Privacy Policy and GDPR

SIA "ORGANIC THERAPY" is committed to protecting and respecting your privacy. We respect
the privacy rights of our visitors and recognise the importance of protecting the
identifying information collected about them. This Privacy Policy provides information on
how we collect and use personal data. This Privacy Policy applies to the website owned or
operated by SIA "ORGANIC THERAPY". The SIA "ORGANIC THERAPY" website is located at (the "Site").

According to the GDPR, we ask for active consent before collecting any personal information from the user.

Please note that we may update this privacy policy from time to time.

The identifying or identifiable information we collect and hold about you may include your
name, email address, phone number, home address, shipping address, payment details, IP
address, search criteria, shopping history, shopping preferences, the type of browser you
use, your referring URL and other content you share with us when you use our Site, date of
birth, login/password details and any other information you may give us.

We collect personal information about you when you register or subscribe for one of our
services, place an order, use our online services, interact with us in any other way, such as
via social media, click on an advert that we put on our or someone else’s website, ask for
information or assistance, give us a testimonial or other feedback, sign up for our special
offers or other updates, participate in research panels.

You may give us information about yourself when you sign up for an account on our Site,
place an order for products, complete any online forms, opt in to receive our newsletters
and special offers, participate in social media functions with our Site, or correspond with us
(by email, telephone, live chat, social media or otherwise).

We use this information:
to provide you with the products you have ordered. Your information (including name,
address, phone number, email address, and debit or credit card details) will be used so you
can submit, and we can process and fulfil, that order. We may also use your information to
communicate with you about your orders and account and provide you with customer
support when needed.

to provide you with marketing updates, our latest offers, products, and
news, to advertise and promote our products, services and brand.

to provide customer care and to help us in any future dealings with you.

Protecting your online order information on is very important to us. We use
a Secure Socket Layer (“SSL”) to encrypt the personal data that you send us during the order
process, require you to establish a password to access your account on our Site, and do not keep
details of your credit or debit card that would enable any third party to transact using that
credit or debit card (such as your CCV number).
We use a security system to prevent the unauthorised use, access, or disclosure of your
personal information. While we strive to protect your personal information, no system can
ever be 100% secure and we cannot guarantee the absolute security of your personal
information; any transmission is at your own risk.

We collect information about your use of our online services using cookies. Cookies are very
small files that are sent by us to your computer or other device which we can access when
you visit our site in future. Cookies help us remember who you are and other information
about your visits.

If we do hold data about you we will:
- give you a description of it
- tell you why we are holding it
- tell you who it could be shared with
- tell you how long we will keep the data
- if the data was not provided by you, give you any available information such as the source of the data
- tell you if the data has been used for automated decision making
- tell you if the data is stored outside of the European Economic Area, and if so what safeguards are in place to protect your personal data
- let you have a concise and clear copy of the data

You have the right to request a copy of the data that we hold about you (and we will
provide this to you free of charge once we have confirmed your identity).

If you would like a copy of some or all of your personal data, please email or write to us using the contact details in this policy.

Under the Law we must have a valid reason for using your personal data and we may not
collect, store or use data about you that is not compatible with that reason. There are four
valid reasons for our use of your personal data:

Most of the data we collect from you is necessary to allow us to fulfil our contract with you
or to enter into a contract with you e.g. you provide a billing address and email address
when you purchase an item from so that we can process your
payment and send you your order confirmation.

In certain circumstances we will ask for your permission or consent to use your personal
data e.g. if we would like to send you marketing information about items we believe may be
of interest to you via email. If you have given your consent to our use of your personal data,
you are entitled to withdraw this consent at any time.

We may also have a legitimate interest in using your personal data e.g. to ensure that the
content of our website is presented to you and your device as effectively as possible, or to
ensure that our marketing communications are relevant to your interests. If this is our
reason for using your data, we must make sure that our interests do not override yours and
you are entitled to object to this use of your data.

Lastly, we may be required to use your data to meet a legal obligation or to protect your
interests e.g. we may exchange data with other specialist organisations for the purposes of
fraud detection and credit risk reduction and we will retain financial data long term to meet
our statutory obligations.

We keep your personal data for a limited period of time in line with our data retention
policy. The specific retention period will vary according to the reason for processing your
personal data. After this period, your data will be permanently erased or otherwise
irreversibly rendered anonymous.


