Privacy Policy of the Hotel Booking Platform "Moya Bron"

1. General Provisions

  1. This Privacy Policy (hereinafter referred to as the "Policy") has been developed by the Limited Liability Company "Moya Bron" (OGRN 1247700470566, INN 9717165404, legal address: 129626, Moscow, Prospekt Mira, building 102, block 1, premises 3/7) (hereinafter referred to as the "Operator") in accordance with the requirements of the legislation of the Russian Federation, including Federal Law No. 152-FZ of July 27, 2006 "On Personal Data," and defines the procedure for processing and protecting the personal data of users of the hotel booking service operated through the Telegram messenger (hereinafter referred to as the "Platform"). The Operator guarantees compliance with the rights of personal data subjects and takes the necessary measures to ensure the security of personal data.
  2. The Policy applies to any information about users that the Operator may obtain during the use of the Platform. Personal data (hereinafter referred to as "PD") means any information relating directly or indirectly to an identified or identifiable individual (User). This Policy is an integral part of the user agreement (offer agreement) for the use of the Platform. By beginning to use the Platform or by providing their personal data, the User agrees to this Policy and confirms that they have provided their PD voluntarily.
  3. The processing of Users' personal data is carried out by the Operator — the Limited Liability Company "Moya Bron." The Operator independently or with the involvement of third parties organizes the processing of PD and determines the purposes of processing, the composition of collected PD, and the actions (operations) performed with PD. The Operator's contact details are provided in Section 9 of this Policy.
  4. The Operator collects, records, stores, and destroys personal data of citizens of the Russian Federation using databases located within the territory of the Russian Federation, in accordance with the requirements of current Russian legislation. The Operator is guided by the provisions of Federal Law No. 152-FZ "On Personal Data" and other regulatory legal acts of the Russian Federation in the field of personal data protection.

2. Personal Data Collected by the Platform

The Operator collects and processes the following personal data of Users necessary for providing hotel booking services:

  • Last name and first name of the user. For making hotel reservations in the User's name.
  • Phone number. For contacting the User regarding booking confirmation, providing notifications on order status, and for customer support communication.
  • Email address. For sending booking confirmations, payment receipts, informational messages related to service provision, and document exchange.
  • Booking data. Information about the selected hotel (hotel name), check-in/check-out dates (booking date), room type, and accommodation cost. This information is necessary for processing and fulfilling the booking and generating reporting documents.
  • Payment data. To pay for accommodation, payment card details or other requisites necessary for processing payment through the integrated payment system (CloudPayments) may be requested. Note: payment card details are entered by the User on CloudPayments' secure payment page; the Operator does not directly store or process the full card number and other sensitive payment data — their processing is carried out by a third-party payment service (see Section 5).
  • Communication data. The content of the User's inquiries to the support service (via Telegram chat) and other information that the User voluntarily provides when communicating with the Operator. This data may include additional contact or identifying information if the User chooses to share it during the inquiry.
  • Technical and analytical information. When using the Platform, certain technical data is automatically collected: the User's device IP address, device type, operating system version, browser information (if applicable), language, approximate geographic location, data on the facts and times of Platform feature usage. This information is collected using cookies and similar technologies by analytics systems (such as Yandex.Metrica and Google Analytics) for the purpose of improving service performance, usage statistics, and information security (for more details on data transfer to analytics systems, see Section 5).

The Operator does not request or process special categories of personal data (regarding racial or ethnic origin, political views, religious or philosophical beliefs, health status, intimate life) or biometric personal data within the scope of the Platform's operation. The User is obligated to provide accurate and up-to-date data; the consequences of providing inaccurate information are borne by the User in accordance with the User Agreement.

