Bioly

Privacy Policy

Updated: May 18, 2026

1. General

This Privacy Policy is drafted under Federal Law of 27.07.2006 № 152-FZ “On Personal Data” (the 152-FZ), Decree of the Government of the Russian Federation of 01.11.2012 № 1119, Order of FSTEC of 18.02.2013 № 21, Order of Roskomnadzor of 14.11.2022 № 187 and other applicable acts, and applies to the Bioly service (https://bioly.app).

2. Operator

Personal-data Operator:

Mikhail Andreevich Mogilnikov

INN 890603192936

Tax on professional income payer (self-employed)
E-mail: legal@bioly.app

3. Categories of personal data processed

The Operator processes a closed list of personal-data categories:

3.1. On registration / use of the Service: e-mail, name/nickname, password (as a hash), device identifiers, IP address, browser and OS data.

3.2. When the User builds a Public Profile (optional): display name, description, photo (avatar), links to external resources, texts and images in bento grid blocks, theme settings, public page address (slug), and other information the User voluntarily places in the editor.

3.3. When the Service is in use: action history, page-visit data, aggregated statistics on click-throughs from the User’s Public Profile (when the relevant features are enabled).

3.4. On payment of a Bioly Pro subscription: the fact and amount of the payment; full card credentials are not processed by the Operator and remain on the acquirer’s side.

Biometric personal data and special categories of personal data (race, political views, health, etc.) are not processed.

4. Purposes and legal grounds

Purposes and the corresponding legal ground (under art. 6 of the 152-FZ — closed list):

  • registering and identifying the User, providing the Service — clause 5 of part 1 of art. 6 (performance of a contract to which the data subject is a party);
  • information security — clause 7 of part 1 of art. 6;
  • compliance with statutory duties (tax, accounting, child-protection, anti-prohibited-information) — clause 2 of part 1 of art. 6;
  • publication of the Public Profile and other data the User permits to be disseminated — separate consent under art. 10.1 of the 152-FZ;
  • service notifications and (with separate consent) marketing — clause 1 of part 1 of art. 6 (consent).

The Operator does not rely on the GDPR ground of “legitimate interest”; the list of grounds in Russian law is closed.

5. Retention

  • Account data — until Account deletion or until consent is withdrawn, but no longer than five (5) years after the User’s last sign-in;
  • Public Profile data — until consent to dissemination is withdrawn or the Account is deleted;
  • payment and receipt records — five (5) years (art. 23 Tax Code);
  • security logs — six (6) months;
  • backups — thirty (30) days after deletion.

6. Third parties. Transfer of data

6.1. Processors. On the basis of an agreement and an assignment under clause 3 of part 1 of art. 6 of the 152-FZ, certain categories of data may be processed by:

  • a hosting provider (Russian data centre), Russian Federation;
  • Selectel LLC (INN 7704800054), Russian Federation — S3-compatible object storage for user-uploaded photos and other files, hosted in a Russian data centre (Saint Petersburg, ru-3 region);
  • an acquirer (payment institution), Russian Federation — for Bioly Pro subscription payments;
  • a fiscal-data operator (OFD) — for Bioly Pro payments and cashier receipts issued under 54-FZ.

6.2. Cross-border transfer. As of the date of this Policy, the Operator does not engage in cross-border transfer of personal data. Before any such transfer the Operator will notify Roskomnadzor no later than ten (10) business days in advance (part 4 of art. 12 of the 152-FZ as amended by Federal Law 266-FZ of 14.07.2022) and will update this Policy accordingly.

6.3. State authorities. Disclosure to authorised state bodies follows the law of the Russian Federation.

7. Database location

Initial recording and updating of personal data of citizens of the Russian Federation is performed using databases located on the territory of the Russian Federation (part 5 of art. 18 of the 152-FZ as amended by Federal Law 23-FZ of 28.02.2025).

Production infrastructure and backups are hosted in a Russian data centre (Saint Petersburg).

8. Security measures

The Operator applies legal, organisational and technical measures necessary to protect personal data from unauthorised or accidental access, destruction, modification, blocking, copying, dissemination, and other unlawful actions (art. 19 of the 152-FZ):

  • TLS 1.3 channel encryption;
  • at-rest database encryption;
  • password hashing;
  • staff and contractor access controls;
  • security event logging;
  • two-factor authentication for administrative access;
  • internal incident response regulation.

The protection level of the personal-data information system is set in accordance with Government Decree № 1119 and FSTEC Order № 21.

9. Incident notification

On detection of an incident leading to unlawful transfer (dissemination, access) of personal data, the Operator notifies Roskomnadzor:

  • of the fact within twenty-four (24) hours;
  • of the investigation outcome within seventy-two (72) hours

(part 3.1 of art. 21 of the 152-FZ; Order of Roskomnadzor № 187 of 14.11.2022).

10. Subject rights

10.1. Under arts. 14, 20, 21 of the 152-FZ, the data subject may:

  • obtain information regarding the processing of his/her data;
  • demand correction, blocking or destruction of personal data that are incomplete, outdated, inaccurate, unlawfully obtained or excessive;
  • withdraw consent to processing;
  • appeal the Operator’s acts or omissions to Roskomnadzor or in court.

10.2. Subject requests are answered within ten (10) business days from receipt. The deadline may be extended once by up to five (5) business days with prior notice.

10.3. Account deletion in the account area automatically deletes the associated personal data save for data the Operator must retain by law.

11. Minors

The Service is information product category 18+ (Federal Law 436-FZ). The Operator does not knowingly collect personal data of persons under eighteen (18). On becoming aware of any such collection the Operator deletes the data without delay.

12. Cookies and similar technologies

The use of cookies and other local-storage means is described in a separate Cookie Policy.

13. Language versions

This Policy is published in Russian and English. The Russian version is the legally authoritative one for data subjects located in the Russian Federation.

14. Amendments

The Operator may amend this Policy. The new version is published at https://bioly.app/legal/privacy and is effective from publication. Material changes are also shown to Users on the next sign-in.

Last revised: 18 May 2026.