Privacy Policy
Last updated: 22 April 2026
1. Introduction and document status
This Privacy Policy ("Policy") describes how Community Network ("Company", "we") processes personal data of users of the Community Network Platform ("Platform"). The Russian-language version of the Platform is hosted at www.communitynet.ru; the international version at www.communitynet.app. The Policy applies to all products, mobile applications, websites, APIs, notifications and other services, regardless of the entry domain. The Policy is an integral part of the Terms of Service. All limitations of liability set out in the Terms apply equally to the processing of personal data. Data Controller: KG Connect ltd. ("Company"). Some processing may be performed by affiliates; the list and roles are disclosed in section 9. Data Protection Officer (DPO): privacy@communitynet.app / dpo@communitynet.app. EU Representative (GDPR Art. 27) and UK Representative (UK-GDPR) will be appointed upon exceeding the applicable thresholds; current details are published in the /legal/ section of the site. The Policy complies simultaneously with: Russian Federal Law 152-FZ (with 242-FZ on localisation and Roskomnadzor orders), GDPR (EU), UK-GDPR and Data Protection Act 2018, CCPA/CPRA and the comprehensive laws of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana; sections 394-c/cc/ccc of NY GBL (special requirements for dating services); SHIELD Act; COPPA (in respect of age limits); LGPD (Brazil); PIPEDA (Canada); FADP/nLPD (Switzerland).
2. Role distribution: controller/processor duality
Contour 1 — user's own data. For personal data that the user personally and voluntarily provides when registering and using the Platform (profile data, photos of the user, matching information, payment data, account content), the Company acts as an independent data controller.
Contour 2 — third-party data uploaded by the user. For third-party data that the user uploads or posts on the Platform at their own initiative (photos of other individuals, contacts, lists of event invitees, descriptions of staff of a business account, biographies and images of community members), the following model applies:
— the user is the primary controller of such data;
— the Company acts as a processor on behalf of the user (within the meaning of Art. 28 GDPR and part 3 of article 6 of 152-FZ);
— the user is solely responsible to the data subjects and regulators for having a lawful basis, obtaining consents and fulfilling information duties.
Contour 3 — administrative and technical data. For technical data collected automatically (logs, security journals, session metadata, fraud protection), the Company is an independent controller on the basis of the legitimate interest of ensuring information security.
3. Categories of processed data
Registration and identification data: first and last name, email, phone number, date of birth (for 18+ age check), gender, gender identity (if explicitly indicated), face image, username/displayId.
Profile and preference data: biography, self-description, interests, profession, occupation, city, dating/networking preferences, social-media links (if voluntarily provided), participation in events and communities.
Identity verification (KYC) data: identity document (processed exclusively by the KYC provider; the Company does not keep copies after verification), live selfie, verification result.
Communication data: content of messages, voice messages, images in the messenger; message metadata; fact and duration of audio/video calls (content is not recorded); reactions, comments, community posts.
Usage data: history of visits and interactions, likes, matches, favorites, event participation, search settings.
Technical and device data: IP address, browser type and version, OS, device make and model, advertising IDs (only with consent), connection data, time zone, language, cookies.
Location data: approximate geolocation from IP (legitimate interest); precise geolocation (GPS/Wi-Fi) — only with your explicit consent, revocable at any time.
Payment data: full bank-card data is not stored by the Company; processed by licensed payment providers per PCI DSS; we store fact of transaction, amount, currency, status, transaction identifier, masked last 4 digits of the card.
Psychological test data: results used exclusively for algorithmic compatibility and personalisation. Not medical data.
Social rating data: aggregated rating (0–100), tier, components (profile completeness, verification, activity, public reputation, network trust, psychological profile), result of automated assessment of public information.
Third-party data uploaded by the user (Contour 2) — processed in the interests and under the responsibility of the user-controller.
4. Purposes of processing
Each purpose is supported by a lawful basis (see section 5). We do not use data for purposes incompatible with those listed below.
Service provision: account creation and maintenance, authentication, algorithmic matching and recommendations, event organisation, messenger, calls, posts.
Personalisation: interface settings, relevant content and recommendation matching, search ranking.
