Policy – this Privacy Policy, available on the Internet at https://tilda.cc/privacy/.
Personal Data – any information relating to an identified or identifiable natural person, whether directly or indirectly.
Controller – Tilda Platform Cloud Services Co. LLC, license 1110180, processing Personal Data and independently determining the methods and purposes of such processing.
Platform – a software package located on the Internet at https://tilda.cc/, and intended for creation and publication of websites, letters and documents.
Website – the website available on the Internet at https://tilda.cc/, including all of its pages and related subdomains.
User – a person who uses the functionality of the Platform.
Representative – representative and/or contact person of the User being a legal entity.
Project – website, letter or document created through the functionality of the Platform.
Event – an information, marketing and/or promotional event of the Controller related to the use of the Platform.
Applicant – any person submitting to the Controller an inquiry, complaint, or claim regarding the use and/or operation of the Platform, except for a User.

If there is no definition of a term in the text of the Policy, you should be guided by the interpretation of the term: first of all – as provided by the applicable legislation, secondly – as established (commonly used) on the Internet.

Terms related to the use of the Platform shall be interpreted in accordance with the Terms of Service (hereinafter referred to as the Agreement), regardless of whether capitalized or lowercased.

1.1. Scope of Application of the Policy. This Policy applies to the processing of the following Personal Data by the Controller:
1) Website visitors;
2) Users and Representatives;
3) Applicants;
4) Event attendees.

1.2. Processing the Personal Data on the Projects. By using the functionality of the Platform, the Users may process Personal Data of third parties on the Projects, including the following methods:
1) posting information on the Projects about the individuals, including counterparties, partners, employees and customers;
2) using feedback collection forms, request management systems, as well as tools for creating online stores and training courses, such as shopping carts, delivery services and/or personal accounts on the Projects;
3) analyzing visitation statistics for the Projects published on the Internet.

Users are solely responsible for the processing of Personal Data of third parties. The Controller processes Personal Data of third parties, acting on behalf of the Users in accordance with the Data Processing Agreement.

The Controller shall not be responsible for the actions of Users when processing Personal Data on the Projects. Any claims of third parties related to the processing of their Personal Data should be addressed directly to the User that performs such processing.

1.3. Processing Other Personal Data. The conditions and procedure for processing Personal Data of visitors and users of other websites and/or services of the Controller are determined by the processing policies of the relevant websites and services.

Processing of Personal Data of candidates, employees, counterparties and representatives of the Controller's counterparties shall be carried out in accordance with other documents of the Controller. However, this Policy may be applied to the specified persons in case of their interaction with the Controller as subjects covered by this Policy.

2.1. Informing about the Location. The Website is intended for use by persons whose main location is within the territory of any country, excluding the territories of the Republic of Kazakhstan, the Republic of Belarus, and the Russian Federation.

In order to analyze the location of the Website visitor, the Controller processes IP address thereof, including the country by IP address, based on legitimate interest. If, under applicable law, the visitor’s consent is required to collect the IP address, use of the Website shall be deemed to constitute such consent.

If the Website visitor is located outside the applicable territories, the Controller shall send automatic notification about the regional specificity of the Website and the possibility of switching to the version corresponding to the relevant geographical location.

2.2. Ensuring the Website Functioning. The Controller processes essential and functional cookies of the Website visitors. Cookies are processed based on the Controller's legitimate interest to ensure the Website functioning in accordance with the Cookie Policy.

2.3. Receiving Feedback. Visitors to the Website can leave their feedback about the Platform on the relevant Website page. For receiving feedback, the Controller processes the e-mail address, name and links to social media profiles based on the consent obtained.

2.4. E-mail Distribution. The Controller may send informational and technical materials, notices and messages related to the use of the Platform and updates on the Platform to the e-mail specified in the data collection form on the Website. The e-mail address is processed based on the consent obtained.

The Website visitor can unsubscribe from the Controller's news/promotional mail-outs by clicking on the corresponding link in the e-mail message or by submitting a request to the Controller.

2.5. Feedback Collection and Surveys. Certain subdomains of the Website contain forms required by the Controller to collect feedback and to conduct surveys regarding the use and/or functioning of the Platform.

