PERSONAL DATA PROCESSING POLICY
FOR THE APP.E-LLI.COM SERVICE

Publication date at https://e-lli.com/privacy-policy-ukr: 07.01.2026

This Personal Data Processing Policy (hereinafter referred to as the "Policy") has been developed in accordance with the requirements of the Law of Ukraine "On Personal Data Protection" dated 01.06.2010 No. 2297-VI and defines the procedure for processing personal data of Users of the e-lli.com service (hereinafter referred to as the "Service"), as well as measures to ensure the security of personal data.

1. GENERAL PROVISIONS

1.1. Scope of Application

This Policy is an integral part of the User Agreement (Public Offer) for the app.e-lli.com service and applies to all personal data that the Service Provider receives from the User during their use of the e-lli.com Website and Service.

1.2. User Consent

The User's use of the Website and/or Service signifies full and unconditional consent to the terms of this Policy and the terms of processing their personal data in accordance with Article 11 of the Law of Ukraine "On Personal Data Protection."

If the User disagrees with the terms of the Policy, they must refrain from using the Service.

1.3. Owner of the Personal Data Database

The owner (controller) of the personal data database is Individual Entrepreneur RYMSKYI ANTON OLEHOVYCH (RNOKPP 3779205754, address: Cherkasy, 25 Heroiv Dnipra St., apt. 31, email: info@e-lli.com).

1.4. Legal Basis

Personal data processing is carried out on the basis of:

Law of Ukraine "On Personal Data Protection" dated 01.06.2010 No. 2297-VI

Law of Ukraine "On Information" dated 02.10.1992 No. 2657-XII

Law of Ukraine "On Consumer Rights Protection" dated 12.05.1991 No. 1023-XII

Civil Code of Ukraine dated 16.01.2003 No. 435-IV

Law of Ukraine "On Electronic Commerce" dated 03.09.2015 No. 675-VIII

Law of Ukraine "On Electronic Trust Services" dated 05.10.2017 No. 2155-VIII

2. BASIC CONCEPTS

2.1. Personal Data

Personal data means information or a set of information about an individual who is identified or can be specifically identified (Article 2 of the Law of Ukraine "On Personal Data Protection").

2.2. Processing of Personal Data

Processing of personal data means any action or set of actions, such as collection, registration, accumulation, storage, adaptation, modification, update, use and distribution (dissemination, sale, transfer), depersonalization, destruction of personal data, including through information (automated) systems (Article 2 of the Law of Ukraine "On Personal Data Protection").

2.3. User

User means any individual or legal entity, as well as an individual entrepreneur, who visits and uses the ELLI Service and accepts the terms of the User Agreement and this Policy.

2.4. Owner of Personal Data Database

Owner of personal data database means individual entrepreneur RYMSKYI ANTON OLEHOVYCH (RNOKPP 3779205754), who determines the purpose of processing personal data, establishes the composition of such data and the procedures for their processing, unless otherwise provided by law (Article 2 of the Law of Ukraine "On Personal Data Protection").

2.5. Consent of Personal Data Subject

Consent of personal data subject means a voluntary expression of will of an individual (provided they are informed) to grant permission for processing their personal data in accordance with the stated purpose of their processing, expressed in writing or in a form that allows concluding that consent has been given (Article 2 of the Law of Ukraine "On Personal Data Protection").

3. DATA COLLECTION METHODS

3.1 DIRECT PROVISION BY USER

Registration forms: When creating an account

Profile questionnaires: When filling in personal information

Interactive sessions: During communication with the AI psychologist

Feedback: Through feedback and suggestion forms

3.2 AUTOMATIC COLLECTION

Cookies: For tracking preferences and sessions

Web analytics: Through integration with Google Analytics

Server logs: Records of technical interactions

Tracking pixels: For analyzing interface effectiveness

3.3 THIRD-PARTY SOURCES

Analytics platforms: Google Analytics, Hotjar (with consent only)

Social networks: When authorizing through social accounts

Partner integrations: When using third-party services

3.4 AUTHENTICATION AND PSEUDONYMIZATION SYSTEM

3.4.1 Clerk Authentication System

The ELLI platform uses Clerk — a professional identity and user authentication management system that complies with SOC 2 Type II and GDPR standards.

