Privacy Policy

This Policy is an internal regulatory document of the MoleculAI Platform (hereinafter — the Company), adopted in accordance with applicable data protection laws and regulations governing the processing of personal data.

This Policy establishes:

• the purpose, procedures, and conditions for processing personal data;
• the categories of data subjects whose personal data is processed, the categories (lists) of personal data processed, the methods, timeframes for processing and storage, and the procedures for destroying such data once processing purposes have been met or other lawful grounds arise;
• provisions regarding the protection of personal data, procedures aimed at identifying and preventing violations of data protection laws, and remediating the consequences of such violations.

This Policy uses terms and definitions in accordance with the meanings established by applicable data protection laws.

This Policy takes effect upon approval by the Company and remains in force until it is revoked or replaced by a new Policy.

Amendments to this Policy are made by decision of the Company. Changes take effect upon signing of the corresponding document.

2. Categories of Data Subjects

2.1. The data subjects whose personal data is processed by the Company under this Policy include:

• job applicants;
• current employees;
• former current employees;
• family members of employees — in cases where such information is provided by the employee as required by law;
• other individuals whose personal data the Company is required to process in accordance with employment law and other applicable regulations;
• customers, contractors, and partners of the Company.

3. Purposes of Personal Data Processing and Categories of Data Processed

3.1. Under this Policy, personal data is processed for the purpose of applying and complying with employment law within the scope of employment and directly related relationships, as well as within civil law relationships, and for the Company's interactions with prospective partners, customers, and other individuals in order to protect the personal data of these categories of individuals, including:

• assisting with employment;
• maintaining HR and accounting records;
• supporting employees in pursuing education and career advancement;
• processing awards and recognitions;
• providing the working conditions, benefits, and compensation required by law;
• completing and submitting required reporting forms to authorized agencies;
• ensuring the personal safety of employees and others, as well as the protection of property;
• monitoring the quantity and quality of work performed;
• protecting the rights and freedoms of individuals when processing their personal data, including the right to privacy and personal and family confidentiality;
• promoting the Company's products, work, and services on the market through direct contact with prospective customers via communication channels;
• engaging with the Company on matters of mutually beneficial cooperation and entering into agreements with prospective partners, customers, and other individuals.

3.2. In accordance with the purpose specified in Section 3.1 of this Policy, the following personal data is processed:

• last name, first name, middle name (if applicable), as well as previous last name, first name, middle name (if applicable), and the date and place of any such changes;
• gender;
• date (day, month, year) and place of birth;
• photograph;
• citizenship information;
• type, series, number of the identification document, name of the issuing authority, and date of issue;
• individual insurance account number;
• taxpayer identification number;
• registered address and registration date at place of residence (place of stay), and actual address of residence;
• contact phone number, email address, and/or other contact information;
• details of civil status registration certificates and the information contained therein;
• information about marital status and family composition (degree of kinship, last names, first names, middle names (if applicable), dates and places of birth);
• information about education and/or qualifications or specialized knowledge;
• information about foreign language proficiency;
• information about military service obligations, military registration, and details of military registration documents;
• information about employment history, including previous places of work, periods, and length of service;
• information contained in documents granting the right to stay and work in the Russian Federation (for foreign citizens);
• information about income and obligations under writs of execution;
• bank account and bank card numbers;
• information about health status (for certain categories of employees);
• information about the presence (absence) of a criminal record and/or criminal prosecution, or the termination of criminal prosecution on rehabilitative grounds (for certain categories of employees);
• other personal data contained in documents whose submission is required by law, if the processing of such data corresponds to the processing purposes provided for in Section 3.1 of the Policy.

3.3. The Individual Entrepreneur does not process special categories of personal data concerning race, ethnicity, political views, religious or philosophical beliefs, or intimate life, except in cases provided for by the legislation of the Russian Federation.

