Privacy Notice
Date of effect: March 10, 2025
Last updated: February 28, 2025
We have developed this Privacy Notice ("Privacy Notice") to explain to you how we collect, use, disclose, and store personal data.
Introduction
This Privacy Notice applies to Toloka AI AG and its relevant affiliates listed in Section 16 ("Toloka", "we", "us", "our").
When Does This Privacy Notice Apply?
This Privacy Notice applies to personal data that Toloka handles as a Controller, including when you:
Visit or interact with the toloka.ai, we.toloka.ai and/or mindrift.ai websites (the “Website(s)”), the Toloka Platform, the Toloka, Toloka: Annotators and Mindrift mobile applications, other resources associated with Toloka and the branded social media pages we operate;
Register for or participate in our webinars, events, programs, marketing initiatives, and promotional activities;
Interact with us in person, such as when you visit our offices; and
Inquire about or engage in commercial transactions with us.
After reviewing this Privacy Notice, please check the country-specific provisions at the end of the Privacy Notice, which may apply to the processing of your data based on your country of residence. These provisions either supplement this Privacy Notice or, if required by law, take precedence over any conflicting terms.
This Privacy Notice refers to provisions of:
US privacy legislation (including but not limited to California Consumer Privacy Act (CCPA), California Privacy Rights Act of 2020, California Online Privacy Protection Act (COPPA), Health Insurance Portability and Accountability Act (HIPAA), Virginia Consumer Data Protection Act (CDPA), Colorado Privacy Act (CPA), Connecticut Act Concerning Personal Data Privacy and Online Monitoring (CTDPA), Utah Consumer Privacy Act (UCPA))
and other applicable laws in force as of the last update of this Privacy Notice.
1. Controller
Toloka is the controller of the personal data processed under this Privacy Notice. This means that Toloka determines the purposes and means of processing these personal data.
You can contact Toloka with any questions regarding the processing of your personal data at privacy@toloka.ai.
2. Legal bases
Depending on which features of Toloka you use, Toloka will process your personal data based on one or more of the following legal bases:
Contract
To fulfill our contractual obligations to you and provide access to the Toloka Platform, Toloka may process your personal data. This includes activities such as account registration, or money withdrawal.
Legitimate interest
When Toloka has a legitimate interest in using your personal data in a certain way, provided that such use is necessary and justified given any potential risks to you. We conduct a Legitimate Interest Assessment (LIA) to ensure that your personal data is adequately protected. LIA is a form of risk assessment based on the specific context and circumstances of data processing. Conducting an LIA helps us ensure that processing is lawful and considers the impact it may have on individuals.
Consent
When Toloka requests your explicit consent to process your personal data for specific purposes. Providing consent does not affect your right to use Toloka’s services or to offer services to Toloka.
If processing is based on consent (or explicit consent), you have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal. For example, to withdraw consent, you can:
contact Toloka by using the contact details specified in section 1 of this Privacy Notice,
click the unsubscribe link provided at the bottom of each email in direct marketing email.
If you reside in a jurisdiction where consent is the only or most appropriate legal basis for the processing of personal data as described in this Privacy Notice, your acceptance of this Privacy Notice will be considered as your consent to the processing of your personal data for all purposes outlined herein. You may revoke this consent at any time by contacting us at privacy@toloka.ai.
Legal obligation
Toloka may also be required to share your personal data with competent authorities in accordance with applicable legislation.
3. Categories of personal data processed by Toloka
The table below outlines the categories of personal data Toloka collects and processes. Toloka primarily collects personal data directly from data subjects (e.g., by completing the registration form). Additionally, certain personal data may also be obtained from third parties.
Please use horizontal scrolling to navigate through the table.
