Balm Privacy Policy and Personal Data Processing Notice
What changed in this revision
Version 4.0 extends edition 3.0: a new section on data processing within the “Delivery and rental requests” feature (request geolocation, request text, matching against a host’s active listings and push notifications about matching requests); the list of service providers and the retention terms are updated to reflect the migration of chat to the Operator’s own infrastructure (servers and S3 object storage) instead of a third-party cloud provider; the contact address is unified to balmforpartners@gmail.com.
This English text is an informational summary of Balm’s Privacy Policy, version 4.0, effective from 22 June 2026. The authoritative legal version of this Policy is the Russian-language text published at balm.rentals/ru/privacy, in accordance with Section 1.4 above. In the event of any conflict between this English summary and the Russian version, the Russian version prevails.
1. Scope and acceptance
This Privacy Policy explains what personal data Balm collects, why, how it is processed, with whom it is shared and what rights you have. It applies to the balm.rentals website and the Balm mobile applications for iOS and Android (collectively, the “Service”). By using the Service you confirm that you have read and understood this Policy.
2. Controller
The data controller is Individual Entrepreneur Sergey N. Vikhlyaev, TIN 682004283576, OGRNIP 323680000023219, registered in the Russian Federation. Contact: balmforpartners@gmail.com.
3. Categories of personal data we process
Identity and contact data (name, phone, email, OAuth identifiers from Apple Sign in and Google Sign In, profile picture); listing data (vehicle photos, description, location, contact number); communications (chat messages and attached media, reviews and ratings); request data (the text and parameters of a delivery/rental request and its geolocation – see Section 3A); technical data (IP address, device identifiers, OS and app version, push token, crash and performance logs); usage data (search queries, viewed listings, partner-link clicks, VIP status and metrics); location data (when you grant permission, used while the app is active, including for the requests feature); payment data (transaction status and last four card digits – full card data is never received by us); data received from third parties (Apple, Google, analytics, push providers).
We do not intentionally collect special category data (health, religion, biometrics, etc.). The Service is not directed to minors under 18.
3A. Delivery and rental requests
The Service offers a requests feature: a renter (typically a tourist) publishes a request to have a vehicle delivered and/or rented, specifying the desired vehicle parameters, conditions and location. Hosts who have a matching vehicle within range of the request location receive a push notification about the new matching request and may respond to it; the parties then communicate in the in-app chat.
For this feature we process: the request text and the vehicle parameters it specifies; the geolocation (coordinates or area) you provide or confirm; technical data needed to match the request against hosts’ active listings (vehicle type and characteristics, distance between the request point and the listing location); and the push token used to deliver notifications about matching requests.
The legal basis is performance of the contract with you (providing Service functionality) and, for geolocation, your consent expressed by granting location access and by publishing the request. Matching is automatic, based on geographic and parameter criteria; it is ancillary processing and does not produce legal effects on you (see also Section 9). The request geolocation may be visible to notified hosts only to the extent needed to assess relevance (typically an area or approximate distance, not your exact home address). Push notifications about matching requests are sent only to hosts with matching active listings who have not disabled such notifications. Retention of request data is described in Section 5; request-related chat follows the chat retention rules.
4. Legal bases and purposes
We process your data on the following bases: (a) performance of the contract between you and Balm (to provide the Service, including listings, requests, request-to-listing matching, chat and notifications); (b) compliance with legal obligations; (c) our legitimate interests in security, fraud prevention, analytics and protection of our rights – provided your rights and freedoms do not override them; (d) your consent for marketing communications, advertising cookies, certain cross-border transfers and processing of location data for the requests feature; (e) vital interests in life-threatening situations.
5. Retention
Account data: while the account exists plus 90 days; listings: until archived plus 12 months; requests and their geodata: while active plus 90 days after closure or withdrawal; chat messages and media stored on the Operator’s infrastructure (servers and S3 object storage), including request-related chat: up to 365 days; reviews: indefinitely or until anonymised at user’s request; server logs: 12 months; crash logs: 90 days; payment records: 5 years (statute of limitations); consent records: 5 years after withdrawal.
6. Recipients
We share data only with vetted processors acting under written DPAs: hosting and cloud infrastructure providers in the Russian Federation (which host the backend, database and S3 object storage); Apple (Sign in with Apple) and Google (Google Sign In) as authentication providers; Apple Push Notification service and Firebase Cloud Messaging for push delivery, including matching-request notifications; Firebase Crashlytics, Amplitude or analogous services for crash and product analytics; Google Maps and/or OpenStreetMap tile providers; SMS, email and payment processors; content-moderation tools; and legal, tax and audit advisers under professional confidentiality. We share data with Partners only with your explicit consent (e.g. when you tap to share contact info with a Partner). We do not sell personal data in the sense of CCPA.
Chat data is stored by the Operator. Chat messages, attached media (photos, audio, video) and chat metadata are stored and processed on the Operator’s own infrastructure – its servers and its S3 object storage, hosted with the providers above. Messaging was previously powered by a third-party cloud messaging provider; following the migration to the Operator’s own infrastructure, chat content is no longer handed to such a third-party provider for the purpose of storing the conversation. Only the participants and, to the extent needed for moderation and complaint handling, authorised Operator staff can access chat content.
7. International transfers
Our servers are primarily located in the Russian Federation; certain services (push, analytics, maps) involve transfers to other jurisdictions. For EU/EEA/UK users, transfers rely on EU Standard Contractual Clauses where applicable. For Thai users, transfers comply with Section 28 of the PDPA. For Russian users, primary processing complies with Article 18(5) of Federal Law 152-FZ.
8. Security
We apply industry-standard technical and organisational measures: TLS in transit, encryption of sensitive data at rest, role-based access controls, audit logging, regular patching, backups and confidentiality undertakings by personnel and contractors. In case of a personal data breach likely to result in significant risk to your rights, we will notify the competent supervisory authority within 72 hours (where GDPR applies) and you without undue delay where required by law.
9. Your rights
Depending on your jurisdiction you have the right to access, rectify, erase, restrict or object to processing of your data, to data portability, to withdraw consent, and to lodge a complaint with the competent supervisory authority. The Service does not subject you to solely automated decisions with legal effects; algorithmic moderation and the automatic matching of requests to listings are ancillary. Submit requests to balmforpartners@gmail.com; we respond within 30 days (extendable by 60 days for complex requests). We may require additional information to verify your identity.
10. Cookies (website only)
balm.rentals uses strictly necessary, functional, analytics and marketing cookies. We request your consent for non-essential cookies via a cookie banner. You can change your choice at any time via the “Cookie settings” link in the footer or via your browser settings. Mobile apps do not use cookies; they use local device identifiers and push tokens.
11. Children
The Service is intended for users aged 18 or above and is not directed to children under 16. For users in Thailand, processing of data of minors under 20 generally requires their legal representative’s consent, in accordance with Section 20 of the PDPA.
12. Updates to this Policy
Each version of this Policy is archived at balm.rentals/<lang>/privacy/versions and dated. We will notify you of material changes at least 14 days in advance through the app, by email or by another reasonable channel. Continued use of the Service after the effective date means you accept the updated Policy.
13. Contact
Individual Entrepreneur Sergey N. Vikhlyaev, TIN 682004283576, OGRNIP 323680000023219. Privacy contact: balmforpartners@gmail.com. Effective date: 22 June 2026. Version 4.0.