Privacy Policy of the Foundation for the Development of Contemporary Art and Culture “DON” Version date: 15 March 2026 1. General Provisions 1.1. This Personal Data Processing Policy (hereinafter – the “Policy”) has been developed in accordance with Federal Law No. 152-FZ dated 27 July 2006 “On Personal Data” (hereinafter – the “Personal Data Law”) and defines the procedure for processing personal data carried out by the Foundation for the Development of Contemporary Art and Culture “DON” (hereinafter – the “Operator”) when the Operator’s website (hereinafter – the “Website”) is used. 1.2. The personal data operator is: Foundation for the Development of Contemporary Art and Culture “DON” Primary State Registration Number (OGRN): 1146100003610 Taxpayer Identification Number (INN): 6167111816 Address: 344019, Russian Federation, Rostov-on-Don, 16th Liniya Street, 7A E-mail: funddonfoundation@gmail.com 1.3. Personal data is processed within the territory of the Russian Federation on servers located in the Russian Federation. 2. Definitions 2.1. “Personal data” means any information relating directly or indirectly to an identified or identifiable individual (personal data subject). 2.2. “Processing of personal data” means any action (operation) or a set of actions (operations) performed on personal data, whether or not by automated means, including collection, recording, systematisation, accumulation, storage, clarification (updating, modification), retrieval, use, transfer (distribution, provision, access), anonymisation, blocking, deletion and destruction of personal data. 2.3. “Automated processing of personal data” means processing of personal data by means of computer technology. 2.4. “Provision of personal data” means actions aimed at disclosing personal data to a specific person or a specific circle of persons. 2.5. “Distribution of personal data” means actions aimed at disclosing personal data to an indefinite circle of persons or at making personal data available to the public. 3. Data Subjects and Categories of Personal Data 3.1. The Operator processes personal data of the following data subjects:  • individuals who use the Website (hereinafter – the “Users”). 3.2. The Operator processes the following personal data of Users:  • surname, first name;  • e-mail address;  • contact telephone number;  • data provided by the User when filling in forms on the Website (feedback forms, applications for participation in events, registration of a personal account);  • data indicated by the User in the personal account (delivery address, information on orders);  • cookies;  • IP address;  • data on the User’s browser and device. 4. Purposes of Personal Data Processing 4.1. Personal data of Users is processed for the following purposes:  • identifying the User when registering on the Website and authorising in the personal account;  • providing access to personalised services of the Website;  • communicating with the User, including sending notifications and responses to requests related to the use of the Website;  • concluding and performing civil-law contracts with the User;  • processing payments and making refunds;  • providing the User with information about the Foundation’s events and services;  • organising and conducting events of the Foundation;  • analysing Website traffic and User behaviour;  • improving the quality of the Foundation’s services and the operation of the Website;  • carrying out advertising activities using electronic communication means (subject to the User’s consent). 5. Legal Grounds for Personal Data Processing 5.1. Personal data is processed on the following legal grounds:  • Federal Law No. 152-FZ dated 27 July 2006 “On Personal Data”;  • the User’s consent to personal data processing;  • a contract to which the personal data subject is a party or beneficiary;  • Federal Law No. 129-FZ dated 8 August 2001 “On State Registration of Legal Entities and Individual Entrepreneurs”;  • Resolution of the Government of the Russian Federation No. 1119 dated 1 November 2012;  • other regulatory legal acts in the field of personal data protection. 6. Procedure for Personal Data Processing 6.1. Personal data is processed by the following means:  • with the use of automated tools;  • without the use of automated tools. 6.2. The Operator carries out the following actions (operations) with personal data: collection, recording, systematisation, accumulation, storage, clarification (updating, modification), retrieval, use, transfer (provision, access), anonymisation, blocking, deletion and destruction. 6.3. Access to personal data is granted to employees of the Operator and to persons engaged on the basis of contracts, to whom such access is necessary for the performance of their functions. 7. Transfer of Personal Data to Third Parties 7.1. The Operator transfers personal data to third parties in the following cases:  • where personal data processing is entrusted to such persons under a contract;  • where a request is received from competent public authorities in cases provided for by the legislation of the Russian Federation. 7.2. Third parties engaged by the Operator for personal data processing include:  • hosting providers ensuring the operation of the Website;  • analytics services (Yandex.Metrica);  • electronic payment services;  • e-mail services. 8. Cross-Border Transfer of Personal Data 8.1. The Operator carries out cross-border transfer of personal data in accordance with Article 12 of the Personal Data Law. 9. Personal Data Retention Periods 9.1. Personal data of Users is processed for the following periods:  • until the purposes of personal data processing are achieved;  • until the User’s consent to personal data processing is withdrawn;  • during the retention periods established by the legislation of the Russian Federation. 9.2. Specific personal data retention periods are determined in the Operator’s internal records. 10. Rights of the Personal Data Subject 10.1. The User has the right to:  • request the Operator to confirm the fact of processing of personal data relating to the User;  • obtain from the Operator information concerning the processing of the User’s personal data;  • obtain information about all third parties to whom the Operator transfers the User’s personal data;  • request the Operator to clarify the User’s personal data, block or destroy it if such data is incomplete, outdated, inaccurate, unlawfully obtained or not necessary for the stated purposes of processing;  • withdraw consent to personal data processing. 10.2. To exercise his or her rights, the User shall contact the Operator by e-mail: funddonfoundation@gmail.com. 11. Personal Data Security Measures 11.1. In order to ensure the security of personal data during processing, the Operator implements the following measures:  • identifies threats to the security of personal data when processed in personal data information systems;  • establishes access control to personal data information systems;  • assesses the effectiveness of measures taken to ensure the security of personal data;  • provides physical protection of premises where personal data is processed;  • carries out internal control and (or) audits of compliance with personal data processing requirements. 12. Final Provisions 12.1. This Policy applies to all personal data processed by the Operator, regardless of the method and form of their receipt. 12.2. The Operator has the right to amend this Policy. When amendments are made, the Operator notifies Users by publishing a new version of the Policy on the Website. 12.3. Any proposals or questions regarding this Policy shall be sent to the following e‑mail address: funddonfoundation@gmail.com.