Depending on the form used, the Controller may collect and process the name, e-mail address, information about profession, skills and work experience, messenger nickname, and links to social media profiles. Such processing is carried out for the purpose of collecting feedback and conducting surveys on the basis of the consent obtained.

2.6. Conversion Tracking and Advertising Optimization. On certain subdomains of the Website, the Meta Pixel service is enabled, which installs pixels and collects marketing cookies to recognize unique visitors. The processing of cookies is carried out by the Controller in accordance with the Cookie Policy based on the consent of the Website visitor obtained via a pop-up banner.

The Controller’s use of the Meta Pixel service is not intended to make decisions that produce legal effects or otherwise significantly affect the rights and/or legitimate interests of Website visitors.

2.7. Improvement of the User Experience. The Processor collects analytical cookies to improve the user experience. The processing of cookies is carried out in accordance with the Cookie Policy on the basis of consent obtained via a pop-up banner.

3.1. Providing Access to the Platform Functionality. In order to provide access to the Platform and its functionality, the Controller processes the name, e-mail address, mobile phone number, VAT number, country and technical information – User ID, User Agent, Request ID, as well as IP addresses, including the country by IP addresses, IP ports.

Personal Data is processed by the Controller based on the Agreement with such User.

3.2. Payment of License Fee and Other Services of the Controller. In case of payment of the license fee and other services of the Controller using a bank card, the Controller shall process the masked number of the bank card, validity period of the bank card, country of issue, the date and time of payment, name of the payment system, cardholder name, Customer ID, and payment RRN.

When paying with a bank card, the User uses payment aggregator services Stripe LLC and Technologies FZCO, being the Controller’s partners. Financial information of the Users is processed by payment aggregators and banks in accordance with their policies and processing rules.

The Controller does not receive information about full details of the User's bank card and does not process payment transactions directly.

The processing of the above Personal Data for the purposes of payment of the license fee and other services of the Controller is processed based on the Agreement.

3.3. Restoring Access to the Account. If e-mail address, password from the account on the Platform are lost, and/or there is no access to the linked e-mail address, the Controller may request the User to provide a masked bank card number, bank account number, as well as the last name, first name, patronymic of the User or the Representative.

Personal Data provided to the Controller is processed based on the Agreement and legitimate interest in order to verify the User and further restore access to the account on the Platform in case of verification.

3.4. Removing the Automatic Restriction on Publication of the Project. The Platform has built-in protection against suspicious activities in the User's account. In certain cases, such as when spamming is suspected or security threats are detected, the ability to publish a Project may be automatically restricted by the system.

For the purposes of removing restrictions, the Controller requests the User's phone number to send an SMS message. In this case, the Personal Data provided is processed by the Controller based on the Agreement and legitimate interest.

3.5. User Support. In case of any questions related to the use and/or functioning of the Platform, the User may contact the Controller's support service by e-mail or through the internal system on the Platform.

In order to provide support services, the Controller processes the name, e-mail address, country, User ID, User Agent, IP address, including the city and country of the Users' IP address, as well as any other data specified in the User's application. The Controller processes this data based on the Agreement.

3.6. Creating Portfolios and Searching for Designers. The User may create their portfolio on the Platform for the purpose of client acquisition. When creating a portfolio, the User provides the Controller with the photo, first and last name, description of the activity, e-mail address, and receives a unique designer identifier.

By creating a portfolio, the User understands that their information will be published on the Internet. Disclosure of Personal Data to an unlimited number of persons is carried out by the User independently.

A User wishing to engage a designer to create a Project can fill out a corresponding questionnaire on the Platform or in the designer's profile. In this case, the User provides the Controller with the name, e-mail and information about the Project.

Personal Data mentioned above is processed by the Controller based on the Tilda Experts Service Terms of Use which are an integral part of the Agreement, in order to provide Users with the opportunity to create portfolios and search for designers.

The Controller may also publish links to a User’s portfolio, made publicly available in the Website gallery, as well as on other related websites. By creating a portfolio, the User gives the Controller consent to distribute such Personal Data.