3. Purposes of Personal Data Processing

The User's personal data is collected and processed by the Operator strictly for specific, predetermined, and lawful purposes. The main purposes of PD processing on the Platform include:

  • Providing booking services. Processing and ensuring hotel reservations at the User's request. The last name, first name, and booking data (hotel, dates, room type) are used to reserve a room in the User's name through the partner booking system.
  • Contract performance and feedback. Contacting the User via the provided phone number or email to deliver booking confirmation, voucher, information about changes or order status, as well as to send payment reminders if necessary. Contact data is used to fulfill obligations to the User under the booking service agreement.
  • Payment processing. Organizing payment acceptance for booked accommodation. The User's payment data is used to process transactions through the integrated payment service (CloudPayments). The purpose of processing is to accept payment and ensure the fulfillment of financial obligations (invoicing, payment confirmation).
  • User support. Processing User inquiries and requests through the Telegram support chat. Personal data contained in such inquiries (e.g., Telegram username, inquiry content, contact details) is used exclusively for consulting the User, resolving issues, correcting possible booking problems, and improving service quality.
  • Service improvement and analytics. Analyzing User activity on the Platform to improve service performance, develop new features, and enhance interface usability. For this purpose, the Operator uses technical and behavioral analytics data (e.g., feature usage statistics, traffic, typical interaction paths with the bot). Anonymized data may be used for statistical and research purposes to identify service usage trends. Web analytics tools (Yandex.Metrica, Google Analytics) help the Operator obtain aggregated statistics and understand audience needs; the Operator strives to anonymize or aggregate data for analytical reports wherever possible.
  • Security assurance. Processing technical data and log files to ensure the Platform's information security, prevent fraud, unauthorized access, and other unlawful actions. For example, IP addresses and other technical information may be used to detect suspicious activity, protect against DDoS attacks and other threats, and to investigate information security incidents.
  • Compliance with legal requirements. The Operator's compliance with mandatory requirements of Russian legislation, for example, in the areas of accounting, tax reporting, storage of accounting documents, and fulfillment of lawful requests from government authorities. Personal data may be used to prepare and store documents (contracts, invoices, acts) for the periods established by law, as well as to provide information to authorized government bodies in cases provided by law (e.g., upon request from a court or law enforcement authorities).

The Operator does not process personal data for purposes incompatible with the originally stated purposes. If it becomes necessary to use data for a new purpose different from those listed above, the Operator will request the User's prior consent for such processing, except in cases directly permitted by law.

4. Legal Bases for Processing

The Operator processes Users' personal data on the following lawful grounds provided by the legislation of the Russian Federation on personal data:

  • User consent. PD processing is carried out with the consent of the personal data subject — the User (in accordance with clause 1, part 1, Article 6 of Federal Law No. 152-FZ). The User provides the Operator with consent to process their personal data through conclusive actions — continued use of the Platform, making a booking, transmitting their data through the Platform interface, checking the box agreeing to the terms of the Policy, etc. The consent is effective until withdrawn by the User (see Section 6 on the User's right to withdraw consent).
  • Contract performance. PD processing is necessary for the performance of a contract to which the User is a party or beneficiary (clause 5, part 1, Article 6 of Federal Law No. 152-FZ). This means that personal data is processed to provide the User with hotel booking services and to fulfill related payment and other obligations. For example, without processing contact and identification data, the Operator would be unable to confirm and fulfill the booking, and without processing payment data — unable to accept payment.
  • Other grounds. In certain cases, the Operator may process personal data without the User's consent if such processing is permitted by law. Such cases include, in particular: the necessity of fulfilling the Operator's legal obligations (clause 2, part 1, Article 6 of 152-FZ), the necessity of protecting the life, health, or other vital interests of the User or other persons when obtaining consent is difficult (clause 6, part 1, Article 6), the necessity of exercising the rights and legitimate interests of the Operator or third parties, provided that the rights and freedoms of the PD subject are not violated (clause 7, part 1, Article 6). The Operator is also entitled to process personal data made publicly available by the User themselves (clause 10, part 1, Article 6). The listed cases typically arise when processing is dictated by legal requirements or extraordinary circumstances.

In all situations requiring separate consent of the PD subject under the law (e.g., when transferring data to countries that do not provide adequate PD protection, when publicly distributing PD, etc.), the Operator requests such consent from the User in the required form. The Operator strictly adheres to the principles and conditions of personal data processing provided by law.

