Tilda Publishing
Privacy Policy
Thank you for choosing Tilda!

The Privacy Policy is an integral part of the Terms of Service and explains what personal data of Users and their clients is collected and stored by the Administration when using the Tilda Publishing Platform (hereinafter — Platform), as well as when it can be used or transferred to third parties. If you want to use Tilda services, you should read and accept the terms of the Privacy Policy and Terms of Service.

This Privacy Policy (hereinafter — Privacy Policy, Policy) is developed in accordance with the requirements of the Federal Decree Law UAE No. 45/2021 on the Protection of Personal Data (hereinafter — Law), is adopted and in force by the Administration (hereinafter — Administration, we).

Please note that this Privacy Policy applies only to Users whose primary location is in any country other than the European Union, the United States, Russia, Belarus and Kazakhstan.

This document consists of the following sections:
General Provisions
Purposes of Processing Personal Data
Logging of User Actions
Personal Data Processed by Users
Transfer and Receipt of Personal Data from Third Parties
Methods for Collecting Personal Data
Personal Data Storage
Updating and Deleting the User's Personal Data
Rights and Obligations of the User
Rights and Obligations of the Administration
Contacts

By using our Platform and providing us with Personal Data, you agree that this Personal Data will be processed in accordance with this Policy and the Cookie Policy.

If you have any legal questions related to this Policy, please contact us: legal@tilda.cc
For general and technical questions — team@tilda.cc
For questions regarding the organization of processing and protection of personal data — dpo@tilda.cc
1. General Provisions
1.1. This Privacy Policy determines the Administration's responsibilities towards non-disclosure and protection of the confidentiality of personal data provided by the User on the Administration's request when register on the Tilda Platform (hereinafter — the Platform) and during further interaction with the Platform.

1.2. The Privacy Policy refers to all information that the Platform can collect about a User while they are using the services of the Platform. By registering on this Platform, the User consents to all terms of this Privacy Policy.

1.3. The Privacy Policy may be amended by the Administration without prior notification. The current Privacy Policy is at all times available at https://tilda.cc/privacy-cc/.
2. Purposes of Processing Personal Data
2.1. For each purpose of personal data processing, the administration determines the categories and list of personal data processed, the methods, terms of their processing and storage, the procedure for the destruction of personal data when the purposes of their processing are achieved or when other legal grounds arise.

2.2. The Administration has determined the following purposes for processing the User’s Personal Data:
1) Providing access to the Platform (registration);
2) Ensuring the security of the Platform and its correct functioning;
3) Restoring access to the Account (if it was stolen / login and password was lost / login error during registration / it is not possible to use two-factor authentication);
4) Providing access within the framework of paid tariffs when paying by a bank card;
5) Ensuring the reliability of the Platform and the ability to recover data after failures using backup and data recovery technologies;
6) Processing on behalf of the User for the implementation of processes automated by the User using the Platform (regulated by the Data Processing Agreement);
7) Transfer of the User’s Personal Data to another Controller when the User transfers their profile to it.

2.3. The Administration processes Personal Data as described below:

2.3.1. The purpose of processing — to provide access to the Platform (registration)

Processed Personal Data:
  • Name;
  • Email.

Processing is carried out automatically/with the User's participation:
  • IP;
  • City/Country (by IP);
  • Browser Version;
  • Language;
  • UTM parameters;
  • Partner Tag;
  • The address of a website page's referrer;
  • Cookie data used to identify the User without the use of technical measures.

Grounds for processing of Personal Data — processing shall be carried out as part of fulfillment of contractual obligations.

Types of processing of Personal Data:
  • Collection, recording, systematization, accumulation, storage of Personal Data;
  • Clarification (update, modification) is performed by the subject of Personal Data via the profile management form, as well as automatically during the User's interaction with the Website;
  • De-identification, blocking, destruction of Personal Data is performed through the Control Panel for User management.

Retention period of Personal Data — Personal Data shall be stored for the entire duration of the agreement/during the periods established by the current United Arab Emirates legislation.

