1. General Provisions

1.1. This Policy defines the operator's policy regarding the processing of personal data of the users of Miras mobile application and contains information about the implemented requirements for the protection of personal data. This Policy is available for review by general public on the Internet.

1.2. The purpose of this Policy is to ensure the protection of the rights and freedoms of individuals when processing their personal data, including the protection of the rights to privacy, personal and family secrets.

1.3. The requirements of this Policy are mandatory for review and compliance by all employees of the operator who are involved in the processing of personal data.

2. Definitions

Personal Data: Any information relating to a directly or indirectly identified or identifiable individual (the subject of personal data).

Operator: An entity that independently or jointly with other entities organizes and/or carries out the processing of personal data, as well as defines the purposes of processing personal data, the composition of the personal data being processed, and the actions (operations) performed with the personal data.

Processing of Personal Data: Any action (operation) or set of actions (operations) performed using automated means or without such means with personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, transmission (distribution, provision, access), depersonalization, blocking, deletion, and destruction of personal data.

Automated Processing of Personal Data: The processing of personal data using computational technology.

Distribution of Personal Data: Actions aimed at disclosing personal data to the general public.

Provision of Personal Data: Actions aimed at disclosing personal data to a specific individual or specific group of individuals.

Blocking of Personal Data: Temporary cessation of processing of personal data (except in cases where processing is necessary for the clarification of personal data).

Destruction of Personal Data: Actions as a result of which it becomes impossible to restore the content of personal data in the personal data information system and/or as a result of which the physical media containing personal data are destroyed.

Depersonalization of Personal Data: Actions as a result of which it becomes impossible, without the use of additional information, to determine that the personal data belongs to a specific subject of personal data.

Information System of Personal Data: A combination of personal data contained in databases and the information technologies and technical means ensuring their processing.

Cross-border Transfer of Personal Data: The transfer of personal data to the territory of a foreign state to a governing body of a foreign state, a foreign individual, or a foreign legal entity.

3. Processing of Personal Data in the Mobile Application

3.1. When using the mobile application, the subject of personal data provides the following information to the operator via the registration form:

• Name;
• Email;
• Phone number (optional).

This data is used for user registration and providing information materials.

3.2. The information specified in section 3.1 will be used by the operator for the purpose of providing the functionality of the mobile application. The operator will ensure an adequate level of data protection against unauthorized use and disclosure.

3.3. The information specified in section 3.1 may be shared with third parties for processing. Such third parties may include government bodies and the operator’s contractors.

3.4. The information specified in section 3.1 will be processed until the purpose of the processing is achieved — either until the subject's refusal to enter into a contract or until the fulfillment of obligations under a concluded contract is completed. The processing of personal data after the occurrence of these events may be carried out by the operator to protect its rights and legitimate interests.

3.5. The subject can withdraw consent to the processing of personal data and request the deletion of data if they are not needed for the performance of a contract concluded with the operator. The subject has the right to send a request to the operator’s email or legal address.

4. Rights and Responsibilities of Operator and Subjects of Personal Data

4.1. The operator is not entitled to make decisions that generate legal consequences in relation to the subject of personal data or otherwise affect their rights and lawful interests, based solely on automated processing of personal data, without written consent, unless otherwise established by law.

4.2. The operator is obligated to explain to the subject the process for making decisions based solely on automated processing of their personal data and the potential legal consequences of such a decision. The operator must provide an opportunity for the subject to object to such a decision and clarify the procedure for the subject to protect their rights and lawful interests. The operator must consider the subject's objection within thirty days of its receipt and notify the subject of the review's outcome.

4.3. The subject of personal data has the right to challenge the actions or inactions of the operator in the authorized body for the protection of the rights of subjects of personal data or through legal proceedings.

4.4. The subject of personal data has the right to protect their rights and lawful interests, including the right to compensation for damages and/or moral harm through legal proceedings.

