Fasti.me Personal Data Processing and Protection Policy


1.     General Provisions
1.1. This Personal Data Processing and Protection Policy (hereinafter referred to as the “Policy”) governs the relationship between Limited Liability Company “GLS-CONSULTING” (INN 7717738764, OGRN 1127747153192, Russian Federation, 127572, Moscow, Uglichskaya St., 12, Bldg. 1, Room 209), hereinafter “GLS-Consulting”, the “Company”, or the “Operator”, which is the rights holder of websites, services, software and/or other products, including informational, communication, advertising, educational, entertainment, and other types (hereinafter collectively the “Service” or “Fasti.me Service”), located on the Internet, including https://fasti.me and https://app.fasti.me (hereinafter the “Website”), as well as other domains administered by the Company, and individuals — users of the Internet (hereinafter “User”) with respect to the collection and processing of information about the User, including personal data provided by the User during the use of the Service (hereinafter — the “Information”). This Policy is published at: https://fasti.me/privacy_policy_en

1.2. This Policy has been drafted in accordance with the Federal Law No. 152-FZ dated July 27, 2006 “On Personal Data,” Regulation (EU) 2016/679 (GDPR), and other applicable legal acts governing the protection of personal data, and sets forth the procedures for processing personal data and measures for ensuring the security of personal data by Limited Liability Company “GLS-Consulting” (hereinafter referred to as the “Operator”). For users located in the European Union, as well as other users whose data processing falls under the scope of the GDPR by virtue of the nature of the services provided or other circumstances, the processing of personal data shall be conducted in compliance with the provisions directly stipulated by the applicable GDPR requirements.

1.3. The Service is the computer program “Fasti” (registration number 28449 dated June 11, 2025, in the Register of Russian Software), the copyright holder of which is the Company. The Service is designed for task and schedule management and developed to enhance personal and team productivity. The Service provides users with a user-friendly interface for scheduling meetings, managing tasks with priorities and deadlines, as well as receiving reminders about events and tasks.

1.4. By starting to use the Service, the User confirms that they have read this Policy and agree to its terms. Failure to accept the Policy by the User shall result in the inability to continue using the Service.

1.5. Specifics of Data Processing within Integrations with Third-Party Services:
The processing of personal data, including but not limited to collection, storage, use, and transfer of data, is carried out in the course of integrating the Service with external platforms and applications initiated by the User.
The transfer of personal data within such integrations is governed by:
  • this Personal Data Processing and Protection Policy;
  • the applicable legislation of the Russian Federation, including Federal Law No. 152-FZ dated July 27, 2006 "On Personal Data";
  • the documents and terms of third parties, including:
  • the Privacy Policy of LLC “Yandex” (https://yandex.ru/legal/confidential/);
  • as well as other documents and terms explicitly referenced within the Service (hereinafter referred to as the “Policy”).

Prior to using the Service, the User undertakes to carefully review this Policy as well as all applicable data processing terms of the aforementioned third parties. Continued use of the Service and activation of third-party integrations shall constitute the User’s acknowledgement of, and consent to, this Policy and the documents referenced herein, along with the data processing terms imposed by such third parties.

1.6. Upon registration with the Service, the User confirms that they:
- have read and accept the terms of this Personal Data Processing and Protection Policy;
- have read and accept the terms of the User Agreement, available at: https://fasti.me/agreement_policy_en;
- provide Consent to the processing of personal data in the form of a separate document available at: https://fasti.me/consent_to_personal_data_processing_en by performing an active action (checking the corresponding checkbox in the Service interface).

The aforementioned documents are accepted once by an active action (checking the corresponding checkbox in the Service interface) at the time of registration and remain in effect until the User withdraws their consent or deletes their account, unless otherwise required by law.

The Operator reserves the right to request additional consents in cases expressly provided for by the legislation of the Russian Federation or international regulations (for example, when including the User in advertising or informational mailings).
Such consents are provided separately, in a form compliant with applicable law, and accompanied by information regarding the purpose and legal basis of the processing.

