Home

Privacy Policy

Effective: June 19, 2026. Version 2.3.

This Policy is developed in accordance with Federal Law 152-FZ of 27.07.2006 "On Personal Data" (hereinafter "152-FZ") and defines the procedure for processing personal data and measures to ensure their security when using the Roomix service (roomix.space).

1. Data Controller

Operator: Chabak Victoria Olegovna, Individual entrepreneur

TIN: 166020802332

OGRNIP: 319169000060604 (registration date: 08.04.2019)

Correspondence address: Kazan, Chuykova str., 62, apt. 329, Russia

Privacy email: roomixsupp@gmail.com

RKN operator registration number: 16-25-037570

Website: https://roomix.space

2. Categories of Data Subjects and Processed Data

The Operator processes data of the following categories of subjects:

  • Designers (registered users): first name, last name, email, profile photo, OAuth provider identifier, studio name, service activity history
  • Designers' clients (invited users): first name, last name, email, profile photo, OAuth provider identifier, approval decisions
  • Site visitors: IP address (in hosting logs), technical browser data (User-Agent), interface language

The Operator does not process special categories of personal data (race, political views, health, biometrics, etc.) and does not work with data of minors. The service is intended for users aged 18 and over only.

3. Processing Purposes and Legal Grounds

Personal data is processed strictly for the purposes listed below. Legal grounds for each purpose: subject's consent (Art. 6, Part 1, Para. 1 of 152-FZ) and/or execution of the offer agreement (Art. 6, Part 1, Para. 5 of 152-FZ).

  • User identification and authentication in the service (via Yandex OAuth, password, or email sign-in link)
  • Providing service functionality: creating projects, chat, approvals, file storage
  • Communicating with the user on technical and service matters (push notifications, email)
  • Ensuring service security, preventing fraud and abuse
  • Compliance with the laws of the Russian Federation (storing approval records as legally significant acts)
  • Processing user requests regarding data subject rights (Art. 14 of 152-FZ)

4. Data Sharing with Third Parties

The Operator does not sell personal data and does not transfer it to third parties for advertising purposes. For technical operation of the service, data is transferred to the following processors:

  • Timeweb Cloud (Russia, Moscow): main application database, file storage, authentication service and application server hosting. All processing and storage of personal data take place within the Russian Federation.
  • Yandex LLC (Russia): OAuth authentication processing (name, email, profile photo).
  • Unisender (Russia): transactional email mailings (invitations, notifications). No marketing mailings used.

Data is disclosed to government authorities only upon a lawful basis (court order, investigator's resolution, etc.) and only in the scope required by such an act.

5. Cookies, localStorage and analytics

The Service uses cookies and localStorage. Analytics cookies load only after your consent through the banner shown on first visit.

Essential (always required, no consent needed):

  • sb-roomix-auth-token-* - authentication session tokens (httpOnly, secure). Lifetime: until sign-out.
  • NEXT_LOCALE - selected interface language (ru / en). Lifetime: 12 months.
  • roomix-cookie-consent (localStorage) - stores your choice from the consent banner. Lifetime: until browser is cleared or consent is revoked.

Functional (localStorage, no consent needed):

  • roomix-ui - interface state (sidebar collapsed, theme). Lifetime: until browser is cleared.

Analytics (loaded only after banner consent):

  • _ym_uid - anonymous Yandex Metrika visitor identifier. Lifetime: 12 months.
  • _ym_d - date of first visit. Lifetime: 12 months.
  • _ym_isad - whether AdBlocker is present. Lifetime: 2 days.
  • _ym_visorc_* - Webvisor session identifier (user action recording). Lifetime: 30 minutes.
  • _ym_metrika_enabled - counter active flag. Lifetime: 30 minutes.

Analytics purpose: traffic measurement, UX problem detection, service improvement. Data is transmitted to LLC "Yandex" (Russian Federation) under its own Privacy Policy.

You may revoke consent at any time by clearing localStorage in your browser settings. Yandex Metrika will then stop loading on subsequent page refreshes. Already collected data is processed by Yandex according to their policy.

6. Data Protection Measures

  • All connections protected by TLS 1.3 (HTTPS)
  • Database protected by Row Level Security (RLS) policies: users physically cannot access other users' projects
  • Passwords are never stored in plain text: only a cryptographic hash is stored by the authentication service
  • File storage is split into isolated buckets with SQL-level access restrictions
  • Daily encrypted at-rest database backups
  • Service keys are stored in a secured server environment, inaccessible to client code
  • Access and change logs of critical tables are kept in audit_log (retained 3 years)

7. Data Subject Rights (Art. 14 of 152-FZ)

As a data subject you have the right to:

  • Receive confirmation of data processing and information about it (data categories, purposes, retention periods)
  • Request correction, blocking or destruction of data if it is incomplete, outdated, inaccurate or excessive
  • Withdraw consent to personal data processing at any time
  • Request termination of personal data processing in cases provided by law
  • Appeal the Operator's actions to Roskomnadzor or in court

Send your request to roomixsupp@gmail.com indicating your full name, account email, and the substance of the request. Response time: 10 working days from the date of receipt of the request (Art. 20-21 of 152-FZ as amended by 266-FZ of 06.07.2024). In complex cases the term may be extended up to 30 calendar days with notification of the subject. Upon withdrawal of consent, the account is deleted within 30 days (see Section 8).

8. Data Retention and Deletion

Personal data is retained for the entire duration of the account.

Upon account deletion, the user is moved to a "pending deletion" state (soft-delete); restoration is available within 30 days via an email link. After 30 days all personal data is permanently destroyed (hard-delete).

Exception: records of legally significant approvals (who, when, what decision) are stored indefinitely as legally significant acts under Clause 6, Art. 5 of 152-FZ. Processing of such records continues after consent withdrawal on the basis of Subclause 5, Clause 1, Art. 6 of 152-FZ (contract execution and protection of parties' interests).

9. Data Localization and Cross-Border Transfer

As of the effective date of this Policy, users' personal data is processed and stored within the Russian Federation (Timeweb Cloud, Moscow), in accordance with the data localization requirement of Part 5, Art. 18 of 152-FZ for personal data of Russian citizens. The web application, file storage and authentication service are hosted on the same Russian infrastructure.

Cross-border transfer of personal data is not performed: all data is processed and stored within the Russian Federation.

Primary processing and storage of personal data of Russian Federation citizens take place on infrastructure located within the Russian Federation (Timeweb Cloud, Moscow), in accordance with the requirements of Part 5, Art. 18 of 152-FZ.

Localization of personal data of Russian citizens is ensured in accordance with Part 5, Art. 18 of 152-FZ.

The Operator does not perform cross-border transfer of personal data.

10. Age Restrictions

The Roomix service is intended only for adult users (18 years and older). The Operator does not intentionally process data of minors. If the Operator becomes aware that data of a minor has entered the service without the consent of a parent or legal guardian, such data will be deleted immediately upon receipt of the corresponding notification.

11. Policy Changes

The Operator may amend this Policy. For material changes, users will be notified via email or in-app notification at least 14 calendar days before the changes take effect. Continued use of the service after notification constitutes acceptance of the updated Policy. The current version is always available at https://roomix.space/privacy.

12. Operator Contacts

For any questions about personal data processing:

Email: roomixsupp@gmail.com

Correspondence address: Kazan, Chuykova str., 62, apt. 329, Russia

Regulatory authority: Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor)

Website: https://rkn.gov.ru

Electronic reception: https://rkn.gov.ru/treatments/ask-question/