4.5. In specific countries, data subjects are also granted the following rights:

• Request access to Personal Data: Whenever made possible, the data subject can access, update, or request deletion of their personal data and receive a copy of the personal data.
• Request correction of Personal Data: The data subject has the right to have any incomplete or inaccurate information corrected.
• Object to processing of Personal Data: This right exists where the operator is relying on a legitimate interest as the legal basis for data processing and there is something about the data subject’s particular situation which makes the data subject want to object to processing of personal data on this ground. The data subject also has the right to object where the operator is processing personal data for direct marketing purposes.
• Request erasure of Personal Data: The data subject has the right to ask the operator to delete or remove personal data when there is no legitimate reason for the operator to continue processing it.
• Request the transfer of Personal Data: The operator will provide to the data subject, or to a third-party chosen by the data subject, the personal data in a structured, commonly used, machine-readable format.
• Withdraw consent: The data subject has the right to withdraw data processing consent. If the data subject withdraws consent, the operator may not be able to provide the data subject with access to certain services.

5. Update, Correction, Deletion, and Destruction of Personal Data

5.1. The subject of personal data has the right to demand from the operator the clarification of their personal data, its blocking, or destruction if the personal data is incomplete, outdated, inaccurate, unlawfully obtained, or not necessary for the stated purpose of processing. They also have the right to take measures provided by law to protect their rights.

5.2. In the event of confirmation of the inaccuracy of personal data, the operator updates them.

5.3. If it is confirmed that the processing of personal data is unlawful, the operator stops their processing.

5.4. Personal data is destroyed upon achieving the objectives of personal data processing, and also in the case of withdrawal of consent by the subject of personal data, if:

• Unless otherwise provided by a contract, of which the subject of personal data is a party, beneficiary, or guarantor;
• The operator is not entitled to carry out processing on other legal grounds.

5.5. Within seven working days from the date of provision by the subject of personal data or their representative of information confirming that the personal data is incomplete, inaccurate, or outdated, the operator is obliged to make the necessary changes to it.

5.6. Within seven working days from the date of provision by the subject of personal data or their representative of information confirming that such personal data was unlawfully obtained or is not necessary for the declared purpose of processing, the operator is obliged to destroy such personal data.

5.7. The operator is obliged to notify the subject of personal data or their representative about the changes made and measures taken and to take reasonable measures to notify third parties to whom the personal data of this subject were disclosed.

6. Procedure for Handling Requests from Subjects of Personal Data and Authorized Bodies

6.1. The subject of personal data has the right to receive the following information upon request:

• Confirmation of the fact of processing of personal data by the operator;
• Legal grounds and purposes for processing personal data;
• Purposes and methods of processing personal data used by the operator;
• Name and location of the operator, information about persons (excluding the operator's employees) who have access to personal data or to whom personal data may be disclosed based on a contract with the operator or based on federal law;
• Processed personal data relating to the corresponding subject of personal data, the source of their acquisition, unless another procedure for providing such data is provided by federal law;
• Timeframes for processing personal data, including their retention periods;
• The procedure for to exercise data subject rights as provided by the federal law;
• Information about completed or anticipated cross-border data transfers;
• Name or surname, first name, patronymic, and address of the person processing personal data on behalf of the operator, if processing is or will be entrusted to such a person;
• Information on the methods the operator uses to fulfill obligations;
• Other information as provided by federal laws.

6.2. The operator is entitled not to provide information upon the subject's request if, in accordance with federal laws:

• The processing of personal data, including data obtained as a result of operational investigative activities, counterintelligence, and intelligence activities, is carried out for the purposes of national defense, state security, and the maintenance of public order.
• The processing of personal data is carried out by authorities that have detained the subject of personal data on suspicion of committing a crime, or have charged the subject of personal data with a criminal offense, or have applied a preventive measure to the subject of personal data before charging, except for the cases provided for by the criminal procedural legislation, where the suspect or accused is allowed to familiarize themselves with such personal data.
• The processing of personal data is carried out in accordance with legislation on countering the legalization (laundering) of proceeds from crime and the financing of terrorism.
• The subject of personal data's access to their own personal data violates the rights and legitimate interests of third parties.
• The processing of personal data is carried out in cases provided for by the legislation on transport security, for the purpose of ensuring the stable and safe operation of the transport complex, protecting the interests of the individual, society, and the state in the field of the transport complex against acts of unlawful interference.