In the event of significant changes to the Policy or Agreement terms, the User will be notified accordingly by email or through the Service interface.
2. Definitions Used in the Policy

2.1. Automated Processing of Personal Data — processing of personal data by means of computer technology;

2.2. Blocking of Personal Data — temporary suspension of personal data processing (except in cases where processing is necessary for the clarification of personal data);

2.3. Website — a collection of graphical and informational materials, as well as software and databases that provide their availability on the Internet at the web addresses https://fasti.me and https://app.fasti.me;

2.4. Personal Data Information System — a set of personal data contained in databases, and information technologies and technical means ensuring their processing;

2.5. Anonymization of Personal Data — actions as a result of which it is impossible to determine the affiliation of personal data to a specific User or other personal data subject without the use of additional information;

2.6. Processing of Personal Data — any action (operation) or set of actions (operations) performed with or without the use of automation tools with personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (distribution, provision, access), anonymization, blocking, deletion, destruction of personal data;

2.7. Operator — a state body, municipal body, legal entity, or individual that independently or jointly with others organizes and (or) carries out the processing of personal data, as well as determines the purposes of personal data processing, the composition of personal data subject to processing, and the actions (operations) performed with personal data;

2.8. Personal Data — any information relating directly or indirectly to an identified or identifiable User of the website https://fasti.me;

2.9. User — an individual who uses the Service (the websites https://fasti.me and https://app.fasti.me), including through registration, authorization, or other interactions with its functionality (for example, via widgets, integrations, or automated scenarios), as well as any site visitor whose IP address may be recorded.

2.10. Data Subject — an individual whose personal data is processed by the Operator within the framework of using the Service. Each User is considered a Data Subject under this Policy.

2.11. Client — a legal entity or individual who obtains access to the functionality of the Service according to the applicable tariff, including for the purpose of providing their own services to Users.
A Client may be an employer, organization, or individual entrepreneur who pays for access to the Service for their employees, representatives, or other authorized persons.
Clients also include specialists and organizations to whom a User may register through a widget of the Service embedded on their website or other interfaces provided by the Service.
Such Clients act as independent data controllers with respect to the personal data of Users they receive, while the Service may act as a controller, joint controller, or processor (depending on the interaction architecture and data processing settings).

2.12. Authorized Representative of the Client — an individual to whom a legal entity or individual entrepreneur (the Client) grants access to the functionality of the Service. Such individual may be an employee, representative, or other engaged person acting on behalf of the Client.
This individual becomes a User of the Service and is recognized as a Data Subject with respect to the personal data provided about them.
The Client bears sole responsibility for the legality and legitimacy of transferring the Authorized Representative’s personal data to the Operator, including ensuring the existence of a proper legal basis (e.g., consent of the data subject, employment or civil contract).
The transfer of data about the Authorized Representative may be carried out by the Client, including by providing the Operator with an email address necessary to activate access.

2.13. Processor (third party) — a person acting on behalf of the Operator or within the integration with the Service, who may be entrusted with the processing of certain categories of personal data (a detailed list of processors is provided in clause 6.2).

2.14. Provision of Personal Data — actions aimed at disclosing personal data to a specific person or a specific range of persons;

2.15. Distribution of Personal Data — any actions aimed at disclosing personal data to an unspecified range of persons (transfer of personal data) or at making personal data available to an unlimited number of persons, including publication of personal data in mass media, placement in information telecommunication networks, or providing access to personal data by any other means;

2.16. Cross-border Transfer of Personal Data — transfer of personal data to the territory of a foreign state to a foreign state authority, foreign individual, or foreign legal entity;

2.17. Integrations — functional modules that facilitate data exchange with external systems.

2.18. Widget — a software component of the Service embedded on Clients’ websites (e.g., specialists), through which an individual (User) can book an appointment or engage in other forms of interaction. When using the widget, the Operator (the Service) receives the User’s personal data and transfers it to the Client. In such interactions, the Operator and the Client act as joint controllers of the personal data, jointly determining the purposes and means of processing the User’s data within the scope of their respective responsibilities.

2.19. Destruction of Personal Data — any actions as a result of which personal data are irreversibly deleted with no possibility of further recovery of the content of personal data in the personal data information system and/or as a result of which the physical carriers of personal data are destroyed.
3. Processed Personal Data

3.1. The categories of data subjects whose personal data are processed by the Operator through the Service as an automation tool are hereby defined as follows:
  • Users:
  • individuals visiting the Website without authorization in the Service;
  • individuals authorized in the Service and using its functional capabilities.
  • Third parties:
  • individuals whose data have been uploaded to the Service by a User.

3.2. The Company processes the following categories of personal data:

3.2.1. Account data: surname, first name, patronymic, email address, phone number, links to personal accounts on social networks and messaging apps. Other personal information that the user adds or may add solely at their own discretion. Other data provided during registration or profile completion;

3.2.2. Data transmitted during use of the Service: IP address, device and browser data, information obtained via cookies when accessing the Service, geolocation data, information about actions performed in the interface, data about the Internet service provider;

3.2.3. Information obtained as a result of the User’s actions within the Service, in particular, information about the addition of any content;

3.2.4. Information obtained as a result of actions of other users within the Service;

3.2.5. Aggregated analytical information on the use of internet services;

3.3. The User is obliged to refrain from uploading information containing personal or sensitive data into automated support systems (including the Jivo chatbot by ООО «Живой сайт»). The chatbot is not intended for collecting any personal data and is not used for registration and/or authorization in the Service. Its purpose is primary support of the User regarding Service-related questions (answering inquiries). In case of voluntary provision of such data through the communication form, the User bears full responsibility for the legality and appropriateness of its disclosure.