Purpose of the processing
Data subjects / Categories of data
Storage Period
Legal Bases
Third parties
The role of the third parties
Third party’s privacy notice
Sending newsletters for marketing purposes via Email
Marketing e-newsletter subscribers:
User ID; Email
Until consent is withdrawn (by unsubscribing) or until the purpose of processing is fulfilled (the relevance of the purpose is assessed every 3 years)
Consent
Hubspot
Processor
Analysis of website visitors' behavior
Our website users:
IP address; Browser type and language used; The Internet service provider information; sending and exiting web pages that were sent and exited; Operating system information; date and time checks; website visits information
Limited by the validity period of cookies (specified in the Toloka Cookie List and Mindrift Cookie List)
Consent (for marketing and analytics cookies); Legitimate interest in ensuring the proper functioning of the website
Google Analytics (for toloka.ai and mindrift.ai);
Facebook Analytics (for toloka.ai); LinkedIn (for toloka.ai); Microsoft Bing (for toloka.ai), HubSpot (for toloka.ai and mindrift.ai)
Processor(s)
User Registration on Toloka
Our Users:
Full name; Email; Native language; Date of birth; Username; Phone number
Within the term of the contract
Contract (with Users)
Toloka affiliates
Joint controllers
N/A
User Registration on Mindrift
Our Users:
Full name; Email; Native language; Date of birth; Username; Phone number; Country; Education; Preferred Language; English proficiency level
Within the term of the contract
Contract (with Users)
Toloka affiliates
Joint controllers
N/A
Tracking fraudulent activities
Our Users:
User ID; User's device details; Location (IP address, phone number); Mouse cursor movement and scrolls tracking; Screen recording; Phone number
5 years from the date of receipt of personal data
Legitimate interest to prevent fraudulent activity
Toloka affiliates
Joint controllers
N/A
Identity verification
Our Users:
Full name; Date of birth; ID (Passport) number / details; ID (Passport) photo; Selfie
5 years from the date of receipt of personal data
Consent
Persona; Databricks
Processors
Sanctions Compliance
Our Users:
Full name; Date of birth; ID (Passport) number / details; ID (Passport) photo; Selfie
Within the term of the contract + 1 year after its termination or earlier in case of withdrawal
Consent
MaxMind; Persona
Processors
Sanctions Compliance
Authorized representatives and shareholders of BPO, Customers, Suppliers: Full name, Position, Email and Phone number, ID / Passport copy
Within the term of the contract + 1 year after its termination
Legal obligation
Refinitiv
Processor
Customer Registration
Our Customers:
Full name;
Work email; Company;
Phone number (optional);
Job Title (optional)
Within the term of the contract
Contract (with Customers)
Toloka affiliates
Joint controllers
N/A
Remuneration to Users by Toloka
Our Users:
User ID; Remuneration amount
Within the term of the contract
Contract (with Users)
Toloka affiliates; Databricks
Toloka affiliates - Joint controllers; Databricks - processor
Withdrawal from the wallet by Users
Our Users:
Email;
Phone number;
User ID;
Wallet number;
Information of performed tasks;
Payment system;
Currency;
Transaction ID;
Account type;
Remuneration amount
Within the term of the contract
Contract (with Users)
Toloka affiliates;
Payoneer;
Papara
Processors
Authorization on Toloka
Our Users and our Customers:
Username;
Email;
Phone number;
Authorization ID
Within the term of the contract
Contract (with Users and Customers)
Toloka affiliates; Authorization service providers that enable Tolokers, AI Tutors and Customers to register or get access to the Toloka Platform using their own tools or widgets: Apple, Google, Facebook, GitHub, Microsoft
Joint controllers
Provision of support
Our Users and our Customers:
Email;
Full name;
Username;
User's device ID;
Phone number
Within the term of the contract
Contract (with Users and Customers)
Toloka affiliates; ZenDesk
Toloka affiliates - joint controllers; ZenDesk - processor
Notification of Users of their actions on the Toloka via SMS
Our Users: Phone number
Within the term of the contract
Contract (with Users)
Mitto; Ding
Processor
Verification of the conscientious completion of tasks by Users
Our Users:
User ID;
Assessment of the task completion
Within the term of the contract
Legitimate interest to improve the quality of provided services to Customers
Toloka affiliates
