TROX RUS PRIVACY POLICY

TROX RUS would like to thank you for visiting our website and for your interest in our company and products. The protection of your personal data is an important concern for TROX RUS and all related to the TROX GROUP companies.

In this Privacy Policy, we establish the list of your personal data processed by us when visiting our website, the basic principles, purposes, methods, conditions for processing of personal data, duties and protocols of TROX RUS and its employees related to the processing of personal data and protection of rights and freedoms of data subjects.

In order to ensure the access of data subjects to certain services available on our company's web site, the following personal data may be processed, including: name and surname, postal address, e-mail address, phone number and other personal data of this kind.

Processing of your personal data when visiting our website is carried out in strict compliance with legislation of the Russian Federation, European legislation, in particular with the General Data Protection Regulation (GDPR) and generally recognized principles of personal data protection to the extent allowed by national legislation.

The TROX RUS website may contain several links leading to the websites of other companies that are part of the TROX GROUP, for which this Privacy Policy does not apply.

1. Definition of terms

In this Privacy Policy and on our website, we use the following terms:

• Personal data

‘Personal data’ means any information relating to an identified or identifiable natural person (referred to as the ‘data subject’)

• Data subject

‘Data subject’ means any identified or identifiable natural person whose personal data are being processed by the operator.

• Operator

‘Data operator’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others organizes and carries out processing of personal data, determines the purposes and means of the processing of personal data.

• Processing

‘Processing’ means any operation or set of operations which is performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

• Pseudonymisation

‘Pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

• Profiling

‘Profiling’ means any form of automated processing of personal data consisting of the use of those personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.

• Erasure

‘Erasure (deletion) of personal data’ means actions performed on personal data contained in the respective database that prevent such data from being restored or destruction of personal data tangible medium.

• Blocking

‘Blocking of personal data’ means he temporary cessation of personal data processing (except for the cases when the processing is needed for personal data specification)

• Cross-border personal data transmission

‘Cross-border personal data transmission’ means transfer of personal data to the territory of a foreign state to the authority of a foreign state, to a foreign individual or to a foreign legal entity

• Automated personal data processing

‘Automated personal data processing’ means processing of personal data via computing tools

• Consent

‘Consent’ means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by some other a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

2. Name and address of the operator

In the context of the current data protection legislation of the Russian Federation, the operator is:

TROX RUS LLC

127495, Moscow,

Dmitrovskoye hwy

163A, bld. 2

Website: www.trox.ru

3. Name and address of the Data Protection Officer

The operator's Data Protection Officer is:

Mr. Svyatoslav Troshkin

TROX RUS LLC

127495, Moscow,

Dmitrovskoye hwy

163A, bld. 2

E-mail: info@trox.ru

Data subjects can contact our Data Protection Officer directly at any time with any questions or comments about data protection.

4. Principles for processing personal data

TROX RUS, as an operator, carries out the processing of personal data in accordance with the following principles:

• Personal data shall be processed on a legal and equitable basis;

• Personal data processing shall be restricted by achieving specific, pre-determined and legal purposes;

• It is not allowed to combine the data bases containing personal data to be processed for incompatible purposes;

• The scope and content of processed personal data must correspond to the stated processing purposes;

• In the course of personal data processing it shall be necessary to ensure the personal data accuracy, sufficiency and in case of need adequacy for processing purposes (operator shall take the required measures or ensure the adoption of such measures in order to delete or replenish incomplete or inaccurate data);

• Personal data shall be stored in a form that allows verification of the identity of personal data subjects only to the extent necessary for processing purposes unless the personal data storage duration is not established by federal laws or agreement concluded with personal data subject as a beneficiary or guarantor party.

5. Rights and obligations of the data operator

TROX RUS, as an operator, has the following rights:

• Right to protect his interests in courts;

• Right to transfer data subjects’ personal data to third parties, as provided by the current legislation of the Russian Federation (tax agencies, law enforcement agencies, etc.);

• Right to refuse the grant of personal data, as provided by the current legislation of the Russian Federation;

• Right to use data subjects’ personal data without his consent, as provided by the current legislation of the Russian Federation.

TROX RUS, as an operator, has the following obligations:

• Data operator must treat personal data as confidential. Personal data can’t be transferred to third parties or disclosed in any form by data operator without data subjects’ consent, unless otherwise permitted by statutory laws;

• Data operator must provide the information required by the legislation on protection of personal data on the data subjects’ request.

