Mobile application version · Русская версия
Effective from 18 May 2026, version 2.0. Cheboksary. This document describes the processing of personal data on the website online.chuvsu.ru and related web services of the University.
1.1. The data controller is the Federal State Budgetary Educational Institution of Higher Education «I.N. Ulianov Chuvash State University» (hereinafter – the University, the Controller).
1.2. Registered and operating address: 15 Moskovsky Avenue, Cheboksary, Chuvash Republic, 428015, Russian Federation. Founder: Ministry of Science and Higher Education of the Russian Federation. The University was established on 1 September 1967. Educational activities are carried out under licence No. 2276 of 19 July 2016.
1.3. University contacts:
1.4. Legal grounds for the processing of personal data:
1.5. This version of the Policy applies to the website
online.chuvsu.ru and its subdomains hosting University services intended for
students and employees.
1.6. By using the website, the user confirms that they have read this Policy. Consent to the use of analytical cookies, and to the storage of passwords for external systems in the personal Credential Vault (see clause 3.5), is given by a separate explicit action in the website interface and may be withdrawn at any time.
akey.chuvsu.ru and based on the Keycloak platform (OpenID Connect /
OAuth 2.0).HttpOnly, Secure
flags).When the user signs in through the corporate authentication system, the website receives the following information:
sub);
Sensitive items (surname, first name, patronymic, email address, grade book number) are stored
in the website database in encrypted form using the Crypt::encryptString mechanism
provided by the Laravel framework.
User-Agent field);RequestId), timestamp;HttpOnly, Secure,
SameSite=Lax flags (kc_access, kc_refresh,
kc_id_token);firebase-messaging-sw.js service worker.
The website server keeps request and error logs in files named
storage/logs/single_DD_MM_YYYY.log. Logs may record the user identifier, login,
IP address, request route and the context of the encountered error. The following items are
automatically removed prior to writing:
Authorization, Cookie,
Set-Cookie);password, token,
secret, key, auth;img.chuvsu.online via the Thumbor proxy);portald.chuvsu.ru service.
The user may voluntarily store, in the Credential Vault, the accounts (login and password) for
external information systems of the University – the rating module (brs.chuvsu.ru),
the student personal cabinet (lk.chuvsu.ru) and others. Saving an account is
activated by an explicit user action.
The Vault is implemented according to architectural decision ADR-007 and provides two-tier encryption:
The PIN code is neither stored nor transmitted to the University server in clear form. Without the PIN code, neither the website administration nor automated processes can access the contents of the Vault. Anti-brute-force protection: no more than 5 unsuccessful PIN attempts, after which the Vault is locked for 80 minutes.
The user is entitled to delete any stored account or the entire Vault at any time. Loss of the PIN code does not allow the recovery of stored passwords – the user must re-enter them.
The website queries external information systems of the University (rating module, student personal cabinet, timetable, learning portal, certificates portal) and caches the obtained data to improve performance:
Cached sensitive data (the contents of the student profile, identifiers, study results) is stored in encrypted form in a Redis key-value store deployed within the University infrastructure. The website is not the original source of this data; the original source is the corresponding University information system.
tt.chuvsu.ru);lk.chuvsu.ru);portald.chuvsu.ru);bitrix24.chuvsu.ru);
the contents of requests and the user information required to handle the request are
transferred to that system.
Information about students' scientific achievements, participation in the student scientific
society and related documents is stored in a separate database db-module-sno.