Joint controllers
N/A
Assessing skills based on test results, and determining location for language proficiency tests
Our Users:
Actions in the system (logs);
User ID;
Device ID;
Location (IP address, phone number)
Within the term of the contract
Contract (with Users)
Toloka affiliates
Joint controllers
N/A
Requesting a demo of Toloka services, incl. the form Talk to us
Our prospect Customers:
Full name; Company; Work email;
Job title (optional);
Phone number (optional)
1 year after the date of request
Consent
Toloka affiliates; Hubspot
Toloka affiliates - joint controllers; Hubspot - processor
Registration for webinars, events, programs, and marketing or promotional activities of Toloka
Webinar participants:
Email;
Full name;
Company information;
Job title
1 year after the date of registration or in case of consent withdrawal
Consent
Toloka affiliates; Hubspot
Toloka affiliates - joint controllers; Hubspot - processor
Recording the meeting(s) on video or audio to enhance follow-up and coaching
Our Customers:
Email;
Full name;
Display name;
Picture (optional);
Company information;
Job title;
Speaker's data that was disclosed during the course of the meeting
6 months after the meeting or in case of consent withdrawal
Legitimate interest to communicate with Customers; Consent (for recording)
Zoom; Microsoft Teams; Amazon Chime
Processors
Fixing bugs and implementing software improvements
Our Users and our Customers:
External user ID
Until the purpose of processing is fulfilled (the bugs are fixed)
Legitimate interest to improve Toloka services
Sentry
Processor
Dispatching transaction documents to Customers
Our Customers:
Email;
Phone number;
Country;
City;
Full name;
Company information (name, post address, post code, state (if applicable))
Within the term of the contract
Contract (with Customers)
Stripe; Toloka affiliates
Stripe - processor, Toloka affiliates - joint controllers
Conducting surveys
Our Users who have decided to participate in Toloka's survey(s):
Name;
Country;
Photo
After 2 years from the date of participation in the survey or in case of consent withdrawal
Consent
Toloka affiliates
Joint controllers
N/A
Providing feedbacks for posting them on toloka.ai
Our Users: Name (Full name - oprional); Country; Feedback; Photo; Freelance role
2 years or earlier in case of consent withdrawal
Consent
Toloka affiliates; Google (Google Forms located on EU servers)
Toloka affiliates - joint controllers; Google - processor
Providing feedbacks for posting them on mindrift.ai
Our Users:
Name (Full name - oprional);
Country;
Feedback;
Photo;
Freelance role
2 years or earlier in case of consent withdrawal
Consent
Toloka affiliates; Google (Google Forms located on EU servers)
Toloka affiliates - joint controllers; Google - processor
Customer relations management
Our Customers:
Full name;
Job title;
Email;
Company information
Within the term of the contract
Contract (with Customers)
Hubspot; DocUsign
Processor
Customer relations management for Prospect Clients
Our Prospect Customers:
Full name;
Job title;
Email;
Company information; LinkedIN Profile (for LinkedIN Navigator)
Within the term of the contract or until the moment when it becomes clear that the contract will not be concluded
In order to take steps at the request of the data subject prior to entering into the contract (with Customers)
Hubspot; LinkedIN Navigator; DocUsign
Processors
Invitation Users to apply for a freelance position, pass qualification tests (if required) and further follow-up with results of tests and selecting process
Our Users or prospect Users:
Full name, telephone number, email address, country, language, resume, LinkedIN profile (optional), personal website (optional)
1 year after the meeting or in case of consent withdrawal
Consent
Toloka affiliates; Google; Comeet; Workable; Greenhouse
Toloka affiliates - joint controller; Google, Comeet, Workable, Greenhouse - processors
Contractor management
Our User's / Contractor's:
Full name;
Date of Birth;
Country of residence;
Email;
Phone number;
Role;
Login credentials (user name and passwords);
Government-issued ID; Remuneration amount
Within the term of a contact + 7 years after expiration of a contract (for tax and audit purposes)
Contract (with AI Tutors / contractors); Legitimate interest to enable the company to conduct financial and tax audits (after expiration or termination of a contract)
Toloka affiliates; UpWork; OnTop; Google