3.4. The Company informs the User about the possibility of implementing an automatic transcription feature for any conversations (including oral consultations, sessions, and other forms of voice interactions made using the Service’s functionality), solely for providing the transcription of such conversations to the User themselves.
Transcription processing occurs strictly on the User’s initiative and only after obtaining separate, informed, and explicit consent expressed in electronic form.
The User undertakes to notify their interlocutor about the recording of the conversation for subsequent transcription purposes.
Transcriptions are not transferred to third parties, except in cases explicitly stipulated by Russian Federation or EU legislation, and are not used for automated analysis, quality control, or other internal tasks of the Operator.
Storage and protection of transcriptions are carried out in accordance with confidentiality and information security requirements.
The User has the right to request deletion of a transcription at any time.

3.5. Account and other data processed by the Company in the volume necessary and sufficient to be classified under the current legislation of the Russian Federation as personal data are processed by the Company as personal data under the terms of this Policy.

3.6. The User is also provided the opportunity to post any other information in the Service (if applicable), beyond that specified in clause 3.2 of this Policy, provided it does not contradict the requirements of the current legislation. The Company does not intend to process such information. By posting information, the User understands that it may be accessible to an indefinite number of internet users, taking into account the desired level of privacy settings.

3.7. If the Service’s functionality allows displaying information about the User in their Account, which is accessible for viewing by other Users of such Service or Internet users, the User agrees to the display of information about themselves in their Account. The User agrees that information, including Account and other data, as well as other information, may be accessible to other Users of the respective Service and/or other Internet users in accordance with the existing functionality of the Service (which may change from time to time by the Company).

3.8. The Company does not verify the Account data provided by the User and cannot judge its accuracy or whether the User has sufficient legal capacity to provide such Account data. The Company assumes that the User provides accurate and sufficient Account data and updates it timely. By registering in the respective Service or accessing it without registration, the User confirms that they have reached the minimum permissible age for using such Service in accordance with applicable law.

3.9. Processing of cookies
Information about the cookies used by the Service, their purpose, retention period, and the procedure for refusing cookies is contained in a separate document — the “Cookie Policy,” available at https://www.fasti.me/cookie_policy
The User can block the use of cookies by changing their internet browser settings. Refusal to use cookies may affect the user interface and some components of the Site or Service. Information on how to disable cookies or change cookie settings for browsers is available at the following links: Google Chrome, Internet Explorer, Safari, Firefox, Opera, Yandex Browser, Microsoft Edge.

3.10. Processing of User location information (geolocation).
The Company may obtain and process information about the User’s location (geolocation) as part of Other Data in compliance with the Purpose specified in clause 4.2 of this Policy, namely: to continuously improve the Service content, prevent and eliminate any errors that may arise when using the Service, personalize the information (including advertising) available to the User in the Service, provide relevant recommendations to the User, and conduct statistical research.
The Company may obtain and process location information of varying accuracy depending on the Service functionality, User-selected settings, sources of location data, as well as the necessity of processing location data to provide Service functionality to the User and improve the user experience.

At the same time, the Company forms its assumptions about the User’s location based on settings selected by the User in the browser or on the mobile device, based on the User’s IP address; device location data; and/or other information about the User’s use of the Service.

The User may restrict the transmission of their location information by changing the settings of their browser and/or mobile device.

3.11. For the purpose of sending advertising, marketing messages, or other materials not related to the provision of the core Service, the Company shall obtain separate, explicit, and informed consent from Users in accordance with Article 18 of the Federal Law No. 38-FZ dated March 13, 2006 "On Advertising." Such consent shall be given by an affirmative action, specifically by marking a checkbox within the Service interface. Upon obtaining such consent, the Company is entitled to send Users notifications and messages regarding new products, services, special offers, and other events, either individually or through mailing services. Users may withdraw their consent at any time by submitting a request via email to info@fasti.me or by using the unsubscribe link included in the received message.

3.12. Processing of Personal Data Provided by the User Concerning Third Parties:
In the event that a User submits personal data of third parties within the Service (for example, when adding participants to a group meeting, such as email address, name, position, phone number, etc.), the User represents and warrants that:
• they act on their own behalf, voluntarily, and at their sole discretion;
• they have a lawful basis for providing such data, including but not limited to obtaining the consent of the data subject or other legal grounds as prescribed by applicable law;
• they acknowledge and accept full responsibility for the accuracy and legality of the information provided, including ensuring that there are sufficient grounds for the transfer and processing of the third parties’ personal data by the Operator.

