1.1. This Personal Data Processing Policy for the "COSORI" Application (hereinafter, the "Policy") has been developed pursuant to the requirements of Clause 2, Part 1, Article 18.1 of Federal Law No. 152-FZ dated 27 July 2006 "On Personal Data" (hereinafter, the "Personal Data Law") for the purpose of ensuring the protection of human and civil rights and freedoms during the processing of Personal Data, including the protection of the rights to privacy and personal and family confidentiality.

1.2. This Policy applies to Personal Data processed by Shenzhen Gaea Information Co., Ltd, incorporated under the laws of the People's Republic of China (hereinafter, the "Operator"), in the "COSORI" mobile application (hereinafter, the "Application"), which the Operator may receive from the Personal Data Subject.

1.3. This Policy applies to relations in the field of Personal Data processing that arose with the Operator both before and after the approval of this Policy.

1.4. Pursuant to the requirements of Part 2 of Article 18.1 of the Personal Data Law, this Policy is published in free access on the Internet at the following link: https://www.cosori.cloud/privacy/.

1.5. The Operator does not verify the accuracy of Personal Data received from the Personal Data Subject.

1.6. The Operator ensures the protection of processed Personal Data against unauthorized access and disclosure, unlawful use, or loss in accordance with the requirements of the Personal Data Law.

1.7. The Personal Data Subject agrees to this Policy by providing consent to the processing of Personal Data.

2.1. For the purposes of application and interpretation of this Policy, the principal terms defined below shall be used (unless expressly stated otherwise in the Policy). In the text of the Policy, these terms may be used with an uppercase or lowercase letter, in the singular or plural, and in abbreviated form.

2.1.1. Personal Data means any information relating directly or indirectly to an identified or identifiable individual (Personal Data Subject);

2.1.2. Personal Data Operator means Shenzhen Gaea Information Co., Ltd, a company incorporated under the laws of the People's Republic of China, Unified Social Credit Code (USCC): 91440300MA5HB76T6K, registered address: Room 1408, 14F, Tianjian Chuangye Building, No.7 Shangbao Road, Shiling Community, Lianhua Sub-district, Futian District, Shenzhen, Guangdong Province, China, which owns the Application and independently or jointly with other persons organizes and/or carries out the processing of Personal Data, and also determines the purposes of Personal Data processing, the composition of Personal Data subject to processing, and the actions (operations) performed with Personal Data;

2.1.3. Subject, Personal Data Subject means an individual using the Application whose Personal Data is processed by the Operator or by a third party on behalf of the Operator;

2.1.4. Application means a computer program in the form of a mobile application named "COSORI", made available through the official RuStore platform for the distribution of such computer programs, the primary functionality of which includes:

• registration, login, and account management;
• discovery, addition, connection, binding, unbinding, management, and control of smart devices;
• connection of smart devices to networks, network configuration, status viewing, and status synchronization;
• firmware updates, update status checks, and error notifications;
• browsing recipes and other content, adding items to favorites, and using other related content services;
• submission of feedback, issue reports, obtaining assistance, and customer support.

2.1.5. Processing of Personal Data means any action (operation) or set of actions (operations) with Personal Data performed using automation tools or without the use of such tools. Processing of Personal Data includes, inter alia: collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (provision to a limited group of persons; access by a limited group of persons), dissemination, anonymization, blocking, deletion, destruction.

3.1. Processing of the Subject's Personal Data by the Operator is carried out by means using automation tools or without such tools for the periods necessary to achieve the processing purposes. A condition for termination by the Operator of processing of Subjects' Personal Data may be the achievement of the purposes of such processing, withdrawal by the Subject of consent to the processing of their Personal Data, withdrawal of consent to dissemination of Personal Data, termination of the Operator's activities (reorganization or liquidation), closure of the Application, termination of the agreement between the Operator and the Subject, dismissal of the Operator's employee, or identification of the fact of unlawful processing thereof.

3.2. The Operator's policy regarding the processing of Subjects' Personal Data is that Personal Data must be processed only in cases established by law, based on the Operator's principal areas of activity and taking into account the balance of interests of the Operator and the Subject.

3.3. Personal Data shall be processed by the Operator in compliance with the principles and rules provided for by the Personal Data Law in the following cases:

• with the consent of the Personal Data Subject to the processing of their Personal Data;
• where Personal Data processing is necessary for the performance of an agreement to which the Personal Data Subject is a party, beneficiary, or guarantor;
• in cases where Personal Data processing is necessary for the Operator to exercise and perform functions, powers, and duties imposed by the legislation of the Russian Federation;
• where Personal Data processing is necessary to protect the life, health, or other vital interests of the Personal Data Subject, if obtaining the consent of the Personal Data Subject is impossible.

3.4. The Operator has no right to obtain and process the Subject's Personal Data containing information on racial or ethnic origin, political opinions, religious or philosophical beliefs, or health condition, except with the written consent of the Subject.