Authentication process:

Initial registration: User provides basic data (email, name) through Clerk's secure form

Hash identifier generation: Clerk automatically creates a unique cryptographic hash (e.g., user_2nX8Kq9P3mN7vLbR4tY6wZ1s)

Data separation:

Clerk stores personal identification data in its secure infrastructure

The ELLI platform receives and stores only the hash identifier

The link between personal data and the hash exists exclusively in the Clerk system

Authorized access: With each login, Clerk generates a temporary JWT token containing the hash identifier

3.4.2 Data Segregation Principle

Security architecture:

[Clerk Infrastructure] → Stores: Email, Name, Phone, Password

↓ (transmits only hash)

[ELLI Platform] → Stores: Hash identifier + Therapeutic data

Advantages of this architecture:

Impossibility of re-identification: Even in case of a data leak from ELLI, it is impossible to link therapeutic records to a specific person without access to the Clerk system

Data minimization: ELLI processes a minimal set of identification data

Separation of responsibility: Clerk is responsible for protecting personal data, ELLI — for therapeutic data

Privacy by Design compliance: The architecture is designed with privacy protection in mind (Article 25 GDPR)

3.4.3 Hash-Based Record Keeping Mechanism

All operations on the platform are linked to the hash identifier:

Therapeutic sessions: Recorded as session_data[user_hash]

Interaction history: Stored in the format interaction_log[user_hash][timestamp]

User settings: Stored as preferences[user_hash]

Analytics data: Aggregated by hashes without the possibility of de-anonymization

Technical record example:

{

  "user_hash": "user_2nX8Kq9P3mN7vLbR4tY6wZ1s",

  "session_id": "sess_a7bC9d2E4f6G8h",

  "timestamp": "2025-08-15T14:30:00Z",

  "session_data": "[encrypted content]"

}

Important: Personal data (name, email) is never stored in the same database as therapeutic records.

3.4.4 Legal Basis for Pseudonymization

In accordance with Article 4(5) of the GDPR, pseudonymization is defined as:

"The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately."

Our system fully complies with this definition because:

Hash identifiers are technically impossible to reverse

Additional information (correspondence of hash to real data) is stored separately in Clerk

Access to the Clerk system is strictly controlled and logged

Advantages of pseudonymization according to Recital 28 GDPR:

Reducing risks for data subjects

Helping controllers fulfill data protection obligations

Additional security measure alongside encryption

4. ACCESS, USE, STORAGE AND TRANSFER OF USER DATA FROM GOOGLE, FACEBOOK, APPLE AND OTHER SERVICES

This section details the methods by which the e-lli.com Service interacts with user data obtained through Google, Facebook, Apple, Microsoft, and other authentication services, and describes the process of accessing, using, storing, and transferring such information.

4.1. Data Access

ELLI may request access to certain user data from Google, Facebook, LinkedIn, Apple, Microsoft, and other service accounts only with the explicit consent of the user in accordance with Article 11 of the Law of Ukraine "On Personal Data Protection."

Access is provided through standard authentication protocols (e.g., OAuth 2.0), which allow the user to control the scope of data being transferred.

The Service requests only the data strictly necessary to provide the stated functions, such as user identification and providing access to the Service.

4.2. Data Use

The data obtained is used exclusively for the purposes specified in this Policy, including:

user identification;

providing access to the Service;

sending service messages;

improving the Service;

conducting analytics and usage statistics;

ensuring security.

e-lli.com does not use user data for sending unsolicited advertising or any other purposes not related to the functionality of the Service.

4.3. Data Storage

Data obtained from Google, Facebook, LinkedIn, Apple, Microsoft, and other services is stored in a secure environment for the duration of the User Agreement and the User's use of the Service, as well as for the periods established by the legislation of Ukraine.

