Personal Data Processing Policy

This Personal Data Processing and Privacy Policy (the "Policy") applies to the AI Content Zavod website and service available at aicontentzavod.tech, including user accounts, APIs, payment features, integrations, generation tools, and publishing workflows (the "Service").

The Policy is prepared under Russian personal data law, including Federal Law No. 152-FZ "On Personal Data", and explains what data is processed, for what purposes, on what legal bases, to whom it may be transferred, and how a data subject may exercise their rights.

Data controller/operator: Individual Entrepreneur Mikhail Sergeevich Martsinyuk, INN 229100804842, place of business: Rostov-on-Don, Russian Federation. Contact for personal data requests: martsinyuk.pl@gmail.com.

By using the Service, creating an account, connecting integrations, uploading materials, or paying for services, the user confirms that they have read this Policy. Where a separate consent is required, the relevant operation is performed after such consent is obtained or where another lawful basis applies.

The terms "personal data", "operator", "data subject", "personal data processing", "transfer", "blocking", "destruction", and related terms are used in the meaning established by Russian Federal Law No. 152-FZ.

"User content" means texts, prompts, images, video, audio, scripts, publication metadata, project settings, and other materials uploaded, created, generated, edited, stored, or published through the Service.

The operator follows these processing principles:

• processing is carried out on a lawful and fair basis;
• the scope of data is limited to the purposes of the Service;
• data is not used for purposes incompatible with the stated purposes;
• access is limited and data minimization is applied where feasible;
• retention is limited by processing purposes, contract, law, and rights protection;
• data is corrected, blocked, or deleted when lawful grounds arise.

Depending on how the Service is used, the operator may process:

• registration data: name or display name, email, password hash, user ID, registration date, account status;
• authentication and security data: session and refresh tokens, login events, suspicious activity indicators, password recovery data;
• project data: project names, topics, prompts, scripts, generation settings, schedules, task statuses, generated outputs, covers, audio, video, and other files;
• integration data: connected Upload-Post profiles and channels, technical access keys, page, channel, account, and board IDs, publishing statuses, and analytics data received via service integrations;
• payment data: top-up and debit amounts, currency, wallet operation history, payment IDs, payment statuses, payment provider technical responses, and auto top-up data if enabled;
• communications: support requests, service notices, email correspondence, and data required to respond to the user;
• technical data: IP address when contacting the server, user-agent, browser language, device type, date and time of request, request path, HTTP status, error details, runtime logs, and security logs;
• cookies and similar technologies: technical browser records for sessions, interface settings, remembering analytics choices, and analytical identifiers after consent.

The Service does not require special categories of personal data or biometric personal data as a condition of use. However, user content may contain faces, voices, names, nicknames, logos, trademarks, or personal data of third parties. The user is responsible for having a lawful basis for uploading, processing, generating, and publishing such materials.

Data is processed for the following purposes:

• creating, maintaining, and securing user accounts;
• providing Service features, including AI generation, editing, storage, and publishing;
• connecting external platform accounts and performing actions on the user's behalf within granted permissions;
• maintaining the wallet balance, accepting payments, debiting paid operations, and keeping transaction history;
• support, service notices, and access recovery;
• security, abuse prevention, and technical incident investigation;
• aggregated or anonymized traffic statistics and interface improvement;
• legal compliance, responses to lawful authority requests, and protection of rights.

Processing is based on:

• conclusion and performance of the Terms of Service;
• the data subject's consent, including for integrations, analytical cookies, and optional features;
• compliance with applicable legal obligations;
• the operator's rights and lawful interests, including security, service accounting, abuse prevention, and rights protection, provided this does not violate the rights and freedoms of the data subject;
• data made public by the data subject or provided by the user for publication through connected platforms.

The operator may collect, record, systematize, accumulate, store, update, retrieve, use, transfer, provide, grant access to, anonymize, block, delete, and destroy personal data, as well as perform other operations required for the purposes described in this Policy.

Processing may be automated, non-automated, or mixed.

The Service uses strictly necessary browser records for authentication, security, session storage, interface settings, and remembering the user's analytics choice. These records are necessary for website operation or for honoring the user's choice.

Before the user makes an analytics choice, the Service collects minimal first-party aggregated traffic statistics without analytical cookies and without writing analytical identifiers to the browser. This layer includes date, page path without query string, referrer host without full URL, UTM tags, device type, browser language, and consent state. It does not store IP address, cookie ID, or user ID.

Yandex Metrica and analytical cookies are enabled only after the user selects "Accept" in the notice. Once enabled, Metrica may use cookies, localStorage, and other browser identifiers for web analytics, page performance measurement, link tracking, and Service improvement. Webvisor is not used in the current configuration.

The user may select "Necessary only". In that case analytical Metrica is not loaded, while first-party aggregated traffic statistics without cookies continue to be collected as described above. Clearing browser localStorage/cookies may cause the notice to appear again.