5. Transfer of Personal Data to Third Parties

The Operator does not disclose or transfer Users' personal data to third parties, except in the cases listed below, or when such transfer is provided for by law or expressly authorized by the User. Data transfer to third parties is carried out to the extent necessary to achieve the stated processing purposes, subject to confidentiality and security requirements. The main recipients (third parties) to whom User data may be transferred include:

  • CloudPayments payment service. To process booking payments, the Operator interacts with the external payment system CloudPayments. During the payment process, the User may be redirected to CloudPayments' secure gateway, where they enter their bank card details. The CloudPayments service receives information such as the cardholder's name, card number, expiration date, security code, and payment amount, and may also receive contact details (e.g., phone number or email for payment notification). The transfer of this data is necessary for authorizing and processing the payment transaction. CloudPayments acts as an independent operator (processor) of payment data and processes it in accordance with its own privacy policy. The Operator transmits only the minimum necessary information to CloudPayments (e.g., order ID, payment amount, currency, payer's name) and does not receive access to the full bank card details (except for card type and a portion of the number). All interactions with CloudPayments are protected by encryption compliant with Payment Card Industry Data Security Standards (PCI DSS).
  • Bronevik booking system (Bronevik API). The Platform is integrated with the external hotel booking service Bronevik for obtaining up-to-date hotel information and making reservations. To confirm the User's selected accommodation option, the Operator transmits the necessary personal data through a secure channel to the Bronevik system: the guest's (User's) last name and first name for registering the booking at the hotel, as well as booking details (hotel name, dates of stay, selected rate/room type). This data is used by the partner (Bronevik) solely for the purpose of processing the booking and transmitting information to the relevant hotel property. Bronevik acts as a partner personal data operator and ensures the confidentiality of the information received in accordance with its agreement with the Operator and legal requirements. Without transferring this data, booking a room in the User's name would be impossible.
  • Analytics services (Yandex.Metrica and Google Analytics). For the purpose of collecting statistics and improving the Platform's performance, the Operator uses the web analytics services Yandex.Metrica (provided by Yandex, Russia) and Google Analytics (provided by Google LLC, USA). Using cookies and similar technologies, these services receive and process anonymized data about the User's activity: pages visited or bot commands used, number of bookings completed, technical information about the device and browser, approximate location (country/city by IP), etc. Yandex.Metrica provides the Operator with reports in aggregated form that do not reveal a specific User's identity. Google Analytics also collects analytical data; some data may be transferred and processed on servers outside the Russian Federation (e.g., in Google's data centers in other countries). The Operator has entered into the necessary agreements with these services and/or configured them to ensure compliance with confidentiality (in the case of Google Analytics, the Operator may use the IP address anonymization feature). Data collected by analytics systems is not used to identify Users, but serves to understand overall audience activity and preferences. Users may disable cookie storage in their browser settings if they wish; however, this may affect the proper functioning of certain Platform features.
  • Telegram messenger (support service). User support inquiries are processed via chat in the Telegram messenger. This means that the User's messages containing personal data (e.g., Telegram profile name, inquiry text, possible attachments) pass through Telegram's infrastructure. Telegram may act as an independent data operator for correspondence and store message history in accordance with its own privacy policy. The Operator does not transfer any additional User data to Telegram beyond what the User themselves communicates in the chat. Correspondence with the User is used by the Operator solely to respond to inquiries and resolve User issues. It is recommended to exercise caution when transmitting confidential information via the support chat. The Operator is not responsible for data security on Telegram's side; the User should independently familiarize themselves with Telegram's data processing terms. At the same time, the Operator's support staff are obligated to maintain the confidentiality of correspondence with the User and not to disclose information obtained during communication to third parties without lawful grounds.
  • Government authorities and other third parties on the basis of law. The Operator is entitled to provide personal data to authorized government bodies (e.g., investigative authorities, courts, tax authorities, Roskomnadzor) in the cases and manner established by the legislation of the Russian Federation. Such transfers are carried out only upon receipt of a lawful request and strictly to the extent required by law. Additionally, in the course of complying with legal requirements, the Operator may transfer data for maintaining accounting and tax records (e.g., payment information — to banking or tax institutions, if provided for by regulations). In all cases of data provision on the basis of law, the Operator verifies the legality of the request in advance and ensures transfer through secure communication channels.

The Operator guarantees that under no circumstances does it sell or provide Users' personal data to third parties for commercial purposes not specified in the Policy, without the User's direct consent. Transfer of PD to third-party organizations not named in this Policy is possible only on the basis of separate express consent of the User or upon direct order of the law. All third-party organizations involved in the processing of personal data are bound by obligations to protect the confidentiality of the information received and use Users' personal data only for the purposes for which it was provided by the Operator.

