Privacy Policy
Version dated April 1, 2026
This Privacy Policy shall remain in effect indefinitely until replaced by a new version.
1. General Provisions
1.1. This Privacy Policy (hereinafter referred to as the “Policy”) has been developed in accordance with the requirements of Federal Law No. 152-FZ dated July 27, 2006 “On Personal Data” (hereinafter – “Law 152-FZ”) and defines the procedure for the processing and protection of personal data of individuals (hereinafter – “Users”, “Personal Data Subjects”) which may be obtained by Riva Capital LLC (hereinafter – the “Operator”) when Users use the Beanshe services (mobile applications “Beanshe” and “Beanshe Expert”, website, and related services).
1.2. Operator:
- Full legal name: Limited Liability Company “Riva Capital”
- Registered address: 127018, Moscow, intra-city municipal district Maryina Roshcha, Sushchevsky Val St., 16, building 6
- TIN / PSRN: 9715290858 / 1177746082931
- Email: info@beanshe.com
- Phone: +7-929-632-99-79
1.3. The Operator is registered in the Register of Personal Data Operators, Registration Entry No. 77-25-481657; basis for inclusion: Order No. 616 dated September 8, 2025; notification registration date: September 5, 2025.
1.4. This Policy applies to all Beanshe services, including mobile applications, websites, as well as information collected automatically through cookies and other technologies.
1.5. By using Beanshe, the User agrees to the terms of this Policy. If the User does not agree with the terms, they must cease using the services.
2. Legal Grounds for Processing Personal Data
2.1. The Operator processes personal data only where there are lawful grounds provided for by Law 152-FZ. For each type of processing, a specific legal basis is defined:
Legal Basis | Provision of Law 152-FZ | Applicable Processing Purposes |
Processing is necessary for the performance of a contract | Article 6(1)(5) | – order processing; – issuance of invoices and sending of receipts; – account authentication; – processing of payments; – provision of access to application functionality; – communication with the User regarding contract performance. |
Processing is carried out in the legitimate interests of the Operator | Article 6(1)(7) | – adaptation of the service to User preferences; – improvement of service quality and development of new features; – analysis of User behavior to enhance usability; – ensuring security and preventing fraud; – maintaining statistics. |
Processing is based on the data subject’s consent | Article 9 | – sending marketing and advertising communications; – conducting surveys and collecting feedback; – participation in promotions, contests, and loyalty programs; – processing geolocation data for purposes not related to contract performance (where applicable). |
Processing is necessary to comply with legal obligations | Article 6(1)(4) | – compliance with applicable laws (tax, antitrust, etc.); – provision of information upon lawful requests of governmental authorities; – prevention of fraud and unlawful activities. |
2.2. For certain categories of personal data, the applicable legal bases are specified in Appendix 1.
3. Categories of Personal Data Processed, Purposes and Retention Periods
3.1. The Operator processes only those personal data that are necessary to achieve specific processing purposes. A detailed list of data categories, processing purposes, legal bases, and retention periods is set out in Appendix 1 (for data provided by the User) and Appendix 2 (for data collected automatically).
3.2. Retention periods for personal data:
- For data processed on the basis of a contract: for the entire duration of the contract and for 5 years after its termination (unless otherwise required by law, e.g., accounting documents – 5 years, payment data – as required by tax legislation).
- For data processed on the basis of consent: until such consent is withdrawn by the User.
- For data processed on the basis of the Operator’s legitimate interests: until the processing purpose is achieved or the necessity for processing ceases, but no longer than 3 years from the User’s last interaction with the service.
- Upon expiration of the established retention periods, personal data shall be deleted or anonymized (as described in Section 7).
3.3. Specific retention periods by data category:
- Contact data and account data – 5 years from the last login to the account.
- Payment data (transaction history) – 5 years from the date of the last transaction.
- Geolocation data – no more than 1 year from the date of collection.
- Chat and support request data – 3 years from the last request.
- Non-essential cookies – until consent is withdrawn, but no longer than 12 months.
4. Procedure for Obtaining Consent for Personal Data Processing
4.1. For processing activities requiring consent (marketing, feedback collection, participation in promotions, etc.), the Operator obtains separate, informed consent from the User.
4.2. Consent is obtained:
- via the application interface (a separate checkbox not embedded within the Policy text); or
- in the form of a written statement sent to the Operator’s email address.
4.3. Consent is deemed obtained if the User has explicitly and freely expressed their will after familiarizing themselves with the processing terms (data categories, purposes, retention periods, and consequences of refusal).
4.4. The User has the right to withdraw consent at any time by sending a written notification to info@beanshe.com. Upon receipt of such withdrawal, the Operator shall cease processing and delete personal data processed on the basis of consent within 30 days, unless otherwise required by contract or law.
