Privacy Policy

1. General provisions

1.1. This Privacy Policy (the "Policy") sets out how the Limited Liability Company "MAOMBI RU" (the "Operator", "we", "us") processes personal data when you use the website https://maombi.com (the "Site"), as well as the measures we take to ensure the security of personal data and the protection of data subjects' rights.

1.2. The Policy is developed in accordance with:

  • the Constitution of the Russian Federation;
  • the Civil Code of the Russian Federation;
  • Federal Law of the Russian Federation No. 152-FZ of 27 July 2006 "On Personal Data" (as amended on 24 June 2025) (the "Russian Personal Data Law");
  • Federal Law of the Russian Federation No. 149-FZ of 27 July 2006 "On Information, Information Technologies and Information Protection";
  • Decree of the Government of the Russian Federation No. 1119 of 1 November 2012;
  • Order of FSTEC of Russia No. 21 of 18 February 2013;
  • Recommendations of the Russian regulator Roskomnadzor of 31 July 2017;
  • where applicable to users located in the European Union, the European Economic Area or the United Kingdom — Regulation (EU) 2016/679 (the "GDPR") and the UK GDPR;
  • where applicable to residents of the State of California — the California Consumer Privacy Act of 2018 (the "CCPA") as amended by the California Privacy Rights Act ("CPRA");
  • other applicable laws and regulations of the Russian Federation in the area of personal data.

1.3. The current version of the Policy is permanently available on the Site free of charge.

1.4. The Policy applies to all processing of personal data carried out by the Operator in connection with the Site, whether automated or non-automated.

2. Defined terms

Personal data — any information relating, directly or indirectly, to an identified or identifiable natural person ("data subject").

Processing — any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Operator / Controller — the legal entity that determines the purposes and means of processing of personal data. For the purposes of this Policy, the Operator and the GDPR "Data Controller" are LLC "MAOMBI RU".

Processor — a natural or legal person which processes personal data on behalf of the Controller (for example, the hosting provider).

Cookies — small text files stored on the user's device that may contain identifiers allowing tracking of sessions and preferences.

User — any natural person who visits the Site and/or performs actions on it (browsing, registration, downloading installation files, posting reviews and other activity).

Registered User — a User who has created an account on the Site and uses it to access functionality requiring authentication.

Cross-border transfer — the transfer of personal data to the territory of a foreign country or to a foreign authority, individual or legal entity.

3. About the Operator

  • Full name: Limited Liability Company "MAOMBI RU"
  • Short name: LLC "MAOMBI RU"
  • Tax identification number (INN): 7703428642
  • Registered address: Russia, Moscow
  • Contact email: support@maombi.com

The Operator does not have a Data Protection Officer ("DPO") appointed under GDPR Art. 37, as the Operator does not consider itself to fall under the mandatory designation criteria. For all matters relating to processing of personal data — including requests, complaints and the exercise of your rights — please contact us at support@maombi.com.

The Operator does not maintain an EU representative under GDPR Art. 27 unless and until expressly required.

4. Principles of processing

The Operator processes personal data in accordance with the following principles, equally reflected in Article 5 of the Russian Personal Data Law and Article 5 of the GDPR:

4.1. Lawfulness, fairness and transparency.

4.2. Purpose limitation — processing is limited to specified, explicit and legitimate purposes.

4.3. Data minimisation — only data adequate, relevant and limited to what is necessary for the purposes is processed.

4.4. Accuracy — reasonable steps are taken to keep data accurate and up to date.

4.5. Storage limitation — data is kept in a form which permits identification of data subjects no longer than necessary.

4.6. Integrity and confidentiality — appropriate security of processing.

4.7. Accountability — the Operator is responsible for and able to demonstrate compliance.

4.8. Localisation in the Russian Federation. In accordance with Article 18(5) of the Russian Personal Data Law, the recording, systematisation, accumulation, storage, clarification and retrieval of personal data of citizens of the Russian Federation are carried out by the Operator using databases located in the Russian Federation.

5. Purposes of processing

The Operator processes personal data of Users for the following purposes:

5.1. Operating the Site, ensuring its technical functionality, security and availability.

5.2. Providing User information about software available on the Site and enabling its download.

5.3. Registration and identification of Users on the Site; granting access to features that require authentication.

5.4. Enabling Registered Users to post reviews of software.

5.5. Protecting accounts from unauthorised access, preventing abuse, and moderating user-generated content.

5.6. Handling User enquiries, providing technical support and feedback.

5.7. Conducting web analytics of Site traffic, analysing User behaviour to improve the Site and the User experience.

5.8. Complying with the Operator's obligations under applicable law.

Processing for any other purpose not listed above is not carried out.