3.7. Posting Information on the Projects. The functionality of the Platform allows the Users to post documents, diagrams, texts, videos and other objects on the Projects. The User independently manages the information placed on the Projects, including uploading, modifying text materials, as well as exporting the Project in accordance with the terms and conditions of the Agreement.

If the information posted on the Project contains Personal Data of the User who is an individual, the Controller processes the provided Personal Data based on the Agreement. Such processing is carried out by the Controller in order to enable the User to post information on the Project.

However, the functionality of posting Content on the Projects is not intended for publishing images containing the User's Personal Data, including photos thereof and/or scanned copies of documents.

When using the multi-access feature, Personal Data posted on the Project may become available to other Users and, when the Project is published on the Internet, to an unlimited number of persons. The User independently determines the conditions of access to Personal Data in the relevant Project settings.

By publishing the Project in the public domain on the Internet, the User understands and acknowledges that disclosure of Personal Data to an unlimited number of persons is carried out by the User independently.

3.8. Connecting Third-Party Services. When using the Platform functionality, the User may be offered to connect third-party services, including e-mail services, cloud storage and social networks.

In case of connection of third-party services, the Controller may gain access to e-mail addresses and/or nicknames specified in the relevant User's service accounts. This Personal Data is processed by the Controller based on the Agreement in order to ensure integration with third-party services.

3.9. E-mail Distribution. The Controller may send informational and technical materials, notices and messages related to the use of the Platform and updates on the Platform to the e-mail address provided in the User’s account. Depending on the type of mail-out, the User's e-mail address is processed based on the Agreement, the Controller's legitimate interest or the consent obtained.

The User can unsubscribe from the Controller's mail-outs in the Personal Account of the Platform or by clicking on the corresponding link in the e-mail message.

3.10. Technical Provision of the Platform. The Controller processes essential and functional cookies of Users in accordance with the Cookie Policy in order to ensure the functioning of the Platform. Cookies are processed based on the Agreement with such User.

3.11. Information Security. In order to ensure the security of the Platform and prevent unauthorized access, the Controller:
1) uses reCAPTCHA service that analyzes the technical parameters of the device, the User's behavioral characteristics, and the User's digital footprint in accordance with the Cookie Policy;
2) automatically registers the User's actions when working in an account on the Platform.

The specified Personal Data is processed by the Controller based on legitimate interest.

4.1. Reviewing Applications. In order to consider questions, complaints, claims and other requests related to the use and/or operation of the Platform, the Controller processes the following Personal Data of the Applicants and/or their Representatives: last name, first name, patronymic, e-mail address, identity document data, other information indicated directly in the text of the request and documents.

When reviewing requests, Personal Data is processed based on the consent obtained. Consent to Personal Data processing may be provided to the Controller:
1) by ticking the relevant boxes in online forms;
2) by including the consent in the text of the request and/or the content of the electronic message;
3) in any other manner that clearly expresses the Applicant's consent.

4.2. Referrals to Users. The Controller shall be entitled to redirect the Applicant's complaint, inquiry or claim to a specific User, if the content of the received application concerns the actions of the User and/or the Project.

Personal Data contained in the Applicant's application is transferred by the Controller in order to settle a dispute between the User and the Applicant. Thereat, the Applicant's Personal Data may be transferred to the User solely based on the consent given in writing or by including the consent in the text of the request and/or the content of the electronic message.

5.1. Reviewing Grant Applications. Non-profit organizations and/or entities creating non-profit Projects may be entitled to use the Platform to provide grants.

When submitting a grant application, the participant provides the Controller with the last name, first name, patronymic, contact e-mail address, e-mail address of the account on the Platform. The Controller processes the provided Personal Data based on the obtained consent for the purpose of processing grant applications.

5.2. Directing Information about Webinars. For the purpose of sending information about informational and educational webinars, the Controller processes the attendees’ e-mail address.

By filling in an online form on the website, the attendee gives consent to Personal Data processing to the Controller for the purpose of receiving reminders about the upcoming webinar. The attendee may also provide consent to the Controller to receive regular notifications of ongoing webinars.