Appropriate legal, organizational, and technical measures are applied to protect personal data from unlawful or accidental access, destruction, modification, blocking, copying, provision, distribution, and other unlawful actions in accordance with Article 19 of the Law of Ukraine "On Personal Data Protection."

4.4. Data Transfer

e-lli.com does not transfer user data obtained from Google, Facebook, LinkedIn, Apple, Microsoft, and other services to third parties, except in cases expressly provided by the legislation of Ukraine or with the prior written consent of the user in accordance with Article 15 of the Law of Ukraine "On Personal Data Protection."

Examples of such exceptions may include:

requirements of law enforcement agencies in accordance with the legislation of Ukraine;

payment processing through payment systems, where payment data is not stored by the Service Provider.

In case of data transfer to third parties, ELLI ensures that they comply with similar standards of personal data protection as provided in this Policy.

4.5. User Rights

Users have the right in accordance with Article 8 of the Law of Ukraine "On Personal Data Protection" to:

receive information regarding the processing of their personal data;

request correction, blocking, or destruction of their personal data;

withdraw their consent to data processing at any time.

Withdrawal of consent to data processing may result in the inability to continue using the Service.

5. LEGAL BASIS FOR PERSONAL DATA PROCESSING

The legal basis for processing the User's personal data in accordance with Article 11 of the Law of Ukraine "On Personal Data Protection" is:

Consent of the personal data subject to the processing of their personal data (clause 1 of part 1 of Article 11), expressed by performing actions that constitute acceptance of the Public Offer (registration on the Website, payment for Services, clicking the "I have read and accept the User Agreement" button).

Performance of a contract to which the personal data subject is a party or beneficiary or guarantor, as well as conclusion of a contract at the initiative of the personal data subject (clause 4 of part 1 of Article 11).

The need to comply with the requirements of the legislation of Ukraine.

6. LIST AND PURPOSES OF PERSONAL DATA PROCESSING

The Owner may process the following personal data of the User for the stated purposes:

Surname, first name, patronymic: User identification, providing access to the Service

Email address: User identification, providing access to the Service, sending service messages

Contact details (e.g., phone number): Communication with the User regarding the use of the Service

IP address, browser and OS data, access time, pages visited: Improving the Service, conducting analytics and usage statistics, ensuring security

Payment data (not stored by the Service Provider, processed by payment systems): Processing payments for Services

Other data voluntarily provided by the User: Providing additional functionality, improving interaction

7. RIGHTS OF THE PERSONAL DATA SUBJECT

The User, as a personal data subject, has the right in accordance with Article 8 of the Law of Ukraine "On Personal Data Protection" to:

Know about the sources of collection, location of their personal data, the purpose of their processing, location or place of residence (stay) of the Owner or controller of personal data or give appropriate instructions to obtain this information to persons authorized by them, except in cases established by law.

Receive information about the conditions for granting access to personal data, including information about third parties to whom their personal data is transferred.

Access to their personal data.

Receive no later than thirty calendar days from the date of receipt of the request, except in cases provided by law, a response as to whether their personal data is being processed, and to receive the content of such personal data.

Present a reasoned request to the Owner of personal data with an objection to the processing of their personal data.

Present a reasoned request for modification or destruction of their personal data by any Owner and controller of personal data if such data is processed unlawfully or is unreliable.

Protection of their personal data from unlawful processing and accidental loss, destruction, damage due to intentional concealment, failure to provide or untimely provision thereof, as well as protection from the provision of information that is unreliable or defames the honor, dignity, and business reputation of an individual.

File complaints about the processing of their personal data with the Ukrainian Parliament Commissioner for Human Rights or the court.

Apply legal remedies in case of violation of personal data protection legislation.

Make reservations regarding the restriction of the right to process their personal data when granting consent.

Withdraw consent to the processing of personal data.

Know the mechanism of automatic processing of personal data.

Protection from an automated decision that has legal consequences for them.