5. Data Localization
5.1. In accordance with Article 18 of Law 152-FZ, all databases containing personal data of citizens of the Russian Federation are stored on servers located within the territory of the Russian Federation. The initial recording of personal data is carried out exclusively in Russian databases.
5.2. Location of databases: 188684, Russian Federation, Leningrad Region, Vsevolozhsky District, urban-type settlement Dubrovka, Sovetskaya Street, Building 1, Litera B.
5.3. Cross-border transfer of personal data is carried out only if:
- a valid legal basis exists (User consent, contract, or legal requirement);
- Roskomnadzor has been notified in advance (for countries not providing adequate protection);
- appropriate data protection measures are implemented.
5.4. The Operator does not currently carry out systematic cross-border transfers of personal data of Russian citizens. If such transfers become necessary, this Policy will be updated accordingly.
6. Transfer of Personal Data to Third Parties
6.1. The Operator may transfer personal data to third parties in the following cases:
- Service providers (analytics services, cloud hosting, technical support) – under agreements requiring confidentiality and limiting use to purposes defined by the Operator. All such providers are Russian residents or use servers located in Russia.
- Partners (food and beverage suppliers) – for order fulfillment. Data is transferred in the minimum necessary scope (name, order number, delivery address).
- Government authorities – in accordance with applicable law.
- In case of reorganization or sale of the business – to the new owner subject to compliance with this Policy.
6.2. A list of specific third parties and purposes of transfer is provided in Appendix 4.
6.3. The Operator does not sell personal data to third parties.
7. Personal Data Security Measures
7.1. The Operator implements necessary organizational and technical measures to protect personal data from unauthorized or accidental access, destruction, modification, blocking, copying, dissemination, and other unlawful actions.
7.2. Measures include:
- appointment of a person responsible for personal data processing;
- development and implementation of internal policies and procedures;
- use of certified information security tools (FSTEC/FSB, where applicable);
- encryption of data transmission channels (SSL/TLS);
- access restriction based on job responsibilities;
- logging of access events;
- regular security testing;
- control over third parties with access to personal data.
7.3. In case of data breaches or unlawful processing, the Operator shall promptly notify Roskomnadzor and affected data subjects in accordance with applicable law.
8. Procedure for Destruction of Personal Data
8.1. Personal data shall be destroyed in the following cases:
- achievement of processing purposes;
- expiration of retention periods;
- withdrawal of consent (where applicable);
- detection of unlawful processing;
- liquidation of the Operator.
8.2. Destruction methods:
- electronic data – deletion from databases with additional secure erasure;
- paper records – shredding or incineration.
8.3. Destruction is documented in a formal act stored for at least 3 years.
9. Rights of Personal Data Subjects
9.1. The User has the right to:
- obtain information about processing purposes, legal bases, and methods;
- request correction, blocking, or deletion of inaccurate or unlawfully processed data;
- withdraw consent;
- lodge complaints with Roskomnadzor or courts;
- request data portability (for contract- or consent-based processing).
9.2. Requests must be sent:
- in writing to: 127018 Moscow, Sushchevsky Val St., 16, bldg. 6; or
- electronically to: info@beanshe.com
The request must include:
- full name;
- identity document details;
- issuing authority and date;
- request description;
- signature (handwritten or electronic).
9.3. Requests are processed within 10 business days, extendable to 30 days in exceptional cases.
9.4. Person responsible: Olga A. Mashorina, General Director
Phone: +7-929-632-99-79
Email: info@riva.capital, all@beanshe.com
10. Processing for Marketing Purposes
10.1. Marketing communications are sent only with separate consent.
10.2. Users may consent to receive:
- push notifications;
- emails;
- messaging app communications.
10.3. Opt-out methods:
- account settings (“Notifications”);
- “Unsubscribe” link in emails;
- written request to info@beanshe.com.
10.4. Opting out does not affect transactional or service messages.
11. Use of Cookies and Similar Technologies
11.1. The Operator uses cookies and tracking technologies to ensure service functionality, collect statistics, and improve service quality.
11.2. Types of cookies and legal bases:
Cookie Type | Purpose | Legal Basis |
Strictly necessary | Ensuring the operation of the application (authentication, shopping cart) | Performance of a contract (Art. 6(1)(5) of Law 152-FZ) |
Functional | Remembering user preferences (language, region) | Legitimate interests of the Operator (Art. 6(1)(7) of Law 152-FZ) |
Analytical | Collection of usage statistics, behavior analysis | User consent (Art. 9 of Law 152-FZ) |
Advertising / marketing | Targeted advertising, retargeting | User consent (Art. 9 of Law 152-FZ) |
11.3. For analytics purposes, the Operator uses services that ensure data storage on servers located within the Russian Federation (Yandex.Metrica and others). The use of foreign services (Google Analytics, Firebase, etc.) is carried out only after the initial recording of data in Russian databases and with the User’s consent.
