Personal Data Processing Policy

1. General Provisions

1.1. The Personal Data Processing Policy (hereinafter referred to as the "Policy") defines the procedure for processing and ensuring the security of personal data of Users of the Whisper Summary AI Bot service in the Telegram messenger (@WhisperSummaryAI_bot) (hereinafter referred to as the "Service", "Bot"), as well as measures implemented by the Operator to protect personal data.

1.2. Operator: Individual Entrepreneur Lyashch Maxim Mikhailovich, INN 770302130747, OGRNIP 324508100365725 (hereinafter referred to as the "Operator"). Details and contacts are specified in the Policy.

1.3. The Policy applies to personal data that the Operator receives when the User uses the Service in Telegram, as well as in the performance of the User Agreement (hereinafter referred to as the "User Agreement").

1.4. Processing of personal data is carried out by the Operator using automation tools and/or without their use (mixed processing) and may include: collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (provision, access), depersonalization, blocking, deletion, and destruction of personal data in accordance with Federal Law No. 152-FZ dated July 27, 2006 "On Personal Data" (hereinafter referred to as "152-FZ").

2. Terms and Definitions

2.1. User — a legally capable individual who has reached the age of 18, using the Service and having accepted the terms of the User Agreement.

2.2. Content — any audio and video files, text messages, links to external resources, and other materials transmitted by the User to the Bot for processing.

2.3. Result — textual information (transcript, summary) generated by the Service based on the Content.

2.4. UUID — a technical identifier of a request/session used by the Operator to minimize the transfer of direct User identifiers (for example, Telegram ID, username) to external providers, according to the logic described in the User Agreement.

3. Categories of Personal Data Processed

3.1. The Operator may process the following categories of data:

1. Telegram identifiers: Telegram ID, username/nickname, profile name (if available to the Operator through the Telegram API);
2. Content provided by the User;
3. Processing result;
4. Technical logs and events: information about request times, message/session identifiers, security events, and other technical data generated during the operation of the Service.

3.2. Content and/or Result may contain personal data of the User and/or third parties. The User guarantees the legality of transmitting Content and the existence of a legal basis for processing personal data of third parties if such data is present in the Content. The Operator does not perform preliminary verification of Content for the presence of personal data of third parties.

3.3. The Operator processes audio and video recordings (as part of Content) exclusively for automated conversion into text (transcription and summarization) and generation of Results. The Operator does not identify the User by voice/image and does not use Content for biometric identification; with this approach, processing does not pursue the purposes of processing biometric personal data within the meaning of 152-FZ.

3.4. The User is prohibited from using the Service to process special categories of personal data and biometric personal data as defined in the User Agreement; in case of violation of this prohibition, the User bears the responsibility provided for by the User Agreement and applicable law.

4. Purposes and Legal Grounds for Processing

4.1. Processing purposes:

1. providing access to the functionality of the Service and performance of the User Agreement;
2. User support and handling of inquiries;
3. ensuring the security of the Service, preventing abuse, detecting and suppressing violations of the User Agreement;
4. improving the quality of the Service based on statistics/metrics and error analysis, subject to compliance with the principles of minimization and security.

4.2. Legal grounds for processing personal data:

1. processing necessary for the performance of a contract to which the personal data subject is a party (User Agreement);
2. consent of the personal data subject — in cases where it is required, including cross-border transfer (if there is separate consent/acceptance of the relevant terms).

5. Entrusting Processing to Third Parties and Use of Providers

5.1. To provide the functionality of the Service, the Operator has the right to engage third parties (contractors/AI technology providers and service providers) to process personal data on behalf of the Operator, subject to:

1. concluding agreements providing for confidentiality and security measures;
2. processing data only to the extent necessary for the stated purposes;
3. compliance with the requirements of 152-FZ.

5.2. The Operator does not transfer User Content for the purpose of training AI models.

6. Cross-Border Transfer of Personal Data

6.1. In the course of performing the User Agreement and generating Results, the Operator may carry out cross-border transfer of Content and/or technical data (to the minimum extent necessary) to providers whose infrastructure may be located outside the Russian Federation. Cross-border transfer is carried out in accordance with Article 12 of 152-FZ.