8. MEASURES TO ENSURE SECURITY OF PERSONAL DATA

The Owner takes necessary legal, organizational, and technical measures to protect personal data from unlawful or accidental access, destruction, modification, blocking, copying, provision, distribution of personal data, as well as from other unlawful actions regarding personal data in accordance with Article 19 of the Law of Ukraine "On Personal Data Protection."

Such measures include, in particular:

Appointment of a person responsible for organizing the processing of personal data.

Application of legal, organizational, and technical measures to ensure the security of personal data in accordance with Article 19 of the Law of Ukraine "On Personal Data Protection."

Implementation of internal control over the compliance of personal data processing with the Law of Ukraine "On Personal Data Protection" and regulatory legal acts adopted in accordance with it, requirements for the protection of personal data.

Assessment of harm that may be caused to personal data subjects in case of violation of the Law of Ukraine "On Personal Data Protection," the ratio of such harm and the measures taken by the Owner.

Familiarization of the Owner's employees who directly process personal data with the provisions of Ukrainian legislation on personal data, including requirements for the protection of personal data, documents defining the Owner's policy on the processing of personal data, local acts on the processing of personal data, and/or training of such employees.

Use of modern data encryption technologies during transmission and storage.

Application of antivirus software and systems for protection against unauthorized access.

Data backup to prevent their loss.

Restriction of access to personal data only to those persons who need this information to perform their official duties.

Regular security audits and updates of protection measures.

9. TERMS OF PROCESSING AND STORAGE OF PERSONAL DATA

Processing and storage of personal data is carried out for the duration of the User Agreement and the User's use of the Service, as well as for the periods established by the legislation of Ukraine in accordance with Article 6 of the Law of Ukraine "On Personal Data Protection."

Specifically:

Data for contract performance: stored for the duration of the contract and three years after its termination in accordance with Article 258 of the Civil Code of Ukraine (statute of limitations).

Accounting documents: stored in accordance with the requirements of the Law of Ukraine "On Accounting and Financial Reporting in Ukraine" dated 16.07.1999 No. 996-XIV (at least three years).

Tax documents: stored in accordance with the requirements of the Tax Code of Ukraine dated 02.12.2010 No. 2755-VI (1095 days).

Personal data is destroyed after achieving the purposes of processing or in case of withdrawal of consent by the User, unless otherwise provided by the legislation of Ukraine in accordance with Article 21 of the Law of Ukraine "On Personal Data Protection."

10. CONFIDENTIALITY OF PERSONAL DATA

The Owner undertakes to ensure the confidentiality of the User's information and not to disclose it without the prior written consent of the User, except in cases expressly provided by the legislation of Ukraine, in accordance with Article 7 of the Law of Ukraine "On Personal Data Protection."

Access to the User's personal data is available only to authorized employees of the Owner, who are obligated not to disclose and not to distribute personal data in accordance with Article 19 of the Law of Ukraine "On Personal Data Protection."

11. PROCEDURE FOR AMENDING THE POLICY AND WITHDRAWING CONSENT TO PROCESSING

11.1. Amendment of the Policy

The Owner has the right to make changes to this Policy. The new version of the Policy becomes effective from the moment of its publication on the e-lli.com Website, unless otherwise provided by the new version of the Policy.

The User is obligated to independently familiarize themselves with the current version of the Policy in accordance with Article 12 of the Law of Ukraine "On Personal Data Protection."

11.2. Withdrawal of Consent

The User has the right at any time to withdraw their consent to the processing of personal data by sending a written notification to the Owner at the email address specified in Section 14 of this Policy, in accordance with Article 11 of the Law of Ukraine "On Personal Data Protection."

Withdrawal of consent entails the termination of personal data processing and, as a consequence, the inability to continue using the Service.

The Owner is obligated to cease the processing of personal data or ensure the cessation of such processing (if the processing of personal data is carried out by another person acting on behalf of the Owner of personal data) and, if the storage of personal data is no longer necessary for the purpose of processing personal data, to destroy the personal data or ensure their destruction (if the processing of personal data is carried out by another person acting on behalf of the Owner of personal data) within a period not exceeding thirty calendar days from the date of receipt of the withdrawal of consent, except in cases where another period is established by law or contract to which the personal data subject is a party in accordance with Article 21 of the Law of Ukraine "On Personal Data Protection."

