending a notification through available communication channels (email, push notification, messenger message).
14.3. Continued use of the Platform after the changes take effect constitutes the user's acceptance of the updated Policy.
14.4. If the user disagrees with the changes, the user has the right to cease using the Platform and delete their account.
14.5. The current version of the Policy is always available at: lalapam.ru/en/privacy.
15. Contact Information
15.1. For any questions related to the processing of personal data, the personal data subject may contact the Operator:
- Operator: Individual Entrepreneur Denis Nikolaevich Filipkin
- TIN (INN): 731201040405
- Address: 6 Kirova St., Apt. 225, Ulyanovsk, 432048, Russian Federation
- Email: support@lalapam.ru
15.2. The authorized body for the protection of personal data subjects' rights is the Federal Service for Supervision of Communications, Information Technology, and Mass Media (Roskomnadzor): rkn.gov.ru.