PERSONAL DATA PROCESSING AND PROTECTION POLICY
OF THE ONLINE STORE «STEELARTKYIV.COM»

Section 1. General Provisions and Definitions

1.1. This Personal Data Processing and Protection Policy (hereinafter — the “Policy”)
governs the collection, storage, processing, and protection of personal data of users of
the SteelArtKyiv online store (hereinafter — the “Store”), located at: steelartkyiv.com (hereinafter — the “Website”).

1.2. The Policy has been developed in accordance with:

  • the Law of Ukraine “On Personal Data Protection” No. 2297-VI of 01 June 2010, as amended;
  • Draft Law No. 8153 “On Personal Data Protection,” adopted by the Verkhovna Rada of Ukraine as a basis on 20 November 2024, having regard to the principles of the EU GDPR;
  • the General Data Protection Regulation of the EU (GDPR, Regulation (EU) 2016/679) — in the part concerning interaction with customers from EU Member States;
  • the Civil Code of Ukraine, the Commercial Code of Ukraine, and the Law of Ukraine “On Electronic Commerce.”

1.3. Definitions:
Personal Data — information or a set of information about a natural person who is
identified or can be specifically identified.
Personal Data Database — a named collection of ordered personal data in electronic
form and/or in the form of personal data filing systems.
Data Controller / Personal Data Database Owner — a natural or legal person who
determines the purpose and means of personal data processing. For the purposes of
this Policy — SteelArtKyiv (hereinafter — the Store, the Seller).
Processor / Personal Data Database Administrator — a natural or legal person
authorised by the Seller or by law to process personal data on behalf of the Seller.
Data Subject — a natural person whose personal data are being processed (buyer, Website visitor, subscriber).
Processing of Personal Data — any action or set of actions: collection, recording,
accumulation, storage, adaptation, alteration, updating, use, dissemination, anonymisation, or destruction of personal data.
Consent of the Data Subject — a freely given, specific, informed, and unambiguous
expression of will by a natural person granting permission for the processing of their
personal data in accordance with the stated purpose thereof.
Cookie — small text files stored on a user’s device by the browser when visiting the Website.
Special Categories of Data — personal data revealing racial or ethnic origin, political,
religious, or philosophical beliefs, membership of parties or trade unions, as well as
data concerning health or sexual life, biometric and genetic data.
Data Breach — unauthorised access to, destruction, loss, alteration, disclosure, or
transfer of personal data to third parties.
Right to Erasure — the right of a data subject to request the complete deletion of their
personal data in the absence of lawful grounds for their further retention.
1.4. This Policy is public and available on the Website. Prior to placing an order,
registering an account, or subscribing to a mailing list, the data subject confirms their
acknowledgement of this Policy through an active expression of will (by ticking the relevant checkbox).

Section 2. List of Personal Data Databases
2.1. The Store acts as Controller (Owner) of the following personal data databases:

  • Customer and Buyer Database — data of persons who have placed an
    order or registered on the Website;
  • Subscriber Database — data of persons who have subscribed to
    marketing newsletters or notifications;
  • Counterparty Database — data of partners, suppliers, and contract performers.

2.2. Categories of personal data that may be collected and processed:

2.3. The collection of special categories of data (racial or ethnic origin, state of health,
religious beliefs, etc.) is not performed and is strictly prohibited.


Section 3. Purposes and Legal Bases for Processing
3.1. Personal data are processed exclusively on lawful grounds and for defined
purposes:

Purpose of Processing                                        | Legal Basis
Order placement and fulfilment (delivery, payment)           | Performance of a contract (Art. 11 of the Law of Ukraine “On Personal Data Protection”)
Customer service, feedback, and support                      | Performance of a contract / Legitimate interest
Accounting and tax record-keeping                            | Compliance with statutory obligations (Tax Code of Ukraine; Law of Ukraine “On Accounting and Financial Reporting”)
Marketing newsletters, promotions, personalised offers       | Explicit and freely given consent of the data subject
Website behaviour analysis, UX improvement, cookie analytics | Consent (cookie banner) / Legitimate interest
Fraud prevention and Website security                        | Legitimate interest of the Seller

3.2. Data collected for one purpose may not be used for another purpose without obtaining a separate consent from the data subject.