4. Procedure and Conditions for Processing Personal Data

4.1. Before beginning the processing of personal data, the Individual Entrepreneur is required to notify Roskomnadzor of the intent to process personal data.

4.2. The legal basis for processing personal data is the Labor Code of the Russian Federation, other regulatory legal acts containing labor law provisions, Federal Law No. 152-FZ of July 27, 2006 'On Personal Data,' Federal Law No. 402-FZ of December 6, 2011 'On Accounting,' and Russian Government Decree No. 719 of November 27, 2006 'On Approval of the Regulations on Military Registration.'

4.3. The Individual Entrepreneur processes personal data in compliance with the principles and conditions provided for by personal data legislation and this Policy.

4.4. The Individual Entrepreneur processes personal data using the following methods:

• non-automated processing of personal data;
• automated processing of personal data, with or without transmission of the obtained information via information and telecommunications networks;
• mixed processing of personal data.

4.5. The Individual Entrepreneur processes personal data with the consent of the personal data subject, unless otherwise provided by personal data legislation.

4.5.1. The processing of personal data that the subject has authorized for dissemination is carried out in compliance with the prohibitions and conditions provided for in Article 10.1 of the Personal Data Law.

4.5.2. The processing of biometric personal data is permitted only with the written consent of the personal data subject. Exceptions are the situations provided for in Part 2 of Article 11 of the Personal Data Law.

4.6. The Individual Entrepreneur does not carry out cross-border transfer of personal data.

4.7. The processing of personal data is carried out through collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, anonymization, blocking, deletion, and destruction of personal data, including through the use of computing equipment.

4.7.1. The Individual Entrepreneur collects, records, systematizes, accumulates, and clarifies personal data by means of:

• obtaining original documents or their copies;
• copying original documents;
• entering information into record forms on paper and electronic media;
• creating documents containing personal data on paper and electronic media;
• entering personal data into personal data information systems.

4.7.2. The Individual Entrepreneur uses the following information systems:

• corporate email;
• electronic document management system;
• user workstation support system;
• regulatory reference information system;
• human resources management system;
• remote access control system;
• information portal.

4.8. The transfer (dissemination, provision, access) of personal data of personal data subjects is carried out in the cases and in the manner provided for by personal data legislation and this Policy.

5. Terms of Processing and Storage of Personal Data

5.1. The Individual Entrepreneur ceases the processing of personal data in the following cases:

• upon detection of unlawful processing of personal data (processing must cease within three business days from the date of such detection);
• upon achievement of the processing purposes (with certain exceptions);
• upon expiration of the term or withdrawal by the personal data subject of consent to the processing of their personal data (with certain exceptions);
• upon the personal data subject's request to the Individual Entrepreneur to cease the processing of personal data (processing must cease no later than 10 business days from the date of receipt of the request).

5.2. Personal data is stored in a form that allows identification of the personal data subject no longer than is required for the purposes of processing. Exceptions are cases where the storage period for personal data is established by federal law or by a contract to which the personal data subject is a party.

5.3. Personal data on paper media is stored by the Individual Entrepreneur for the document retention periods established by the legislation on archival affairs in the Russian Federation.

5.4. The storage period for personal data processed in personal data information systems corresponds to the storage period for personal data on paper media.

6. Procedure for Blocking and Destroying Personal Data

6.1. The Individual Entrepreneur blocks personal data in the manner and under the conditions provided for by personal data legislation.

6.2. Upon achieving the purposes of personal data processing or if the need to achieve these purposes is lost, personal data shall be destroyed or anonymized.

6.3. Personal data obtained unlawfully or not necessary for the processing purpose shall be destroyed within seven business days from the date the personal data subject provides supporting information.

6.4. Personal data whose processing has been terminated due to unlawfulness and for which lawful processing cannot be ensured shall be destroyed within 10 business days from the date the fact of unlawful processing is identified.