Toloka affiliates - joint controllers; UpWork, OnTop - controllers; Google - processor
AI Tutors management
Our AI Tutors: Full name, email address, country, User ID, amount of earned money; User ID; freelance role
Within the term of the contract
Contract (with AI Tutors)
Toloka affiliates
Joint controllers
N/A
Product data analytics
Our Users:
Encrypted User ID; encrypted full name; information about completed tasks; wallet number
Within the term of the contract
Legitimate interest to improve Toloka platform
Databricks; Tableau Cloud
Processors
Demonstrating a status of the project to Customer(s)
All Customers who have a dedicated account manager: Full name;
Job title or Role (optional); Location (optional);
Email;
Company information
Within the term of a contract
Legitimate interest to improve quality of provided services
Monday
Processor
Inviting referrals to register
All referrals: Phone number, First name, Last name, Email; Country; LinkedIn profile (optional); Personal website (optional); Resume
2 years or earlier in case of consent withdrawal
Consent
Referral Factory
Processor
Participation in the referral program
All referrees: Email; User ID
Within the term of Mindrift Referral Program
Consent
Referral Factory
Processor
Online communication with AI Tutors
Our Users: Username; First name; Last name; Email; User ID; Avatar (if any)
Within the term of a contract
Legitimate interest to interact with Users
Discord; Telegram (upon User's request)
Controllers
Sending communications to Mindrift Users
Our Users: Phone number, Email, Full name; User_ID; Country
Within the term of a contract
Legitimate interest to communicate with Users
Iterable
Processor
* User means Toloker(s) and/or AI Tutor(s)
4. Transfers to third countries
Toloka transfers personal data to countries that are considered to have insufficient protection of data subjects’ rights under the GDPR ("Third Countries").
For the transfer of your personal data to Third Countries, Toloka employs various tools to:
ensure that the transfer of personal complies with applicable laws;
provide the same level of protection of your personal data as it has in the European Union, United Kingdom, Switzerland or USA;
determine whether the transfer is based on an adequacy decision;
confirm whether the transfer is subject to appropriate safeguards (GDPR Article 46 tools) such as Binding Corporate Rules (BCRs) or Standard Contractual Clauses (SCCs);
assess whether public authorities in the third country may seek access to the data with or without the knowledge of the data importer, either through legislation, practice, or precedent;
evaluate whether public authorities in the third country may access the data through the telecommunications providers or communication channels, considering applicable legislation, legal powers, technical, financial, and human resources, as well as reported precedents.
Toloka uses a variety of protections tailored to each data transfer to Third Countries, including:
Standard Contractual Clauses adopted by the European Commission (available here https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en); and
technical protections, such as access control, encryption, malware protection, security event monitoring, management of technical vulnerabilities, network security controls, incident management, and technical compliance reviews.
5. Storage periods and deletion of personal data
Toloka processes your personal data only as long as necessary to fulfill obligations under the Agreement and for Toloka’'s legitimate interests, such as:
maintaining the performance of the Toloka Platform;
making data-driven business decisions regarding new features;
complying with legal obligations;
resolving disputes.
Once the data processing purposes have been achieved, upon termination of the Agreement, or upon your request, Toloka will delete or anonymise your personal data so it no longer identifies you, unless Toloka is required to retain certain data or needs to use it for legally justifiable reasons, such as:
if there is an unresolved issue related to your account, such as an outstanding credit earned for performing tasks or an unresolved claim or dispute;
for Toloka's tax, audit, and accounting obligations;
where necessary and as permitted by applicable law, for our legitimate interests such as fraud prevention or to maintain information security.
6. Your basic personal data rights
Please refer to the table below for your rights and their descriptions.