Deletion of Personal Data — Personal Data are deleted by the User in the Personal Account or automatically at the end of the storage period for the data collected in automatic mode. The fact of deletion is recorded in the Platform logs.

2.3.2. The purpose of processing — to ensure the security of the Platform and its correct functioning

Processed Personal Data — phone number.

Grounds for processing of Personal Data — processing is performed within the framework of fulfillment of contractual obligations.

Types of processing of Personal Data:
  • Collection, recording, systematization, accumulation, storage (if fraudulent activities, spam or mass registration are suspected, the User shall provide the Administration with a contact phone number to confirm independent actions in the Personal Account);
  • Viewing, depersonalization, blocking through the Control panel for user management.

Retention period of Personal Data — Personal Data shall be stored during the entire term of the agreement/during the periods established by the current United Arab Emirates legislation.

Deletion of Personal Data — Personal Data are deleted by the User in the Personal Account. The fact of deletion is recorded in the Platform logs and stored for the period of time specified by the current legislation of the United Arab Emirates.

2.3.3. The purpose of processing — to restore access to the Account (if it has been stolen/lost login and password/error in login during registration/no possibility to use two-factor authentication)

Processed Personal Data:
  • The last 4 digits of the bank card;
  • Phone number.

Grounds for processing of Personal Data — processing is performed within the framework of fulfillment of contractual obligations.

Types of processing of Personal Data:
  • Collection, recording, accumulation, storage, depersonalization, blocking, deletion;
  • Viewing through the Control Panel for user management.

Retention period of Personal Data — Personal Data shall be stored for the entire duration of the agreement.

Deletion of Personal Data — Personal Data are deleted by the Administration after the goal is achieved.

2.3.4. The purpose of processing — to ensure the reliability of the Platform operation and the possibility of data recovery after failures using data backup and recovery technologies

Processed Personal Data — all data processed by the Administration and listed in this document.

Grounds for processing of Personal Data — processing is carried out within the framework of fulfillment of contractual obligations.

Types of processing of Personal Data:
  • Storage;
  • Transfer for realization of geo-distributed storage of backup copies;
  • Deletion is performed automatically upon expiration of the retention period of the backup copies of the data

Processing shall be carried out by hosting the Platform on the facilities leased by the Processor in data processing centres provided by partners with whom agreements have been concluded to guarantee the security of the Personal Data processed by them:

Retention period of Personal Data — Personal Data shall be stored for the entire term of the agreement/for the terms established by the applicable laws of the United Arab Emirates.

Deletion of Personal Data — Personal Data is deleted automatically upon expiration of the retention period of the backup copies of the data, as part of the backup and recovery process in place.

2.3.5. Purpose of processing — granting access within the framework of paid plans when paying by bank card

Processed Personal Data:
  • Surname and first name on the card;
  • Last 4 digits of the card;
  • Card validity period;
  • Eemail;
  • User ID;
  • Information about the completed purchase (tariff name, price, currency);
  • Ttransaction number;
  • Invoice ID;
  • Country of issue of the card;
  • Unique card identifier (fingerprint).

Grounds for processing of Personal Data — processing is carried out within the framework of fulfillment of contractual obligations.

Types of processing of Personal Data:
  • Receipt of Personal Data from third parties, recording, systematization, accumulation, storage of Personal Data is carried out after payment for the plans on the page;
  • Clarification (update, modification) is not performed;
  • Deletion, depersonalization, blocking, destruction of Personal Data is performed through the Control Panel for User management.

Retention period of Personal Data — Personal Data shall be stored for the entire term of the agreement/for the terms established by the applicable laws of the United Arab Emirates.

Deletion of Personal Data — Personal Data shall be deleted after the expiration of the retention period specified by the applicable laws of the United Arab Emirates.

Payment for the Plan, in accordance with which the User uses the services of the Platform, shall be carried out using the payment systems Stripe, Telr. These payment systems collect and store financial information in accordance with their user agreements and privacy policies.

The administration does not store full card details and does not process payments, receiving only a notification from the payment system about the fact of successful payment.