6.1. Methods and Sources of Collection. The Controller may collect Personal Data:
1) directly from data subjects in the course of providing the Platform, collecting applications, and receiving questions or other requests related to the use and/or operation of the Platform;
2) through the automatic collection of technical data on the Website and/or the Platform, including IP addresses, cookies, and automatically logged activities;
3) from third parties, for example, when integrating third-party services into the Project, including cloud storage services, social networks, and e-mail services.

In certain cases, the provision of Personal Data is necessary for the performance of a contract under the Agreement, including for granting access to the functionalities of the Platform. In particular, the Controller will not be able to register a User without obtaining information about the User’s country and e-mail address.

6.2. Processing Operations. The Controller carries out processing of Personal Data by means of the following processing operations: collection, recording, organization, structuring, storage, modification adaptation or alteration), viewing, use, disclosure by transmission, dissemination or otherwise making available, restriction, blocking, erasure, or destruction.

Processing of Personal Data may be carried out using automated means as well as without such means.

6.3. Personal Data Processing Terms. The Controller processes Personal Data no longer than is necessary for the purposes for which the Personal Data are processed:
1) when processing is based on the performance of the Agreement – for the duration of the Agreement and, following its termination on any grounds, for the applicable limitation period based on the Controller’s legitimate interests;
2) when processing is based on legitimate interests – for as long as such legitimate interests persist;
3) when processing is based on consent – until such consent is withdrawn.

A specific term may be set by applicable legislation or by separately obtained consent.

7.1. Purposes of Personal Data Transfer. Personal Data is transferred by the Controller solely to achieve the purposes set out in this Policy. The Controller does not sell Personal Data to third parties for marketing and/or advertising purposes.

7.2. Transfer to Third Parties. The Controller transfers Personal Data to the following processors under data processing agreements:
1) Hetzner Online GmbH – for the storage of Personal Data on servers;
2) G-Core Labs S.A. – for the storage and backup of Users’ projects;
3) Tilda Publishing Kaz LLC – for providing technical support and handling data subject requests;
4) Google Cloud EMEA Limited – for ensuring the security of processing on the Website and the Platform;
5) Meta Platforms Inc. – for conversion tracking and advertising optimization;
6) Voyage SMS Inc. – for sending SMS messages for authentication purposes.

Such processors are contractually bound to implement appropriate technical and organizational measures to ensure the confidentiality and security of Personal Data.

The Controller shall be entitled to transfer Personal Data to third parties without acting on the basis of a data processing agreement where such transfer if such transfer is based on the consent obtained, is necessary to fulfill obligations provided for by the Agreement, is required by applicable law, or occurs within the framework of assignment, transfer of debt and/or in the order of legal succession.

In particular, the Controller transfers Personal Data to:
1) entities maintaining the Platform on other top-level domain names, when changing the country of the profile on the Platform at the initiative of the User;
2) payment aggregators and/or acquiring banks in case the User initiates the procedure of disputing the payment by bank card;

7.3. Cross-Border Transfers. The Controller transfers Personal Data to third countries, including:
1) Member States of the European Union – for data storage and ensuring security of processing;
2) the United States of America – for storage and backup of Users’ projects, conversion tracking, sending SMS messages, and handling payment disputes;
3) the Republic of Kazakhstan – for profile country changes, technical support, and handling requests;
4) other countries where entities maintaining the Platform are established – in connection with changes to the User’s profile country.

Prior to any transfer of Personal Data to a third country, the Controller assesses whether the country ensures an adequate level of protection in accordance with applicable data protection laws.

Where Personal Data are transferred to a third country that does not ensure an adequate level of protection, the Controller shall implement appropriate safeguards, including the conclusion of standard contractual clauses or the application of binding corporate rules.

Derogations may apply where the data subject has explicitly consented to the proposed transfer, or where the transfer is necessary for the performance of the Agreement.

8.1. Ensuring Personal Data Protection. The Controller implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with applicable data protection laws. The Controller also carries out regular testing, assessment, and evaluation of the effectiveness of measures for ensuring the security of processing.