To exercise your rights, you can contact Toloka using the contact details provided in Section 1 of this Privacy Notice. Toloka may ask you to submit your request in writing and to verify your identity before processing the request. Toloka may also refuse to fulfil your request on the grounds set out in applicable data protection legislation.
Right
Description
Access
You can ask Toloka to confirm whether or not your personal data is being processed. If it is, you have the right to access this personal data and request Toloka to explain certain details of the processing.
Rectification
You can request Toloka to correct any inaccurate personal data concerning you. You can ask Toloka to rectify incomplete or inaccurate personal data.
Erasure ('right to be forgotten')
You can ask Toloka to erase personal data concerning you. This applies, for example, if:
1. the personal data are no longer necessary for the purposes for which they were processed;
2. you withdraw your consent to the processing, and there is no other legal ground for the processing;
3. the personal data have been unlawfully processed.
Restriction on processing
You can ask Toloka to restrict the processing of your personal data under applicable law. This applies if:
1. you contest the accuracy of the personal data;
2. you request a restriction of the use of the personal data when their processing is unlawful;
3. you need the personal data to protect your rights when Toloka no longer needs the personal data;
4. you have objected to the processing based on the legitimate interests pursued by Toloka.
Objection to processing
You can object, on grounds relating to your particular situation, to processing of your personal data which is based on the legitimate interests pursued by Toloka or when personal data are processed for direct marketing purposes. Toloka shall no longer process your personal data unless Toloka demonstrates compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or for the establishment, exercise, or defense of legal claims.
Data Portability
When the processing is based on your consent or a contract with you, you can receive your personal data, which you have provided to Toloka, in a structured, commonly used, and machine-readable format. You can freely transmit these data to another controller. Where technically feasible, you can also ask Toloka to transmit the personal data directly to another controller.
7. Children's Privacy
We do not knowingly or intentionally collect personal data from children under the age of eighteen (18) years through Toloka Platform. If you are under eighteen (18) years of age, do not attempt to register on Toloka Platform or provide us with any personal data unless you have obtained the requisite parental consent.
If you are a parent or guardian and you are aware that your child has violated this Privacy Notice by providing us with personal data, please contact us using the contact details provided in Section 1 of this Privacy Notice.
In accordance with 47 U.S.C. Section 230(d), Toloka notifies you that parental control protections (such as computer hardware, software, or filtering services) are commercially available to assist you in limiting access to minors. Information about providers of such protections may be found on the Internet by searching “parental control protection” or similar terms.
8. Profiling and automated decision-making
As part of its personal data processing activities, Toloka may perform profiling and automated decision-making to monitor user behavior on the Toloka platform for the purposes of fraud prevention and detection.
Profiling and automated decision-making are conducted through Toloka’s anti-fraud system, which analyzes data collected from user activities on the Toloka platform. This includes features, factors, and statistics derived from user actions. If fraudulent activity is detected, the anti-fraud system may immediately restrict the user's access to task submissions, terminate agreements related to tasks, or, if the fraudulent activity is identified from the task requester's account, restrict their access to Toloka. Factors considered in anti-fraud analysis include, but are not limited to, user task submission logs, user actions in Toloka interface, cookies, CAPTCHA inputs, device details.
You have the right at any time to object to profiling and automated decision-making, and you may request further information about the logic involved and the potential consequences of such profiling and automated decision-making. To exercise this right, you can contact Toloka by sending a request to privacy@toloka.ai. Toloka may ask you to specify your request in writing and to verify your identity before processing the request.
At any time, you may request human intervention in the decision-making process, seek an explanation of the decision made, express your own views, and challenge the decision. To do so, please contact Toloka by sending a request to privacy@toloka.ai. Toloka may ask you to specify your request in writing and to verify your identity. If the fraudulent activity detected is not severe and your identity is successfully verified, your access to Toloka platform may be restored. However, if severe fraudulent activity is detected or you are unable to verify your identity, your access to Toloka may remain restricted.