Responsible Vulnerability Disclosure
Customer GDPR Data Processing Agreement
Secure information storage
Data Security
Annex to the Customer GDPR Data Processing Agreement

Responsible Vulnerability Disclosure

Our goal is to keep SIA "ORGANIC THERAPY" safe and secure for everyone. If you have
discovered a security vulnerability we would greatly appreciate your help in disclosing it to
us in a responsible manner. Publicly disclosing a vulnerability can put the entire
SIA "ORGANIC THERAPY" community at risk.

If you have discovered a potential vulnerability we would greatly appreciate you informing
our Security team. You can submit the details of the potential vulnerability in the following ways:

You can also submit the vulnerability by contacting our Customer Support team at

We will work with you to assess and understand the scope of the issue and fully address any
concerns. Submitted vulnerabilities are initially reviewed, triaged, and then assessed in
detail to determine the risk level of the vulnerability. Security vulnerabilities are treated
with the utmost importance to ensure the safety and security of our service.


If you have any other security related questions we would love to hear from you. Our
preferred method is for you to open a support ticket by contacting our Customer Support
team here. Our Customer Support team will get in touch with the Security team to properly
handle the request.

Customer GDPR Data Processing Agreement

This Customer Data Processing Agreement reflects the requirements of the European Data
Protection Regulation (“GDPR”) as it comes into effect on May 25, 2018. SIA "ORGANIC THERAPY"
services offered in the European Union are GDPR ready and this DPA provides
you with the necessary documentation of this readiness.

This Data Processing Agreement (“DPA”) is an addendum to the Customer Terms of Service
(“Agreement”) between SIA "ORGANIC THERAPY", legal name SIA "ORGANIC THERAPY"
and the Customer. All capitalized terms not defined in this DPA shall have the
meanings set forth in the Agreement. Customer enters into this DPA on behalf of itself and,
to the extent required under Data Protection Laws, in the name and on behalf of its
Authorized Affiliates (defined below).

The parties agree as follows:


“Affiliate” means an entity that directly or indirectly Controls, is Controlled by or is under
common Control with an entity.

“Authorized Affiliate” means any of Customer Affiliate(s) permitted to or otherwise
receiving the benefit of the Services pursuant to the Agreement.

“Controller” means an entity that determines the purposes and means of the processing of
Personal Data.

“Customer Data” means any data that SIA "ORGANIC THERAPY" and/or its Affiliates
processes on behalf of Customer in the course of providing the Services under the

“Data Protection Laws” means all data protection and privacy laws and regulations
applicable to the processing of Personal Data under the Agreement, including, where
applicable, EU Data Protection Law.

“EU Data Protection Law” means (i) prior to May 25, 2018, Directive 95/46/EC of the
European Parliament and of the Council on the protection of individuals with regard to the
processing of Personal Data and on the free movement of such data (“Directive”) and on
and after May 25, 2018, Regulation 2016/679 of the European Parliament and of the
Council on the protection of natural persons with regard to the processing of Personal Data
and on the free movement of such data (General Data Protection Regulation) (“GDPR”); and
(ii) Directive 2002/58/EC concerning the processing of Personal Data and the protection of
privacy in the electronic communications sector and applicable national implementations of
it (in each case, as may be amended, superseded or replaced).

“Personal Data” means any Customer Data relating to an identified or identifiable natural
person to the extent that such information is protected as personal data under applicable
Data Protection Law.

“Privacy Shield” means the EU-US and Swiss-US Privacy Shield Frameworks, as administered
by the U.S. Department of Commerce.

“Privacy Shield Principles” means the Privacy Shield Framework Principles (as supplemented
by the Supplemental Principles) contained in Annex II to the European Commission Decision
of 12 July 2016 pursuant to the Directive, details of which can be found at

“Processor” means an entity that processes Personal Data on behalf of the Controller.

“Processing” has the meaning given to it in the GDPR and “process”, “processes” and
“processed” shall be interpreted accordingly.

“Security Incident” means any unauthorized or unlawful breach of security that leads to the
accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to
Personal Data.

“Services” means any service provided by SIA "ORGANIC THERAPY" to Customer pursuant
to and as more particularly described in the Agreement.