3.5. The Operator does not process special categories of Personal Data or biometric data.

4.1. Obligations of the Operator:

• To organize Personal Data processing in accordance with the requirements of the Personal Data Law;
• To respond to requests and inquiries of Personal Data Subjects and their legal representatives in accordance with the requirements of the Personal Data Law;
• To provide the authorized authority for the protection of the rights of Personal Data Subjects (Roskomnadzor), upon request of that authority, with the necessary information within 10 business days from the date of receipt of such request;
• To take necessary legal, organizational, and technical measures to protect Personal Data against unlawful or accidental access thereto, destruction, modification, blocking, copying, provision, and dissemination of Personal Data.

4.2. The Operator has the right to:

• Independently determine the composition and list of measures necessary and sufficient to ensure fulfillment of the obligations provided for by the Personal Data Law;
• Entrust Personal Data processing to another person;
• If the Subject withdraws consent to the processing of Personal Data, the Operator shall have the right to continue processing Personal Data without the Subject's consent where grounds specified in the Personal Data Law exist.

4.3. The Subject has the right to:

• Receive information concerning the processing of their Personal Data, except in cases provided for by federal laws;
• Give prior consent to the processing of Personal Data for the purposes of promoting goods, works, and services on the market;
• Require the operator to clarify the Subject's Personal Data, block or destroy it if the Personal Data is incomplete, outdated, inaccurate, unlawfully obtained, or not necessary for the stated processing purpose;
• Appeal to Roskomnadzor or in court against unlawful actions or omissions of the Operator when processing the Subject's Personal Data.

5.1. Personal Data processing shall be limited to the achievement of specific, predetermined, and lawful purposes. Personal Data processing incompatible with the purposes of collecting Personal Data shall not be permitted.

5.2. Only Personal Data that meets the purposes of its processing shall be subject to processing.

5.3. Purpose: Registration of the User in the Application

Categories of Personal Data processed:

• email address;
• accountId, UID, or other account identifiers;
• information related to login credentials;
• deviceId, CID, or other unique device identifiers.

5.4. Purpose: Use of the functional capabilities of the Application and smart devices

Categories of Personal Data processed:

• email address;
• accountId, UID, or other account identifiers;
• information related to login credentials;
• deviceId, CID, or other unique device identifiers.

5.5. Purpose: Contacting customer support

Categories of Personal Data processed:

• email address;
• accountId, UID, or other account identifiers;
• information related to login credentials;
• deviceId, CID, or other unique device identifiers;
• personal data contained in the request and attachments thereto.

6.1. Other technical data is processed in the Application:

6.1.1. User account data:

• Consent records, including the time of consent, Policy version, client version, channel source, and other similar information;

6.1.2. Smart device identification data:

• Smart device model, configModel, deviceRegion, connectionType;
• Firmware version, plugin version, update status;
• Information on binding of the smart device to the account.

6.1.3. Data related to network connection and the network environment:

• Wi-Fi network name (SSID);
• Router MAC, BT MAC, MAC address of the smart device;
• RSSI; IP address; User region;
• Network condition, initialization status, and error codes, logs, and timestamps related to network diagnostics.

6.1.4. Smart device status and remote-control data:

• Information on the smart device being online, information on operating status, mode, time, temperature, and other status data;
• Initiated control commands, results of their execution, confirmation statuses, and error codes;
• Key operation logs necessary for audit, dispute resolution, and service security purposes.

6.1.5. Data on firmware updates and technical maintenance of the smart device:

• Current firmware version of the smart device and the version available for update;
• Update requests, update status, update results, and information related to troubleshooting.

6.1.6. Customer support request data:

• Content of the request;
• Screenshots, images, videos, log files, and other attachments enclosed with the request;
• Account identifiers, smart device identifiers, error codes, and diagnostic information directly related to identifying the cause of the issue.

6.1.7. System operation and security data:

• Application version, operating system version, smart device model;
• Information on login anomalies, security alerts, records of access token revocation;
• Minimum necessary logs required to ensure service stability and security.

7.1. The Operator transfers Personal Data to third parties in the following cases:

• consent to such actions has been obtained from the Personal Data Subject;
• the transfer is provided for by Russian or other applicable law within the procedure established by law.

7.2. The list of persons to whom Personal Data is transferred shall be established by the consent to Personal Data processing provided by the Personal Data Subject or by mandatory provisions of applicable law.

7.3. Provision of the Subject's Personal Data upon request of state authorities (local self-government authorities) shall be carried out in accordance with the procedure provided for by the legislation of the Russian Federation.

7.4. When collecting Personal Data, including through the Internet, the Operator ensures processing of Personal Data of citizens of the Russian Federation using databases located in the territory of the Russian Federation, except in cases specified in the Personal Data Law.

7.5. The Operator does not carry out cross-border transfer of Personal Data.

8.1. Procedure for considering Subjects' requests:

• Confirmation of the fact of Personal Data processing by the Operator, the legal grounds and purposes of Personal Data processing, as well as other information specified in Part 7 of Article 14 of the Personal Data Law, shall be provided by the Operator to the Subject or their representative within 10 business days from the moment of the request or receipt of the request of the Personal Data Subject or their representative. This period may be extended, but by no more than five business days.
• The request must contain data allowing identification of the Subject and the signature of the Subject; if the request is signed by the Subject's representative, it must include a document confirming the representative's authority.
• The request may be sent in the form of an electronic document and signed with an electronic signature in accordance with the legislation of the Russian Federation.