The Operator shall process such personal data solely for the following purposes:
• sending invitations to meetings;
• creating calendar events;
• granting access to the Service’s functionality within the scope of the respective invitation.

Emails sent to third parties shall contain:
• information regarding the purposes and legal grounds of the data processing;
• a link to the Personal Data Processing and Protection Policy;
• a mechanism to opt out of further notifications.

If a third party whose personal data has been provided believes that their data is being processed unlawfully, they have the right to contact the Operator by sending a notification to info@fasti.me.
The Operator will review such notification within 10 business days and take necessary measures to protect the rights of the personal data subject, including blocking or deleting the relevant data if a violation is confirmed.

3.13. Sources of Personal Data Collection
The Company collects personal data from the following sources:

(1) Directly from the data subject:
- during registration and completion of forms on the Website, within the User’s personal account, as well as when entering data through the widget interface placed on the Client’s website;
- upon conclusion and performance of contracts, provision of consents, participation in surveys, and completion of questionnaires;
- when contacting customer support (via email, telephone, online chat, or other communication channels).

(2) By automated means during the use of the Operator’s services:
- connection and session data (IP address, date and time of access);
- information from cookies and similar technologies (device identifiers, session tokens);
- metadata and technical characteristics of devices (browser type, screen resolution, operating system, etc.).

(3) From third-party sources in interaction with partners:
- from email services and marketing platforms (mailing lists, CRM systems) subject to the data subject’s prior consent;
- from social media platforms when authorizing through the respective service or integrating an account.

(4) From publicly available sources:
- in accordance with applicable laws and/or user agreements.

(5) From third parties and counterparties:
- on behalf and/or with the consent of the data subject — from legal entities and individuals (counterparties, joint project partners);
- on other lawful grounds provided by the current legislation of the Russian Federation (e.g., pursuant to court rulings, enforcement documents, government agency orders).
4. Grounds and Purposes of Processing

4.1. Personal data shall be processed on the following grounds:
  • The voluntary consent of the data subject (in accordance with Articles 6 and 10 of the Federal Law No. 152-FZ dated July 27, 2006, and Articles 6(1)(a) and 9(2)(a) of the GDPR), in cases expressly provided for by applicable law and the Service's governing documents;
  • The performance of the Agreement with the User regarding the use of the Fasti.me Service (including processing of data obtained within the framework of User interactions with the Service, including when booking through the Service widget installed on the Client's website, for the purpose of booking and transferring data to the Client to facilitate the provision of services);
  • The pursuit of the legitimate interests of the Operator (such as the protection of rights, security, stable operation of the Service, as well as its development and improvement);
  • Processing data as a processor (in accordance with the Client’s instructions), when processing is carried out to facilitate booking, account creation, and transfer of data to the Client for the organization and provision of the relevant services;
  • The legal basis for the processing of Cookie files is the consent to the use of Cookies, which the data subject provides when using the Website after being informed about the use of Cookies through the relevant banner (pop-up window) and a link to the Cookie Policy. In the event the User refuses the use of Cookies, access to certain functions of the Website and the Service may be restricted for the User.
  • Compliance with obligations explicitly stipulated by the legislation of the Russian Federation.

4.2. Purposes of Processing:

The processing of Users’ personal data is carried out for the following purposes:
  • Provision of access to the Service — registration and authorization of Users, creation and administration of User accounts, and provision of personalized Service features;
  • Ensuring the operation of the Service — processing data for recording and storing User information, booking appointments with Service Clients, and creating and displaying data in the User’s personal account;
  • Technical support and feedback — processing data to review User requests, provide consultations (including within support systems such as UseDesk/HelpDesk (LLC “Blizhe k delu”)), and handle claims and complaints;
  • User data visualization — processing of data for the purpose of generating reports and presenting activity data in a user-friendly format within the Service interface.
  • Service improvement and development of new features — processing data to enhance convenience and quality of the Service, optimize functionality, and create recommendations and suggestions for Users;
  • Information security and violation prevention — processing data to protect the Service, User data, and the Company from unauthorized access, information security threats, and to ensure stable operation of the Service;
  • Marketing and informational mailings — processing data to send Users advertising and marketing information only upon receipt of separate, explicit consent from Users in accordance with Article 18 of Federal Law No. 38-FZ “On Advertising”;
  • Quality control of service provision — processing data to verify the quality of the Service, review User requests, and monitor the performance of support staff;
  • Conducting internal audits, analytical, and other inspection activities — processing data to enhance quality, stability, security, protect the interests of Users and the Company, and develop the Service.

