Personal Data Processing Policy

Effective date: March 10, 2026

1. General Provisions

This Personal Data Processing Policy ("Policy") was developed in accordance with Federal Law No. 152-FZ of 27.07.2006 "On Personal Data" and defines the procedure for processing personal data and security measures applied by ShadeNPV (Fame app LTD) (hereinafter "Operator").

Email: support@shadenpv.com

2. Key Definitions

• Personal data— any information directly or indirectly relating to an identified or identifiable individual (personal data subject).
• Processing of personal data— any action or set of actions performed with or without automated means on personal data, including collection, recording, systematisation, accumulation, storage, clarification (update, modification), extraction, use, transfer (distribution, provision, access), depersonalisation, blocking, deletion, destruction.
• Automated processing— processing of personal data using computing equipment.

3. Personal Data Processed

The Operator processes the following User personal data:

• Email address.
• Device identifier (Device ID) — generated by the app automatically.
• Operating system type and version.
• App version.
• IP address (processed upon connecting to the server, not stored).
• Subscription information (plan type, start and end dates).

The Operator does not collect or process: bank card data (processed by YooKassa), browsing history, internet traffic content, DNS queries, biometric data, location data.

4. Purposes of Personal Data Processing

Personal data processing is carried out for the following purposes:

• User identification and authentication.
• Providing access to the ShadeVPN service.
• Subscription and plan management.
• Payment processing (via YooKassa).
• Technical support and troubleshooting.
• Sending subscription status notifications.
• Compliance with Russian Federation legislation.

5. Legal Grounds for Processing

Personal data processing is carried out on the basis of:

• Subject's consent to data processing (clause 1, part 1, art. 6 of Federal Law No. 152-FZ) — provided upon registration.
• Performance of an agreement to which the subject is a party (clause 5, part 1, art. 6 of Federal Law No. 152-FZ) — the public offer agreement for VPN services.
• Compliance with legal requirements (clause 2, part 1, art. 6 of Federal Law No. 152-FZ).

6. Processing Conditions

Personal data processing is carried out using automated means. Personal data is not distributed or transferred to third parties without the subject's consent, except as required by Russian Federation legislation.

6.1. Third-Party Data Transfers

Personal data may be transferred to:

• YooKassa (YooMoney LLC)— for processing payment transactions. Only data required for payment processing is transferred.
• Authorised government bodies — on grounds and in the manner established by Russian Federation legislation.

6.2. Cross-Border Transfers

The Operator's VPN servers are located in the United Kingdom, France, Netherlands, Latvia, Estonia, Finland, USA, Russia and Sweden. When connecting to the VPN, technical information (device identifier) may be transferred to servers in these countries. The Operator ensures adequate data protection in accordance with Russian Federation legislation.

7. Processing and Retention Periods

• Account data(email, device identifier) — retained for the duration of the subscription and 30 days after it ends, then deleted.
• Diagnostic logs— retained for no more than 14 days, then automatically deleted.
• Payment data— retained in accordance with Russian tax and accounting legislation (at least 5 years).

8. Personal Data Protection Measures

The Operator takes necessary and sufficient organisational and technical measures to protect personal data:

• Data encryption in transit (TLS 1.3).
• Authentication token storage in device secure storage (Keychain, EncryptedSharedPreferences, Credential Manager).
• Password hashing (bcrypt, cost 12).
• Access control for information systems.
• Server infrastructure protection (firewalls, intrusion detection).
• Regular software updates.

9. Rights of the Personal Data Subject

In accordance with art. 14 of Federal Law No. 152-FZ, the personal data subject has the right to:

• Obtain information regarding the processing of their personal data, including: confirmation of processing, legal grounds and purposes, processing methods, information about persons with access to the data.
• Request clarification, blocking or destruction of personal data that is incomplete, outdated, inaccurate, unlawfully obtained or no longer necessary for the stated processing purpose.
• Withdraw consent to personal data processing by sending a request to the Operator's email.
• Appeal the Operator's actions or inactions to the authorised personal data protection body (Roskomnadzor) or in court.

To exercise these rights, send a request to: support@shadenpv.com. A response will be provided within 30 calendar days.

10. Operator Obligations

The Operator is obliged to:

• Provide the personal data subject, upon request, with information about the processing of their personal data.
• Cease processing personal data upon withdrawal of consent (except as required by law).
• Destroy personal data upon achievement of processing purposes or upon the subject's request.
• Notify Roskomnadzor in the event of security incidents involving personal data.

11. Changes to this Policy

The Operator may amend this Policy. The current version is available at shadenpv.com/personal-data. Continued use of the Service after changes constitutes acceptance of the updated Policy.

12. Contact Information

• ShadeNPV (Fame app LTD)
• Email: support@shadenpv.com
• Regulatory authority: Roskomnadzor (rkn.gov.ru)