Cross-Border Data Transfer Policy

1. Introduction

This document discloses the procedure and conditions under which personal data of Clipia.ai Users are transferred across national borders in connection with the provision of AI-powered content generation services.

The document is drafted in accordance with Article 12 of Russian Federal Law No. 152-FZ «On Personal Data» (as amended by Federal Law No. 266-FZ of 14 July 2022) and Articles 44–49 of the EU General Data Protection Regulation (GDPR) for data subjects in the European Economic Area.

The data controller is Zakharov Maksim Sergeevich, Individual Entrepreneur registered in the Russian Federation (OGRNIP 324366800070377, INN 361608356714; registered on 19 July 2024; registered address: 396336, Voronezh Oblast, Russian Federation) — owner of the domain and the Clipia.ai service (hereinafter — «Operator», «Service»).

2. Definition and legal grounds

«Cross-border transfer» means the transfer of personal data to the territory of a foreign state, including to foreign legal entities subject to its jurisdiction, or making personal data accessible from the territory of a foreign state.

Legal grounds for transfer:

• Consent of the data subject expressed at registration and upon acceptance of the Terms of Service
• Performance of the contract to which the data subject is a party (to execute generation requests)
• Legitimate interest of the Operator in securing the Service and ensuring service quality

3. Categories of data transferred

Special categories of personal data (race, ethnicity, political or religious beliefs, health, sexual life) are not transferred abroad, except where the data subject voluntarily includes such information in a prompt or reference media.

4. Recipients of personal data

Personal data are transferred to foreign sub-processors of the categories listed below. The identity of specific legal entities with which the Operator has executed Data Processing Agreements (DPAs) is a commercial secret of the Operator and may be disclosed upon a reasoned request of the competent supervisory authority.

4.1. Categories of sub-processors

Russian payment providers and Russian web-analytics providers process data exclusively within the territory of the Russian Federation and do not perform cross-border transfers. Full card details are not passed to the Operator by any provider.

4.2. Specifics of transfers to AI generation providers

Access to machine-learning models may be provided directly or through foreign technology partners (infrastructure aggregators) handling routing, load balancing, failover, and integration security. The identity and details of specific providers and partners constitute a commercial secret of the Operator.

Transmitted: prompt text, reference media, request parameters (model, resolution, duration), anonymised request ID.

Not transmitted: email, username, IP address, payment data, any account content beyond the specific request.

5. Destination countries

Safeguards for transfers to non-adequate jurisdictions:

• Transfer only over secure channels (TLS 1.2+)
• Data minimisation
• Data Processing Agreements (DPAs) with recipients
• Access control and audit
• User identifier hashing where feasible

6. Retention periods at recipients

• Generation content — transit-only, retained by AI providers for no more than 30 days
• Email and account identifiers — until consent is withdrawn
• Error monitoring technical logs — no more than 30 days
• Web-analytics data — no more than 14 months
• Payment data — per PCI DSS and the tax law of the provider's jurisdiction

7. Your rights

Regarding cross-border transfer, you have the right to:

• Withdraw consent — use of the Service becomes impossible, as generation requires sending requests to AI providers
• Request information about specific recipients of your personal data and the grounds for transfer
• Demand that a recipient cease processing if processing violates your rights
• Lodge a complaint with Roskomnadzor, the EU supervisory authority of your residence, or a court of competent jurisdiction

Requests: privacy@clipia.ai. Response within 30 calendar days.

8. Roskomnadzor notification

The Operator notifies Roskomnadzor of its intent to perform cross-border transfer of personal data in accordance with Roskomnadzor Order No. 178 of 28 October 2022.

Notification number and date: filing in progress. Will be published in this section upon assignment.

9. Amendments

The Operator may update this document. Material changes (new recipients, new jurisdictions) are communicated 30 calendar days in advance via email and in-service notice.

10. Contact

Data controller

Supervisory authority

Russian Federation: Roskomnadzor (Federal Service for Supervision of Communications, Information Technology and Mass Media). Address: 109992, Moscow, Kitaygorodsky Proyezd 7, bld. 2. Website: rkn.gov.ru

Related documents

• Privacy Policy
• Terms of Service
• Cookie Policy