For Users covered by the GDPR, the Operator relies on the following legal bases, depending on the type of processing:

Purpose Legal basis
Site operation, security, fraud prevention Legitimate interests (GDPR Art. 6(1)(f))
User account registration, authentication, service provision Performance of a contract (GDPR Art. 6(1)(b)) — the Terms of Use
Publication of reviews by Registered Users Performance of a contract (GDPR Art. 6(1)(b))
Web analytics via cookies (Yandex.Metrica) Consent (GDPR Art. 6(1)(a)) — obtained through the cookie banner
Web analytics via cookies (Google Analytics, Google Tag Manager) Consent (GDPR Art. 6(1)(a)) — obtained through the cookie banner
Cross-border transfer to Google LLC (USA) Consent (GDPR Art. 6(1)(a)) — obtained through the cookie banner
Compliance with legal obligations Legal obligation (GDPR Art. 6(1)(c))

Under the Russian Personal Data Law, the corresponding legal bases are set out in Article 6 (consent, contract performance, legal obligation, legitimate interests).

7. Categories of data subjects

The Operator processes personal data of the following categories of data subjects:

  • Site visitors — natural persons who visit the Site without registration;
  • Registered Users — natural persons who have created accounts on the Site;
  • Enquirers — natural persons who have submitted enquiries to the Operator via feedback forms, email or otherwise.

8. Categories of personal data processed

8.1. For Site visitors, the Operator processes:

  • IP address;
  • cookie identifiers and device identifiers;
  • browser and operating system information;
  • technical data on Site visits, including pages viewed, source of referral, and time of visit;
  • data on User actions on the Site collected by web analytics systems.

8.2. For Registered Users, the Operator additionally processes:

  • name or pseudonym (login) provided at registration;
  • email address;
  • account password (stored only in encrypted form);
  • date, time and other technical information about actions in the account (registration, authentication, content publication and other activity);
  • content of reviews and other materials posted by the User.

8.3. For Enquirers, the Operator processes:

  • name (where provided);
  • email address or other contact method provided by the User;
  • the content of the enquiry.

8.4. Special categories of personal data (relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for unique identification, health data, sex life or sexual orientation, criminal convictions) are not processed.

8.5. Biometric data within the meaning of GDPR Art. 9(1) or Article 11 of the Russian Personal Data Law is not processed.

8.6. Personal data of children under 16 (or such other age as set by an applicable Member State law) is not knowingly processed. The Site is not intended for minors. If you believe a minor has provided us with personal data, please contact support@maombi.com and we will take steps to delete it.

9. Processing of personal data: procedure and conditions

9.1. Methods of processing

Personal data is processed by automated means with transmission over the Internet, by non-automated means where necessary, or by a mixed method.

The Operator does not engage in solely automated decision-making, including profiling, that produces legal effects concerning data subjects or similarly significantly affects them (GDPR Art. 22).

9.2. Actions performed on personal data

Collection, recording, systematisation, accumulation, storage, clarification (updating, modification), retrieval, use, transmission (provision, access), blocking, deletion, destruction.

The Operator does not disseminate personal data of Users (disclose to an unspecified circle of persons), except where Users intentionally publish content on the Site (e.g. reviews of software) which may contain personal information.

9.3. Sources of personal data

  • Directly from data subjects when they complete forms on the Site (registration, feedback forms), or otherwise provide their data;
  • Automatically — through technical means of the Site upon visit (IP address, cookie identifiers, technical information about the browser and device, web analytics data).

9.4. Storage periods

Personal data is stored for the time necessary to achieve the purposes of processing, unless a longer retention period is required or permitted by applicable law. Upon achievement of purposes or the absence of further legal basis for processing, personal data is deleted or anonymised within the periods established by the Operator's internal regulations.

9.5. Database localisation in the Russian Federation

In accordance with Article 18(5) of the Russian Personal Data Law, the recording, systematisation, accumulation, storage, clarification (updating, modification) and retrieval of personal data of citizens of the Russian Federation are carried out by the Operator using databases located in the Russian Federation.

Notice for users located in the European Economic Area, the United Kingdom or other jurisdictions: as a Russian Federation operator, the Operator stores its primary database within the Russian Federation. The Russian Federation has not been the subject of an adequacy decision by the European Commission under GDPR Art. 45. Where you are a User from the EEA, the UK or other jurisdictions whose laws restrict transfer of personal data to third countries, by using the Site you acknowledge that your personal data (in the categories specified in Section 8) will be processed in the Russian Federation. Where required by GDPR Chapter V, the Operator implements appropriate safeguards (such as standard contractual clauses) with its processors.

9.6. Recipients and disclosure of personal data

The Operator may disclose personal data to:

9.6.1. Persons processing personal data on behalf of the Operator ("Processors") under contracts complying with Article 6(3) of the Russian Personal Data Law and Article 28 GDPR, including:

  • the hosting provider on whose servers the Site is hosted;
  • the email service provider used for communication with Users;
  • other persons providing the Operator with services related to the Site's operation.

9.6.2. Authorised state authorities of the Russian Federation — in cases, in the manner and to the extent established by Russian law.

9.6.3. With the data subject's consent — for other purposes specified in the consent.

The Operator does not sell personal data of Users to third parties for any purpose.

9.7. Cross-border transfer of personal data

The Operator carries out cross-border transfer of personal data of Users in connection with the use of web analytics and tag management services provided by foreign suppliers, namely:

Recipient Country Services Categories of data transferred
Google LLC United States of America Google Analytics, Google Tag Manager IP address, cookie identifiers, device and browser data, data on Site visits and behaviour

The United States is not included in the list of foreign countries providing adequate protection of data subjects' rights as approved by Roskomnadzor. For purposes of GDPR, the US is a third country to which transfer requires appropriate safeguards (Google LLC participates in the EU-US Data Privacy Framework, where applicable).

Cross-border transfer of personal data is carried out by the Operator subject to the following conditions:

  • the Operator has submitted to Roskomnadzor a notice of intent to carry out cross-border transfer of personal data under Article 12(5) of the Russian Personal Data Law;
  • the User's consent to the cross-border transfer of their personal data has been obtained, in accordance with Article 12(4)(1) and Article 9 of the Russian Personal Data Law (and, for GDPR-covered Users, GDPR Art. 49(1)(a)).

The detailed terms of cross-border transfer are set out in a separate document — the Consent to Cross-Border Transfer of Personal Data — available on the Site.

A User may decline cross-border transfer of their personal data by not providing the corresponding consent in the cookie information interface on the Site. In that case, the Operator will not transfer the User's personal data cross-border.

10. Cookies and similar technologies

10.1. The Site uses cookies for:

  • ensuring Site functionality (technically necessary cookies);
  • conducting web analytics.

10.2. Cookies on the Site are divided into the following categories:

  • Strictly necessary cookies — required for the basic operation of the Site. Without them, the Site cannot function correctly.
  • Analytical cookies — Russian suppliers — used by Yandex.Metrica to collect anonymised statistics on Site traffic.
  • Analytical cookies — foreign suppliers — used by Google Analytics and Google Tag Manager. The use of these cookies is associated with cross-border transfer of personal data (see Section 9.7).

10.3. Analytical cookies (both Russian and foreign suppliers) are loaded only after the User's corresponding consent, expressed through the cookie information interface on the Site.

10.4. The User may withdraw consent to analytical cookies at any time through browser settings or through the cookie information interface on the Site.

11. Security of processing

The Operator implements appropriate legal, organisational and technical measures to protect personal data from unlawful or accidental access, destruction, alteration, blocking, copying, provision, dissemination, and other unlawful actions, in accordance with Article 18.1 and 19 of the Russian Personal Data Law and Article 32 GDPR.

These measures include:

11.1. Organisational measures:

  • appointing a person responsible for the organisation of personal data processing;
  • adopting internal regulations on the processing and protection of personal data;
  • training employees who process personal data;
  • internal control over compliance with the Russian Personal Data Law;
  • threat assessment for information systems processing personal data;
  • access controls and audit logs.

11.2. Technical measures:

  • security software and tools, including encryption (TLS in transit) and AES-256 at rest where applicable;
  • protection against unauthorised access to data carriers;
  • backup and recovery procedures;
  • maintenance of the appropriate level of protection of personal data in information systems in compliance with Decree of the Government of the Russian Federation No. 1119.

11.3. Physical measures:

  • prevention of uncontrolled access to premises where personal data is processed;
  • safekeeping of data carriers and information security tools.