The primary database and S3-compatible object storage for files are hosted with REG.RU / Reg.Cloud in the Russian Federation. This infrastructure stores the main account, project, payment, publication, and user file records where applicable to the current configuration.

The frontend and backend code run on a LightNode VPS in Germany. When the user accesses the Service, HTTP requests, technical headers, runtime logs, and related technical data may be processed on that server infrastructure. This processing is necessary for application operation, request routing, diagnostics, and security.

As of this Policy date, the Service does not use Cloudflare, a CDN, or an external proxy in front of the website; domain and DNS are used directly through REG.RU. If the infrastructure changes, this Policy will be updated.

The operator does not sell personal data. Data is transferred to third parties only to the extent necessary for Service operation, contract performance, legal compliance, payments, support, security, or rights protection.

The following providers and recipient categories may be involved:

• REG.RU / Reg.Cloud - database, object storage, domain, and DNS;
• LightNode - VPS hosting for the application and API in Germany;
• Yandex Metrica - web analytics after user consent;
• OpenAI and xAI - generation of text, images, video, scripts, metadata, and other AI materials;
• ElevenLabs and Speechify - voice synthesis and voice-related features;
• Pexels - search and retrieval of stock materials;
• Upload-Post - content publishing, profile connection, statuses, and publication analytics;
• T-Bank - payment acceptance, verification, and support;
• state authorities and other persons - where required by law or a binding request.

* Meta Platforms Inc. is recognized as an extremist organization whose activity is prohibited in the Russian Federation; Instagram and Facebook are owned by Meta Platforms Inc.

Data transfer is limited to what is required for a specific function: payment parameters for payment processing, content and access tokens for publishing, prompts and source materials for AI generation, and so on.

Because part of the infrastructure and third-party services are located outside the Russian Federation, certain data may be transferred or technically processed abroad. This includes the LightNode VPS in Germany and foreign services used for generation, publishing, analytics, stock materials, and social platforms.

Cross-border transfer is performed for contract performance, content publishing, material generation, voice synthesis, analytics, payments, diagnostics, and security. The transfer is limited to the necessary data scope.

Where required by law, the operator carries out cross-border transfers in compliance with Article 12 of Russian Federal Law No. 152-FZ, including filing notifications with the competent personal data authority where such notification is required.

Personal data is retained no longer than required for processing purposes, the Terms of Service, legal obligations, accounting and tax records, security, dispute resolution, and rights protection.

• account data is retained while the Service is used and thereafter only as necessary for claims, records, and legal compliance;
• payment, wallet, and operation data is retained as needed for settlements, reporting, refunds, anti-fraud checks, and accounting;
• user content and files are retained until deleted by the user, account deletion, expiration of the storage need, or another lawful deletion ground;
• Upload-Post integration data is retained until integration disconnection, account deletion, credential expiration, or another ground for ending processing;
• technical logs are retained for diagnostics, security, and incident investigation;
• aggregated first-party traffic statistics that do not contain IP, cookie ID, or user ID may be retained longer for traffic analysis.

Upon a deletion request, the operator deletes or anonymizes data to the extent permitted by law. Data required for legal compliance, accounting, dispute resolution, or confirmation of delivered services may be retained until the relevant retention ground expires.

The operator applies reasonable organizational and technical safeguards: access separation, account and token controls, secure transmission where available, restricted access to secrets, technical event logging, backups, and other measures proportionate to the nature of the data and risks.

Absolute security of Internet transmission and storage cannot be guaranteed. The user is responsible for securing their device, email, password, tokens, and connected external accounts.

The data subject may:

• receive information about the processing of their personal data;
• request correction, blocking, or destruction of data where it is incomplete, outdated, inaccurate, unlawfully obtained, or no longer needed;
• withdraw consent where processing is based on consent;
• disconnect integrations and revoke permissions on external platforms;
• challenge the operator's actions or inaction before the competent authority or court;
• exercise other rights provided by Russian law.

Requests should be sent to martsinyuk.pl@gmail.com. To protect data, the operator may request information required to verify the requester's identity and connection to the relevant account. Responses are provided within the time limits established by applicable law.

The Service is intended for users aged 18 or older. The operator does not target children and does not knowingly collect minors' data. If the operator learns that a person under 18 has registered, the account may be restricted or deleted.

The Service uses automated algorithms and third-party AI services for content, scripts, metadata, images, video, and audio. Results may contain errors, inaccuracies, or materials requiring review. The operator does not use automated processing to make decisions that produce legal effects for the user without user involvement.

The user is responsible for reviewing legality, accuracy, rights, and publishing suitability of final content before posting it to external platforms.

The operator may amend this Policy due to changes in law, infrastructure, Service features, providers, or actual processing practices. The new version takes effect upon publication on this page unless stated otherwise.

Users are encouraged to review the current version periodically. Continued use of the Service after publication means the user has reviewed the updated document.