Communication: transactional notifications (new match, message, event registration), system notifications (security, changes to terms), rare informational emails (strictly with consent).
Security and anti-fraud: identity verification, fraud prevention, anti-spam, violation detection, protection against bots and scraping.
Analytics and product improvement: aggregated and anonymised usage analysis, A/B testing, technical-issue detection.
Legal compliance: responding to lawful requests from authorities, tax and accounting obligations, AML-compliance norms.
AI model training. The Company may use public content for training and fine-tuning recommendation and generative models subject to the following:
— you have the unconditional right to opt out via the profile settings;
— we never use: content of private messages, data of users under 18 (not allowed on the Platform at all), special categories of personal data, KYC data;
— technical measures are applied to minimise reidentification risk.
5. Lawful bases for processing
For each processing purpose the applicable lawful basis is indicated under GDPR articles 6 and 9 (for EU/EEA), 152-FZ articles 6 and 10 (for Russia), and equivalent bases in other jurisdictions.
Account creation and service provision: contract performance (GDPR Art. 6(1)(b) / 152-FZ Art. 6(1) p. 5).
Identity verification: legal obligation + legitimate interest (Art. 6(1)(c),(f)).
Security, anti-fraud: legitimate interest (Art. 6(1)(f) / 152-FZ Art. 6(1) p. 7).
Precise geolocation: consent (Art. 6(1)(a)).
Psychological tests: consent.
Marketing communications: consent + 152-FZ Art. 15.
Analytical cookies: consent (for EU/UK).
Strictly necessary cookies: contract performance.
AI model training: legitimate interest with opt-out.
Legal compliance: legal obligation.
Withdrawal of consent. Where processing is based on consent, you may withdraw it at any time via the profile settings or by emailing privacy@communitynet.app. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal and may result in the inability to use certain Platform functions.
6. Russian Federation special requirements (152-FZ)
Data localisation. Pursuant to part 5 of article 18 of 152-FZ, the Company ensures that the recording, systematisation, accumulation, storage, updating and retrieval of personal data of citizens of the Russian Federation are carried out using databases located on the territory of the Russian Federation.
Roskomnadzor notification. The Company has submitted a notification of intent to process personal data to Roskomnadzor (where the applicable thresholds are met). Details are available in the public registry of operators.
Cross-border transfers. Carried out in accordance with article 12 of 152-FZ and Roskomnadzor order No. 128 of 12.07.2023, exclusively to states providing adequate protection of the rights of data subjects, or with the written consent of the subject.
Consent for data made available for distribution (152-FZ Art. 10.1). By placing data in public sections of the Platform, the user gives explicit consent to its distribution within the scope of the privacy settings.
Breach notification. In the event of an incident falling under part 3.1 of article 21 of 152-FZ, the Company notifies Roskomnadzor within 24 hours of detection, submits a final report on the outcome of the internal investigation within 72 hours and informs affected data subjects.
7. European Economic Area special requirements (GDPR)
Rights of the data subject: access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18), portability (Art. 20), objection (Art. 21), withdrawal of consent (Art. 7(3)), right not to be subject to solely automated decisions with legal effect (Art. 22).
Breach notification. The Company notifies the lead supervisory authority within 72 hours of detecting an incident and affected subjects without undue delay where a high risk to their rights and freedoms is likely (Art. 33, 34).
International transfers. Transfers outside the EEA are based on:
— Adequacy Decisions of the European Commission;
— EU-U.S. Data Privacy Framework (DPF) for the US;
— Standard Contractual Clauses (SCCs);
— Binding Corporate Rules (BCRs) where available;
— Transfer Impact Assessment (TIA) for jurisdictions without adequacy.
Complaint to a supervisory authority. You have the right to lodge a complaint with the supervisory authority of your habitual residence, place of work or place of the alleged infringement.
8. US special requirements (CCPA/CPRA, states, NY GBL)
Sale and sharing of data. The Company does not sell or share personal data within the meaning of CCPA/CPRA. Users from the US have the "Do Not Sell or Share My Personal Information" right available at any time — the link is in the footer and in the account settings.