6.5. Personal data shall be destroyed within 30 days from the date of achieving the processing purpose, unless otherwise provided by an agreement to which the personal data subject is a party, another agreement between them and the sole proprietor, or unless the sole proprietor is not entitled to process personal data without the consent of the personal data subject on grounds provided by federal laws.

6.6. Personal data shall be destroyed (if their retention is not required for processing purposes) within 30 days from the date of receiving the personal data subject's withdrawal of consent to their processing.

6.7. Selection of physical media (documents, hard drives, flash drives, etc.) and/or information in information systems containing personal data subject to destruction is performed by the sole proprietor's responsible person processing personal data.

6.7.2. Personal data on paper media shall be destroyed using a shredder. Personal data on electronic media shall be destroyed by mechanically damaging the integrity of the medium in a way that prevents reading or recovering personal data, as well as by deleting data from electronic media using methods and tools that guarantee the removal of residual information.

6.7.3. The responsible person confirms the destruction of personal data in accordance with the Requirements for Confirming the Destruction of Personal Data approved by Order of Roskomnadzor No. 179 dated 10/28/2022.

7. Protection of Personal Data

7.1. Without the written consent of the personal data subject, the sole proprietor does not disclose personal data to third parties and does not distribute personal data, unless otherwise provided by federal law.

7.2. To protect personal data, the sole proprietor appoints (approves):

• an employee responsible for organizing the processing of personal data;
• a list of positions in which personal data is processed;
• a list of personal data accessible to employees holding positions involving the processing of personal data;
• the procedure for accessing premises where personal data is processed;
• the procedure for transferring personal data to the sole proprietor;
• the form of consent to the processing of personal data;
• the procedure for protecting personal data when processed in personal data information systems;
• the procedure for conducting internal investigations and audits;
• other local regulations adopted in accordance with personal data legislation requirements.

7.3. Employees holding positions that involve the processing of personal data are granted access to it after signing a non-disclosure obligation.

7.4. Physical media containing personal data is stored in lockable cabinets (where applicable).

7.5. Access to personal information contained in the sole proprietor's information systems is granted through individual passwords.

7.6. The sole proprietor uses certified antivirus software with regularly updated databases.

7.7. The sole proprietor's employees who process personal data periodically undergo training on personal data legislation requirements.

7.9. The sole proprietor conducts internal investigations in the following situations:

• in cases of unlawful or accidental transfer (provision, distribution, access) of personal data that resulted in a violation of the rights of personal data subjects;
• in other cases provided by personal data legislation.

7.10. The employee responsible for organizing personal data processing exercises internal control over compliance with personal data legislation requirements. Internal control is carried out in the form of internal audits.

7.11. An internal investigation is conducted if a fact of unlawful or accidental transfer of personal data resulting in a violation of the rights of personal data subjects is identified (hereinafter referred to as an incident).

7.11.1. In the event of an incident, the sole proprietor notifies Roskomnadzor within 24 hours about the incident, its alleged causes, the harm caused to the rights of the personal data subject, and the measures taken to eliminate the consequences of the incident.

7.11.2. Within 72 hours, the sole proprietor is required to notify Roskomnadzor of the results of the internal investigation and provide information about the persons whose actions caused the incident (if any).

7.12. If confirmed information is provided that personal data is incomplete, inaccurate, or outdated, changes shall be made within seven business days.

8. Liability for Violation of Rules Governing Personal Data Processing

8.1. Persons guilty of violating the provisions of Russian Federation legislation on personal data during personal data processing are subject to disciplinary and material liability in the manner established by the Labor Code of the Russian Federation and other federal laws. In addition, they are subject to administrative, civil, or criminal liability in the manner established by federal laws.

8.2. Moral damage caused to a personal data subject as a result of a violation of their rights, violation of personal data processing rules, or failure to comply with data protection requirements shall be compensated in accordance with the legislation of the Russian Federation. Compensation for moral damage is carried out independently of compensation for property damage and losses incurred by the personal data subject.