In the process of receiving payment for the Plan, the Administration may collect additional information related to the payment made by the User, including, but not limited to, the transaction number, time of the transaction, type and expiration date of the card used for payments, as well as the last four digits of the card number, name of the cardholder, country and city in which funds were written off from the card.

2.3.6. The purpose of processing — to transfer of the User’s Personal Data to another Personal Data Controller when the User transfers profile to it

Processed Personal Data:
  • Name;
  • Email.

Grounds for processing of Personal Data — processing is carried out as part of the User’s consent expressed by action.

Types of processing of Personal Data: cross-border transfer of Personal Data. Shall be initiated by the Personal Data Subject by instructing the Administration to transfer his/her Personal Data to another Personal Data Controller located in another jurisdiction. Carried out by the User independently by interacting with the Platform through the User interface.

Retention period of Personal Data — Within the framework of this processing of Personal Data, they are not store.

Deletion of Personal Data — deletion of Personal Data is not performed due to the fact that it is not stored.
3. Logging of User Actions
3.1. When the User performs actions in the Account, for security purposes and to prevent fraudulent activities, the following activity shall be logged: date and time of authorization, date and time of creating a project and page, date and time of deleting projects and pages, date and time of changing the login and password, date and time of transfer of projects or pages to other Accounts.
4. Personal Data Processed by Users
4.1. The Administration provides the User with the Platform, which can be used by the User for processing Personal Data.

The processing and storage of Personal Data processed (including those collected, stored and published) by Users on the Users' websites is carried out legally, for a period of time determined by the User themselves.

4.2. The Controller of this data shall be the User, and the Administration is the Processor, to which the User entrusts processing of Personal Data of their clients (according to the terminology defined by the Law). These relations shall be governed by the Instruction for Personal Data Processing. By using the Platform for processing Personal Data , the User thereby expresses their consent and accepts the Data Processing Agreement.

4.3. The User shall be obliged to obtain all necessary consents from his/her clients when processing their Personal Data, including consent to transfer of Personal Datawithin the Administration’s group of companies, as well as consent to entrusting the processing of Personal Data of their clients to third parties (for example, third-party hosting service providers, etc.).

4.4. The User independently decides which Platform services they uses on their website to process Personal Data of their clients (collecting applications, orders, etc.).

4.5. If the User processes Personal Data of third parties using the functionality and services of the Platform, the User shall bear sole responsibility for compliance with appropriate measures to protect Personal Data in accordance with the Law and other laws and regulations, including in terms of obtaining appropriate permits, placement of the necessary documents and information on the User's Website.

4.6. The Administration shall not be responsible for the User’s relations with their clients or for the methods of the User’s procesing of their Personal Data (even if the User collects it using the functionality and services of the Platform), and the Administration does not and will not provide the User with any legal advice on such issues.

4.7. The Administration shall process Personal Data collected by the User on its websites on behalf of the User for the purposes determined by the User themselves.

4.8. If the User uses the payment system website, the Administration, on behalf of the User, may receive partial data (for example, 4 or 6 digits of the payment card number, the surname and name of the card holder and the name of the card-issuing bank) on the successful payment processing to ensure interaction between the website and the payment system.

4.9. The function of logging and storing partial data on successful payment processing shall be enabled by default. The User shall configure this function independently in the Personal Account. The User can change the data storage period (set a value from 1 to 30 days or delete the data immediately after transfer to the data collection services enabled by the User) or disable this function.

4.10. Data collected on the User’s website shall be stored for a period configured by the User (no more than 30 days, depending on the parameters set by the User).

4.11. The User shall be prohibited from processing special, biometric and other sensitive Personal Data of their clients due to the fact that the Platform is not intended for processing thereof.

4.12. If the User processes Personal Data of third parties, the User shall bear sole responsibility for compliance with appropriate measures to protect Personal Data in accordance with the Law and other laws and regulations, including in terms of obtaining appropriate permits, placement of the necessary documents and information on the User's Website.