6.3. Information to be provided upon the subject's request must be given in an accessible form. The provided information should not contain personal data of third parties unless there are lawful grounds for disclosing such personal data.

6.4. Information must be provided within 10 working days from the date of receipt of the request. This period may be extended by no more than five working days in case the operator sends a reasoned notification indicating the reasons for extending the period.

6.5. The request may be sent in the form of an electronic document and signed with an electronic signature. The request is sent in a free form to the operator's email or address. No recommended forms for requests are provided by the operator. If the request is sent by a representative of the subject, the request must be accompanied by a document confirming the representative's authority.

6.6. The operator shall provide information to the subject of personal data in the form in which the respective inquiry or request was submitted unless otherwise stated in the inquiry or request.

6.7. The subject of personal data may approach the operator again no earlier than thirty days after the initial request. If the information was not provided in full, the subject has the right to contact the operator again before the expiration of the specified period.

6.8. The operator has the right to justifiably refuse the subject in fulfilling a repeated request. The obligation to provide proof of the legitimacy of refusing lies with the operator.

6.9. The operator is obliged to provide the subject of personal data or their representative with the opportunity to access personal data relating to that subject, free of charge, in a manner similar to the provision of information upon the subject's request. In the event of a refusal, the operator must provide a reasoned response, referencing the legal norm serving as the basis for the refusal. The refusal response must be provided within 10 working days from the date of receipt of the request. This period may be extended by no more than five working days in the case of the operator sending a reasoned notification indicating the reasons for extending the period.

6.10. The operator is obligated to provide the authorized body for the protection of personal data subjects' rights with the required information within ten working days from the date of receiving such a request from this body. This period may be extended but by no more than five working days, in case the operator sends a motivated notification to the authorized body for the protection of personal data subjects' rights, indicating the reasons for extending the period for providing the requested information.

7. Implemented Requirements for Personal Data Protection

7.1. The operator takes measures that are necessary and sufficient to ensure compliance with the obligations outlined in the law:

• Application of legal, organizational, and technical measures to ensure the security of personal data.
• Implementation of internal control to ensure that personal data processing complies with the law and the operator's internal regulations.
• Assessment of the harm which may be caused to personal data subjects in case of violation of the data subject rights.
• Familiarization (or appropriate training) of employees directly involved in the processing of personal data with the provisions of legislation on personal data, including requirements for personal data protection, data processing policy, and other internal regulations on personal data matters.

7.2. The operator implements legal, organizational, and technical measures to ensure the security of personal data, based on the levels of protection and current threats to the security of personal data:

• Identifying security threats to personal data during their processing in information systems.
• Applying organizational and technical measures to ensure the security of personal data based on the levels of personal data protection.
• Utilization of information security tools that have undergone the required compliance assessment procedures (as needed).
• Evaluating the effectiveness of the measures taken to ensure the security of personal data before putting the information system into operation.
• Accounting for machine carriers of personal data.
• Detecting unauthorized access to personal data and taking measures to identify, prevent, and eliminate the consequences of cyber-attacks and incidents in information systems.
• Restoring personal data following unauthorized access to it.
• Establishing access rules to personal data and ensuring the registration and tracking of all actions performed on personal data in the information system.
• Monitoring the measures to ensure the security of personal data and the levels of protection of information systems.

Operator: Miras Software - FZCO

Address:United Arab Emirates, Dubai, Silicon Oasis Free Zone

Email: mirassoftwarefzco@gmail.com