12. CONDITIONS FOR PROVIDING THE SERVICE AND LIMITATION OF LIABILITY

12.1. Nature of the Service

Services are provided in the form of providing access to the ELLI software complex (web service). The fact of service provision (granting access) occurs at the moment of User authorization in the ELLI application after making payment for access to ELLI. The Service is considered provided from the moment of User authorization in ELLI. Access is granted for the period of the selected tariff plan.

12.2. Technical Limitations

The User unconditionally agrees that in the process of using the ELLI Service, temporary technical malfunctions, interruptions, and failures caused by both internal and external factors are possible, including but not limited to:

failures on the part of neural network access service providers (AI providers);

communication channel failures;

restrictions or blockages by government authorities;

maintenance work.

13. CONTACT INFORMATION OF THE OWNER

Name: Individual Entrepreneur RYMSKYI ANTON OLEHOVYCH

RNOKPP: 3779205754

Address: Cherkasy, 25 Heroiv Dnipra St., apt. 31

Email: info@e-lli.com

Bank details: provided to the User upon payment for Services through the payment system

Inquiries from Personal Data Subjects

To exercise their rights provided by the Law of Ukraine "On Personal Data Protection," personal data subjects may contact the Owner:

By mail: Cherkasy, 25 Heroiv Dnipra St., apt. 31

By email: info@e-lli.com

Requests and inquiries are processed within 30 (thirty) calendar days from the date of their receipt in accordance with Article 8 of the Law of Ukraine "On Personal Data Protection."

14. CROSS-BORDER TRANSFER OF PERSONAL DATA

14.1. General Provisions

Cross-border transfer of personal data is carried out in accordance with the requirements of Article 29 of the Law of Ukraine "On Personal Data Protection."

14.2. Conditions for Cross-Border Transfer

The Owner may carry out cross-border transfer of personal data only in the presence of:

Consent of the personal data subject to the cross-border transfer of their personal data.

An international treaty of Ukraine, the consent to be bound by which has been given by the Verkhovna Rada of Ukraine.

In cases provided by law, for the performance of an international treaty of Ukraine.

14.3. Use of International Services

Due to the fact that the Service may use the services of international AI technology providers and cloud services (for example, Google Cloud, OpenAI, Microsoft Azure, and others), Users' personal data may be transferred outside Ukraine.

The User, by accepting the terms of this Policy, gives their explicit consent to such cross-border transfer of personal data for the purposes of providing Services.

The Owner ensures that international partners and service providers comply with appropriate personal data protection standards.

15. USE OF COOKIES AND ANALYTICS SERVICES

15.1. What Are Cookies

Cookies are small text files that are stored on the User's device when visiting the Website. They are used to improve the functionality of the Website and provide a personalized experience.

15.2. Types of Cookies Used

The e-lli.com Website may use the following types of cookies:

Necessary cookies: ensure basic functionality of the Website (authentication, security).

Functional cookies: remember User choices (language, region).

Analytics cookies: collect information about the use of the Website to improve its performance (Google Analytics).

Advertising cookies: used to show relevant advertising (if applicable).

15.3. Managing Cookies

The User can manage or disable cookies through their browser settings. However, this may affect the functionality of the Website.

15.4. Analytics Services

The Website may use third-party analytics services, such as:

Google Analytics

Facebook Pixel

other similar services

These services collect anonymized data about visits to the Website for analysis and improvement of its performance.

16. RIGHTS OF MINORS

16.1. Restrictions for Minors

The Service is intended for use by persons who have reached the age of 18. If the User is under 18 years old, they may use the Service only with the consent of parents or legal representatives in accordance with Article 32 of the Civil Code of Ukraine.

16.2. Processing of Minors' Data

Processing of personal data of minors (under 18 years of age) is carried out only with the consent of parents or legal representatives in accordance with Article 11 of the Law of Ukraine "On Personal Data Protection."