6. Rights of the User (Personal Data Subject)

The Operator respects the rights of each User as a personal data subject and ensures the possibility of their exercise in accordance with Chapter 3 of Federal Law No. 152-FZ. A User whose data is processed on the Platform has the following rights:

  • Right to information about PD processing. The User has the right to receive from the Operator confirmation of the fact that their personal data is being processed, as well as information about the purposes, legal grounds, and methods of processing, the processing periods (storage periods) of their PD, the name and location of the Operator, whether the Operator holds data relating to the given User, and the composition of such data. Upon request, the User is provided with information about persons who have access to their PD or to whom the data may be disclosed on the basis of an agreement with the Operator or in accordance with the law. The procedure for requesting such information is described below (in this section and in Section 9).
  • Right of access to personal data. Upon the User's request, the Operator provides copies or otherwise acquaints the User with their personal data being processed, except in cases provided by law (e.g., if the data contains information about another subject or constitutes a state secret). Information is provided within a reasonable timeframe and, as a rule, free of charge (unless the request is repeated or excessive, as established by law). The User may request this information by sending a corresponding request to the Operator in writing or as an electronic document signed with an electronic signature (in accordance with Russian legislation).
  • Right to correction, blocking, or destruction of PD. If the User discovers that their personal data is incomplete, outdated, inaccurate, or was obtained unlawfully or is not necessary for the stated purpose of processing, they have the right to demand that the Operator: (a) correct (update, amend) their data; (b) block the data (temporarily suspend processing) — for example, if the User disputes the accuracy of the data or the legality of its processing, for the duration of the verification; (c) destroy the personal data if it was processed in violation of legal requirements or if the data is no longer needed to achieve the stated purposes. The User may send such a request to the Operator in any form (via email or postal address specified in Section 9). The Operator undertakes to review such a request and provide a reasoned response within the timeframes established by law (no more than 10 business days for correcting or destroying data from the date of receiving the request or withdrawal of consent, if there are no other lawful grounds for processing).
  • Right to withdraw consent. In cases where personal data processing is carried out on the basis of the User's consent, the PD subject has the right to withdraw their consent at any time by sending the Operator a corresponding notification. Withdrawal of consent has no retroactive effect and means that further processing of the data that was carried out exclusively on the basis of consent will be ceased by the Operator. Upon receiving a withdrawal of consent for PD processing, the Operator undertakes to cease processing and (if retention of PD is no longer required for processing purposes or by law) destroy the personal data within a period not exceeding 30 days, or ensure its destruction (if processing was carried out by another person on the Operator's behalf). It is important to note that in the event of withdrawal of consent for processing data necessary for service provision (e.g., contact details for processing a current booking), the Operator may be unable to continue providing the relevant services to the User.
  • Right to object to or restrict processing. In cases provided by law, the User has the right to object to the Operator's processing of their personal data if they believe that such processing affects their rights and legitimate interests. In particular, the PD subject has the right at any time to object to the processing of their personal data for direct marketing purposes (distribution of advertising or promotional materials); upon receipt of such an objection, the Operator will immediately cease processing the User's PD for marketing purposes. The User may also request restriction (temporary suspension) of processing when disputing the accuracy of data or the legality of its use.
  • Right to protection of rights and appeal. If the User believes that the Operator is violating the requirements of personal data legislation and thereby infringing upon their rights and freedoms, they have the right to file a complaint directly with the Operator (for prompt resolution) or to submit an appeal to the authorized supervisory body — the Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor). The User also has the right to judicial protection of their rights. Roskomnadzor's contact details and the procedure for filing a complaint are available on the agency's official website. The Operator recommends first addressing any questions or claims regarding PD processing directly to the Operator — this will allow the situation to be resolved most quickly and effectively.

To exercise their rights, the personal data subject may send a written or electronic request to the Operator, prepared in accordance with legal requirements. The request should preferably include the User's full name, the substance of the inquiry, and contact details for communication. The Operator undertakes to review the request and provide a response or the requested information no later than 30 days from the date of receipt of the request (unless a different timeframe is established by law). In the event of a refusal to satisfy the User's request (in whole or in part), the Operator will provide a reasoned response indicating the grounds for the refusal.