Its contents (student name, faculty, date of achievement, link to the confirming document)
are stored in encrypted form using a PKCS#12 certificate (RSA algorithm). Access to that
database is granted to a limited number of University officials responsible for scientific
work.
| Category | Purpose | Lifetime | Requires consent |
|---|---|---|---|
Strictly necessary (kc_access, kc_refresh,
kc_id_token, Laravel session cookie, CSRF token) |
Maintaining the login session, protection against request forgery | Until the session ends or the token expires | No (required for the website to function) |
| Functional (selected language, theme, preferred subgroup) | Storing user preferences | Until explicitly changed by the user | No (set by user action) |
| Analytical (Yandex Metrica – counter No. 87481519, Mail.ru – counter No. 3607308) | Anonymous collection of visit statistics and on-site behaviour | As determined by the Yandex Metrica and Mail.ru services | Enabled only in the production environment |
| Anti-bot (Yandex SmartCaptcha, Google reCAPTCHA) | Protection against automated requests on login and password recovery forms | Until the session ends | Enabled only when accessing a protected form |
Advertising cookies are not used. The website does not perform automated profiling that produces legal effects concerning the user.
The user may refuse analytical cookies by means of the browser's standard privacy settings or by using blocker extensions. Refusal does not affect access to the website's functions.
Storage of a password for an external University information system in the Credential Vault (clause 3.5) is performed only upon the user's explicit confirmation and entry of the Vault PIN. The user can delete a stored account at any time in the «Settings → Credential Vault» section.
Requested separately by the browser at the time of the first notification attempt. May be withdrawn at any time through the browser settings; the website remains functional except for notifications themselves.
| Service | Purpose | Data transferred |
|---|---|---|
akey.chuvsu.ru – «ChuvSU Key» SSO (Keycloak) |
User authentication, issuance and refresh of tokens | Login, password (entered directly on the Keycloak page, not passed through the website), session identifier |
brs.chuvsu.ru – point-rating system |
Retrieval of grades, attendance, session results | Student identifier; credentials (only if the user voluntarily uses the Credential Vault, see clause 3.5) |
lk.chuvsu.ru – student personal cabinet / portfolio |
Retrieval of profile, achievements, portfolio, photograph | Student identifier; credentials (only if the user voluntarily uses the Credential Vault) |
tt.chuvsu.ru – timetable system |
Retrieval of the class timetable and its changes | Group identifier, student identifier |
study.chuvsu.ru – learning portal |
Retrieval of academic information | Student identifier |
portald.chuvsu.ru – certificates request portal |
Submission and processing of certificate requests | Student identifier, certificate type, contact information |
img.chuvsu.online – Thumbor (image processing) |
Preparation of avatar thumbnails | User identifier in the image source, source URL |
bitrix24.chuvsu.ru – corporate support system |
Registration and handling of technical support requests | User identifier and contact details, request text, attached files |
bugtracker.chuvsu.online – error registration system |
Diagnosis and resolution of software errors | Error message, occurrence context. Sensitive headers are removed before sending;
the send_default_pii setting is disabled |
| Service | Purpose | Data transferred |
|---|---|---|
| Yandex LLC – Yandex Metrica counter No. 87481519 | Anonymous audience measurement | Technical visit information and page navigation |
| VK LLC (Mail.ru service) – counter No. 3607308 | Anonymous audience measurement | Technical visit information and page navigation |
The above counters are enabled only in the production environment and do not receive the information listed in clauses 3.1, 3.5–3.8.
| Service | Purpose | When activated |
|---|---|---|
| Yandex SmartCaptcha (Yandex LLC) | Protection against automated requests on login and password recovery forms | When accessing a protected form (if enabled in the website configuration) |
| Google reCAPTCHA (Google LLC) | Protection against automated requests on password recovery forms of legacy API versions | When accessing the corresponding forms |
Within the operation of anti-bot services, third parties receive a technical browser response (CAPTCHA token) and IP information. Items listed in clauses 3.1, 3.4–3.8 are not transferred to these services.
The website acts as a source of push notifications delivered to user mobile devices and browsers. Technical delivery is performed by the following processors:
The delivery service receives a technical device token and the notification payload (title, text, identifier of the related object). The user identifier and items listed in clauses 3.1, 3.5–3.8 are not transferred to the delivery service.
Email delivery is performed via Yandex LLC (Yandex Mail for Business, corporate SMTP). The data transferred is limited to the notification text and the recipient's address.