Toloka periodically reviews the algorithms and processes personal data based on anomaly detection in anti-fraud metrics to ensure that the decision-making process is functioning as intended and that the method of processing remains fair, efficient, and equitable.
9. Right to lodge a complaint with a supervisory authority
You have the right to lodge a complaint with a supervisory authority, particularly in the member state of the European Union where you reside.
10. Principles of data security
We have implemented Information Security Management System (ISMS) compliant with international standard “ISO/IEC 27001:2013 Information technology — Security techniques — Information security management systems — Requirements” and Privacy Information Management System (PIMS) compliant with the requirements of the international standard «ISO/IEC 27701:2019 Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines». Toloka annually passes an audit performed by the independent external auditor to support continuous improvement of approaches and measures used to keep Your data secured.
Technical and organizational measures
We employ various technical and organizational safeguards to protect personal data against loss, theft, misuse, and unauthorized access, disclosure, alteration, and destruction. These measures include:
encrypting personal data in transit and at rest;
conducting regular vulnerability scans;
implementing organizational and legal measures, such as granting employees restricted access to personal data, holding annual awareness events, and holding them accountable for any unauthorized disclosure or misuse;
committing to privacy user journeys;
conducting data protection impact assessments to ensure compliance with privacy principles.
While we strive to maintain the security of interaction with Toloka, we cannot guarantee absolute security or prevent interception of information during transmission.
Security Breaches
If we become aware of a breach in our security systems, we may either issue a public notice or attempt to inform you via email. We will then take reasonable measures to address the breach in accordance with applicable laws. In the event of a potential breach involving personal data, we will take appropriate actions based on the situation, which may include logging you out from all devices, resetting passwords (by sending temporary passwords for you to use), and other necessary measures.
To report a security incident related to our services, please contact us via email at security@toloka.ai.
11. Cookies
We use cookies and similar tracking technologies to monitor activity on Toloka.ai and store certain information.
You can disable cookies off in the settings of your web browser or mobile device. You can also disable cookies using the “Manage Cookies” section in the footer of our Website.
For more information about the cookies we use and your choices regarding them, please visit our Toloka Cookie Notice (applicable for the website toloka.ai) and Mindrift Cookie Notice (applicable for the website mindrift.ai).
12. This Privacy Notice and Links to Other Sites
Our Privacy Notice is designed to inform you about how Toloka collects, uses, protects, and discloses personal data. However, the Toloka Platform may contain links to other sites that are not operated by us. Please note that this Privacy Notice does not apply to the practices of third parties. Information collected from you by others, such as third-party websites that you access through links on the Toloka Platform, is governed by their respective privacy policies. If you click a third-party link, you will be directed to that third party's site. We strongly advise you to review the privacy policies of each site you visit.
WE HAVE NO CONTROL OVER AND ASSUME NO RESPONSIBILITY FOR THE CONTENT, PRIVACY POLICIES, OR PRACTICES OF ANY THIRD-PARTY SITES AND SERVICES.
13. Difficulty Accessing this Privacy Notice
Individuals with disabilities who are unable to access our Privacy Notice online may contact us using the contact information provided above to inquire about obtaining a copy of the notice in an alternative more accessible format. Under no circumstances will we collect or process any information regarding your health or other sensitive data about you in connection with such a request.
14. STATE/COUNTRY SPECIFIC PRIVACY POLICIES AND NOTIFICATIONS
United States of America
A. Privacy Information for California Residents
This section of the Privacy Notice applies only to California residents. If you are a California resident, this section will prevail over other parts of the Privacy Notice in case of any discrepancies. To avoid any misunderstanding, personal information has the same meaning as personal data.
Personal Information Collected over the Last 12 Months
Personal information we collected directly from you:
Categories of Data Collected
Data collected from you and why it was collected
Characteristics of protected classifications under California or Federal law.
Toloka does not intentionally collect any information on your protected classifications, but Toloka may learn your protected classifications inadvertently (e.g., your age)
Commercial information
Record of services with Toloka
Geolocation Data
None
Financial Information
E-Wallet number. Note that Toloka uses third party payment processors as set forth in Section 3 to facilitate Your payments and Toloka does not store Your payment information.