8.2. If inaccurate Personal Data is identified upon the inquiry of the Subject or their representative, or upon their request, or upon the request of Roskomnadzor, the Operator shall block the Personal Data relating to that Subject from the moment of such inquiry or receipt of the specified request for the verification period, unless blocking of Personal Data violates the rights and lawful interests of the Subject.

8.3. If the fact of inaccuracy of Personal Data is confirmed, the Operator, on the basis of information provided by the Subject or their representative, Roskomnadzor, or other necessary documents, shall clarify the Personal Data within seven business days from the date of provision of such information and shall lift the blocking of the Personal Data.

8.4. If unlawful processing of Personal Data is identified upon the inquiry (request) of the Subject or their representative, or Roskomnadzor, the Operator shall block the unlawfully processed Personal Data relating to that Personal Data Subject within three business days from the moment of such inquiry or receipt of the request.

8.5. If the Operator, Roskomnadzor, or another interested person identifies the fact of unlawful or accidental transfer (provision, dissemination) of Personal Data (access to Personal Data), resulting in a violation of the rights and lawful interests of the Personal Data Subject, the Operator shall block such Personal Data from the moment of identification of such fact.

8.6. Deletion of Personal Data is carried out:

• upon achievement of the purposes of processing Personal Data;
• upon expiration of the storage period or achievement of the processing purposes;
• if the Personal Data is unlawful, inaccurate, or unnecessary for the stated purpose;
• upon withdrawal of consent by the Subject and absence of legal grounds for further processing;
• upon termination of the Operator's activities.

8.7. Deletion of Personal Data shall be completed within a period not exceeding 30 (thirty) days from the date of receipt of the corresponding request from the Personal Data Subject, unless a shorter period is established by the Personal Data Law. Upon completion of deletion, the Operator shall notify the Subject in accordance with the procedure provided for by law.

8.8. If the Personal Data Subject withdraws consent to the processing of Personal Data, the Operator has the right to continue processing Personal Data without the consent of the Subject where grounds specified in the Personal Data Law exist.

9.1. The Operator shall take the necessary and sufficient legal, organizational, and technical measures to protect Personal Data against unlawful or accidental access thereto, destruction, modification, blocking, copying, provision, dissemination of Personal Data, and other unlawful actions in relation to Personal Data.

9.2. Organizational and technical measures taken by the Operator to ensure the security of Personal Data when processing them in the Application include:

• appointment of persons responsible for organizing the processing and protection of Personal Data;
• determination of the list of persons having access to Personal Data;
• implementation of internal control procedures;
• compliance with requirements for the protection of information systems;
• use of encryption, access control, and security monitoring technologies;
• regular review and updating of security measures.

9.3. Employees of the Operator who have access to Personal Data are obliged to comply with the requirements of the legislation of the Russian Federation and internal regulations regarding the processing and protection of Personal Data.

10.1. The Operator shall be liable for violation of the requirements of the Personal Data Law in accordance with the legislation of the Russian Federation.

10.2. The Operator shall not be liable for:

• loss or damage to Personal Data resulting from force majeure circumstances;
• actions of third parties that resulted in unauthorized access to Personal Data, if the Operator has taken all necessary measures to protect Personal Data;
• consequences of actions of the Subject related to violation of the rules for use of the Application and security of access credentials.

11.1. This Policy enters into force from the date of its publication in the Application and operates indefinitely until replaced by a new version or until the Subject ceases using the Application.

11.2. The Operator has the right to unilaterally amend this Policy by publishing a new version in the Application.

11.3. The new version of the Policy shall apply to use of the Application after the date of publication unless another effective date is specified therein. By continuing to use the Application, the Subject confirms acceptance of the terms of the new version of the Policy.

11.4. All disputes and disagreements arising from this Policy shall be resolved through negotiations. If an agreement is not reached, the dispute shall be referred to a court in accordance with the legislation of the Russian Federation.

Operator: Shenzhen Gaea Information Co., Ltd

Unified Social Credit Code (USCC): 91440300MA5HB76T6K

Address: Room 1408, 14F, Tianjian Chuangye Building, No.7 Shangbao Road, Shiling Community, Lianhua Sub-district, Futian District, Shenzhen, Guangdong Province, China

For questions regarding use of the Application, devices, and support, please contact: support@cosori.cloud.

For questions regarding personal data, privacy, and account deletion, please contact: legal@cosori.cloud.

For questions regarding business cooperation, partnership opportunities, media relations, as well as cooperation with Content creators and influencers, please contact: business@cosori.cloud.

When contacting support, it is recommended to specify the email address used during registration, the Application version, device model, and a brief description of the issue in order to facilitate processing of the request.