4.3. Method of Providing Consent:
- Clear, separate (distinct from other consents and documents), and unambiguous consent in the form of marking a checkbox on the Website or Service interface designated for indicating consent to the provision of personal data or performing an action that is specified on the Website or Service as a condition of agreement to personal data processing (such as receiving and entering an SMS code or other methods);
- Written consent of the personal data subject;
- Conclusion of a contract with the personal data subject.

4.4. Processing of personal data without the consent of the data subject shall be carried out in the following cases:
- where personal data is publicly available;
- upon request of authorized government authorities in cases prescribed by the legislation of the Russian Federation;
- where the processing of personal data is based on the legislation of the Russian Federation that establishes the purpose, conditions for obtaining personal data, the categories of data subjects whose personal data is subject to processing, as well as defining the powers of the Operator;
- where the processing of personal data is necessary for the conclusion and performance of a contract to which the data subject is a party or beneficiary;
- where the processing of personal data is carried out for statistical purposes, provided that the personal data is anonymized;
- in other cases provided for by the legislation of the Russian Federation and this Policy.
5. Collection of Information

Collection of User Account Data occurs upon the User’s registration in the Service by completing the registration form, as well as subsequently when the User edits previously provided information or supplements their Account Data on their own initiative (if applicable) using the tools of the Service.

Collection of Other Data is carried out by the Company independently during the User’s use of the Service. In some cases, the collection of Other User Data begins upon the User gaining access to the Service (for example, when loading an internet page or launching an application) prior to the User’s registration in the Service.
6. Transfer of Data to Processors and Third Parties

6.1. The Company ensures the processing of Users’ Personal Data in accordance with the principles established by the Federal Law No. 152-FZ “On Personal Data” dated July 27, 2006, and Regulation (EU) 2016/679 (GDPR). The transfer of data to third-party processors is conducted solely for the purposes explicitly stated in this Policy, adhering to the principles of legality, specificity, necessity, and data minimization.

6.2. Data Processors:
The Company may engage third-party processors to process Personal Data in order to implement the functionality of the Service, including but not limited to:
  • Organizing and storing data within server and cloud infrastructure: ООО “Registrar of Domain Names REG.RU” (TIN 7733568767, PSRN 1067746613494, Address: 125315, Moscow, Leningradsky Ave., 72, bldg. 3);
  • Sending notifications and email messages: ООО “UNISENDER SMART” (Unisender) (TIN 9731091240, PSRN 1227700213180, Address: 27015, Moscow, Municipal District Butyrsky, Bolshaya Novodmitrovskaya St., 23, office 2/46) — processing data to send notifications, informational emails, and transactional messages within the framework of the Fasti.me Service. Privacy Policy: https://www.unisender.com/ru/privacy-notice/;
  • Integration with external services for calendar synchronization and user authorization using the respective service’s ID:

— ООО “Yandex” (TIN 7736207543, PSRN 1027700229193, Address: 119021, Moscow, Lev Tolstoy Street, 16) — processing data for calendar integration and related services. Privacy Policy: https://yandex.ru/legal/privacy/;
— ООО “Blizhe k delu” (TIN 7706416451, PSRN 1157746054180, Address: 121205, Moscow, Skolkovo Innovation Center Territory, Nobel Street, 5, 2nd floor, room 1, workplace 3) — processing of data to provide technical support to Users of the Service. Privacy Policy: https://www.usedesk.ru/privacy;
— Partners for the purpose of protecting the Service against unauthorized access, safeguarding data, and security monitoring;
— Other technical and service-related processes necessary for the operation of the Service;
— In the event of assignment of rights or change in the ownership structure of the Service — to third parties in accordance with applicable legal requirements and the terms of the Agreement.

All mentioned processors act within the purposes defined by this Policy and in accordance with the terms of agency agreements or public offers (Terms of Service / Data Processing Agreements), which constitute an integral part of the terms for the provision of the respective services (defining the purposes, scope of data, data protection conditions, and security measures). The processors are not entitled to use the data for their own purposes and are obliged to comply with confidentiality and data protection requirements in accordance with Federal Law No. 152-FZ dated July 27, 2006. Each of the aforementioned processors ensures the processing of data in compliance with the requirements of Federal Law No. 152-FZ "On Personal Data" dated July 27, 2006.