8.2. Measures Applied. The Controller ensures the security of Personal Data by, including, without limitation:
1) identification of business processes involving Personal Data and maintaining records of processing activities;
2) defining a list of persons authorized to collect and process Personal Data or to have access thereto;
3) establishing access control procedures for Personal Data;
4) use of secure communication channels and encryption;
5) application of pseudonymization techniques, including the use of IDs in the Controller’s internal systems;
6) implementation of identification and/or authentication mechanisms when processing Personal Data;
7) use of backup and recovery systems;
8) assessment and management of information security risks;
9) addressing data protection and security requirements in contracts and/or data processing agreements with service providers;
10) conducting regular technical audits and implementing a Bug Bounty program.

9.1. Withdrawal of Consent to Processing. If, in accordance with this Policy, the Controller processes Personal Data based on consent, such consent may be withdrawn at any time by submitting a request to the Controller in the manner provided for by this Policy.

If the consent is withdrawn, the Controller shall be entitled to continue processing Personal Data without the consent if there are other legal grounds provided for by the applicable legislation.

9.2. Erasure of Personal Data. The Controller erases Personal Data upon expiry of the applicable retention period, withdrawal of consent, deletion by the User on their own, detection of unlawful processing, termination of activities, as well as in other cases provided for by the Policy and/or the applicable legislation.

9.3. Blocks and Restrictions on the Platform. In case of violation of or reasonable suspicion that the User has violated the Agreement and/or the applicable legislation, the Controllershall be entitled to erase such information such information, block the User's account, as well as take other measures provided for by the Agreement.

The User understands and acknowledges that if the Controller takes administrative measures, the Personal Data provided, posted and/or published by the User may be erased without the possibility of subsequent recovery.

10.1. Data Subject Rights. Each data subject whose Personal Data are processed in accordance with this Policy has the right to:
1) withdraw consent where processing is based on consent;
2) obtain access to their Personal Data and information related to the processing thereof;
3) request rectification of Personal Data where they are incomplete, outdated or inaccurate;
4)request cessation or erasure of processing of Personal Data in cases provided for by applicable law;
5) request restriction of processing in cases provided for by applicable law;
6) request data portability, including obtaining copies of their Personal Data;
7) object to the processing of Personal Data where such processing is based on the Controller’s legitimate interests;
8) lodge a complaint with a supervisory authority regarding any actions, omissions or decisions of the Controller that violate their rights.

10.2. Requests and Applications. Requests and applications related to the Personal Data processing procedure under this Policy may be sent to the Controller in writing to the address: post office box number 452972, Dubai, United Arab Emirates, or in the electronic form to e-mail address dpo@tilda.cc.

Where a request includes a requirement to access Personal Data, the data subject must provide sufficient information to enable identification.

The Controller shall respond to requests within 30 days of receipt, unless otherwise required by applicable law.

10.3. Procedure for Amending the Policy. This Policy may be changed by the Controller unilaterally by publishing a new version of the Policy on the Internet. The current version of the Policy is available at the link.

Any changes to the Policy come into force on the day following the day the Policy is published in the amended version. The Controller is entitled, but not obliged, to notify of changes to the Policy.

Where required by applicable law, the Controller shall notify data subjects of material changes by e-mail or via the User’s account on the Platform.

10.4. Languages. This Policy is drawn up in English and may be provided for review in another language. In the event of a discrepancy between the English version of the Policy and the version of the Policy in another language, the provisions of the English version shall apply.

10.5. Applicable Law. As the Controller’s principal place of business and registered address are located in the United Arab Emirates, this Policy and the processing of Personal Data hereunder shall be governed by and construed in accordance with the laws of the United Arab Emirates.

Where the data subject is located in a Member State of the European Union and/or the European Economic Area, the provisions of the General Data Protection Regulation shall also apply.

Controller's details: Tilda Platform Cloud Services Co. LLC, License 1110180, P.O. Box number 452972, Dubai, UAE
For Personal Data processing issues: dpo@tilda.cc
European Union Representative’s details: Tilda Publishing Ltd., registration number: 3701272VH, address: Pembroke House, 28–32 Pembroke Street Upper, Dublin 2, D02 NT28, Ireland
For issues related to the application of the General Data Protection Regulation: gdpr@tilda.cc