This privacy policy regarding the collection, processing, and protection of personal data is drawn up in accordance with the requirements of the Law of the Republic of Kazakhstan 'On Personal Data and Their Protection' (hereinafter referred to as the Law on Personal Data) and defines the procedure for processing personal data and the measures taken by Kvadrat architects (hereinafter referred to as the Company) to ensure the security of personal data.

1.1. The Company considers the observance of human and civil rights and freedoms during the processing of personal data, including the protection of the right to privacy, personal and family secrecy, as one of its most important goals and conditions for carrying out its activities.

1.2. This Policy of the Company regarding the processing of personal data (hereinafter referred to as the Policy) applies to all information that the Company may receive about users of the Company's mobile application and website.

2.1. Automated processing of personal data - processing of personal data using computer technology.

2.2. Blocking of personal data – temporary suspension of the processing of personal data (except in cases where processing is necessary to clarify personal data).

2.3. Website - a collection of graphical and informational materials, as well as software for computers, mobile devices, and databases that ensure their accessibility on the Internet for the mobile application and the official website of the Company k-kvadrat.kz.

2.4. Mobile application - software owned by the Company, which holds the rights to it, intended for use on computers, smartphones, tablets, and other mobile (portable, handheld) user devices.

2.5. Information system of personal data - a set of personal data contained in databases and the information technologies and technical means that ensure their processing.

2.6. Depersonalization of personal data - actions that make it impossible to determine, without the use of additional information, whether the personal data belongs to a specific User or another subject of personal data.

2.7. Processing of personal data - any action (operation) or set of actions (operations) performed using automation tools or without using such tools with personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, and destruction of personal data.

2.8. Company - the owner of the Mobile Application and Website where users submit their personal data, responsible for processing the personal data, as well as determining the purposes of processing, the scope of personal data to be processed, and the actions (operations) carried out with personal data.

2.9. Personal data - any information directly or indirectly related to a specific or identifiable User of the Company’s Website and/or Mobile Application.

2.10. Personal data published by the data subject in the Mobile Application and on the Company Website, including those authorized by the subject for distribution, and made available to an unlimited number of persons by giving consent for processing and dissemination, in accordance with the Law on Personal Data (hereinafter referred to as personal data permitted for distribution).

2.11. User - any visitor to the Website or user of the Company’s Mobile Application.

2.12. Provision of personal data - actions aimed at disclosing personal data to a specific person or a specific group of persons.

2.13. Dissemination of personal data - any actions aimed at disclosing personal data to an indefinite number of persons (transfer of personal data) or making personal data available to an indefinite number of persons, including publishing in the media, posting in information and telecommunication networks, or providing access in any other way.

2.14. By accepting the Offer and registering in the Mobile Application and on the Company Website, the User consents to the cross-border transfer of their personal data — the transfer of personal data to the territory of a foreign state to a government authority of a foreign country, foreign individual, or foreign legal entity involved in fulfilling the User’s order.

2.15. Destruction of personal data - any actions resulting in the irreversible destruction of personal data with no possibility of further recovery in the personal data information system and/or the destruction of tangible media containing personal data.

4.3. Persons who provide the Company with inaccurate information about themselves, or information about another personal data subject without that person’s consent, bear liability in accordance with applicable law.

5.1. The processing of personal data shall be carried out on a lawful and fair basis.

5.2. The processing of personal data is limited to the achievement of specific, pre-defined, and lawful purposes. The processing of personal data that is incompatible with the purposes of personal data collection is not permitted.

5.3. It is not allowed to merge databases containing personal data that are processed for purposes that are incompatible with each other.

5.4. Only personal data that meet the purposes of their processing shall be subject to processing.

5.5. The content and volume of processed personal data must correspond to the stated purposes of processing. The processing of personal data that is excessive in relation to the stated purposes is not allowed.

5.6. When processing personal data, accuracy, sufficiency, and, where necessary, relevance to the purposes of processing shall be ensured. The Company takes necessary measures and/or ensures that such measures are taken to delete or clarify incomplete or inaccurate data.

5.7. Personal data must be stored in a form that allows identifying the personal data subject for no longer than required for the purposes of personal data processing, unless a longer storage period is established by federal law or by an agreement to which the personal data subject is a party, beneficiary, or guarantor. The processed personal data must be destroyed or anonymized upon achieving the purposes of processing or if the need to achieve these purposes is lost, unless otherwise provided by applicable law.

Purpose of processing – informing the User by sending emails.

Personal data – any information related to the subject of personal data.

Legal basis – applicable legislation and this Privacy Policy.