6.3. Other Third Parties:

The Company may transfer Personal Data to third parties in the following cases:
- if such transfer is explicitly required by the legislation of the Russian Federation (for example, in response to requests from government authorities);
- if such transfer is made to third parties to whom the rights or obligations have been assigned, or in case of novation under the respective agreement, provided that such parties assume obligations to maintain confidentiality and ensure the protection of personal data equivalent to those binding the Company;
- if it is necessary for the execution of the Agreement or the functionality of the Service (for example, for displaying data in partner applications);
- if the User has given explicit, unambiguous, and active consent (via a separate checkbox) for the processing of data for advertising or marketing purposes, including the transfer of data to advertising partners for the creation of relevant advertising materials and offers;
- if third parties have lawful grounds to process Account and Other Data, for example, if the transfer of Account and Other Data to such parties is carried out with the User’s consent, including when such data is necessary to provide the relevant service to the User or to fulfill a certain agreement or contract concluded with the User. Such parties include partners and affiliated entities of the Company, whose data collection and processing are provided for under the terms of this Policy.

To provide a high-quality, multifunctional, and convenient Service, the Company develops, improves, and optimizes the current functionality and implements new features of the Service (informational, communicational, advertising, educational, entertainment, and other nature), including with the participation of partners and/or affiliates.

6.4. When transferring data to third parties and processors, the Company ensures:
- compliance of the data transfer with the purposes stated in this Policy;
- documented determination of the status of data recipients (whether processors or other third parties);
- definition of the scope of data to be transferred according to the principle of minimal necessary processing;
- implementation of technical and organizational data protection measures in accordance with the requirements of Law No. 152-FZ and GDPR.
7. Storage and Deletion of Personal Data

7.1. Data shall be stored within the territory of the Russian Federation on the Operator’s secure servers.

7.2. The User has the right to withdraw consent to the processing of personal and/or medical data at any time by sending a request to info@fasti.me. Withdrawal of consent shall result in termination of processing and deletion of the data, unless otherwise required by law.

7.3. Storage shall be carried out exclusively on electronic media, and processing shall be carried out using automated systems, except in cases where non-automated processing of Account and Other data is necessary to comply with applicable legal requirements.

7.4. User Account Data (including contact information, account details, and settings) shall be retained for the entire period of the User’s use of the Service and shall be deleted within no more than thirty (30) calendar days from:

• deletion of the User’s account; or
• withdrawal of consent to data processing.

7.5. Submission by the User of a request to delete their personal Account Data shall be deemed a refusal by the User to continue using the Service.

7.6. In the event of prolonged User inactivity, the User’s Account Data shall be retained for no longer than five (5) years from the date of last active use of the Fasti.me Service.

7.7. Technical and system logs may be retained for a period of up to five (5) years from the date of their creation, unless otherwise required by applicable law or internal security regulations.

7.8. Upon expiration of the retention period, data shall be deleted or anonymized, unless otherwise required by law.

7.9. The Operator shall ensure the security of personal data and shall take all possible measures to prevent unauthorized access to personal data.
8. Cessation of Data Processing

8.1. Upon achievement of the purposes of data processing, the Company shall cease processing Account and Other Data by one of the means provided for in the Federal Law “On Personal Data” and the GDPR.
9. Cross-Border Transfer of Personal Data

9.1. Cross-border transfer of personal data to foreign countries or to individuals and organizations located in foreign countries shall be carried out in strict compliance with the provisions of Article 12 of Federal Law No. 152-FZ.
10. Rights of the Personal Data Subject

10.1. The User shall have the right to:
• access their personal data;
• rectify, update, or delete their personal data;
• withdraw consent;
• restrict processing;
• data portability in a machine-readable format (within the limits established by the GDPR);
• lodge a complaint with Roskomnadzor or the applicable EU data protection supervisory authority.

10.2. receive free access to information about themselves by viewing their User Account within the Service;

10.3. utilize tools provided by the Service to set the desired level of privacy regarding information about themselves (access conditions), taking into account the functionality of the Service (if applicable);

10.4. make changes and corrections to information about themselves by editing data in their User Account, provided that such changes and corrections contain accurate and up-to-date information;

10.5. delete information about themselves by editing information in their User Account; however, deletion of certain information by the User from their User Account may result in the inability to provide the User with access to the Service;

10.6. require the Company to clarify, block, or destroy information about the User if such information is incomplete, outdated, inaccurate, unlawfully obtained, or unnecessary for the stated purpose of processing and if the Service functionality does not allow the User to delete such information independently;

10.7. receive information from the Company regarding the processing of their personal data upon request;

10.8. object to the processing of personal data by submitting a corresponding request to the Company in the manner provided in Section 7 of this Policy.