“Sub-processor” means any Processor engaged by SIA "ORGANIC THERAPY" or its
Affiliates to assist in fulfilling its obligations with respect to providing the Services pursuant
to the Agreement or this DPA. Sub-processors may include third parties or any

Scope and Applicability of this DPA

2.1 This DPA applies where and only to the extent that SIA "ORGANIC THERAPY" processes
Personal Data on behalf of the Customer in the course of providing the Services and such
Personal Data is subject to Data Protection Laws of the European Union, the European
Economic Area and/or their member states, Switzerland and/or the United Kingdom. The
parties agree to comply with the terms and conditions in this DPA in connection with such
Personal Data.

2.2 Role of the Parties. As between SIA "ORGANIC THERAPY" and Customer, Customer is
the Controller of Personal Data and SIA "ORGANIC THERAPY" shall process Personal Data
only as a Processor on behalf of Customer. Nothing in the Agreement or this DPA shall
prevent SIA "ORGANIC THERAPY" from using or sharing any data that SIA "ORGANIC THERAPY"
would otherwise collect and process independently of Customer's use of the

2.3 Customer Obligations. Customer agrees that (1) it shall comply with its obligations as a
Controller under Data Protection Laws in respect of its processing of Personal Data and any
processing instructions it issues to SIA "ORGANIC THERAPY"; and (2) it has provided notice
and obtained (or shall obtain) all consents and rights necessary under Data Protection Laws
for SIA "ORGANIC THERAPY" to process Personal Data and provide the Services pursuant
to the Agreement and this DPA.

2.4 SIA "ORGANIC THERAPY" Processing of Personal Data. As a Processor, SIA "ORGANIC THERAPY"
shall process Personal Data only for the following purposes: (1) processing to
perform the Services in accordance with the Agreement; (2) processing to perform any steps
necessary for the performance of the Agreement; and (3) to comply with other reasonable
instructions provided by Customer to the extent they are consistent with the terms of this
Agreement and only in accordance with Customer’s documented lawful instructions. The
parties agree that this DPA and the Agreement set out the Customer’s complete and final
instructions to SIA "ORGANIC THERAPY" in relation to the processing of Personal Data and
processing outside the scope of these instructions (if any) shall require prior written
agreement between Customer and SIA "ORGANIC THERAPY".

2.5 Nature of the Data. SIA "ORGANIC THERAPY" handles Customer Data provided by
Customer. Such Customer Data may contain special categories of data depending on how
the Services are used by Customer. The Customer Data may be subject to the following
process activities: (1) registration and other processing necessary to provide, maintain and
improve the Services provided to Customer; (2) to provide customer and technical support
to Customer; and (3) disclosures as required by law or otherwise set forth in the

2.6 SIA "ORGANIC THERAPY" Data. Notwithstanding anything to the contrary in the
Agreement (including this DPA), Customer acknowledges that SIA "ORGANIC THERAPY"
shall have a right to use and disclose data relating to and/or obtained in connection with the
operation, support and/or use of the Services for its legitimate business purposes, such as
billing, account management, technical support, product development and sales and
marketing. To the extent any such data is considered personal data under Data Protection
Laws, SIA "ORGANIC THERAPY" is the Controller of such data and accordingly shall process
such data in compliance with Data Protection Laws.

Subprocessing

3.1 Authorized Sub-processors. Customer agrees that SIA "ORGANIC THERAPY" may
engage Sub-processors to process Personal Data on Customer's behalf. The Sub-processors
currently engaged by SIA "ORGANIC THERAPY" and authorized by Customer are listed in
Annex A.

3.2 Sub-processor Obligations. SIA "ORGANIC THERAPY" shall: (i) enter into a written
agreement with the Sub-processor imposing data protection terms that require the
Sub-processor to protect the Personal Data to the standard required by Data Protection Laws;
and (ii) remain responsible for its compliance with the obligations of this DPA and for any
acts or omissions of the Sub-processor that cause SIA "ORGANIC THERAPY" to breach any
of its obligations under this DPA.

3.3 Changes to Sub-processors. SIA "ORGANIC THERAPY" shall provide Customer
reasonable advance notice (for which email shall suffice) if it adds or removes Sub-processors.

