1) General Provisions
1.1. This Policy defines the procedures and conditions for processing personal data of authors, reviewers, readers, and other users of the resources of the journal “Neftepererabotka i Neftekhimiya” (hereinafter referred to as the Journal).
1.2. Personal Data Operator: LLC “New Technologies Watch Center”, OGRN 1197746717937, INN 7724495400, address: 121205, Moscow, internal territory of Mozhaysky municipal district, territory of Skolkovo Innovation Center, Bolshoy Boulevard, 42, building 1, e-mail for data subject requests: info@ntwc.ru. The Operator appoints a person responsible for organizing the processing of personal data.
1.3. Personal data processing is carried out in accordance with Federal Law dated 27.07.2006 No. 152-FZ “On Personal Data” and requirements for localization of databases of Russian citizens (including relevant 2025 amendments).
1.4. If the data subject is located in the EEA, the Journal additionally complies with GDPR requirements (in particular, lawful bases, transparency, international transfers).

2) Categories of Data Subjects and Composition of Processed Data
2.1. Authors: Full names, academic degrees and positions, organization/affiliation, ORCID/ResearcherID, contact details (e-mail, phone), postal address (for copies/contracts), information on funding and conflicts of interest, manuscript metadata.
2.2. Reviewers: Full names, academic degrees/positions, affiliation, contact details, areas of expertise, history of reviews and recommendations.
2.3. Readers/site users: subscriptions/notifications, interaction history with materials.
2.4. Special categories of data (biometric, “sensitive” data) are not requested or processed by the Journal. If inadvertently received, they are immediately deleted/blocked.

3) Purposes and Legal Grounds for Processing
3.1. Editorial process: reception, double-blind reviewing, scientific and technical editing, contracting, publication, DOI assignment, indexing. Grounds: execution of contract/offer with the author; exercise of Operator’s rights and legitimate interests while respecting data subject rights; consent where required.
3.2. Communications and mailings: manuscript notifications and service messages; informational mailings based on consent with right to withdraw.
3.3. For EEA data subjects — lawful bases under Art. 6: contract execution, legitimate interest, consent, legal obligation (as relevant).

4) Principles of Processing
Lawfulness, fairness, data minimization, purpose and time limitation, accuracy and relevance, security, and Operator’s responsibility.

5) Transfer to Third Parties and Delegation of Processing
5.1. The Journal may delegate data processing to processors (hosting provider, manuscript submission/review system, mailing/notification services, call/email center) under contracts with confidentiality and security obligations.
5.2. Reviewer data are not disclosed to authors (blind review preserved), except with explicit consent or legal/court requirements.

6) Cross-Border Transfers
6.1. Initial collection/registration of personal data of Russian citizens takes place in databases located in Russia (localization). Additional cross-border transfers are permitted only under restrictions and notification/approval by Roskomnadzor, including new 2025 requirements (up to prohibition).
6.2. When services outside Russia are involved (e.g., publishing platforms, mailings, cloud services), the Operator submits notice to Roskomnadzor before transfer and applies contractual/technical guarantees.

7) Storage Periods
Manuscripts, reviews, correspondence for accepted articles — at least 10 years after publication; publication metadata — indefinitely (for scientific integrity and archival).
Materials for rejected manuscripts — 5 years from decision date (for dispute resolution).
Reviewer accounts — 3 years from last activity (followed by anonymization of key metrics).
Event logs — 12–24 months (unless security requirements specify otherwise).
Subscription data — until consent withdrawal/unsubscription, with addresses possibly stored on a “stop-list” to prevent repeated mailings on subject’s request.
Periods may be changed if required by law or court.

8) Cookies, Web Analytics, and Identifiers
8.1. The Journal uses necessary cookies (session, authentication) and, with user consent, analytic/marketing cookies.
8.2. When using third-party analytics services, the Operator ensures localization/proxy storage or complies with cross-border data transfer regulations, notifying Roskomnadzor.

9) Personal Data Protection Measures
Organizational and technical measures include threat modeling and information system security levels, access control, encryption during transmission and storage, backup, logging and monitoring, NDA with staff and processors, training, regular inspections and audits.

10) Rights of Data Subjects and Their Exercise
Data subjects have the right to access information about processing, request correction, blocking, or deletion, withdraw consent, and challenge Operator actions. Requests are sent to the Operator’s address; response time is up to 30 days (unless otherwise required by law). Changes in processing conditions are subject to Roskomnadzor notification where required.

11) Roskomnadzor Notification
The Operator submits notification of personal data processing before starting processing and maintains registry information up to date; failure or late updates are liable.

12) Automated Decisions and Profiling
The Journal does not make legally significant decisions solely based on automated processing of personal data without human involvement.

13) Policy Updates
This Policy is reviewed when processing procedures, technologies, or legislation change. The current version is published on the website www.npnh.ru.