10.9. For Users from European Union countries, the provisions of the GDPR shall apply with respect to the exercise of such rights to the extent expressly provided by said Regulation.
11. Security Measures

11.1. To ensure the security of personal data during its processing, the Company implements a set of adequate technical, organizational, and legal measures corresponding to the established level of personal data protection. These security measures are implemented in accordance with the requirements of:
- Federal Law No. 152-FZ dated July 27, 2006 "On Personal Data";
- Resolution of the Government of the Russian Federation No. 1119 dated November 1, 2012 "On Approval of the Requirements for the Protection of Personal Data during Their Processing in Personal Data Information Systems";
- Order of the Federal Service for Technical and Export Control of Russia (FSTEC) No. 21 dated February 18, 2013 "On Approval of the Composition and Content of Organizational and Technical Measures to Ensure the Security of Personal Data during Their Processing in Personal Data Information Systems";
- and other regulatory legal acts of the Russian Federation in the field of information security and personal data protection.

11.2. The Company shall adopt technical and organizational-legal measures to ensure the protection of User information against unauthorized or accidental access, destruction, alteration, blocking, copying, dissemination, as well as other unlawful acts.

11.3. Technical security measures are implemented by the Company in accordance with applicable legal requirements, current technological standards, the nature of the processed information, and associated processing risks.

11.4. Information is predominantly processed automatically without access by Company employees and/or contractors. Where such access is granted to employees or contractors, it shall be limited to the extent necessary for the performance of their official duties or contractual obligations with the Company. Such persons shall bear an obligation to comply with security requirements in accessing the Information. To protect and ensure data confidentiality, all employees and contractors comply with internal rules and procedures related to information processing. Moreover, these persons adhere to all technical and organizational security measures prescribed by applicable laws and required for the protection of User information.

11.5. The Company ensures the regular review and updating of the specified security measures in accordance with changes in the nature of threats, technological advancements, and the requirements of the applicable legislation of the Russian Federation.

11.6. Within the Service, a person responsible for the processing of personal data (in accordance with Federal Law No. 152-FZ) is appointed, who also performs the functions of a Data Protection Officer (DPO) as defined under the GDPR. Contact email for correspondence: dpo@fasti.me

11.7. Actions in the Event of a Data Breach:
In the event of an incident involving a data security breach (including unauthorized access, loss, or leakage of data), the Company undertakes to:

• Immediately conduct an internal investigation to determine the nature, scope, and consequences of the incident;
• Notify the competent authority (including Roskomnadzor and/or other competent EU authorities in the case of a breach involving data of Users from the EU) within the timeframe established by applicable law;
• Where necessary, inform affected Users, including describing the measures taken to protect the data and prevent similar incidents in the future;
• Take all reasonable technical and organizational measures to protect the data and restore security, including modifying security settings, updating software, and auditing internal data protection processes.
12. Specifics of Personal Data Processing When Using the Fasti Widget

12.1. In the event that the User interacts with the Service via a widget placed on a third-party website (for example, a specialist's or a company’s website using the Fasti platform, hereinafter referred to as the Client), the processing of personal data shall be carried out taking into account the following:

A User submitting a request (booking) through the widget on the Client’s website of the Service:

• at the time of interaction with the widget, does not undergo authorization in the Fasti personal account;
• may either have a previously registered account or not, but when interacting with the Service via the widget for booking purposes is treated as an external user (without authorization);
• independently controls their personal data by providing such data in the widget for the purpose of booking, i.e., when booking through the Fasti.me widget installed on the Client’s website, the User voluntarily submits their personal data to book an appointment with the selected specialist (Client) who placed the widget on their website;
• By checking the checkbox in the widget, the User confirms that they are aware of the terms of data transfer to the Client and LLC “GLS-Consulting” for the purpose of booking implementation, and further confirms consent to the processing of personal data established separately for widget users and agrees to the terms of this Personal Data Processing and Protection Policy (links to the relevant documents are provided in the widget interface).

12.2. In this case, LLC "GLS-CONSULTING" (the owner of the Service):
• receives the information entered by the User directly through the widget, processes personal data within its scope of responsibility and purposes, including the organization of the technical capability for recording, storage, and transmission of data to the Client;
• acts as a data processor on behalf of the User, transmitting the information provided by the User to the Client for the purpose of organizing the booking and storing data within the Fasti.me system;
• processes the data solely for the purpose of displaying booking information to the Client through the Service interface;
• does not use the data of widget Users for marketing or advertising purposes;
• does not combine such data with other user databases of the Service.

12.3. Within the architecture of the widget hosted on the Client’s website (whether an organization or specialist), the Service ensures the technical capability to transmit the data provided by the User to the corresponding Client.
The Client acts as an independent personal data controller solely to the extent that it obtains access to the data for the provision of its services, based on the User’s voluntarily given Consent.
The purposes, scope, and other conditions of personal data processing are determined by the Consent provided by the User through the widget interface.