Sensitive Personal Information (SPI): geolocation, health data (not collected), sexual orientation (if provided by the user), religious/philosophical beliefs (not collected), racial/ethnic origin (not collected), biometric data (processed only by the KYC provider), content of private messages. The user has the right to limit the use of SPI via account settings.
State-resident rights: right to know, right to delete, right to correct, right to opt out of "sale/sharing", right to limit use of SPI, right to portability, right to non-discrimination for exercising rights.
New York dating-service special requirements (NY GBL §§ 394-c, 394-cc, 394-ccc):
— the Company displays a prominent warning about the risks of meeting individuals first encountered online;
— the Company notifies the user if another user with whom communication was established was subsequently banned for fraud (fraud-ban notification);
— the Company does not transfer personal identifying information to third parties without the user's explicit written consent, except as required by law.
SHIELD Act (New York) cybersecurity programme. The Company maintains reasonable administrative, technical and physical safeguards to protect the private information of New York residents.
9. Data sharing with third parties
The Company does not sell personal data. Data is disclosed to a limited set of recipients:
Other Platform users. Within Platform functionality, your public profile is visible to other users subject to your privacy settings.
Service providers (processors):
— Infrastructure: DigitalOcean (hosting, Spaces), AWS (backups), Cloudflare (CDN, DDoS protection) — US/EU/Russia (segmented);
— Email: SendGrid / Mailgun / Postmark — US, EU;
— Push: Firebase Cloud Messaging / Apple APNs — US;
— SMS: licensed SMS gateways — RU/EU/US;
— KYC: SumSub / SmartID — EU/UK;
— Payments: Stripe / ЮKassa — EU/US/RU;
— Analytics: internal tools + Google Analytics only with consent, with IP anonymisation, retention 14 mo;
— AI models (non-training use): OpenRouter, Anthropic, OpenAI — for AI chat features; query content is not used by providers for training.
The full current list of processors is published at www.communitynet.ru/legal/processors and www.communitynet.app/legal/processors.
Event co-organisers. Upon registering for an event, the minimum necessary information is provided to the organiser to run the event.
Law-enforcement and courts. Data is disclosed only on a lawful request to the extent required by law, with each instance recorded in an internal log.
Successors. In the event of reorganisation / merger / sale of assets, data is transferred to the successor. Users are notified at least 30 days in advance.
All service providers are contractually bound (DPA, SCCs for cross-border transfers) to a level of data protection not below that set by this Policy.
10. Data retention
Account data — for the entire period of Platform use and 30 days after account deletion.
Verification data — documents are deleted by the KYC provider upon completion; the verification result is retained for the life of the account.
Messenger correspondence and media — for the life of the account. After account deletion — up to 90 days.
Payment data — in accordance with financial and tax legislation (usually 5 years from the transaction).
Security logs and authorisation journals — up to 12 months, anonymised thereafter.
Anti-fraud logs — up to 36 months to detect recidivism and comply with NY GBL fraud-ban notifications.
Aggregated and anonymised analytics — indefinitely (does not allow identification).
Data in AI training samples — upon opt-out, data is excluded from future training cycles; removal from already-trained models is technically impossible, but anonymisation of samples minimises risk.
11. Data security
The Company applies a layered set of measures:
Encryption: TLS 1.2+ in transit, mandatory HSTS; AES-256 at rest (DB, Spaces, backups); keys managed via KMS with rotation; passwords — Argon2id / bcrypt with salt.
Access control: MFA/2FA mandatory for all staff with production access; principle of least privilege; brute-force and replay protection; dynamic control strings on password recovery.
Monitoring: continuous monitoring of suspicious activity; journalling of authorisations and administrative operations; regular security audits and penetration testing; staff training.
Backup: daily encrypted snapshots; geographically distributed storage; regular recovery drills.
Incident response: 24/7 on-call, escalation chain; incident response plan; regulator notifications within statutory timelines.
Limits of guarantees. Despite the measures taken, no method of transmitting and storing data over the Internet is absolutely secure. The Company cannot guarantee absolute security and is not liable for incidents caused by users or third parties beyond its reasonable control.
