For over twenty years, Yandex has served millions of users, working to maintain their trust through our commitment to protecting their privacy and freedom of expression online. Our commitment to users is rooted in Yandex’s wider responsibility to respecting human rights.
helps users understand more about what data we collect, the reasons why we collect data, who has access to that data, and how users can control it.
Reasons we collect user data
At Yandex, it’s our goal to help consumers and businesses better navigate the online and offline world. A large part of that is offering highly personalised services that cater to each individual user.
Users are different, and data such as their preferences, location, and online history is critical to provide them with the best possible services. To that end, our services take into account various types of relevant data to personalise the experience for each user.
For instance, our music streaming service Yandex.Music recommends artists or songs that match individual tastes of every user based on which songs they "liked" and which they skipped, among many other factors. Yandex.Direct serves the ads most relevant to the current interests of each user. Similarly, a user’s search history helps Yandex choose the most relevant search results specifically for that user. Someone who enters [nevermind] in the search bar might be looking for a definition of “nevermind”, while someone else may be searching for the Nirvana album.
Personalising a user’s experience using historical data improves both the current experience and helps Yandex to develop new products and services. And the more data we utilize, the better the experience we can provide to our users.
User data we collect
We collect user data in two main ways – through Yandex profiles that users create and through users’ interactions and activities on Yandex services. Yandex services automatically collect technical information such as cookie files, IP addresses, and geographic location to better understand users' preferences and settings.
Yandex users can sign up for Yandex ID, or profile, in which they manually enter their name, phone number, and other information, such as age, sex, location, and time zone. When users log in to our services or apps, data about their interactions with the service or app is automatically added to their Yandex ID profile.
How we protect our users’ data
Yandex takes data security very seriously and follows rigorous data protection rules to ensure our users’ data is secure and their privacy is protected. All data is processed automatically in our system, and we prohibit access to the data by any individual other than in times of necessity such as for Yandex customer support or other obligatory administrative and technical help. We also always encrypt all stored confidential information, such as passwords.
Our technological infrastructure securely protects the data that we handle. We implemented a secure HTTPS protocol for all Yandex services, meaning all data is encrypted as it moves between the user and Yandex. We also integrated special protection measures where security is particularly important, such as processing online payments according to the international PCI DSS security standard.
Yandex ID provides unified authentication on all Yandex services and is pivotal to ensuring the security of user data. All data on Yandex ID is securely protected, which is confirmed by regular checks and independent auditors. Each year since 2020, Yandex ID is independently audited according to the SSAE 18 standard overseen by the American Institute of Certified Public Accountants (AICPA) and receives a Service Organization Control (SOC) 2 report
certifying that it meets international security standards.
All Yandex services are tested according to the Data Protection Impact Assessment (DPIA) procedure. Compliance specialists look at how user data is handled on each Yandex service and make sure that all processes comply with international standards for information protection and risk management – ISO 27000 and ISO 31000. In order to prevent data leakage, the services regularly undergo mandatory external audits according to AICPA criteria. Any uncovered data breach is publicly disclosed by Yandex and followed by an internal investigation. To ensure that each Yandex employee understands their responsibility when working with data, all Yandex employees take mandatory courses on information security, corporate ethics, and confidential data protection.
Yandex encourages community-based cyber security research to further enhance data protection on its services. Since 2012, the company has been running a vulnerability reward program
, The Yandex Bug Bounty
, that honors external contributors for reporting vulnerabilities in Yandex’s security system. Yandex understands all potential risks associated with vulnerability research, which may involve getting access to sensitive or confidential information. The company ensures that the program participants are protected from litigation and provides them with assistance in case of third-party litigation, so long as they comply with the terms and conditions of the program.
Instances in which we share our users’ data
Protecting user’s data is a priority for Yandex and it’s important for our users to know about the instances in which we share users’ data and why. Yandex does not sell or share user data with third parties but does share necessary data with some partners in order to provide Yandex services; we also share aggregated user data through our web analytics tools, and to satisfy legal requests.
Yandex shares select data with a partner when it’s necessary to operate a service. For instance, Yandex.Taxi works with taxi companies and their drivers require information about a user’s location so that they can pick up the passengers. Similarly, when a user buys concert tickets through our ticketing service, Yandex.Afisha, the venue box office needs the user’s information to be able to deliver the tickets to the user.
Some of our analytics services, such as our web analytics reporting tool Yandex.Radar, provide aggregated statistics on user behavior. However, these services do not receive any personal information on individual users and strictly provide aggregated reporting.
In some cases, Yandex may be required to provide user data by law. Yandex complies with the laws and regulations in areas in which it operates, including legal requests for information. If we receive a formal request for user data, our top priority is to protect users and we first ensure that there is legal ground for the request. If we find that the request is legitimate, we comply with the authorities to provide only the amount of data absolutely necessary to fulfil the request. If we find that the request is without merit, we refuse to fulfil the request and work with respective authorities to ensure strict compliance with the applicable law. Yandex publishes statistical information about requests for user data it receives in its Transparency Report
Among other things, email correspondence of Yandex users can only be accessed on the basis of an official court order related to a particular user as we protect the secrecy of correspondence under Russian law.
How our users can control their data
It’s vital to Yandex to provide our users with information about how they can control and manage their personal data. Users can view the data, including personal information, available to Yandex and its services on Yandex ID and edit or delete part of this information using a data management tool
. They can also change the settings of their personal Yandex account at any point.
Yandex users, as well as all Internet users, have the ability to further control their data through their browser settings by managing their cookies. Yandex.Browser’s Help page
. To submit any concerns about privacy online, please visit the appropriate support page
. You can navigate to the proper form for the relevant service and submit more detailed information about issues in the feedback form.