PersAI

Personal AI

·

Personal Data Processing Policy of PersAI

PrivacyRF market
International

Version dated 19 May 2026.

This Policy defines the procedure for processing personal data of users of the PersAI service and other individuals whose data is received by the controller in connection with the use of the website, applications, feedback forms, payments, support, and other service-related processes.

1. Data Controller

The personal data controller is:

  • Individual Entrepreneur Karnaukh Alexey Sergeevich
  • Tax ID (INN): 615010297306
  • Primary State Registration Number for Individual Entrepreneurs (OGRNIP): 317619600160244
  • Location: Rostov Region, Rostov-on-Don, Russian Federation
  • Email for personal data inquiries: support@persai.dev

The controller publishes this Policy and ensures unrestricted access to it on the pages where personal data is collected.

2. Categories of Data Subjects

The controller may process personal data of the following categories of data subjects:

  • PersAI users and account holders;
  • persons contacting support, legal, and privacy channels;
  • representatives of clients, partners, and counterparties;
  • recipients of informational and marketing messages, where separate consent is required.

3. What Data May Be Processed

Depending on the PersAI usage scenario, the following data may be processed:

  • identification and profile data: first name, last name, email, language, country, account identifiers;
  • service usage data: login history, tariff information, subscription status, limits, and in-app actions;
  • user content: messages, files, documents, media, memory notes, prompts, and generated results;
  • technical data: IP address, cookies, session ID, user agent, device information, security logs, diagnostic events;
  • payment and billing data: payment status, payment identifiers, tariff data, transaction history, but not full bank card details where such details are processed by a payment provider;
  • communication data: support request content, emails, responses, attachments, and message delivery metadata.

Special categories of personal data and biometric personal data must not be submitted to PersAI unless expressly provided for by a separate written agreement or mandatory law.

4. Purposes and Legal Grounds for Processing

Purpose of ProcessingCategories of DataLegal Basis
Registration, account login, and access administrationname, email, account identifiers, technical dataconclusion and performance of a contract, actions initiated by the data subject
Providing PersAI features: chat, memory, files, documents, media generation, integrationsuser content, profile and technical dataperformance of a contract, legitimate interest in operating the service
Payment, subscription, accounting, and tax recordspayment identifiers, tariff information, contact detailsperformance of a contract, compliance with legal obligations
Support, handling requests, claims, and personal data subject requestscontact details, correspondence, related technical dataperformance of a contract, compliance with legal obligations
Informational and marketing messagesemail, subscription identifiers, and communication preferencesseparate consent of the data subject where required
Security, abuse prevention, and incident investigationtechnical data, event logs, account identifierscontroller’s legitimate interest, compliance with legal obligations

5. Methods and Principles of Processing

The controller may collect, record, systematize, accumulate, store, clarify, extract, use, transfer, anonymize, block, delete, and destroy personal data, both by automated means and without the use of automation.

The controller processes only the data necessary to achieve the stated purposes and does not permit excessive processing.

6. Use of Cookies and Technical Identifiers

PersAI uses cookies and similar technical identifiers for:

  • user authentication and session maintenance;
  • saving interface settings, including language and country;
  • abuse prevention, security, and service stability;
  • correct request routing and result delivery.

If separate consent is required for certain types of analytics, marketing, or advertising technologies, such consent must be requested separately.

7. Transfer of Data to Third Parties and Processing by Order

For PersAI to operate, the controller may transfer personal data to or entrust processing to third parties to the extent necessary to achieve the processing purposes, including:

  • identification and authorization providers, including Clerk;
  • payment providers, including CloudPayments;
  • email and notification delivery services, including Postmark;
  • AI and document providers, including OpenAI, Anthropic, Gamma, and PDFMonkey;
  • cloud and infrastructure providers, including storage and computing services.

The controller requires such parties to maintain confidentiality and security and to process data only within the agreed scope and for the specified purposes.

8. Cross-Border Transfer of Personal Data

When certain technology providers are used, some data may be processed or stored outside the Russian Federation. If cross-border transfer of personal data is required to fulfill a user request, operate an integration, generate an AI result, or deliver a document, the controller carries out such transfer on lawful grounds and in compliance with applicable legal requirements.

By uploading content to PersAI and initiating the relevant function, the user understands that some data may be processed by such providers to the extent technically necessary to fulfill the request.

9. Retention Periods

Personal data is retained no longer than required for the purposes of processing and mandatory legal retention periods.

General retention guidelines:

  • account data and usage history — for the duration of the account and a reasonable period after closure for rights protection, security, and dispute resolution;
  • payment and accounting data — for the periods established by the laws of the Russian Federation;
  • support requests and legally significant correspondence — for the duration of request handling and thereafter within limitation periods or other mandatory periods;
  • data for marketing messages — until consent is withdrawn or the relevant processing purpose ends;
  • technical logs and security events — for the period necessary to ensure protection and service stability.

Once the purposes of processing are achieved, or other lawful grounds arise, the data is to be deleted, anonymized, or destroyed if further retention is not required by law.

10. Personal Data Protection Measures

The controller takes the legal, organizational, and technical measures necessary and sufficient to protect personal data, including:

  • access control and role-based restrictions;
  • authentication and account protection measures;
  • logging of access events and administrator actions;
  • backup, secure transmission channels, and incident monitoring;
  • contractual and organizational measures when engaging providers and contractors.

11. Rights of the Data Subject

The data subject has the right to:

  • receive information about the processing of their personal data;
  • request correction, blocking, or deletion of data if it is incomplete, outdated, inaccurate, unlawfully obtained, or no longer necessary for the stated purpose;
  • withdraw consent to personal data processing in cases where processing is based on consent;
  • opt out of marketing and promotional messages;
  • appeal the controller’s actions or omissions to the competent authority or a court.

12. How to Submit Requests

To exercise their rights, the data subject may send a request to support@persai.dev. The request should preferably include:

  • full name or other information allowing identification of the requester;
  • the email address of the account or another identifier linked to the request;
  • the substance of the request;
  • a reply contact address.

The controller may request reasonable additional information to verify the requester’s identity and protect data from unlawful disclosure.

13. Changes to the Policy

The controller may amend this Policy. The current version takes effect upon publication on the website unless a different effective date is stated in the Policy itself.