Biometric Data
Yes, for the purpose of identity verification
Audio, electronic, visual, thermal, olfactory, or similar information
None
Internet/Network Activity
Internet Protocol address (IP address), browser type and language, information about the Internet service provider, sending and exiting pages, information about the operating system, date and time stamps, information about visits; information about mouse movement, scrolls; screen recording; actions in the system (logs).
Professional or Employment-related Information
Area of activities or occupation
Education Information
Highest degree or level of education (it is required for specific cases, such as prior to concluding a freelance agreement with AI Tutor)
Device Information
User's device details
Categories of Personal Information Sold in the last 12 months
We do not sell your personal information to third parties.
Categories of Personal Information Disclosed over the last 12 months
Categories of Data Disclosed
Types of Entities to which Data was Disclosed
Reason for Disclosure of Data
Categories of Recipients
Identifiers, Commercial information, Financial information, Internet/Network Activity Professional or Employment-related Information, Education information, Device Information, Biometric information
Please see section 3 with the detailed description.
Please see section 3 with the detailed description.
Please see section 3 with the detailed description.
Information we sell
We do not sell your personal information to third parties. Please note that “sale” of personal information does not include instances when such information is part of a merger, acquisition, or other transaction involving all or part of Toloka’s business. If we sell all or part of Toloka’s business, make a sale or transfer of assets, or are otherwise involved in a merger or other business transaction, we may transfer your personal information to a third party as part of that transaction. If such a transaction materially affects how your personal information is processed, we will notify you of such change before its implementation.
Your California Privacy Rights
We have implemented policies and procedures to help facilitate the exercise of privacy rights available to California residents under applicable law. If you are a California resident, you are entitled to the rights described in Section 6 of this Privacy Notice. In addition, you may be entitled to the following:
Disclosure of Direct Marketers:
You may request, at no charge, the categories and names/addresses of third parties that have received your personal information for direct marketing purposes. Toloka does not share your personal information with third parties for their direct marketing purposes.
Right to Information About Collecting, Selling, Sharing, or Disclosing Personal Information:
Upon receipt of a verifiable request, you may obtain a list of:
the specific pieces of your personal information that Toloka holds;
the categories of personal information collected about you, sold to third parties, or disclosed to third parties for business purposes;
the categories of personal information sold within the last 12 months;
the categories of sources from which personal information is collected;
the business or commercial purpose for collecting or selling personal information; and
the categories of third parties with whom personal information is shared, sold, or disclosed for a business purpose.
Right to Opt-Out of the Sale of Personal Information:
California residents have the right to opt-out of the sale of their personal information under certain circumstances.
Right to Non-Discrimination
As defined under relevant law, you have a right to non-discrimination in the services or quality of services you receive from us for exercising your rights.
Please contact us with the use of contact details specified in Section 1 of this Privacy Notice if you wish to exercise these rights. Note that we may ask you to verify your identity - such as by requiring you to provide information about yourself - before responding to such requests.
Submitting a Verifiable Request under the CCPA
California residents have certain rights regarding their personal information under the California Consumer Privacy Act of 2018 ("CCPA"). Toloka will respond to an individual's "verifiable request" to exercise their rights under the CCPA - that is, when Toloka has received a request purporting to be from a particular individual, and Toloka has been able to verify the individual's identity. The need to verify an individual's identity is crucial to protecting your information and ensuring that it is not shared with someone pretending to be you or not authorized to act on your behalf.
You may submit a verifiable request using the contact details specified in Section 1 of this Privacy Notice. To process your request, we will ask you to provide information to help us verify your identity. This information may include your name, address, whether you have an account with Toloka, and any other information deemed necessary to reasonably verify your identity.
Once we have your submission, we will compare the information you provide to the information we have on file to verify your identity. If necessary, we may request additional information if we have difficulty confirming your identity.