12. User rights and how to exercise them
You have the following rights in respect of your personal data:
— access: obtain a copy of the data being processed;
— rectification: request the correction of inaccurate or incomplete data;
— erasure: request the deletion of your data (subject to lawful grounds for retention);
— restriction of processing;
— portability: receive data in a structured, machine-readable format (JSON/CSV);
— withdrawal of consent where processing is consent-based;
— objection to processing based on legitimate interest, including profiling;
— opt-out of automated decisions: request human intervention in decisions with legal effect;
— complaint to a supervisory authority (Roskomnadzor, Irish DPC, UK ICO, California CPPA, or the authority in your country).
How to exercise rights. Requests go to privacy@communitynet.app with identification of the requester. The Company responds within:
— 10 business days — for 152-FZ requests from Russian citizens;
— 1 month — for GDPR requests (extendable to 3 months on complexity);
— 45 days — for CCPA/CPRA requests (extendable by 45 days);
— other statutory timelines where applicable.
No discrimination. The Company does not apply discriminatory measures (price increases, quality reduction, service refusal) for exercising your rights.
Account deletion. Self-service deletion is available via the profile settings. After deletion, data is anonymised/destroyed per the timelines in section 10, except data the Company is required to retain by law.
13. Cookies and similar technologies
Described in detail in the Cookie Policy: www.communitynet.ru/cookies (RU) / www.communitynet.app/cookies (international). Summary:
— strictly necessary cookies work without consent (authentication, CSRF protection);
— functional — with your consent (language, theme);
— analytical — with your consent (anonymised analytics);
— advertising cookies are not used by the Company.
14. Minors
The Platform is intended exclusively for persons aged 18 and over. The Company does not knowingly collect or process personal data of persons under 18. Upon receipt of credible information about the registration of a minor, the Company immediately blocks the account, deletes all related data and notifies legal representatives and, where warranted, competent authorities. Parents and legal representatives who discover the registration of their minor child on the Platform may submit a request for immediate account deletion to privacy@communitynet.app.
15. Changes to the Policy
We may make changes to the Policy. We notify material changes at least 14 days in advance via the Platform, push notifications and email. The date of the last revision is indicated at the top of the document. An archive of previous versions is available on request to privacy@communitynet.app. For material changes (expansion of processing purposes, new recipients, changes in lawful basis) you will be required to re-accept the updated Policy via the consent modal. Refusal to accept results in the inability to use the affected features or the entire Platform.
16. Contact information
Data Protection Officer (DPO): privacy@communitynet.app / dpo@communitynet.app
EU Representative: to be appointed upon exceeding thresholds — www.communitynet.app/legal/eu-representative
UK Representative: to be appointed upon exceeding thresholds
Company: KG Connect ltd.
Platform: www.communitynet.ru (Russian-language) · www.communitynet.app (international)
Supervisory authorities:
— Russian Federation: Roskomnadzor, rkn.gov.ru
— Ireland (EU lead supervisory authority): Data Protection Commission, dataprotection.ie
— United Kingdom: Information Commissioner's Office, ico.org.uk
— California: California Privacy Protection Agency, cppa.ca.gov
17. SMS communications and phone numbers
We use SMS for a single transactional purpose: confirming that a phone number you provide actually belongs to you. A one-time 6-digit code is sent to the number only after you explicitly enter it in the app and tap "Send code". Phone numbers are not collected from any third-party source.
What we store: the phone number (encrypted at rest), the date you verified it, and a hashed history of recent OTP attempts (to throttle abuse). Numbers are deleted within 30 days after you delete your account.
Frequency. At most 3 SMS per recipient per day (one initial code plus up to two re-sends). We do not send marketing or promotional SMS — only verification.
Delivery partner. SMS are transmitted via SignalWire (signalwire.com), our toll-free messaging provider. They process the message in transit only and do not retain or use the contents for any other purpose. They are bound by a data-processing addendum.
Cost. Standard message and data rates may apply from your mobile carrier — we never charge you directly for an SMS.
Opt-out. Reply STOP to any message to immediately remove your number from our messaging list. Reply HELP or contact hello@communitynet.app for assistance. Opting out does not delete your account, but you will no longer be able to place outbound landline calls until you re-verify a phone number.
Carriers (T-Mobile, Verizon, AT&T, international carriers) are not liable for delayed or undelivered messages.
© 2026 Community Network