Section 4. Consent Procedure

4.1. The consent of a data subject must be freely given, specific, informed, and
unambiguous. The following do not constitute consent:

  • pre-ticked checkboxes in forms;
  • automatically pre-filled fields;
  • inaction or silence on the part of the user;
  • any actions that do not involve an active expression of will.

4.2. Forms of consent on the Website:

  • an unticked checkbox reading “I consent to the processing of my personal
    data in accordance with the Personal Data Protection Policy” when placing an order or
    registering;
  • a separate checkbox for marketing newsletters (independent of consent
    for order fulfilment purposes);
  • a cookie banner allowing the user to select cookie categories (essential,
    analytical, marketing).

4.3. The data subject has the right to withdraw consent at any time in a manner no less
convenient than the one by which it was given: via the “Unsubscribe” button in each
email, via account settings on the Website, or by contacting the Seller at the email
address provided.
4.4. Withdrawal of consent to marketing communications does not affect the
processing of data necessary for the fulfilment of an order already placed.
4.5. The Seller retains evidence of consent (date, time, method, version of the Policy
under which consent was given) throughout the entire period of data processing and for
a further 3 years after deletion.

Section 5. Personal Data Retention Periods

5.1. Personal data are not retained longer than necessary to achieve the purpose of
their processing:

Data Category                       | Retention Period
Order and transaction data          | 5 years (requirements of the Tax Code of Ukraine and accounting legislation)
Account data (where applicable)     | Until account deletion by the user + 1 year
Marketing subscription data         | Until withdrawal of consent + 1 month
Technical logs, IP addresses        | Up to 12 months
Cookie data (analytical, marketing) | As specified in the Cookie Policy
Customer support correspondence     | 3 years from the date of the last communication

5.2. Upon expiry of the retention period, data are anonymised or destroyed in a manner
that precludes their recovery.


Section 6. Location and Security of Personal Data Databases
6.1. Personal data databases are stored on secure servers, access to which is restricted
and granted exclusively to authorised personnel of the Seller.

6.2. The Seller applies the following technical and organisational security measures:

  • connection encryption (HTTPS/TLS protocol for the entire Website);
  • encryption of sensitive data in databases;
  • restriction of access to personal data on a least-privilege basis (only
    those employees who require access for their work);
  • two-factor authentication for administrative panels;
  • regular software updates and vulnerability patching;
  • data backup;
  • logging of actions by persons with access to personal data.

6.3. In the event of a personal data breach, the Seller undertakes to:

  • notify the competent supervisory authority within 72 hours (where the breach poses a risk to the rights of data subjects);
  • notify the data subjects themselves without undue delay where the breach is likely to result in a high risk to their rights and freedoms (particularly where passwords, financial data, or addresses have been compromised);
  • take immediate measures to contain the breach and minimise harm.

Section 7. Transfers of Data to Third Parties
7.1. The Seller may transfer personal data only in the following cases:

  • with the explicit consent of the data subject;
  • for the fulfilment of an order (to delivery services, payment systems);
  • pursuant to a legal obligation (to public authorities upon a lawful
    request).

7.2. Categories of third parties to whom data may be transferred for order fulfilment
purposes:

Category                                                           | Purpose of Transfer
Delivery services (Nova Poshta, Ukrposhta, international couriers) | Order delivery
Payment systems (LiqPay)                                           | Payment processing
Email newsletter services                                          | Sending order confirmations and newsletters (with consent only)
Analytics services (Google Analytics)                              | Website traffic analysis
E-commerce platform / hosting provider                             | Technical operation of the Website

7.3. With each processor/administrator to whom personal data are transferred, the
Seller concludes a Data Processing Agreement (DPA) that obligates them to comply with applicable personal data protection legislation.
7.4. The Seller does not sell, lease, or otherwise transfer personal data to advertising
companies, data brokers, or other third parties for commercial purposes without the explicit consent of the data subject.
7.5. In the event of cross-border data transfers outside Ukraine (e.g., to servers in the EU
or the USA), the Seller ensures an adequate level of protection by using GDPR-compliant services or by entering into Standard Contractual Clauses (SCCs).
7.6. Access to personal data shall not be granted to a third party that refuses to or is
unable to assume obligations to comply with data protection legislation.