We will not share your information or fulfill any requests if we are unable to confirm that a request is a "verifiable request". If we cannot verify your identity, we will not be able to process your request.
Submitting a request through an authorized agent.
Under California law, a California resident can appoint an “authorized agent” to submit certain verifiable requests on their behalf, such as the right to know what information we collect or to request the deletion of the consumer's information. An authorized agent may submit a request by following the steps outlined above.
An authorized agent may submit a request by following the steps outlined above. However, the agent must identify the consumer they are acting on behalf of and provide the information necessary for us to verify the consumer’s identity. Additionally, we will require the authorized agent to submit proof of their authorization to act on the consumer’s behalf.
To ensure the security and privacy of your information, we will request that you provide written consent for the person acting as your authorized agent. This consent may include us contacting you directly to confirm that the individual claiming to be your agent has your permission to access or delete your information. We will also verify your identity independently to ensure that an unauthorized person is not attempting to exercise your rights without permission.
We will not share your information or honor any requests in situations where you have not provided written authorization for an agent to act on your behalf, or where we are unable to verify your identity.
Submitting a Request for Removal of Minor Information.
To request the removal of information about a minor from T, parents or guardians may submit a request with the subject line “Removal of Minor Information.” This request must come from the minor’s parent or guardian; minors themselves may not submit information to us via email.
Your submission should include the following details:
• the nature of your request
• the identity of the content or information to be removed
• whether the content or information is found on the Toloka Platform
• the location of the content or information on the Toloka Platform (e.g., providing the URL of the specific web page where the content or information is found)
• a statement that the request is related to the “Removal of Minor Information”
• your name, street address, city, state, ZIP code, and email address
If we become aware that a minor has provided personal data or otherwise used the Toloka Platform in violation of the Privacy Notice, we will take steps to remove that information.
Our Policy on "Do Not Track" Signals under the California Online Protection Act
We do not support Do Not Track (DNT). DNT is a preference you can set in your web browser to inform websites that you do not wish to be tracked. You can enable or disable DNT by visiting the “Preferences” or “Settings” section of your web browser.
Please note that third parties may collect data about you. We cannot control how third parties respond to Do Not Track signals or other similar mechanisms. The collection and use of data by third parties, and their responsiveness to Do Not Track signals, is governed by their respective privacy policies.
B. Privacy Information for Residents of Colorado, Utah, Virginia, and Nevada:
Unless otherwise stated by the law of your state of residence, the provisions in Chapter A “Privacy Information for California Residents” will apply to the processing of your data. If you have questions related to your rights or any other aspects of this Privacy Notice, please contact us using the methods outlined in Section 1.
15. Changes to this Privacy Notice
Toloka may update this Privacy Notice from time to time, at its discretion, but not less than once every 12 months. When changes are made, Toloka will take reasonable steps to notify you about these changes and their effects, using appropriate methods and providing timely notice.
We recommend that you regularly review this Privacy Notice, which is located at the footer of the Website, and always check for updates, especially when becoming aware of any changes. Any updates will be reflected in the revised Privacy Notice and the “last updated” date at the top of this page.
The changes will take effect on the “Date of Effect,” which will be no earlier than the date they are posted on this page.
In the event of discrepancies between the English version of this Privacy Notice and any translations into other languages, the English version will take precedence.
16. Affiliates
TOLOKA AI AG (SWITZERLAND), registration number: CHE - 132.532.069, registered address: Werftestrasse 4, 6005 Luzern, Switzerland
TOLOKA AI, INC. (USA), identification number: 5938185, registered address: 10 State street, Newburyport, MA 01950, United States
TOLOKA D.O.O. BEOGRAD (SRB), registration number: 21804126, registered address: Starine Novaka 23, Sprat 4, Belgrade (Palilula). 11000, Belgrade, Serbia
Toloka AI BV, registration number: 82041350, registered address: Schiphol Boulevard 165, 1118 BG Schiphol, The Netherlands
Previous versions of the document: