Privacy & Data

Revised on Jul 1, 2026

1.General Provisions

This Privacy Policy describes how personal data of Basalt PMS users is collected, processed, stored, transferred, and protected. Basalt PMS is available at basaltpms.com. For users in Russia, processing is governed by Federal Law No. 152-FZ on Personal Data and the Russian-language legal documents.

By using the Platform, registering an account, or accepting access to the client portal, the User confirms that they have read this Policy.

2.Data Controller

Data controller/operator: Aleksandr Zhukov, self-employed service provider, Tax ID (INN) 665840158406. Contact address: 620000, Yekaterinburg, Russia. Telegram: @basalt_pms_bot.

Email for personal data requests: support@basaltpms.com.

3.Legal Bases

Personal data is processed on the following bases:

  • the User's consent when registering, connecting integrations, using the client portal, or subscribing to marketing communications
  • performance of the agreement and public offer
  • compliance with legal requirements, including tax, accounting, and payment records
  • protection of the Operator's rights and legitimate interests, including Platform security, abuse prevention, incident investigation, and dispute resolution

4.Purposes of Processing

Data is processed for account registration, authentication, and access recovery; management of companies, projects, roles, tasks, files, and the client portal; cloud storage, video review, comments, approvals, project finance, and reporting; payment processing, subscriptions, trials, refunds, and receipts; transactional notifications about security, payments, deadlines, invitations, and project events; technical support; protection against automated attacks and fraud; AI features requested by the User; Platform improvement using anonymised or aggregated data; and legal compliance.

5.Categories of Data

Basalt PMS may process:

  • account data - email, first and last name, avatar, locale, profile settings, role, company, and membership status
  • authentication and security data - user ID, sessions, IP address, User-Agent, login history, device information, MFA/TOTP status, passkey and recovery data in technical form, verification codes, magic-link tokens, and audit logs
  • workspace data - companies, projects, tasks, deadlines, notes, comments, approval history, client messages, financial records, and settings
  • files and media - videos, images, documents, thumbnails, file metadata, storage paths, versions, and public links
  • client portal data - name, email, Telegram ID or username, access rights, login history, messages, and approval actions
  • payment data - plan, payment status, amount, currency, YooKassa payment/refund ID, and subscription history

Bank card details are not collected or stored by the Operator

6.Data Uploaded by Users

The User determines what data is uploaded to the Platform, including video editing materials, scripts, briefs, files, comments, client contacts, contractor data, and other information. If such materials contain personal data of third parties, the User must have a valid legal basis to transfer and process that data in Basalt PMS.

The Operator processes such data only to provide Platform functionality, security, technical support, and performance of the agreement.

When the User uploads personal data of third parties, the User acts as the operator of such data and the Platform Operator acts as a party processing it on the User's instruction (Part 3, Article 6 of Federal Law No. 152-FZ); the terms of this instruction are set out in the 'Personal Data Processing Instruction' section of the Service Agreement.

7.Storage and Retention

Account data and workspace data are stored for the duration of Platform use and up to 3 years after account or company deletion, unless a shorter period applies under Platform settings, a valid User request, or law.

Technical logs, IP addresses, and login data are generally retained for no more than 90 days unless a longer period is required for incident investigation. Client portal data and magic-link tokens are stored according to access validity and company settings. Payment, refund, receipt, tax, and accounting records are retained for the periods required by law.

Backups may retain deleted data until the backup lifecycle expires.

8.Processors and Third-Party Services

YooKassa (YooMoney NBCO LLC, Russia) - payment processing. Transferred data: email for receipt, transaction data. Server: Russia.

UniSender Go (UniSender LLC, Russia) - email notification delivery. Transferred data: email, name. Server: Russia.

Timeweb (Timeweb LLC, Russia) - hosting and VPS infrastructure. Transferred data: all Service data. Server: Russia.

Yandex Cloud Object Storage (Yandex.Cloud LLC, Russia) - S3-compatible object storage for files and media. Transferred data: files, media, file metadata, storage paths. Server: Russia.

Telegram (Telegram Messenger FZ-LLC) - Telegram bot for activation code delivery and notifications. The Operator does not proactively transfer personal data to Telegram; data is received from the User as part of the User's interaction with the bot.

Yandex Metrica (Yandex JSC, Russia) - anonymised web analytics. Data: behavioural data, cookies. Policy: https://yandex.ru/legal/confidential/. Server: Russia.

Yandex SmartCaptcha (Yandex.Cloud LLC, Russia) - protection of registration, login, and password recovery forms from automated attacks. Transferred data: IP address, browser User-Agent, behavioural signals (cursor movement, typing patterns), captcha session identifier.

Data is processed automatically and used exclusively to distinguish real users from bots. Legal basis - the Operator's legitimate interest in ensuring Service security. Policy: https://yandex.ru/legal/smartcaptcha-notice/. Server: Russia.

9.Cookies

The Platform uses technical cookies and similar identifiers for authentication, user sessions, the client portal, form protection, language and theme preferences, and selected settings.

Yandex Metrica may also be used for anonymised web analytics, and Yandex SmartCaptcha may be used to protect registration, login, and password recovery forms from automated attacks. Advertising cookies are not used by default.

10.International Transfers

International transfer of personal data is not carried out. All data is stored on servers in the Russian Federation.

11.Connected Integrations

The User may explicitly interact with the Telegram bot, connected Service functions, and external cloud services if such functionality is available in the interface. The Platform accesses only the files, folders, links, metadata, and other data that the User uploads, selects, imports, or transfers through the Platform.

The Operator does not receive general access to the User's entire external cloud account and does not view data that has not been transferred through the Service. Processing by an external service is additionally governed by that service's own privacy policy and terms.

The User is responsible for the lawfulness of connecting an external cloud service and transferring data through it.

12.AI Features

Basalt PMS AI features, if available to the User, may use briefs, project descriptions, tasks, comments, financial metrics, audio, transcripts, and other data submitted by the User to the relevant feature. Personal data is not transferred to external AI providers separately unless this Policy and the list of processors are updated.

AI outputs are auxiliary, may contain errors, and do not constitute legal, financial, tax, or professional advice.

13.Notifications and Marketing

Transactional messages about registration, security, payments, subscriptions, invitations, deadlines, comments, and project events are sent as part of the Platform and agreement. Marketing messages, product news, and promotional offers are sent only with an applicable consent or other legal basis.

The User may opt out of marketing emails via the unsubscribe link, Platform settings, or by contacting us in Telegram: @basalt_pms_bot.

14.Security

The Operator applies technical and organisational safeguards, including HTTPS/TLS in transit, role and company-based access control, MFA and passkeys, encrypted storage of sensitive tokens, audit logs, rate limiting, CAPTCHA protection, suspicious activity monitoring, backups, and access limitation based on need to know.

If a personal data incident is identified, the Operator takes steps to contain, investigate, and notify where required by law.

15.Your Rights

Depending on applicable law, the User may request information about processing, access to data, correction, blocking, deletion, withdrawal of consent where processing is based on consent, objection to marketing communications, and lodging a complaint with a supervisory authority.

Requests should be sent in Telegram: @basalt_pms_bot or by email to support@basaltpms.com.

We respond within the legally required period, usually up to 30 days.

16.Deletion and Erasure

Data is deleted or erased when processing purposes are achieved, consent is withdrawn, retention periods expire, an account or company is deleted, or a valid request is received.

Active data is generally deleted within 30 days after confirmation, except data that must be retained by law, is required for payments, security, dispute resolution, or remains in backups until the backup lifecycle expires.

17.Policy Changes

The Operator may update this Policy when the Platform, processors, legal requirements, or internal processes change. The current version is always available on this page. Material changes are notified by email, through the Platform, or by another available method.

18.Contact Information

For questions about personal data processing, contact the data controller/operator:

ControllerAleksandr Zhukov
Tax ID665840158406
Telegram@basalt_pms_bot
Emailsupport@basaltpms.com
Address620000, Yekaterinburg, Russia

Basalt. Your data is your property.

© 2026 Basalt PMS