Section 8. Cookie Policy
8.1. The Website uses cookies for functionality, analytics, and marketing purposes.
Cookie categories:

Type       | Description                                                            | Consent Required
Essential  | Ensure Website functionality (shopping cart, authentication, security) | Not required
Analytical | Collect visitor statistics (Google Analytics)                          | Required
Marketing  | Retargeting, advertising pixels (Facebook Pixel, etc.)                 | Required

8.2. Upon the first visit to the Website, the user is shown a cookie banner allowing them
to select cookie categories. Continued browsing of the Website does not constitute
consent to the use of non-essential cookies.
8.3. The user may change cookie settings at any time via the relevant section of the
Website or via browser settings.

Section 9. Rights of the Data Subject
9.1. The data subject has the following rights:

  • Right to Information — to know what data are held about them, for what
    purpose, and to whom they are transferred;
  • Right of Access — to receive a copy of their personal data free of charge;
  • Right to Rectification — to request correction of inaccurate or incomplete
    data;
  • Right to Erasure (“Right to be Forgotten”) — to request deletion of their
    data where there are no lawful grounds for their further retention;
  • Right to Restriction of Processing — to request temporary suspension of
    processing in disputed cases;
  • Right to Data Portability — to receive their data in a structured, machine-readable format (JSON, CSV, etc.);
  • Right to Object — to object to the processing of data on the basis of
    legitimate interest or for marketing purposes;
  • Right to Withdraw Consent — at any time, without adverse consequences
    for the data subject;
  • Right to Lodge a Complaint — to contact the Ukrainian Parliament
    Commissioner for Human Rights (Ombudsman) or a court in the event of a violation of
    their rights.

9.2. To exercise any of the rights listed above, the data subject submits a request to:
steelartkyiv@ukr.net.

Section 10. Request Handling Procedure
10.1. A request from a data subject to exercise their rights must contain:

  • full name;
  • contact email or other identifying information;
  • a clear statement of the nature of the request (the right being exercised).

10.2. The Seller acknowledges receipt of a request within 5 business days.
10.3. Requests are fulfilled within 30 calendar days of receipt. In exceptional cases, the
deadline may be extended to 45 calendar days, with mandatory notification of the data
subject explaining the reason for the delay.
10.4. Access to personal data and provision of a copy thereof are provided free of
charge.
10.5. In the event of a refusal to satisfy a request, the Seller is obliged to state the legal
basis for the refusal and to explain the procedure for appealing such a decision.

Section 11. Processing of Data of EU Customers
11.1. Scope of Application
This section applies to the processing of personal data of natural persons located in the
territory of European Union Member States or the European Economic Area (hereinafter
— “EU/EEA customers”), in connection with the purchase of goods from the Store or the visiting of the Website.
11.2. Legal Basis
The Store acknowledges that, pursuant to Article 3(2) of the General Data Protection
Regulation (GDPR, Regulation (EU) 2016/679), its activities fall within the scope of the
GDPR with respect to the processing of personal data of EU/EEA customers, given that the Store offers goods to persons located in the EU. Such data are processed exclusively in compliance with the requirements of the GDPR.

11.3. Legal Bases for Processing:

Basis                     | GDPR Article | Application
Performance of a contract | Art. 6(1)(b) | Order processing, delivery, payment
Legal obligation          | Art. 6(1)(c) | Accounting and tax record-keeping
Legitimate interests      | Art. 6(1)(f) | Fraud prevention, Website security
Explicit consent          | Art. 6(1)(a) | Marketing newsletters, cookies

11.4. Rights of EU/EEA Customers
EU/EEA customers have the following rights under the GDPR:

  • Right of access (Art. 15) — to obtain confirmation of processing and a
    copy of their data;
  • Right to rectification (Art. 16) — to request correction of inaccurate data;
  • Right to erasure (Art. 17) — to request deletion (“right to be forgotten”);
  • Right to restriction of processing (Art. 18) — to suspend processing in
    disputed cases;
  • Right to data portability (Art. 20) — to receive data in a machine-readable
    format (JSON, CSV);
  • Right to object (Art. 21) — to object to processing based on legitimate
    interests or for direct marketing purposes;
  • Right not to be subject to automated decision-making (Art. 22) — not to
    be subject to a decision based solely on automated processing that produces legal
    effects concerning them.