Types of personal data processing – collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, transfer (distribution, provision, access), anonymization, blocking, deletion, and destruction of personal data.

7.1. Personal data processing is carried out with the consent of the personal data subject to the processing of their personal data.

7.2. Personal data processing is necessary for the performance of the Company’s functions, powers, and duties imposed by applicable legislation, as well as for the proper operation of the Company’s Website and Mobile Application.

7.3. Personal data processing is necessary for the proper use of the Mobile Application and Website by the user, administration of justice, enforcement of a judicial act or an act of another authority or official subject to execution in accordance with applicable legislation.

7.4. Personal data processing is necessary for the execution of a contract to which the personal data subject is a party, beneficiary, or guarantor, as well as for entering into a contract at the request of the personal data subject or a contract under which they will be a beneficiary or guarantor.

7.5. Personal data processing is necessary for the realization of the rights and legitimate interests of the Company or third parties or for achieving socially significant objectives, provided this does not violate the rights and freedoms of the personal data subject.

7.6. Processing is carried out for personal data to which the data subject has granted access to an unlimited number of persons or at the data subject’s request (hereinafter referred to as publicly available personal data).

7.7. Processing is carried out for personal data that must be published or disclosed in accordance with applicable legislation.

The security of personal data processed by the Company is ensured through the implementation of legal, organizational, and technical measures necessary to fully comply with applicable personal data protection legislation.

8.1. The Company ensures the safety of personal data and takes all possible measures to prevent unauthorized access to personal data.

8.2. The User's personal data will never, under any circumstances, be transferred to third parties, except in cases related to the fulfillment of legal obligations or if the personal data subject has given consent to the Company to transfer the data to a third party for the purpose of fulfilling obligations under a civil law contract.

8.3. If inaccuracies are found in the personal data, the User may update them independently by sending a notification to the Company’s email address with the subject 'Personal Data Update'.

8.4. The period of personal data processing is determined by the achievement of the purposes for which the personal data was collected, unless otherwise specified by this Policy, a contract, or applicable law.

The User may withdraw their consent to the processing of personal data at any time by sending a notification to the Company via email with the subject 'Withdrawal of Consent to Personal Data Processing'; in this case, the Company reserves the right to revoke the User's access to the Website and/or the Mobile Application.

8.5. All information collected by third-party services, including payment systems, communication services, and other service providers, is stored and processed by such entities (Companies) in accordance with their User Agreement and Privacy Policy. The personal data subject should familiarize themselves with such documents.

The Company is not responsible for the actions or inactions of third parties, including the service providers mentioned in this section, including in cases of unauthorized actions by third parties such as hacking or database copying.

8.6. Restrictions established by the personal data subject on the transfer (except access provision), as well as on processing or processing conditions (except access) of personal data permitted for dissemination, do not apply in cases of personal data processing in the public interest as defined by applicable legislation.

8.7. The Company ensures the confidentiality of personal data during processing.

8.8. The Company stores personal data in a form that allows identification of the personal data subject for no longer than is required for the purposes of processing, unless a longer storage period is established by applicable legislation or a contract to which the personal data subject is a party, beneficiary, or guarantor.

8.9. Grounds for termination of personal data processing may include the achievement of the purposes of processing, expiration of the subject’s consent, withdrawal of consent by the personal data subject, a request to cease processing, provision of false information by the subject, or detection of unlawful personal data processing.

9.1. The Company carries out the collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, transfer (distribution, provision, access), anonymization, blocking, deletion, and destruction of personal data.

9.2. The Company performs automated processing of personal data with the receipt and/or transmission of the obtained information via information and telecommunication networks or without such transmission.

10.1. Prior to initiating activities involving the cross-border transfer of personal data, the Company is obliged to notify the authorized body for the protection of personal data subjects' rights of its intention to carry out such transfer (this notification is submitted separately from the notification of the intention to process personal data).

10.2. Before submitting the aforementioned notification, the Company must obtain appropriate guarantees from the authorities of the foreign state, foreign individuals, or foreign legal entities to whom the cross-border transfer of personal data is intended, regarding the protection and security of the transferred data.

The Company and other parties who have gained access to personal data are obliged not to disclose or distribute such personal data to third parties without the consent of the personal data subject, unless otherwise provided by applicable law.

12.1. The User can obtain any clarifications regarding the processing of their personal data by contacting the Company via email.

12.2. This document will reflect any changes to the personal data processing policy by the Company. The policy is valid indefinitely until replaced by a new version.

12.3. The current version of the Policy is freely available on the Internet at the following address k-kvadrat.kz.