7. Personal Data Protection Measures

The Operator takes the necessary legal, organizational, and technical measures to protect Users' personal data from unauthorized or accidental access, destruction, alteration, blocking, copying, distribution, and other unlawful actions. In accordance with the requirements of Article 19 of Federal Law No. 152-FZ, internal data security documents have been developed and implemented, and modern protection tools have been adopted. The main measures implemented by the Operator to ensure the confidentiality and security of PD include:

  • Data storage in a secure environment. Users' personal data is stored in databases on servers located in the Russian Federation, which complies with the personal data localization requirement (Federal Law No. 242-FZ). Servers are hosted in data centers with restricted access, equipped with security control and monitoring systems (24/7 security, video surveillance, access control systems).
  • Encryption and data transmission. Encryption is used when collecting and transmitting confidential data. All information provided by the User through the Platform interface (including personal data entry and payment) is transmitted via secure communication channels (SSL/TLS protocol). Payment operations through CloudPayments are conducted on encrypted pages using high-level encryption protocols. This prevents interception and unauthorized access to data during its transmission over the Internet.
  • Access restriction and role-based access control. Access to Users' personal data is granted only to those employees of the Operator or associated persons who need it to perform their duties and provide services (the "need-to-know" principle). Each such employee acts on the Operator's instructions and is required to maintain the confidentiality of processed data (corresponding non-disclosure agreements have been signed). Information systems implement role-based access control: accounts and permissions are configured so that employees can only see data relevant to their area of responsibility.
  • Passwords and authentication. Complex passwords and multi-factor authentication mechanisms (where applicable) are used to access databases and administrative panels. Passwords are periodically changed in accordance with the security policy. Access to critical system components is possible only from trusted IP addresses or through secure VPN connections.
  • Antivirus protection and updates. Servers and workstations involved in PD processing have up-to-date antivirus software installed, and regular scans for malicious code are conducted. Software and hardware are promptly updated to the latest versions to eliminate known vulnerabilities and enhance the overall security of the infrastructure.
  • Backup and recovery. The Operator performs backups of key databases and systems in case of failure or data loss. Backup copies are stored in encrypted form. Data recovery procedures from backups are regularly tested, enabling rapid system restoration in the event of an emergency and minimizing the risk of data loss.
  • Monitoring and audit. The Operator monitors information security events: access logs to personal data and key actions with it are maintained. These logs are regularly reviewed for suspicious activity. Additionally, periodic internal reviews of compliance with the Policy and legislation are conducted (internal audit). When necessary, the Operator engages external specialists for security assessments (penetration testing, security audits).
  • Staff training. Employees of the Operator authorized to process personal data undergo appropriate training and instruction on the rules for handling personal data and security measures. The Operator ensures that employees are familiarized with the provisions of Russian personal data legislation and local PD protection regulations, and establishes disciplinary liability for violations in this area.
  • Incident response. In the event of an unauthorized access or personal data breach, the Operator immediately conducts an investigation, notifies the authorized bodies as necessary (including Roskomnadzor, if the incident meets the criteria established by a Government Decree of the Russian Federation), and takes measures to mitigate the consequences of the violation. Users whose data may have been affected by the incident will be notified if required by law or if the Operator considers it necessary to protect their rights.

Personal data in the Operator's information systems is protected in accordance with the requirements established for the corresponding level of protection (Order of FSTEC of Russia No. 21, Order of FSB of Russia No. 378, etc.). The Operator continuously improves the data protection system as technologies evolve and new security methods emerge.

8. Personal Data Retention Periods

The Operator processes and retains Users' personal data no longer than required by the processing purposes specified in this Policy and mandatory legal requirements. PD retention periods are established taking into account the following principles:

