Privacy & legal

Personal Data Processing Policy

Cartelta policy for business requests, demos, cookies, analytics, and communications about client-side security and PCI DSS.

Revision date May 9, 2026
Version 2026-05-09.1
cartelta.com
Informational translation / noindex until legal approval

This English page is provided for information only. The Russian version remains authoritative where that position applies to the company.

1. General provisions

In this Policy, Cartelta means the Cartelta JSIR service and brand used to process business requests, organize demonstrations, and communicate about client-side security, PCI DSS, and payment page protection on https://cartelta.com and the Russian version at https://cartelta.com/ru.

Contractor details, legal requisites and applicable contractual terms are provided before placing an order, making a payment or entering into an agreement for the relevant service.

2. Terms and definitions

Personal data, operator, processing, data subject, disclosure, restriction, deletion, and related terms are used in the sense of applicable personal data laws and the Russian source document.

Cookies and similar technologies mean small data fragments or web storage keys that the site or a connected service may store in the user's browser.

Operator information

Cartelta JSIR is a client-side security service for script inventory, integrity control and payment page change detection in the PCI DSS 4.0.1 context.

Contractor details, legal requisites and applicable contractual terms are provided before placing an order, making a payment or entering into an agreement for the relevant service.

Commercial terms, service scope, access procedure, party liability, and other material terms are documented in an agreement, order form, invoice, or another applicable document before services begin.

Email for personal data requests: support@cartelta.ru. Support email: support@cartelta.ru.

Person responsible for personal data processing: responsible Cartelta representative for request handling and communication. Primary data collection database location: infrastructure location and applicable providers are specified in contractual, technical, or compliance documents for the relevant service.

3. Sites covered by this policy

  • https://cartelta.com
  • https://cartelta.com/ru

4. Data subject categories

  • site visitors;
  • people who submit business requests through contact forms or by email;
  • potential customers and representatives of customer organizations;
  • future account area users if account access is provided.

5. Processing purposes

  • operating the site and maintaining page availability and security;
  • processing incoming business requests and providing a response;
  • organizing Cartelta JSIR demonstrations and preparing commercial proposals;
  • communicating about PCI DSS 6.4.3/11.6.1, web skimming, formjacking, and payment page protection;
  • maintaining the security of the site and account area, including security logs;
  • fulfilling contractual and compliance obligations if an agreement is entered into;
  • site analytics and improvement only after consent to analytics cookies.

6. Personal data categories

  • name or full name provided by the user;
  • position and organization, if provided;
  • email address;
  • phone number if provided voluntarily;
  • company website and request content if provided;
  • technical site data: IP address, user agent, date and time, URL, referrer, cookie identifiers, browser and device data, security logs;
  • data needed for a demo, pilot, agreement, or support if applicable;
  • analytics data if the user consents to analytics cookies.

7. Legal bases

  • data subject consent when submitting the contact form;
  • user consent for analytics cookies when analytics is enabled;
  • processing the user's request and preparing a response;
  • contractual and compliance obligations if an agreement is entered into;
  • other legal bases confirmed for the relevant service or engagement.

8. Processing operations

Cartelta may collect, record, organize, accumulate, store, update, retrieve, use, transfer where legally permitted, anonymize, restrict, delete, and destroy personal data.

9. Retention periods

  • requests and correspondence: for the period necessary to process the request, prepare a proposal, confirm communication, and protect legitimate interests of the parties;
  • cookie choice: until the user changes settings, clears browser data, or the established retention period expires;
  • analytics data: according to Yandex Metrica, Google Analytics, and operator settings if analytics is connected;
  • security logs: within the period necessary to maintain security, investigate incidents, and comply with applicable requirements.

10. Third parties and services

  • Yandex LLC, Yandex Metrica analytics, if enabled and the user has consented.
  • Google Analytics / GA4, if enabled and the user has consented. This requires separate legal review.
  • Hosting providers and infrastructure vendors used to operate the site and Cartelta JSIR.
  • Cartelta email, SMTP, or CRM tools used to process requests; access is limited to responsible Cartelta representatives.

Current configuration flags: Yandex Metrica is disabled, Google Analytics is disabled. Loading happens only after consent.

11. Cross-border transfer

Google Analytics may involve processing or transferring technical data outside the Russian Federation. This is noted here and must be reviewed before Google Analytics is enabled.

Before Google Analytics is enabled, Cartelta reviews regulatory notification requirements, data scope, destination country, recipient, contractual basis, and Google Analytics settings.

12. Localization

Primary collection, recording, organization, accumulation, storage, update, and retrieval of Russian citizens' personal data must use databases located in the Russian Federation where that rule applies.

Infrastructure location and applicable providers are specified in contractual, technical, or compliance documents for the relevant service.

13. Data subject rights and requests

  • receive information about personal data processing;
  • request correction, restriction, or deletion of data;
  • withdraw consent;
  • send requests to Cartelta about personal data processing.

Requests may be sent to support@cartelta.ru. Cartelta may request information needed to confirm the identity of the requester or the authority of a representative.

14. Protection measures

  • HTTPS;
  • minimization of required contact form fields;
  • restricted access to requests and contact data;
  • honeypot, submission delay, and rate limiting for the contact form;
  • encrypted local request storage on the server when a valid key is configured;
  • security headers including Referrer-Policy, X-Content-Type-Options, and Permissions-Policy.

15. Cookies and analytics

For cookie categories, consent settings, Yandex Metrica, Google Analytics, and the cookie table, see the Cookie Policy.

16. Final provisions

The current version is published on the site and is available without registration. The document is updated when processing operations, service providers, or legal requirements change.

Version: 2026-05-09.1. Revision date: 2026-05-09.



© 2026 Cartelta. All rights reserved.