6. Rights of the data subject

Every data subject has the following rights:

• If personal data is incomplete, outdated, unreliable, illegally obtained or irrelevant to the purpose of processing, the data subject can demand rectification, blocking or destruction of it;

• The data subject may request information on which personal data relating to him/her has been stored, from which source and for what purpose the data was collected;

• The data subject can receive information on duration of processing and storage personal data relating to him/her;

• The data subject may call for notification of all third parties who have previously been informed of incorrect or incomplete personal data relating to the data subject about all exceptions, corrections or additions made in it;

• The data subject has the right to complain against unlawful acts and omissions of the operator to the authorized government body on protection of data subject rights (The Federal service for supervision of communications, information technology, and mass media (Roskomnadzor));

• The data subject can protect his/her rights and legitimate interests in courts, including seek damages and non-pecuniary damages.

7. Collection and processing of personal data

When a data subject or an automated system visits our website, we store a set of certain information. The following information can be recorded: (1) the browser types and versions used; (2) the operating system used by the accessing system; (3) the website from which an accessing system arrived at our website (known as the 'referrer'); (4) the web pages visited on our website by an accessing system; (5) the date and time of access to the website; (6) an Internet Protocol address (IP address); (7) the Internet service provider of the accessing system; and (8) other similar data and information that can be used to protect against threats in the event of attacks on our IT systems.

These general data and information are not used by TROX RUS to arrive at any conclusions regarding the data subject. Rather, this information is used (1) to deliver the contents of our website correctly; (2) to optimize the contents of our website and our advertising of it; (3) to ensure the continuous functional capacity of our IT systems and the technology for our website; and (4) to provide the prosecuting authorities with the necessary information in the event of a cyberattack.

These anonymously collected data and information are therefore evaluated statistically by TROX RUS, firstly, and are further evaluated with the aim of improving data protection and data security within our company so as ultimately to ensure the best level of protection for the personal data processed by us. The anonymous data from the server log files are stored separately from all personal data provided by a data subject.

The data subject has the option of registering on our website by providing personal data. Which personal data are transmitted to the operator during that process is determined by the form which is used for registration.

The personal data input by the data subject are collected and stored by the operator solely for internal use and its own purposes. The operator may transfer the personal data to other parties, for example a provider of parcel services, who will likewise use the personal data solely for the internal purposes of the operator.

By registering on our website, the IP address assigned by the data subject's Internet service provider (ISP), the date and the time of registration will furthermore be stored. These data are stored in consideration of the fact that this is the only way to prevent misuse of our services; if necessary, these data also make it possible to resolve copyright infringements and crimes that have been committed against TROX RUS. It is therefore necessary to store these data as a safeguard for TROX RUS. These data will never be transferred to third parties unless there is a legal obligation to do so or such transfer is for purposes of prosecution.

8. Cross-border personal data transmission

TROX RUS is a part of the international group of companies TROX GROUP, and, therefore, personal data may be transferred outside the Russian Federation. TROX RUS and its employees use all reasonable efforts to maintain adequate privacy protection level in a place where the personal data is transfer. In particular, all related to the TROX GROUP companies (including TROX RUS) brought their Privacy policies into compliance with the General Data Protection Regulation (GDPR).

9. Routine erasure and blocking of personal data

The operator processes and stores personal data relating to the data subject only for the period required to achieve the purpose of said storage or to the extent that this has been envisaged by the Russian authorized body for the protection of the data subjects’ rights under laws or regulations to which the operator is subject.

If the storage purpose no longer applies, or a storage period specified by the Russian authorized body for the protection of the data subjects’ rights or current legislation of the Russian Federation expires, the personal data are blocked or erased as a routine matter in accordance with the legal provisions of personal data protection legislation of the Russian Federation.

10. Consent

TROX RUS processes personal data only with the consent of the personal data subject. In this Policy we present all the information necessary to make a well-considered decision about expediency of using our website and transferring your personal data to TROX RUS. Therefore, by visiting our website and interacting with us using electronic means, you consent to the processing of your personal data and secondary personal data (including cookies, connection information and system information) in accordance with the principles set forth in this Policy and current legislation of the Russian Federation and the European Union on personal data.

By signing up on the TROX RUS website or using our online services (e.g. newsletter subscription) that require provision of personal data, you give us your unreserved consent to process your personal data. These personal data will be used only for the purposes in which they are provided to TROX RUS. If you find yourself disagreeing with these conditions you should refrain from using our services.

11. Security of personal data

TROX RUS, as an operator, uses technical and organizational security measures to protect your personal data from manipulation, loss, destruction and access by unauthorized persons. We are constantly improving our security measures in line with technological developments, statutory and regulatory requirements of the Russian Federation and the generally recognized principles of personal data protection. In particular, we take the following measures to ensure the security of your personal data:

• appointment of a person responsible for organizing the processing of personal data;

• issuance of documents setting out the operator’s policies in regard to the processing of personal data;

• reception of data subjects consents necessary for the processing of personal data, except as required by the legislation of the Russian Federation;

• separate storage of personal data and their tangible medium, with different purposes and categories of processing;

• ensuring the safety of personal data tangible medium;

• ensuring that employees of TROX RUS who are directly involved in the processing of personal data are made aware of the provisions of the legislation of the Russian Federation and European Union on personal data, including requirements relating to the protection of personal data, documents setting out the policies of TROX RUS in relation to the processing of personal data and by-laws on the processing of personal data;

• the application of legal, organizational and technical measures to ensure the security of personal data in accordance with Article 19 of Federal Law No. 152-FZ of July 27, 2006 on Personal data.