11.4. The User may manage cookies:
- through browser or mobile device settings;
- within the application – in the “Privacy Settings” section.
11.5. Disabling cookies may result in the inability to use certain functions of the service.
12. Final Provisions
12.1. The Operator reserves the right to amend this Policy. The new version shall enter into force upon its publication in the application and on the website, unless otherwise specified.
12.2. Any questions related to the processing of personal data may be sent by the User via email to info@beanshe.com or by post to the Operator’s registered address.
12.3. This Policy is a publicly available document and is subject to unrestricted distribution.
Appendix 1. Personal Data Provided by the User
Data Category | Data Elements | Purpose of Processing | Legal Basis | Retention Period | Recipients |
Contact data | Full name, email address, phone number, delivery address | Order processing, account creation, authentication | Performance of a contract (Art. 6(1)(5) of Law 152-FZ) | 5 years from last login | Service providers (analytics, cloud hosting), partners (for order fulfillment) |
Payment data | Card number (encrypted), authorization code, transaction date and amount | Payment processing, issuance of receipts | Performance of a contract (Art. 6(1)(5) of Law 152-FZ) | 5 years from transaction date | Payment processors (YooKassa, CloudKassir, etc.) |
Geolocation data | GPS coordinates (precise) | Display of nearby coffee shops, distance calculation | Legitimate interests (Art. 6(1)(7) of Law 152-FZ) | 1 year | Analytics services (on servers in the Russian Federation) |
Social media data | Name, user ID, profile data (when logging in via social networks) | Authentication, account creation | Performance of a contract (Art. 6(1)(5) of Law 152-FZ) | 5 years from last login | Not transferred |
Chat and support data | Message content, communication history | Customer support, service improvement | Legitimate interests (Art. 6(1)(7) of Law 152-FZ) | 3 years from last request | Support services (e.g., Wazzup) |
Appendix 2. Personal Data Collected Automatically
Data Category | Data Elements | Purpose of Processing | Legal Basis | Retention Period | Recipients |
Technical data | IP address, device type, operating system version, device identifiers | Ensuring security, debugging, compatibility | Legitimate interests (Art. 6(1)(7) of Law 152-FZ) | 1 year | Not transferred |
Usage data | Activity history, visit time, pages viewed | Behavior analysis, service improvement | Legitimate interests (Art. 6(1)(7) of Law 152-FZ) / Consent (for detailed analytics) | 3 years | Analytics services (e.g., Yandex.Metrica) |
Cookies | Session identifiers, preferences | Service operation, personalization | Performance of a contract / Consent (depending on cookie type) | Up to 12 months | Not transferred |
Appendix 3. Cookies Used
Cookie Type | Provider | Retention Period | Purpose | Legal Basis |
Strictly necessary | Beanshe | Session / up to 1 year | Authentication, shopping cart functionality | Performance of a contract |
Functional | Beanshe | Up to 1 year | Language, region, user preferences | Legitimate interests |
Analytical | Yandex.Metrica | Up to 2 years | Website traffic statistics, user behavior analysis | Consent |
Analytical | (other Russian services) | Up to 2 years | Usage analysis | Consent |
Appendix 4. List of Third Parties Receiving Personal Data
Third Party Name | Categories of Data Transferred | Purpose of Transfer | Legal Basis | Country (Data Location) |
Yandex LLC | Analytical data, cookies | Collection of statistics, service improvement | Consent | Russian Federation |
MTS PJSC | Contact data, technical data | Provision of communication services, analytics | Performance of a contract / Legitimate interests | Russian Federation |
TBank JSC | Payment data | Payment processing | Performance of a contract | Russian Federation |
Cloud Technologies LLC (CloudKassir) | Payment data | Issuance of receipts, fiscalization | Performance of a contract | Russian Federation |
Wazzup LLC | Chat data, contact data | Technical support | Legitimate interests | Russian Federation |
Google LLC (only with consent) | Analytical data (anonymized) | Behavioral analysis | Consent | Russian Federation (data is copied to the Russian Federation after initial recording) |
Note: All third parties listed in this Appendix are residents of the Russian Federation or use servers located within the territory of the Russian Federation and have valid agreements in place requiring them to comply with the requirements of Law 152-FZ.
This Policy has been approved and enacted by order of the General Director of Riva Capital LLC dated April 1, 2026. The previous version shall become invalid as of the date of publication of this version.