12. Your rights as a data subject

12.1. Rights under the Russian Personal Data Law

You have the right to:

  • be informed about the processing of your personal data;
  • request clarification, blocking or destruction of your personal data if such data is incomplete, outdated, inaccurate, unlawfully obtained or unnecessary for the declared purpose;
  • withdraw your consent to processing at any time;
  • demand cessation of unlawful actions in respect of your personal data;
  • appeal the Operator's actions or omissions to Roskomnadzor or in court;
  • protection of your rights, including compensation for damages and moral harm.

12.2. Additional rights under the GDPR (for Users in the EEA, UK and other GDPR-covered jurisdictions)

If you are a data subject within the territorial scope of the GDPR, you also have the following rights:

  • Right of access (GDPR Art. 15) — to obtain confirmation as to whether your personal data is being processed and a copy of such data;
  • Right to rectification (Art. 16) — to obtain correction of inaccurate personal data;
  • Right to erasure / "right to be forgotten" (Art. 17) — to request deletion of your personal data, subject to legal exceptions;
  • Right to restriction of processing (Art. 18) — to request that processing of your data be limited in certain circumstances;
  • Right to data portability (Art. 20) — to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller, where the processing is based on consent or contract and is carried out by automated means;
  • Right to object (Art. 21) — to object to processing based on legitimate interests, including profiling;
  • Right not to be subject to solely automated decision-making (Art. 22) — the Operator does not engage in such decision-making;
  • Right to lodge a complaint with a supervisory authority (Art. 77) — typically the supervisory authority in the EEA Member State of your residence, place of work, or place of the alleged infringement.

To exercise any of these rights, please contact support@maombi.com. We will respond within 30 days from receipt of the request, with the possibility of extending this period by up to two further months for complex requests (GDPR Art. 12(3)).

12.3. Rights under the CCPA / CPRA (for California residents)

If you are a resident of the State of California, you have the following rights under the CCPA / CPRA:

  • Right to know what personal information is collected, used, shared, or sold;
  • Right to delete personal information held by us (subject to legal exceptions);
  • Right to correct inaccurate personal information;
  • Right to opt-out of the "sale" or "sharing" of your personal information. We do not sell or share personal information within the meaning of the CCPA;
  • Right to limit use and disclosure of sensitive personal information. We do not knowingly collect sensitive personal information;
  • Right to non-discrimination for exercising any of your CCPA rights.

To exercise these rights, please contact support@maombi.com. We will respond within 45 days, with possible extension by an additional 45 days where reasonably necessary.

13. How to exercise your rights

13.1. To exercise any of the rights described in Section 12, contact the Operator:

  • by email at support@maombi.com;
  • in writing to the Operator's address indicated in Section 3.

13.2. Your request should include sufficient information to verify your identity and to confirm your relationship with the Operator (for example, the email address of your account on the Site).

13.3. The Operator processes requests within the time limits applicable to the relevant law:

  • requests under the Russian Personal Data Law — within 10 business days from receipt;
  • requests under the GDPR — within 30 days (extendable by up to 60 days for complex requests);
  • requests under the CCPA — within 45 days (extendable by 45 additional days).

13.4. Withdrawal of consent. You can withdraw your consent by:

  • changing your preferences in the cookie information interface on the Site;
  • adjusting your browser settings (deleting cookies);
  • sending a written notice to support@maombi.com.

Upon receipt of a withdrawal notice, the Operator will cease processing your personal data and delete it within 30 days, unless retention is required by law or another legal basis applies under Article 6(1)(2)–(11) of the Russian Personal Data Law.

13.5. Upon notice of unlawful processing, the Operator blocks the relevant personal data pending verification.

14. Liability

The Operator is liable for breaches of personal data law in accordance with applicable law. This includes the Russian Personal Data Law, the GDPR (where applicable), the CCPA (where applicable), and other relevant statutes.

15. Updates and final provisions

15.1. This Policy takes effect upon approval by the Operator's authorised person and remains in force until replaced by a new version.

15.2. The current version is permanently available at https://maombi.com/pages/privacy-policy/.

15.3. The Operator may amend the Policy. The new version takes effect upon publication on the Site, unless otherwise specified. We will indicate the date of the last update.

15.4. Severability — if any provision is held invalid, the remaining provisions remain in force.

15.5. For matters not regulated by this Policy, the relations between the Operator and data subjects are governed by the laws of the Russian Federation and, where applicable, the GDPR and the CCPA.