3.4 Objection to Sub-processors. Customer may object in writing to SIA "ORGANIC THERAPY"'s
appointment of a new Sub-processor on reasonable grounds relating to data
protection by notifying SIA "ORGANIC THERAPY" promptly in writing within five (5)
calendar days of receipt of SIA "ORGANIC THERAPY"’s notice in accordance with Section
3.3. Such notice shall explain the reasonable grounds for the objection. In such event, the
parties shall discuss such concerns in good faith with a view to achieving commercially
reasonable resolution. If this is not possible, either party may terminate the applicable
Services that cannot be provided by SIA "ORGANIC THERAPY" without the use of the
objected-to new Sub-processor.


4.1 Confidentiality of Processing. SIA "ORGANIC THERAPY" shall ensure that any person
who is authorized by SIA "ORGANIC THERAPY" to process Personal Data (including its staff,
agents and subcontractors) shall be under an appropriate obligation of confidentiality
(whether a contractual or statutory duty).

4.2 Security Incident Response. Upon becoming aware of a Security Incident, SIA "ORGANIC THERAPY"
shall notify Customer without undue delay and shall provide timely
information relating to the Security Incident as it becomes known or as is reasonably
requested by Customer.

4.3 Updates to Security Measures. Customer acknowledges that the Security Measures are
subject to technical progress and development and that SIA "ORGANIC THERAPY" may
update or modify the Security Measures from time to time provided that such updates and
modifications do not result in the degradation of the overall security of the Services
purchased by the Customer.

International Transfers

5.1 Processing Locations. SIA "ORGANIC THERAPY" stores and processes EU Data (defined
below) in data centers located inside and outside the European Union. All other Customer
Data may be transferred and processed in the Russian Federation and anywhere in the
world where Customer, its Affiliates and/or its Sub-processors maintain data processing
operations. SIA "ORGANIC THERAPY" shall implement appropriate safeguards to protect
the Personal Data, wherever it is processed, in accordance with the requirements of Data
Protection Laws.

5.2 Transfer Mechanism:
Notwithstanding Section 5.1, to the extent SIA "ORGANIC THERAPY" processes or
transfers (directly or via onward transfer) Personal Data under this DPA from the European
Union, the European Economic Area and/or their member states and Switzerland (“EU
Data”) in or to countries which do not ensure an adequate level of data protection within
the meaning of applicable Data Protection Laws of the foregoing territories, the parties
agree that SIA "ORGANIC THERAPY" shall be deemed to provide appropriate safeguards
for such data by virtue of having certified its compliance with the Privacy Shield and
SIA "ORGANIC THERAPY" shall process such data in compliance with the Privacy Shield
Principles. Customer hereby authorises any transfer of EU Data to, or access to EU Data
from, such destinations outside the EU subject to any of these measures having been taken.

Return or Deletion of Data

6.1 Upon deactivation of the Services, all Personal Data shall be deleted, save that this
requirement shall not apply to the extent SIA "ORGANIC THERAPY" is required by
applicable law to retain some or all of the Personal Data, or to Personal Data it has archived
on back-up systems, which such Personal Data SIA "ORGANIC THERAPY" shall securely
isolate and protect from any further processing, except to the extent required by
applicable law.


8.1 To the extent that Customer is unable to independently access the relevant Personal
Data within the Services, SIA "ORGANIC THERAPY" shall (at Customer's expense), taking
into account the nature of the processing, provide reasonable cooperation to assist
Customer by appropriate technical and organizational measures, in so far as is possible, to
respond to any requests from individuals or applicable data protection authorities relating
to the processing of Personal Data under the Agreement. In the event that any such request
is made directly to SIA "ORGANIC THERAPY", SIA "ORGANIC THERAPY" shall not respond
to such communication directly without Customer's prior authorization, unless legally
compelled to do so. If SIA "ORGANIC THERAPY" is required to respond to such a request,
SIA "ORGANIC THERAPY" shall promptly notify Customer and provide it with a copy of the
request unless legally prohibited from doing so.


9.1 Except for the changes made by this DPA, the Agreement remains unchanged and in full
force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall
prevail to the extent of that conflict.

9.2 This DPA is a part of and incorporated into the Agreement so references to "Agreement"
in the Agreement shall include this DPA.

