Privacy Notice (United States)
Effective date: 01 January 2025
Last updated: 16 December 2025
This Privacy Policy describes how VASSTA Group — CYBERSECURITY CENTER (Private Educational Institution, Additional Professional Education) (“Company”, “we”, “us”, “our”) collects, uses, stores, discloses, and protects personal data when you use the websites https://marine-cyber.vassta.ru and https://zs-info.ru (collectively, the “Site(s)”), and when you interact with us in connection with cybersecurity services and educational programs, including maritime cybersecurity and related digital infrastructure.
We comply with applicable personal data protection laws, including but not limited to:
- Russian Federal Law No. 152-FZ dated 27 July 2006 “On Personal Data”;
- EU General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) — where applicable (e.g., for data subjects located in the EEA);
- UK Data Protection Act 2018 and the UK GDPR — where applicable (e.g., for data subjects located in the UK);
- US privacy laws, including the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), and similar state laws — where applicable (e.g., for data subjects located in the US).
1. Data controller / personal data operator
Operator / Controller:
VASSTA Group — CYBERSECURITY CENTER (Private Educational Institution, Additional Professional Education)
Address: Office 211, 1 Svobody Street, Novorossiysk, Russia
Websites: https://marine-cyber.vassta.ru, https://zs-info.ru
Privacy contact: info@zs-info.ru
The Company determines the purposes and means of processing personal data within its activities, unless otherwise specified by contract or instruction.
2. Scope of this Policy
This Policy applies to:
- visitors to marine-cyber.vassta.ru and zs-info.ru;
- individuals submitting inquiries, requests, and applications;
- students/trainees and their representatives (within educational programs);
- representatives of customers, partners, and contractors;
- users interacting with us in the course of cybersecurity services and project support.
This Policy does not apply to third-party websites and services that may be linked from the Site(s).
3. Categories of personal data
3.1. Data you provide directly
We may process:
- first name, last name, patronymic (if applicable);
- email address;
- phone number;
- job title and company/organization name;
- content of messages, inquiries, and applications;
- business correspondence;
- information provided within contractual relationships;
- data required for training administration and issuance of training documents (where applicable and to the extent required by law and contract/application).
3.2. Data collected automatically
When you visit the Site(s), we may process:
- IP address;
- device and browser type;
- operating system;
- interface language;
- date and time of access;
- site activity data (pages viewed, clicks, events);
- technical logs and security events (to protect the Site(s) and infrastructure).
3.3. Cookies and similar technologies
We use cookies and similar technologies for technical operation of the Site(s), security, and analytics. Marketing/advertising cookies may not be used; if additional categories of cookies are introduced, we will ensure lawful use (including obtaining consent where required).
4. Purposes of processing
We process personal data for the following purposes:
- operation, administration, and security of the Site(s);
- handling inquiries, applications, and feedback;
- providing and supporting cybersecurity services;
- organizing and delivering education/training (Private Educational Institution, Additional Professional Education), including communications, recordkeeping, results tracking, and issuance of training documents — where applicable;
- entering into and performing contracts;
- fulfilling legal and regulatory obligations;
- preventing fraud and abuse;
- improving service quality and user experience, and developing services/programs.
5. Legal bases for processing
5.1. Russian Federation (Federal Law No. 152-FZ)
Under Federal Law No. 152-FZ, we process personal data on lawful grounds which may include (depending on the situation):
- the data subject’s consent;
- necessity to perform a contract to which the data subject is a party, or to take steps at the data subject’s request prior to entering into a contract;
- necessity to pursue the Company’s legitimate interests or those of third parties, provided the data subject’s rights and freedoms are not violated;
- other grounds provided by Russian law (including where processing is required to comply with statutory obligations).
5.2. EEA and United Kingdom (GDPR / UK GDPR)
Where applicable (e.g., for data subjects located in the EEA/UK), processing may be based on Article 6 GDPR/UK GDPR:
- performance of a contract;
- compliance with a legal obligation;
- legitimate interests (security, infrastructure protection, service development), subject to balancing;
- consent, where required.
6. Processing on behalf of customers
When providing cybersecurity services, the Company may act as a data processor on behalf of a customer (Controller/Operator), strictly following the customer’s instructions and within the scope of the contract.
In such cases:
- data are used only for the contract and instructed purposes;
- technical and organizational security measures are applied;
- confidentiality and data minimization are maintained.
7. Disclosure and sharing with third parties
We may disclose personal data, to the extent necessary for the purposes of processing, to:
- IT infrastructure, hosting, and cybersecurity service providers;
- email and business communication services;
- payment and accounting services (where contractual relations exist);
- professional advisors (lawyers, auditors) where necessary;
- public authorities where a lawful request applies.
Such parties process data under contracts/instructions and must implement appropriate safeguards and maintain confidentiality.
8. International data transfers
If we transfer personal data across borders, we ensure compliance with applicable requirements (including Russian rules on cross-border transfers under 152-FZ, and where applicable GDPR/UK GDPR), and apply appropriate safeguards such as contractual terms and technical/organizational measures.
9. Data retention
We retain personal data no longer than necessary for the stated purposes, unless a longer period is required by law or contract, including:
- inquiries and correspondence — until no longer relevant or until limitation periods expire;
- contractual and accounting records — as required by applicable law;
- technical logs — for a limited period for security and incident investigation;
- training records — for the periods and to the extent required by education laws and internal policies (where applicable).
10. Security of personal data
We implement reasonable and proportionate security measures considering risks, including:
- encryption in transit (where applicable);
- access control and segregation;
- monitoring, logging, and incident detection;
- protection against unauthorized access and malware;
- incident response procedures;
- organizational measures (policies, procedures, staff training).
11. Data subject rights
11.1. Russian Federation (Federal Law No. 152-FZ)
Data subjects have rights under Russian law, including the right to:
- receive information about processing;
- request rectification, blocking, or deletion where legal grounds exist;
- withdraw consent (where processing is based on consent);
- complain to the competent authority or seek judicial remedy.
11.2. EEA and United Kingdom
Where applicable, you also have the right to:
- access;
- rectification;
- erasure;
- restriction of processing;
- data portability;
- object to processing;
- withdraw consent (where applicable).
11.3. United States
Depending on your state of residence, you may have the right to:
- know what personal data are processed;
- request deletion or correction;
- opt out of certain processing activities (where applicable).
12. Exercising your rights
Requests to exercise rights and privacy-related questions should be sent to: info@zs-info.ru
We may request identity verification and/or proof of authority for representatives to protect your data and prevent unlawful access.
13. No sale and no advertising-based sharing
We do not sell personal data. We do not share personal data for cross-context behavioral advertising. We do not use targeted advertising based on personal data unless expressly stated on the Site(s) and properly implemented in accordance with applicable law.
14. Children’s data
The Site(s) and services are not intended for individuals under 16 years of age. We do not knowingly collect children’s personal data.
15. Automated decision-making
We do not use automated decision-making that produces legal or similarly significant effects for data subjects without human involvement.
16. Incident notifications
In the event of a security incident affecting personal data, we will act in accordance with applicable law, including notifying competent authorities and/or data subjects where required.
17. Changes to this Policy
We may update this Policy. The current version is always available at: https://marine-cyber.vassta.ru and https://zs-info.ru. Changes take effect upon publication unless stated otherwise.
18. Contact information
For all questions related to privacy and personal data protection:
Email: info@zs-info.ru
Address: Office 211, 1 Svobody Street, Novorossiysk, Russia
Websites: https://marine-cyber.vassta.ru, https://zs-info.ru