6.2. As of the date of this Policy revision, the Operator uses (or may use) the following providers located in the United States for processing Content for transcription/summarization and generating Results:

1. OpenAI, Inc.;
2. Anthropic, PBC;
3. OpenAI, Inc.;
4. Anthropic, PBC;
5. Fireworks.ai, Inc.;
6. Groq, Inc.;
7. Deepgram, Inc.

6.3. The User is informed that the United States is not included in the list of foreign states ensuring adequate protection of the rights of personal data subjects, approved by Roskomnadzor Order No. 128 dated August 5, 2022. In this regard, cross-border transfer to the United States is carried out with the explicit consent of the User to such transfer and in compliance with the requirements of 152-FZ.

6.4. The Operator takes available measures to exclude the transfer of direct User identifiers known to the Operator (including Telegram ID and username) to external providers. A UUID is used for technical identification of the request; the correspondence between UUID and the User's account is stored in the Operator's infrastructure and is used only for providing services and ensuring the operability of the Service. The correspondence key between UUID and user identifiers is stored separately from depersonalized data, in a secure environment with restricted access.

6.5. The current list of providers and countries (territories) where processing is carried out may be updated by the Operator; updated information is reflected in this Policy.

7. Processing Terms, Storage, and Destruction

7.1. Personal data is processed for the period necessary to achieve the purposes of processing, unless a different period is provided for by the legislation of the Russian Federation or the User Agreement.

7.2. Content and Results may be stored to the extent and for the period necessary to provide the functionality of the Service, ensure security, and fulfill legal requirements. Upon the User's request, the Operator may delete Content/Results in the absence of other legal grounds for storage.

7.3. Upon achievement of the purposes of processing or in the presence of grounds for termination of processing (including withdrawal of consent, where applicable), the Operator destroys personal data within the time limits provided for by applicable legislation. Confirmation of destruction is carried out in accordance with Roskomnadzor Order No. 179 dated October 28, 2022 "On Approval of Requirements for Confirmation of Destruction of Personal Data".

8. Rights of the Personal Data Subject

8.1. The User has the rights provided for by the legislation of the Russian Federation, including the right to receive information about the processing of personal data, clarification of personal data, as well as blocking/destruction of personal data in the presence of legal grounds.

8.2. To exercise rights and submit inquiries, the User may send a request to the Operator's email address: info@whispersummary.com.

8.3. In order to protect data and prevent unauthorized access, the Operator has the right to request additional information from the applicant to identify the User as a personal data subject (for example, Telegram ID/username, information about the last interaction with the Bot), to the extent reasonably necessary to process the request.

9. Personal Data Security Measures

9.1. The Operator takes legal, organizational, and technical measures aimed at protecting personal data from unlawful or accidental access, destruction, modification, blocking, copying, provision, distribution, and other unlawful actions, including:

1. restriction and differentiation of access to data;
2. monitoring of security events and anomaly detection;
3. use of secure data transmission channels;
4. backup and recovery as part of ensuring the stability of the Service (if necessary);
5. other measures corresponding to the nature and volume of data processed and the risks.

9.2. The Operator has the right (but is not obligated) to apply automated and other Content control measures for violations of the Policy, User Agreement, or the presence of special categories of personal data and/or biometric personal data, including technical filters. Upon detection of signs of violation of the prohibition, the Operator has the right to immediately delete Content and/or restrict its processing, block functionality, suspend/terminate the User's access to the Service, and take other measures aimed at stopping the violation and minimizing risks. The User agrees that the Operator has the right to act on the basis of reasonable suspicion (indicators/signals) of the presence of prohibited data and is not obligated to request explanations from the User in advance.

10. Publication of the Policy and Amendments

10.1. The Operator ensures unlimited access to the Policy by posting a link to it in the Bot interface.

10.2. The Operator has the right to amend the Policy. The new version comes into force from the moment of posting in the Bot, unless otherwise specified in the new version.

11. Operator Details

Individual Entrepreneur Lyashch Maxim Mikhailovich

INN 770302130747

OGRNIP 324508100365725

Address: 143082, RUSSIA, MOSCOW REGION, ODINTSOVO, ODINTSOVO, ZHUKOVKA VILLAGE, TER ZHUKOVKA-21, BLDG 1B

Email for inquiries: info@whispersummary.com