9.3 In no event shall any party limit its liability with respect to any individual's data
protection rights under this DPA or otherwise.

9.4 This DPA shall be governed by and construed in accordance with governing law and
jurisdiction provisions in the Agreement unless required otherwise by Data Protection Laws.


Secure information storage

SIA "ORGANIC THERAPY" is firmly committed to the privacy of our customers and their
data stored on the SIA "ORGANIC THERAPY" platform. You can read more about the
privacy of your account information and data in our Privacy Policy.

In addition to the security of your account information, we also treat the data you store on
our services with the utmost sensitivity.

Payment Data Security

Credit / debit card purchases for SIA "ORGANIC THERAPY" services are processed by the
third-party vendor eCommpay. When our customers provide their credit / debit card
information on our website the data is sent to eCommpay, i.e., the payment data is not
stored in our systems.

For PayPal transactions, SIA "ORGANIC THERAPY" passes the request to PayPal and the
transaction occurs directly on the PayPal website. Therefore, the payment data is not stored
in our systems. Both eCommpay and PayPal power online financial transactions for
thousands of businesses globally, and they are compliant with PCI-DSS standards for the
storage and handling of payment information.


All communications with SIA "ORGANIC THERAPY" are transmitted over TLS (HTTPS) for all
of our services. We provide connectivity to our customers via an SSL certificate, a standard
security technology for establishing an encrypted link between a web server and a browser.

Data Security

Physical Security
Our data centers are co-located in some of the most respected data center facility providers
in the world. We leverage all of the capabilities of these providers including physical security
and environmental controls to secure our infrastructure from physical threat or impact.
Each site is staffed 24/7/365 with on-site physical security to protect against unauthorized entry.

Infrastructure Security

SIA "ORGANIC THERAPY"'s infrastructure is secured through a defense-in-depth layered
approach. Access to the management network infrastructure is provided through
multi-factor authentication points which restrict network-level access to infrastructure based on
job function utilizing the principle of least privilege. All access to the ingress points is
closely monitored and is subject to stringent change control mechanisms.

Systems are protected through key-based authentication and access is limited by
Role-Based Access Control (RBAC). RBAC ensures that only the users who require access to a
system are able to log in. We consider any system which houses customer data that we
collect, or systems which house the data customers store with us to be of the highest
sensitivity. As such, access to these systems is extremely limited and closely monitored.

Additionally, hard drives and infrastructure are securely erased before being
decommissioned or reused to ensure that your data remains secure.

Access Logging

Systems controlling the management network at SIA "ORGANIC THERAPY" log to our
centralized logging environment to allow for performance and security monitoring. Our
logging includes system actions as well as the logins and commands issued by our system

Security Monitoring

SIA "ORGANIC THERAPY"'s Security team utilizes monitoring and analytics capabilities to
identify potentially malicious activity within our infrastructure. User and system behaviours
are monitored for suspicious activity, and investigations are performed following our
incident reporting and response procedures.

Employee Access

The security and data integrity of customer accounts is of the utmost importance at
SIA "ORGANIC THERAPY". As a result, our technical support staff do not have access to the
backend hypervisors where virtual servers reside nor direct access to the storage systems
where snapshots and backup images reside. Only select engineering teams have direct
access to the backend hypervisors based on their role.

Annex to the Customer GDPR Data Processing Agreement
List of Sub-processors engaged by SIA "ORGANIC THERAPY" to process Personal Data on
Customer's behalf:

• PayPal

SIA "ORGANIC THERAPY" takes the security of your data and our infrastructure very
seriously. We are committed to providing an environment that is safe, secure, and available
to all of our customers.


Passed in 2016, the new General Data Protection Regulation (GDPR) is the most significant
legislative change in European data protection laws since the EU Data Protection Directive
(Directive 95/46/EC) introduced in 1995. The GDPR, which becomes enforceable on May 25,
2018, seeks to strengthen the security and protection of personal data in the EU and serve
as a single piece of legislation for all of the EU. It will replace the EU Data Protection
Directive and all the local laws relating to it.
We support the GDPR and will ensure all SIA "ORGANIC THERAPY" services comply with its
provisions by May 25, 2018. Not only is the GDPR an important step in protecting the
fundamental right of privacy for European citizens, it also raises the bar for data protection,
security and compliance in the industry.


