Last updated: Nov 1, 2025 · Version history maintained

Privacy Policy

Describes how IEC collects, processes, stores and transfers personal data of members, visitors and counterparties.

Jurisdiction / Legal Basis: Russian Federation (152-FZ) · EU/EEA (GDPR) · International
Presented at: Account registration, KYC onboarding, public footer

1. Identity of the Data Controller

International Energy Club LLC (hereinafter 'IEC', 'we', 'us'), registered in the Russian Federation (OGRN 1197746XXXXXX), 123112 Moscow, Presnenskaya nab. 12, is the data controller in respect of personal data processed through the internationalenergyclub.org platform. For EU residents, IEC acts as controller under Article 4(7) of Regulation (EU) 2016/679 (GDPR). For Russian residents, IEC is the operator of personal data under Federal Law No. 152-FZ 'On Personal Data' (as amended through 2023). A Data Protection Officer (DPO) has been appointed and may be reached at dpo@internationalenergyclub.org or by post to the registered address marked 'Attention: DPO'.

2. Categories of Personal Data Collected

We collect:

  • (a) Identity data — full legal name, date of birth, nationality, passport or national ID number
  • (b) Contact data — business email address, phone number, LinkedIn profile URL
  • (c) Professional data — employer, job title, seniority level, industry focus, geographic region
  • (d) Verification data — KYC/KYB documents uploaded during onboarding (passport copy, proof of address, corporate registry extracts)
  • (e) Transaction data — subscription payments, marketplace deal participation, data access logs
  • (f) Technical data — IP address, device fingerprint, browser type, session tokens, access timestamps
  • (g) Communication data — messages sent via the platform's encrypted messaging layer, deal room document access logs
  • (h) Preference data — language setting, notification preferences, matchmaking interest tags

3. Lawful Bases for Processing

We rely on the following lawful bases:

  • (a) Contract performance (Article 6(1)(b) GDPR / Art. 6(1) 152-FZ) — processing your name, email, professional profile and payment data is necessary to provide the membership services described in the Membership Agreement
  • (b) Legal obligation (Article 6(1)(c) GDPR / Art. 22(2) 152-FZ) — we are required to verify member identities under AML/CFT obligations and to retain certain data for statutory periods
  • (c) Legitimate interests (Article 6(1)(f) GDPR) — we process technical and usage data to secure the platform, prevent fraud and improve service quality
  • (d) Consent (Article 6(1)(a) GDPR) — we rely on your consent for marketing communications and non-essential cookies. You may withdraw consent at any time without affecting the lawfulness of prior processing.

4. Data Residency and Cross-Border Transfers

To comply with Article 18 of Federal Law 152-FZ, personal data of Russian citizens is stored and primarily processed on servers physically located in the Russian Federation (Moscow data centre operated by our certified hosting partner). Cross-border transfers to non-Russian jurisdictions occur only where:

  • (a) the destination country provides an adequate level of protection as determined by Roskomnadzor, or
  • (b) we have executed Standard Contractual Clauses (SCCs) approved under GDPR, or
  • (c) you have provided explicit consent.

Prior to any cross-border transfer we record the transfer in our Article 30 Record of Processing Activities and notify Roskomnadzor as required by Art. 12 152-FZ. Transfers to our EU data centre (Frankfurt, Germany) for serving EU members are governed by GDPR SCCs (Commission Implementing Decision 2021/914).

5. Data Subject Rights

Under GDPR you have the right to:

  • (a) Access — request a copy of your personal data within 30 days
  • (b) Rectification — correct inaccurate data
  • (c) Erasure ('right to be forgotten') — request deletion where there is no overriding legal basis for continued processing
  • (d) Restriction — ask us to pause processing pending a dispute
  • (e) Data portability — receive your profile data in a machine-readable format (JSON/CSV)
  • (f) Object — object to processing based on legitimate interests
  • (g) Withdraw consent — for any consent-based processing at any time

Under 152-FZ you have equivalent rights as provided in Articles 14–17 of that law. To exercise any right, submit a written request to dpo@internationalenergyclub.org. We will respond within 30 calendar days (GDPR) or 10 business days (152-FZ), as applicable. Identity verification may be required before fulfilling a request.

6. Retention Periods

We retain personal data only for as long as necessary for the stated purpose:

  • (a) Active member profile data — for the duration of membership plus 3 years after termination
  • (b) KYC/AML documentation — 5 years after the end of the business relationship (per FATF Recommendation 11 and Russian Federal Law No. 115-FZ on AML)
  • (c) Transaction and payment records — 7 years for accounting purposes
  • (d) Security logs — 12 months on a rolling basis
  • (e) Consent records — 3 years from the date of the last interaction

Upon expiry of the applicable retention period, data is securely deleted or anonymised in accordance with our Data Deletion Standard.

7. Subprocessors

We engage third-party subprocessors to deliver the platform. All subprocessors are bound by data processing agreements (DPAs) containing GDPR-compliant clauses. A current list of subprocessors is maintained at /legal/subprocessors and is updated within 30 days of any change. Key categories of subprocessors include: cloud infrastructure providers (data centres in Russia and EU), email delivery services, identity verification APIs, payment processors, and analytics providers. We conduct due diligence on subprocessors' security certifications (ISO 27001 or equivalent) before engagement.

8. Security Measures

We implement technical and organisational measures appropriate to the risk, including: AES-256 encryption at rest, TLS 1.3 in transit, zero-trust network architecture with role-based access controls, regular penetration testing (minimum annually by an accredited third party), SOC 2 Type II audit programme, hardware security modules for key management, and multi-factor authentication enforced for all administrative accounts. In the event of a data breach likely to result in a risk to rights and freedoms, we will notify the competent supervisory authority (Roskomnadzor / relevant EU DPA) within 72 hours and affected individuals without undue delay, as required by applicable law.

9. Cookies and Tracking

Our use of cookies and similar tracking technologies is described in detail in our separate Cookie Policy. We use strictly necessary cookies (no consent required), analytics cookies (Yandex.Metrica — consent required for Russian visitors; consent required under ePrivacy for EU visitors), and optional marketing cookies. You may manage your preferences at any time via the Cookie Preferences Centre accessible from any page footer.

10. Contact and Complaints

Data protection enquiries: dpo@internationalenergyclub.org. If you are dissatisfied with our response, you may lodge a complaint with your national supervisory authority. For Russian residents: Roskomnadzor (rkn.gov.ru). For EU/EEA residents: the competent data protection authority in your member state (full list at edpb.europa.eu). For UK residents: the Information Commissioner's Office (ico.org.uk).

Document versioning and re-acceptance

This document was last updated on Nov 1, 2025. IEC maintains a versioned archive of all prior versions. Where a material change affects the rights or obligations of existing members, affected members are notified by email at least 14 days before the change takes effect. Continued use of the platform after the effective date constitutes acceptance of the updated terms. To request a prior version, contact legal@internationalenergyclub.org.