  • Duration of service provision. Core personal data (name, contact details, booking data) is retained for the entire period of service provision to the User (until the booking, trip, or other service is completed) and for a reasonable period after completion to allow for the settlement of claims, refunds, warranty provision, etc. Typically, data about a specific booking is retained until checkout from the hotel and for an additional 5 years after the service is provided (in accordance with limitation periods and financial reporting requirements).
  • Legal retention requirements. The Operator is required to retain certain information for a specified period by law. For example, accounting documents containing personal data (invoices, acts, payment records) must be retained for at least 5 years after the end of the reporting year, and contracts with Users — for 3 years (which is the general limitation period for civil claims under Article 196 of the Civil Code of the Russian Federation). In such cases, PD will be retained for the period prescribed by the relevant legislation.
  • Retention until consent withdrawal / purpose fulfillment. Personal data processed on the basis of the User's consent (e.g., data for newsletters, if such newsletters are conducted) is retained until consent is withdrawn, unless a shorter period was established at the time of data collection. Personal data that is no longer necessary for the purposes of processing is subject to deletion or anonymization. Upon achievement of the processing purposes (e.g., after the service has been provided and the legally mandated retention periods have expired), all personal data associated with the User is either destroyed within the timeframes established by internal regulations or anonymized, i.e., stripped of characteristics that would allow identification of the user.
  • Deletion upon request. Upon a reasoned request from the User to cease processing and/or destroy personal data (e.g., if the User has withdrawn consent or considers the processing illegitimate), the Operator reviews the request and, if there are grounds, ceases processing and deletes the relevant data (if its retention is not required by law). The fact of personal data destruction is documented in a destruction report. Some information may be retained in backup copies until their cyclical deletion; however, it will not be used in operational activities after the deletion decision has been made.

Upon expiration of the above retention periods, the Operator either destroys the personal data or anonymizes it, eliminating the possibility of identifying the User. Anonymous aggregated data (which does not allow identification of the User) may be stored indefinitely, as it does not constitute personal data.

9. Contact Details of the Personal Data Operator

The operator of Users' personal data on the Platform is LLC "Moya Bron." The User may send any requests, questions, or comments related to their personal data and this Policy to the following contact details:

  • Operator's address: 129626, Russian Federation, Moscow, Prospekt Mira, 102, bldg. 1, premises 3/7.
  • Email address: support@moyabron.ru (for personal data subject inquiries).
  • Telegram support: @moyabronsupport_bot (on business days from 9:00 AM to 6:00 PM Moscow time).

The Operator recommends contacting via email or Telegram for prompt consideration of matters related to personal data processing. The inquiry should briefly describe the substance of the request and, if possible, include the User's full name and phone number for feedback. Upon receiving the inquiry, the Operator will register it and provide a response within the timeframe established by law (see Section 6).

If the User requires an official written response (for submission to other organizations, etc.), they may send a request by registered mail to the Operator's postal address indicated above, or submit it in person at the Operator's location during business hours. Such a request must include the full name, identification document details, the substance of the request, and the applicant's signature.

10. Final Provisions

  1. Effect of the Policy. This Policy takes effect from the date of its approval by the Operator and remains in effect indefinitely until replaced by a new version. The current version of the Policy is available to Users in open access — the Operator publishes the text of the Policy on the official website (if available) or provides it upon request through the support service. It is recommended to periodically review the current version of the Policy.
  2. Amendments and additions. The Operator reserves the right to make changes to this Privacy Policy. Changes may be caused by changes in legislation, development of Platform functionality, changes in PD processing conditions, or introduction of new services. In the event of significant changes (e.g., changes to the list of collected data, purposes, or third-party transfers), the Operator will notify Users by means of an announcement on the Platform (or by other available means, such as email distribution). The new version of the Policy takes effect from the date of its publication (unless otherwise provided by the new version itself). Continued use of the Platform by the User after the changes take effect constitutes the User's acceptance of the updated Policy.
  3. Other documents. In the relationship between the User and the Operator, other documents governing the processing of personal data and confidentiality matters may also apply (e.g., User Agreement, Consent to PD Processing, etc.). In the event of a conflict between the provisions of this Policy and other documents directly related to the protection of personal data, the provisions of the version of the document published later shall prevail.
  4. Additional agreements. If individual agreements have been entered into between the Operator and the User that address the processing and protection of personal data (e.g., a separate written consent or contract), the terms of such agreement shall take priority to the extent they do not conflict with mandatory legal requirements.
  5. Compliance oversight. Responsibility for organizing the storage and ensuring the security of personal data lies with the person appointed by the Operator as responsible for PD processing. Oversight of compliance with the requirements of this Policy is exercised by the Operator's management. Persons found guilty of violating norms governing the processing and protection of personal data shall bear liability in the manner established by the legislation of the Russian Federation.

This Privacy Policy is drawn up in Russian. LLC "Moya Bron" undertakes to comply with the principles of personal data processing set forth herein. By using the Platform's services, the User confirms that they have read the terms of this Policy, understand them, and express their consent to the processing of personal data in accordance with the stated terms.