Google services (Firebase Cloud Messaging for web PWA and for delivery to devices with Google services; Google reCAPTCHA) process the technical identifiers and events transmitted to them on servers located outside the Russian Federation. The transfer is performed on the basis of the user's consent to push notifications and is subject to notification of the authorised body for the protection of the rights of personal data subjects in accordance with Article 12 of Federal Law No. 152-FZ. The data transferred abroad is limited to the technical device token and the notification payload; the personal data listed in clauses 3.1, 3.5–3.8 is not transferred to those services.
The website may embed public materials of the official communities of the University on the social network VKontakte (video records, announcements). These materials are loaded from the public API of the social network using the University community identifier and do not entail identification of the user by the social network. VKontakte is not used as an identity provider.
The website's databases and cache are hosted in the University's infrastructure within the territory of the Russian Federation. Account and academic process information is retained for the period established by University internal regulations on the retention of administrative and educational documentation, in line with GOST R 7.0.97-2016 and the regulations of the Ministry of Science and Higher Education of the Russian Federation.
Indicative periods for technical categories:
In accordance with Articles 14, 18.1, 20 and 21 of Federal Law No. 152-FZ the user has the right:
7.1. To obtain information about the processing of their personal data, including:
7.2. To request clarification, blocking or destruction of personal data where such data is incomplete, outdated, inaccurate, obtained unlawfully or no longer necessary for the declared purpose of processing.
7.3. To withdraw consent to processing. Withdrawal of consent in relation to personal data whose processing is necessary for the performance of the education contract or for purposes expressly provided for by law may result in the impossibility of performance of the corresponding obligations by the Controller.
7.4. To refuse analytical cookies by means of the browser's standard settings (clause 4.2); this action does not affect access to the website's main functions.
7.5. To delete, in full or in part, credentials stored in the Credential Vault (clause 3.5) at any time through the website interface.
7.6. To request the deletion of the account and the related personal data in accordance with the University's internal regulations. The request is sent to online@chuvsu.ru; the response time is no more than 30 calendar days.
7.7. To receive a copy of the processed data in a structured, machine-readable format (the right to data portability). The request is sent to the support address and is executed to the extent technically feasible on the website side.
7.8. To appeal against the actions or inaction of the Controller to the authorised body for the protection of the rights of personal data subjects (Roskomnadzor) or through the courts.
8.1. All communication between the user's browser and the University servers is performed over HTTPS (TLS).
8.2. Passwords of the «ChuvSU Key» SSO accounts are stored in Keycloak as a hash that does not allow recovery of the original password.
8.3. Sensitive items in the website database (surname, first name, patronymic, email address, grade book number) are stored in encrypted form. The cached student profile in Redis (clause 3.6) is encrypted. The Credential Vault contents (clause 3.5) are encrypted using the user's PIN under the AES-256 + PBKDF2 scheme (ADR-007). Scientific achievements information (clause 3.8) is encrypted using a PKCS#12 certificate.
8.4. Access to the administrative section of the website is granted to a limited number of University officials on a least-privilege basis and is performed through the «ChuvSU Key» SSO using roles assigned by the University.
8.5. Request and error logs (clause 3.3) undergo automatic stripping of
sensitive headers and parameters before being recorded. Transfer to the error registration
system (bugtracker.chuvsu.online) is performed with the
send_default_pii setting disabled.
8.6. Upon detection of an incident involving a breach of confidentiality, integrity or availability of personal data, the Controller notifies the authorised body in the manner and within the time frame established by Article 21 of Federal Law No. 152-FZ.
The website is intended for students, employees and other persons whose relationship with the University is confirmed in the account system. Consent to the processing of personal data of persons under the age of 14 is given by their legal representatives.
10.1. The University reserves the right to amend this Policy. A new version becomes effective upon its publication at online.chuvsu.ru/doc/privacy_policy.
10.2. The version history is maintained in the University's documentation repository. Material changes affecting the categories of processed data or the list of third parties are accompanied by information to users through the website interface.