Requests for the exercise of rights should be submitted to: steelartkyiv@ukr.net. A
response will be provided within 30 calendar days; in exceptional cases, within 60 days,
with notice of the extension.

11.5. Transfers of Data Outside the EU
Any transfer of personal data of EU/EEA customers outside the European Economic
Area is carried out only where one of the following safeguards is in place:

  • an adequacy decision by the European Commission with respect to the
    recipient country (Adequacy Decision);
  • execution of Standard Contractual Clauses (SCCs), as approved by
    European Commission Decision 2021/914;
  • other mechanisms provided for under Chapter V of the GDPR.

11.6. Response to Data Breaches
In the event of a personal data breach affecting EU/EEA customers, the Store undertakes to:

  • notify the competent EU supervisory authority for data protection within
    72 hours of becoming aware of the breach (pursuant to Art. 33 GDPR);
  • notify the data subjects themselves without undue delay where the
    breach is likely to result in a high risk to their rights and freedoms (Art. 34 GDPR);
  • record all breaches in an internal incident register (Art. 33(5) GDPR).

11.7. Supervisory Authorities
EU/EEA customers have the right to lodge a complaint with the data protection
supervisory authority in their country of habitual residence or establishment. In
particular:

  • Spain: AEPD — Agencia Española de Protección de Datos (aepd.es);
  • Poland: UODO — Urząd Ochrony Danych Osobowych (uodo.gov.pl);
  • Germany: the competent Land authority (BfDI at the federal level);
  • Full list of authorities: edpb.europa.eu.

11.8. EU Representative (Art. 27 GDPR)
Where the volume of processing of personal data of EU customers exceeds an
occasional or non-systematic character, the Store undertakes to appoint an EU
representative in accordance with Art. 27 GDPR within the applicable timeframe, or to
engage a specialised company as an authorised representative. The contact details of the representative will be published on the Website upon appointment.

Section 12. Responsible Person
12.1. The person responsible for the processing and protection of personal data in the
Store is: FOP (Sole Trader) Tatosian Naira, steelartkyiv@ukr.net.

12.2. Duties of the responsible person:

  • compliance with and supervision of the implementation of this Policy;
  • organisation and conduct of internal audits;
  • handling requests from data subjects;
  • reporting of identified violations;
  • ensuring the retention of evidence of consent granted by data subjects.

Section 13. Privacy by Design and Privacy by Default
13.1. The Store adheres to the principle of “Privacy by Design” in the development and
improvement of the Website: data protection measures are integrated into technical
solutions from the moment of their design.
13.2. By default, the Website is configured for minimal data collection (“Privacy by
Default”): only those data that are objectively necessary for the performance of a
specific purpose are processed. Enhanced tracking features or transfers of data to third
parties are not activated automatically.

Section 14. Liability and Amendments to the Policy
14.1. Persons with access to personal data who violate the requirements of applicable
legislation shall bear liability in accordance with the laws of Ukraine, including
administrative and criminal liability.
14.2. The Seller reserves the right to amend this Policy. The current version is always
available on the Website. In the event of material changes, the Seller shall notify
registered users or subscribers by email no fewer than 14 days prior to the changes
taking effect.
14.3. Continued use of the Website after the changes take effect shall constitute
acceptance of the updated Policy.
Date of entry into force of this Policy: «» ___ 2026
Version: 1.0
Contact address for personal data protection matters: steelartkyiv@ukr.net
Translator’s Notes:

  • “ФОП” (ФОП Татосян Наіра) — Фізична особа-підприємець, translated
    as “FOP (Sole Trader / Individual Entrepreneur),” the Ukrainian legal form equivalent to a
    sole proprietorship.
  • “ПКУ” — Податковий кодекс України, rendered as “Tax Code of
    Ukraine.”
  • “Закон «Про бухоблік»” — rendered in full as “Law of Ukraine ‘On
    Accounting and Financial Reporting’” (Law No. 996-XIV of 16 July 1999).
  • All GDPR article references (Art. 6(1)(a–f), Arts. 15–22, 27, 33, 34) are
    preserved verbatim from the original in accordance with their official English
    designation in Regulation (EU) 2016/679.
  • “Standard Contractual Clauses (SCCs)” — referenced per Commission
    Implementing Decision (EU) 2021/914 of 4 June 2021.