The Service, as the developer and owner of the widget, defines the categories of data collected, the data collection architecture, and performs the initial processing thereof.
Accordingly, the Client and the Service act as joint controllers (joint data controllers) of personal data, each within their respective tasks and legal grounds, as reflected in the relevant Privacy Policies and agreements with the User.

12.4. Within the framework of joint processing of personal data conducted by the Client and the Service:
- The Client independently determines the purposes of processing data collected through the widget and bears responsibility for the lawful use of such data;
- The Service provides the technical implementation for the collection, initial processing, and storage of personal data, and is responsible for ensuring compliance with the security requirements established by law;
- Both parties undertake to act in good faith, ensure the protection of the rights of personal data subjects, and, in the event of receiving claims, cooperate to resolve them.
Each party bears responsibility within its scope of control and in accordance with applicable law.

12.5. A User registering through the widget expresses consent to the processing of personal data within the widget interface by performing an active action — checking a checkbox, which is equated to signing the consent with a simple electronic signature in accordance with the legislation of the Russian Federation. The User has the right to withdraw their consent by submitting a corresponding request to: info@fasti.me.

12.6. This model does not apply in cases where the User registers directly with the Service; in such cases, the general provisions of the Privacy Policy and User Agreement apply, including terms relating to subscription, authorization, analytics, integrations, and data visualization.
13. Use of Artificial Intelligence (AI) Technologies

13.1. The Fasti.me Service may utilize artificial intelligence algorithms to enhance user convenience, analyze data, generate personalized recommendations, and optimize the operation of certain functionalities of the Service.

13.2. AI tools within the Fasti.me Service may be employed for the following auxiliary purposes:

• analyzing user data for the purpose of generating recommendations and analytical reports;
• optimizing scheduling, notifications, and meeting organization;
• automated verification of data accuracy, protection against errors, and unauthorized access.

13.3. The processing of data using AI technologies does not result in fully automated decisions that produce legally binding effects for Users within the meaning of Article 22 of the GDPR or other applicable laws. All recommendations provided by the Service are solely informational or advisory in nature and do not constitute legal or other binding directives. The Service shall not be held responsible for any decisions made by the User based on AI-generated recommendations.

13.4. AI tools used in the Fasti.me Service are implemented in compliance with personal data protection principles established by Federal Law No. 152-FZ dated July 27, 2006, Regulation (EU) 2016/679 (GDPR), other applicable laws, and information security requirements.
14. Limitation of the Company’s Liability

14.1. The Company shall not be liable for the disclosure and dissemination of information about the User by other Users of the Service or other Internet users in cases where such persons obtained access to the said information in accordance with the privacy settings selected by the User within the Service, or in cases of the User’s failure to maintain the confidentiality of their login and/or password or other data necessary for authorization.
15. User Inquiries

15.1. Information regarding data processed by the Company, including the User’s personal data, in connection with the User’s use of the Service, shall be provided to the User or their authorized representative upon request within 30 days from the date the Operator receives such request.

15.2. Requests shall be submitted in writing to the Company’s registered address, by email to info@fasti.me, or in any other form prescribed by the applicable legislation of the Russian Federation.
16. Final Provisions

16.1. This Policy may be modified by the Company at any time by posting a new version of the Policy on the Website without providing individual notifications to Users. Changes to the Policy made by the Company shall enter into force on the day following the day of posting of the new version on the Website. The User undertakes to verify this Policy independently for any updates. The User's failure to act to familiarize themselves with the Policy shall not serve as grounds for the User's non-performance of their obligations or non-compliance with the restrictions set forth in this Agreement.

16.2. The User has the right to refuse acceptance of changes and additions to this Policy, which shall mean the User's refusal to use the Service and all rights previously granted to the User.

16.3. For users from the European Union:
You have the right to file a complaint with the competent data protection supervisory authority in the EU member state where you reside, work, or where you believe your data protection rights have been violated. Additionally, you may contact the competent data protection authority in another EU country.
The list of EU supervisory authorities is available at: https://edpb.europa.eu/about-edpb/board/members_en.

16.4. Matters not regulated by this Policy shall be considered in accordance with the legislation of the Russian Federation. When processing user data within the framework of specific integrations or in the interests of particular partners subject to the jurisdiction of the European Union, the Service ensures compliance with GDPR requirements to the extent explicitly provided for by applicable regulations.

Date of the last update of this Policy: June 26, 2025.
This Policy is approved by the Order of the General Director of LLC “GLS-Consulting” No. 2PK dated June 26, 2025.
SERVICE
LLC “GLS-Consulting”
OGRN 1127747153192
INN 7717738764
127572, Moscow, Uglichskaya St., 12-1-209
info@fasti.me
LEGAL INFORMATION
© Fasti.me 2025