12. Data processing for the application procedure

TROX RUS collects and processes personal data from applicants for the purposes of the application procedure. This processing can also take place using electronic means. This is especially the case where an applicant transmits corresponding application documents to the operator via electronic means, such as by email. If the operator enters into an employment contract with an applicant, the transmitted data are stored, in compliance with

the Labor Code of the Russian Federation and Federal Law No. 152-FZ of July 27, 2006 on Personal data, for the purposes of the employment relationships. If the operator does not enter into an employment contract with the applicant, the application documents are automatically erased six months after notification of the rejection decision provided such erasure does not contravene any other legitimate interests of the operator.

13. Cookies

The TROX RUS websites use cookies. Cookies are text files that are stored on a computer system by means of a web browser.

A large number of websites and servers use cookies. Many cookies have a 'cookie ID'. This is a unique identifier for the cookie. It is made up of a series of characters by means of which websites and servers can be associated with the specific web browser in which the cookie has been stored. This makes it possible for the websites and services visited to distinguish the individual browser of the data subject from other web browsers containing other cookies. A particular web browser can be recognized and identified by means of the unique cookie ID.

TROX RUS uses cookies to provider users of this website with more user-friendly services that would not be possible without setting cookies.

A cookie can be used to optimize the information and offerings on our website for the benefit of the user. As already mentioned, cookies enable us to recognize users of our website. The purpose of this recognition is to make it easier for users to use our website. The user of a website that uses cookies does not need to re-enter his or her login data every time they visit the website, for example, because this is handled by the website and the cookie stored on the user's computer system.

The data subject can prevent cookies from being set by our website at any time using the corresponding setting in the web browser used, thereby permanently rejecting the setting of cookies. In addition, cookies that have already been set can be deleted at any time using a web browser or other software programs. This is an option in all current web browsers. If the data subject deactivates the setting of cookies in the web browser used, it may not be possible to make full use of all functions of our website in some circumstances.

14. Data protection provisions relating to the use of Google Analytics (with anonymization function)

We have integrated Google Analytics (with anonymization function) into our website. Google Analytics is a web analytics service. 'Web analytics' is the collection, compilation and evaluation of data relating to the behavior of visitors to websites. A web analytics service records data including the website from which a data subject arrived at a given website (known as the 'referrer'), which web pages on the website were accessed, or how often and for how long a web page was viewed. Web analytics is predominantly used for website optimisation and for cost-benefit analysis of online advertising.

The operating company of Google Analytics is Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.

The operator uses the extension “_gat._anonymizeIp" for web analytics using Google Analytics. This extension truncates and anonymises the IP address of the data subject's Internet connection if access to our websites originates from the Russian Federation or countries which are parties to personal data protection international treaties of the Russian Federation.

The purpose of Google Analytics is to analyze the flow of visitors to our website. Google uses the data and information obtained for purposes including to evaluate use of our website, to create online reports for us which illustrate activities on our websites, and to provide other services relating to the use of our website.

Google Analytics sets a cookie on the data subject's IT systems. Cookies have been defined in paragraph 13 of this Policy. Setting the cookie makes it possible for Google to analyze the use of our website. Every time a web page of this website is retrieved that is operated by the operator and into which Google Analytics is integrated, the web browser on the data subject's IT system is automatically prompted by the Google Analytics component to transmit data to Google for the purposes of online analytics. During that technical process, Google acquires personal data, such as the data subject's IP address, which make it possible for Google to trace the origin of the visitor and his or her clicks and, consequently, calculate commission.

The cookie stores personal information, such as time of access, location from which access is made, and frequency of visits to our website by the data subject. Each time our websites are visited, those personal data, including the IP address of the Internet connection used by the data subject, are transmitted to Google in the United States. Those personal data are stored by Google in the United States. In certain circumstances, Google may pass those personal data collected by means of the technical process to third parties.

As described above, the data subject can prevent cookies from being set by our website at any time using the corresponding setting in the web browser used, thereby permanently rejecting the setting of cookies. Making this setting in the web browser used would also prevent Google from setting a cookie on the data subject's IT system. Furthermore, a cookie that has already been set by Google Analytics can be deleted at any time using the web browser or other software programs.