16.3. Deletion of Minors' Data

If the Owner becomes aware that personal data was collected from a minor without the appropriate consent of parents or legal representatives, such data will be deleted immediately.

17. DATA PROTECTION IN CASE OF SECURITY BREACHES

17.1. Notification of Breaches

In case of detection of a personal data security breach that creates a risk to the rights and freedoms of personal data subjects, the Owner undertakes to:

Immediately take measures to eliminate the breach and minimize its consequences.

Notify the Ukrainian Parliament Commissioner for Human Rights about the breach in accordance with the requirements of Ukrainian legislation.

In cases where the breach creates a high risk to the rights of Users, notify the affected personal data subjects about the nature of the breach and the measures taken.

17.2. Cooperation with Authorities

The Owner undertakes to cooperate with the Ukrainian Parliament Commissioner for Human Rights and law enforcement agencies in investigating incidents related to personal data security.

18. SPECIAL CATEGORIES OF PERSONAL DATA

18.1. Processing Restrictions

The Owner does not process special categories of personal data as defined by Article 7 of the Law of Ukraine "On Personal Data Protection," namely:

race or ethnic origin;

political, religious, or philosophical beliefs;

membership in political parties and trade unions;

criminal convictions;

data concerning health, sexual life;

biometric or genetic data.

18.2. Prohibition of Uploading

The User is strictly prohibited from uploading documents containing special categories of personal data of third parties to the Service, unless such data has been properly anonymized in accordance with the requirements of Section 7 of this Policy.

18.3. Liability for Violations

In case of uploading by the User of documents containing special categories of personal data without proper anonymization, all liability for violation of Ukrainian legislation lies exclusively with the User in accordance with Article 1166 of the Civil Code of Ukraine and Article 24 of the Law of Ukraine "On Personal Data Protection."

19. AUTOMATED PROCESSING OF PERSONAL DATA

19.1. Use of Automated Processing

The Owner may use automated processing of personal data, including profiling, for:

improving the functionality of the Service;

personalizing the user experience;

conducting analytics and statistics;

fraud prevention and ensuring security.

19.2. User Rights

In accordance with Article 8 of the Law of Ukraine "On Personal Data Protection," the User has the right to:

know the mechanism of automatic processing of personal data;

receive information about the logic used in automated processing;

object to an automated decision that has legal consequences for them.

20. CHANGES IN LEGISLATION

20.1. Adaptation to Changes

This Policy may be updated in connection with changes in the legislation of Ukraine, in particular:

upon adoption of new laws in the field of personal data protection;

upon implementation of European Union standards (including GDPR);

upon amendments to current legislation.

20.2. Harmonization with the EU

In connection with Ukraine's European integration and commitments to adapt legislation to EU standards, the Owner undertakes to:

monitor changes in legislation;

implement best practices for personal data protection;

ensure compliance with international standards.

21. FINAL PROVISIONS

21.1. Public Availability of the Policy

This Policy is a publicly available document and is posted at https://e-lli.com/privacy-policy-ukr.

21.2. Language of the Policy

This Policy is concluded in Ukrainian. In case of translation of this Policy into other languages, if there are discrepancies in interpretation, the Ukrainian text shall prevail in accordance with Article 10 of the Constitution of Ukraine and the Law of Ukraine "On Ensuring the Functioning of the Ukrainian Language as the State Language" dated 25.04.2019 No. 2704-VIII.

21.3. Regular Updates

The Owner recommends that Users regularly review this Policy to familiarize themselves with any changes.

21.4. Contact for Questions

If the User has any questions regarding this Policy or the processing of personal data, they may contact the Owner using the contact information specified in Section 14 of this Policy.

Date of last update: 07.01.2026

Owner of the Personal Data Database:

Individual Entrepreneur RYMSKYI ANTON OLEHOVYCH

RNOKPP: 3779205754

Address: Cherkasy, 25 Heroiv Dnipra St., apt. 31

Email: info@e-lli.com