4.13. The Administration shall not be authorized to provide legal advice to Users, however, it recommends that Users processing Personal Data place a user agreement, privacy policy on the website and add links to these documents and a special field in the data collection form to obtain explicit consent that the user has read and agrees to these rules.

4.14. The website created by the User uses cookies by default. If the User does not plan to use this function and work with Personal Data, they should independently disable the use of cookies that are not necessary for functioning of the Platform in the website settings.
5. Methods for Collecting Personal Data
5.1. The main ways in which the Administration obtains the User's Personal Data:
1) The User provides Personal Data directly (for example, when registering or connecting and using third-party services integrated into the Platform);
2) Personal Data is collected automatically when the User browses or uses the Platform, for example by means of cookies (more details in the Cookie Policy);
3) Personal Data may be obtained from third parties and services integrated into the Platform and used by the User.
6. Transfer and Receipt of Personal Data from Third Parties
6.1. To use various services of the Platform, the User may be required to provide access to accounts of third-party service providers, including, but not limited to, public file storage, instant messaging, social networks, etc. In this case, the Administration may receive from third parties additional Personal Data , including, but not limited to, gender, location, userpic, etc. All information available through the third party service provider shall be processed and stored in accordance with its user agreement and privacy policy.

6.2. The User may be asked for Personal Data and other information by third parties, for example, when it is necessary to make a payment, or to add additional functions using third-party services integrated with the Platform. The user voluntarily provides Personal Data and other information. All Personal Data requested by third parties should be processed and stored in accordance with the aser agreement and privacy policy of the said third parties.

6.3. The Administration may transferPersonal Data within the group of companies for the purposes provided for in this Policy, as well as to providers of services on behalf of the Administration. For example, the Administration may engage third parties to provide support to Users, manage advertisements on third-party resources, send marketing and other messages on behalf of the Administration (as described in the Terms of Service) or provide assistance in storing data. These third parties shall be prohibited from using the Users’ Personal Data for advertising purposes.

6.4. The Administration may disclose the User’s Personal Data in accordance with the law or to protect the rights and interests, if such disclosure is necessary to comply with the law or prevent fraud. In particular, the Administration may disclose the User’s Personal Data in response to official requests from government agencies or in the event of receiving a complaint against the User in connection with a violation of the rights of third parties and/or the user agreement on the grounds provided for by law.

6.5. The Administration may exchange Personal Data with third parties in order to provide the User with targeted advertising, analyze and monitor its effectiveness. For example, the Administration may use an encrypted email address to set up advertising on a social network so as not to show advertising to persons who are already Users of the Platform.

6.6. The Administration may transfer Personal Data to third-party providers of services on behalf of the Administration at the instruction. For example, the Administration engages providers of hosting and server housing services, content delivery networks (CDNs), data transmission and cybersecurity service providers, payment systems, web analytics service providers, service providers for distribution and monitoring of electronic messages, content providers, legal and financial consultants.

6.7. To host and ensure the functioning of the Platform, the Administration uses the services of data processing centre providers located in the United Arab Emirates and States that ensure an adequate level of protection of the rights of data subjects and with whom agreements have been concluded to guarantee the security of Personal Data processed by it:

6.8. To provide the Users with technical support services and process their requests, the Administration may entrust processing (including collection, recording, accumulation, storage, depersonalization, blocking, deletion, viewing) of all Personal Data listed in this document to Tilda Publishing Kaz LLP (050054, Republic of Kazakhstan, Almaty city, Turksib district, Mailina street, building 79/2), with whom the Administration has concluded all necessary agreements guaranteeing the security of processed Personal Data and respect for the rights of the Users.
7. Personal Data Storage
7.1. The processing and storage of the User's Personal Data is carried out legally during the existence of the User's Account, as well as within the terms established by the current legislation of the United Arab Emirates. In case of deletion of the Account, it is possible to retain part of the information to the extent necessary to fulfill legal obligations, settle disputes, prevent fraud, and protect the legitimate interests of the Administration.

7.2. In case of loss or disclosure of the User's Personal Data, the Administration shall notify the User of the fact of their personal data loss or disclosure.