The data subject additionally has the option to object to collection of the data generated by Google Analytics relating to use of this website and to processing of those data by Google and to prevent such collection and processing. To do this, the data subject must download and install a browser add-on from https://tools.google.com/dlpage/gaoptout. This browser add-on uses JavaScript to notify Google Analytics that no data or information relating to visits to websites may be transmitted to Google Analytics. The installation of the browser add-on is classified by Google as an objection. If the data subject's IT system is deleted, formatted or reinstalled at a later date, the data subject must reinstall the browser add-on in order to deactivate Google Analytics. If the browser add-on is uninstalled or deactivated by the data subject or another person under his or her authority, it is possible to reinstall or reactivate the browser add-on.

More information about Google Analytics can be found at https://www.google.com/analytics/.

For more information and Google's current privacy policy, visit https://policies.google.com/privacy/ and https://www.google.com/analytics/terms/gb.html.

15. Data protection provisions relating to the use of Google AdWords

We have integrated Google AdWords into our website. Google AdWords is an online advertising service that makes it possible for advertisers to place adverts both in Google search engine results and in the Google ad network. Google AdWords enables advertisers to define keywords in advance which are then used to display an advert in the Google search engine results only if the user uses the search engine to retrieve a search result that is relevant to the keyword. In the Google ad network, the adverts are allocated to websites covering relevant topics by means of an automated algorithm and observing the predefined keywords.

The operating company for Google AdWords services is Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.

The purpose of Google AdWords is to advertise our website by showing adverts that are of interest on the websites of third-party companies and in search engine results returned by Google, and to show third-party adverts on our website.

If a data subject arrives at our website via a Google advert, Google places a 'conversion cookie' on the data subject's IT system. Cookies have been defined in paragraph 13 of this Policy. A conversion cookie becomes invalid after thirty days, and is not used to identify the data subject. Provided it has not expired, the conversion cookie is used to track whether certain webpages, such as the basket of an online shopping system, have been retrieved on our website. Both we and Google can use the conversion cookie to track whether a data subject who has arrived at our website via an AdWords advert has generated a sale, i.e. has completed or cancelled a purchase.

The data and information collected through the use of the conversion cookie are used by Google to create visitor statistics for our website. These visitor statistics are in turn used by us to determine the total number of users transferred to us via AdWords adverts, i.e. to determine the success or otherwise of the respective AdWords advert and to optimize our AdWords adverts for the future. Neither our company nor other advertising customers of Google AdWords receive information from Google by means of which the data subject could be identified.

The conversion cookie stores personal information, for example the websites visited by the data subject. Each time our websites are visited, personal data, including the IP address of the Internet connection used by the data subject, are accordingly transmitted to Google in the United States. Those personal data are stored by Google in the United States. In certain circumstances, Google may pass those personal data collected by means of the technical process to third parties.

As described above, the data subject can prevent cookies from being set by our website at any time using the corresponding setting in the web browser used, thereby permanently rejecting the setting of cookies. Making this setting in the web browser used would also prevent Google from setting a conversion cookie on the data subject's IT system. Furthermore, a cookie that has already been set by Google AdWords can be deleted at any time using the web browser or other software programs.

The data subject additionally has the option to object to advertising from Google that relates to his or her interests. To do this, the data subject must follow the link https://adssettings.google.com/ from each web browser used and make the appropriate settings there.

For more information and Google's current privacy policy, visit https://policies.google.com/privacy/.

16. Social Media Plug-ins

Several pages of the TROX RUS website have social media plug-ins from Facebook, Twitter, LinkedIn, Xing, Google+ and YouTube as well as links to these social networks. The social media plug-ins and links can be identified via their respective network icons.

When calling up a social media network via a plug-in or link, a direct connection is created with the server of the social media provider. Facebook, Instagram, LinkedIn, Xing, Google+ and YouTube record the respective Internet page from which their services were accessed. If a user of the TROX RUS website is registered with one of these providers and is logged on at this time, the call-up of the Internet site can be associated with his/her user account.

The social media providers Facebook, Instagram, LinkedIn, Xing, Google+ and YouTube do not provide any information about which specific information is recorded during the use of their plug-ins. TROX RUS therefore has no information on the content, scope or the use of the data acquired by Facebook, Instagram LinkedIn, Google+ and YouTube. Further information on this can be found in the data protection policy of the social media providers.

The data protection policy of the social media networks used by TROX RUS can be found at the following links:

Facebook
LinkedIn
Instagram
Xing
Google+
Youtube

Users who do not want to authorize the collection by a social media provider of personal data on the Internet pages of TROX RUS can deactivate the plug-ins in their browser. To prevent a connection being created to an existing user account, users must log out before visiting the TROX RUS website.