What is the GDPR?
The General Data Protection Regulation (GDPR) is a new European privacy law that goes
into effect on May 25, 2018. The GDPR will replace the EU Data Protection Directive, also
known as Directive 95/46/EC, and will apply a single data protection law throughout the EU.

Data protection laws govern the way that businesses collect, use, and share personal data
about individuals. Among other things, they require businesses to process an individual’s
personal data fairly and lawfully, allow individuals to exercise legal rights in respect of their
personal data (for example, to access, correct or delete their personal data), and ensure
appropriate security protections are put in place to protect the personal data they process.

We have taken steps to ensure that we will be compliant with the GDPR by May 25, 2018.

Who does the GDPR apply to?

The GDPR applies to all entities and individuals based in the EU and to entities and
individuals, whether or not based in the EU, that process the personal data of EU
individuals. The GDPR defines personal data as any information relating to an identified or
identifiable natural person. This is a broad definition and includes data that is obviously
personal (such as an individual’s name or contact details) as well as data that can be used to
identify an individual indirectly (such as an individual’s IP address).

What is SIA "ORGANIC THERAPY"'s role under GDPR?

We act as both a data processor and a data controller under the GDPR.

SIA "ORGANIC THERAPY" as a data processor: When customers use our products and
services to process EU personal data, we act as a data processor.

SIA "ORGANIC THERAPY" as a data controller: We act as a data controller for the EU
customer information we collect to provide our products and services and to provide timely
customer support. This customer information includes things such as customer name and
contact information.

What have we done to comply with GDPR?

We have conducted an extensive analysis of our operations to ensure we comply with the
new requirements of the GDPR. We have reviewed our products and services, customer
terms, privacy notices and arrangements with third parties for compliance with the GDPR.
We can confirm we will be fully compliant with the GDPR by May 25, 2018.

What personal data do we collect and store from our customers?

We store data that customers have given us voluntarily. For example, in our role as data
controller, we may collect and store contact information, such as name, email address,
phone number, or physical address, when customers sign up for our products and services
or seek support help. We also may collect other identifying information from our customers,
such as IP address or PayPal ID for external services.

We separately act as a data processor when customers use our products and services to
process EU personal data. Customers decide what personal data, if any, is uploaded to our
products and services.

What is the SIA "ORGANIC THERAPY" Data Processing Agreement ("DPA")?

Customers that handle EU personal data are required to comply with the privacy and
security requirements under the GDPR. As part of this, they must ensure that the vendors
they use to process the EU personal data also have privacy and security protections in place.
Our DPA outlines the privacy and security protections we have in place. We are committed
to GDPR compliance and to helping our customers comply with the GDPR when they use
our services. We have therefore made our DPA available to all our customers and it can be
found here: Data Processing Agreement.

Are customers required to sign the SIA "ORGANIC THERAPY" DPA?

In order to use our products and services, you need to accept our DPA, which we have
provided a link to on our website: Data Processing Agreement. By agreeing to our terms of
service, you are automatically accepting our DPA and do not need to sign a
separate document.

Can a customer share the SIA "ORGANIC THERAPY" DPA with its customers?

Yes. The DPA is a publicly available document and customers who wish to share it with their
customers to confirm our security measures and other terms may feel free to do so.

Do customers need to notify anyone upon accepting our DPA?
No. You are not required to notify us or any third party upon accepting our DPA though, as
mentioned above, you are free to do so.

Are there any unique DPA needs for certain countries?

The GDPR applies to all of the EU and we offer a DPA that is compliant with the GDPR in all
EU countries.

Do we transfer data internationally?

The GDPR replicates the Data Protection Directive restrictions on transferring data outside
the EU and prohibits the export of personal data outside of the EU to non-EU recipients
unless the export meets certain criteria.

Although we are headquartered in the Russian Federation, SIA "ORGANIC THERAPY" has
data centers and customers in the EU. In certain circumstances, we will process personal
data that originates from the EU in the Russian Federation. We provide a level of protection
of privacy that complies with the EU rules. To confirm this, we have certified the company
under the Privacy Shield.

How do we handle delete instructions from customers?

Customers have the ability to remove or delete information they have uploaded to our
store. Likewise, customers may deactivate their account and request that all personal data
we have collected is not processed or used.