7.3. In order to ensure adequate protection of the User's Personal Data, the Administration:
1) Appoints a person responsible for organizing the processing of Personal Data (Data Protection Officer;
2) Issues documents defining the Administration's policy regarding the processing of Personal Data, local acts on the issues of Personal Data processing, defining for each purpose of Personal Data processing the categories and list of processed Personal Data, categories of subjects whose Personal Data are processed, methods, terms of their processing and storage, the procedure for destruction of Personal Data upon achievement of the goals of their processing or upon occurrence of other legitimate grounds, as well as local acts establishing procedures aimed at detecting and preventing violations of the United Arab Emirates legislation and eliminating the consequences of such violations;
3) Applies legal, organizational and technical measures to protect Personal Data from unlawful or accidental access to it, destruction, modification, blocking, copying, provision, distribution of Personal Data, as well as from other unlawful actions in relation to Personal Data, necessary to fulfill the requirements to the protection of personal data established by the Law.;

4) Identifies threats to the security of personal data during its processing in personal data information systems;

5) Evaluates the effectiveness of the measures taken to ensure the security of Personal Data prior to the commissioning of Personal Data information systems;
6) Detects unauthorized access to Personal Data and takes measures to detect, prevent and eliminate the consequences of computer attacks on Personal Data information systems and respond to computer incidents therein;
7) Restores Personal Data modified or destroyed due to unauthorized access to it;
8) Establishes rules of access to Personal Data processed in Personal Data information systems, as well as ensures registration and record keeping of all actions performed with Personal Data in Personal Data information systems;
9) Exercises control over the measures taken to ensure the security of Personal Data and the level of protection of Personal Data information systems;
10) Exercises internal control and (or) audit of compliance of Personal Data processing with the Law, regulatory legal acts adopted in accordance with it, requirements to Personal Data protection, operator's policy on Personal Data processing, local acts of the operator;
11) Assesses the harm that may be caused to the subjects of Personal Data in case of violation of the Law, the correlation between this harm and the measures taken by the operator to ensure the fulfillment of obligations under this Law.

7.4. The Administration shall organize, inter alia:
1) A system of continuous monitoring of detection of non-standard behavior of information systems with subsequent analysis for unauthorized access or common errors;
2) Provision of a secure channel for accessing/processing Personal Data (HTTPS, TLS1.2+);
3) Introduction of two-factor authorization for both Administration employees and Users;
4) Annual audit of the information system, which is a control over the measures taken to ensure the security of Personal Data and the level of protection of the information system of Personal Data;
5) Loosely coupled microservice architecture, where each microservice processes only those Personal Data and the minimum necessary for its operation;
6) Storage of sensitive data in encrypted form with a variable encryption key;
7) Implementation of the public Bug Bounty vulnerability search program, within the framework of which each User can inform the Administration about the vulnerabilities they have discovered.

7.4. The Administration detects facts of unauthorized access to Personal Data and takes measures, including detection, prevention and elimination of consequences of computer attacks on information systems of Personal Data and response to computer incidents in them.
The Administration has adopted local acts on Personal Data security issues.

7.5. Employees of the Administration having access to Personal Data are familiarized with this Policy and local acts on Personal Data security issues.
8. Updating and Deleting the User's Personal Data
8.1. The User can independently, by authorizing in the Personal Account, update, restrict the use or change Personal Data they have provided.

8.2. In order to withdraw Personal Data and delete the Account, the User should send a relevant request to the legal@tilda.cc email address, in response to which the User will receive a letter with a link to the page in the Personal Account, where they will have to confirm their intention to delete Personal Data and the Account.
The deadline for deleting Personal Data is 30 days.

8.3. For technical reasons, the information may be deleted not immediately, but with a delay. In this case, the Administration blocks such Personal Data until their complete deletion from its databases, in connection with which, such Personal Data become inaccessible and their use - impossible.
It should also be taken into account that it is possible to retain some of the information to the extent necessary for the fulfillment of legal obligations, dispute resolution, fraud prevention and protection of legitimate interests of the Administration.

