Personal Data Processing Policy

1. General provisions

1.1. This Policy describes how personal data is processed and protected in Smart Home Design.

1.2. Operator: Mark Igorevich Kats, an individual located in Moscow, Russian Federation; email: info@xyz.su.

1.3. The Policy applies to visitors, registered users, representatives of organizations, customers, contractors, employees, invited project members and other persons whose data is lawfully submitted to the Service.

1.4. Processing is governed by the laws of the Russian Federation, including Federal Law No. 152-FZ on Personal Data.

2. Definitions

2.1. Service means the Smart Home Design platform, web interface, API, MCP, modules, databases, storage, collaboration tools and integrations.

2.2. User means an individual using the Service personally or on behalf of an organization.

2.3. Organization means a workspace combining users, projects, access rights and data.

2.4. Project means data concerning a facility, diagrams, devices, controllers, documents, tasks, finance, discussions and integrations.

3. Data categories

The Operator does not request sensitive categories of personal data. Users must not upload such data without a lawful basis and a genuine need.

4. Purposes

5. Legal grounds

5.1. Consent of the data subject.

5.2. Entering into and performing the User Agreement or another contract.

5.3. Compliance with Russian law.

5.4. Legitimate interests of the Operator or third parties where the subject's rights are not overridden.

5.5. An organization that uploads data about its customers, employees or other persons is responsible for the lawful basis for doing so. Smart Home Design processes such data only as required to provide the Service.

6. Access

6.1. Access within an organization is managed by its owner, administrators, roles and project settings.

6.2. The Operator and authorized personnel may access data only where necessary for support, diagnostics, security, contract performance and project maintenance.

6.3. Privileged actions may be recorded in audit logs.

7. Disclosures and integrations

7.1. Data may be disclosed to infrastructure and software providers as required for hosting, object storage, email, single sign-on, push notifications, cloud storage and collaboration.

7.2. When enabled by the user, data may be exchanged with Yandex Alice, Asana, Seafile, Telegram, Zulip, Gitea, Grafana, Authentik/OIDC, WebAuthn, MCP/API and facility automation systems or controllers.

7.3. The actual recipients depend on the features enabled by the organization. Personal data is not sold.

7.4. Disclosure to public authorities takes place only where required by law.

8. Data location and international transfers

8.1. Russian users and projects are hosted on servers in the Russian Federation subject to applicable localization requirements.

8.2. Foreign projects may be hosted and processed outside the Russian Federation.

8.3. Enabling foreign integrations may result in an international data transfer.

9. Retention and deletion

9.1. Data is retained while the account, organization membership or contract remains active and as long as required for the stated purposes or by law.

9.2. The organization owner may request deletion of the organization. User account deletion is performed through support at info@xyz.su after identity and authority verification.

9.3. Certain records may be retained for legal compliance, dispute resolution, abuse prevention and audit purposes.

9.4. Database backups retain the latest 35 snapshots with up to three snapshots created per day; project backups retain up to 7 daily copies; application and file backups retain up to 8 weekly copies. Deleted data may remain in pre-existing encrypted backups until scheduled rotation and is not used in ordinary operations.

10. Security

10.1. The Operator uses access controls, authentication, encryption of selected secrets and backups, audit logging, software updates, monitoring and backups.

10.2. No transmission or storage method is absolutely secure. Incidents are handled according to risk and applicable law.

11. Data subject rights

11.1. A subject may request information, correction, restriction or deletion, withdraw consent and lodge a complaint.

11.2. Requests must be sent to info@xyz.su. Identity or authority verification may be required.

11.3. Withdrawal of consent does not affect prior lawful processing and does not stop processing based on another lawful ground.

11.4. Where data was submitted by an organization, the subject may contact both the Operator and that organization.

12. Public links and shared access

12.1. Users and organizations may create public links, invitations and other access methods and are responsible for their scope, duration and recipients.

12.2. The Operator may restrict public access where there is a security threat, legal violation, rights-holder complaint or accidental disclosure.

12.3. Before publishing a link, users must ensure that it does not expose unnecessary personal data, secrets, tokens or confidential information.

13. Logs, analytics and automated processing

13.1. The Service may keep logs of sign-ins, changes, commands, errors, API requests and privileged operations for security, diagnostics and evidence.

13.2. Automated mechanisms may detect failures, suspicious activity, limit violations and technical anomalies.

13.3. No decision producing legal effects for a user is made solely by automated processing unless law or a separate agreement provides otherwise.

14. Processing on behalf of organizations

14.1. An organization uploading customer, employee, contractor or other third-party data determines the purposes of processing and is responsible for lawful collection.

14.2. The Operator processes such data on the organization's behalf within Service functionality, contracts, access settings and instructions.

14.3. Organizations must avoid excessive data collection and handle relevant data-subject requests without undue delay.

15. Incidents and notices

15.1. If a security incident is identified, the Operator takes containment, assessment, recovery and notification measures where required by law.

15.2. Users must promptly report lost access, leaked tokens, accidental public links, suspicious commands or other incidents.

16. Final provisions

16.1. This Policy may be amended when the Service or applicable law changes. A new version applies from publication unless stated otherwise.

16.2. Contact: info@xyz.su.