8.4. After the final deletion of data and Account, all Personal Data and information will be deleted from the databases of the Administration (after the expiration of storage periods established by applicable law). Upon completion of this process, the User will no longer be able to use the Platform services, and the Account and all data will be deleted without the possibility of recovery.
9. Rights and Obligations of the User
9.1. In relation to the Administration, the User provides their Personal Data and keeps it up to date.

9.2. The User independently regulates relations with third parties, with whom they interact through their website, regarding the data collected on the User's website and bears responsibility both to third parties and to regulatory authorities.

9.3. In accordance with the applicable law, the User has the following rights in relation to Personal Data processed by the Administration:
1) The right to receive information about the processing of Personal Data by the Administration;
2) The right to receive from the Administration the Personal Data processed by it in a generally accepted machine-readable format;
3) The right to correct or delete Personal Data;
4) The right to restrict the processing of Personal Data;
5) The right to terminate the processing of Personal Data;
6) The right to restrict decision-making based solely on the automated processing of Personal Data.

9.4. To exercise the listed rights, the User should contact the Administration, as described in the Contacts section hereof.

9.5. Also, according to the applicable law, the user has the right to contact the government body supervising the processing of Personal Data — UAE Data office.
10. Rights and Obligations of the Administration
10.1. The Administration undertakes to:
1) Use Personal Data provided by the User exclusively for the purposes specified in this Privacy Policy;
2) Keep the confidentiality of Personal Data; not to disclose Personal Data of the User without prior permission of the User, except as expressly provided by law; not to sell, exchange, publish or disclose it Personal Data by any other means, except as specified in this Privacy Policy;
3) Take measures to protect the confidentiality of the User's Personal Data in accordance with the internal procedures of the Administration;
4) Immediately block the User's Personal Data after receiving a request from the User or their legal representative or the appropriate authority for the protection of the User's Personal Data during the verification of this information in case of detection of invalid data or unauthorized actions.

10.2. In accordance with the applicable law, the Administration may request from the User confirmation of the existence of legal grounds regarding the User’s processing of personal data processed by him/her using the Platform.

10.3. The Administration shall be entitled not to respond to the User’s request in the following cases:
1) The request is not related to the User’s Personal Data, or is repeated too often;
2) The request is contrary to judicial procedures or investigations carried out by the competent authorities;
3) The request has a negative impact on the Administration’s efforts to ensure information security;
4) The request concerns the confidentiality of Personal Data of third parties which are not Clients of the User;
5) The request contradicts other legislation to which the Administration is subject.

10.4. The Administration shall be entitled to continue processing of Personal Data without the Consent of the Personal Data subjects in the following cases:
1) When processing is limited to storage of Personal Data;
2) When processing is necessary for initiation or defense of any proceedings relating to a claim of rights or legal action, or connected with legal proceedings;
3) If processing is necessary to protect the rights of third parties in accordance with the applicable law.
4) When processing is necessary for reasons of public interest.

10.5. In case of failure to perform its obligations, the Administration accepts liability for any losses, which amount is limited to the cost of the Plan, incurred by the User as a result of the unauthorized use of their Personal Data, in accordance with the legislation of the United Arab Emirates, except for the cases when Personal Data:
1) Was disclosed to the competent authorities of the United Arab Emirates;
2) Was disclosed by the third party after it was shared by the Administration with the User's consent;
3) Became public before it was lost or disclosed;
4) Was received from a third party before it was provided to the Administration;
5) Was disclosed with the User's consent;
6) Was disclosed as a result of a force majeure event;
7) Was disclosed as a result of a justified claim addressed to the User regarding the violation of the third parties' rights and/or the Terms of Service Agreement.
11. Contacts
If you have any questions, comments or complaints about this Privacy Policy, please send us a request to the ticket system if you are an authorized User of the Platform.

If you are not an authorized User of the Platform, please contact us by sending an email to legal@tilda.cc — on legal issues and dpo@tilda.cc — on issues related to the organisation of processing and protection of personal data.
The current version of the Privacy Policy is dated 14.05.2024
Made on
Tilda