Privacy policy
1. General Provisions
This privacy policy regarding the collection, processing, and protection of personal data is drawn up in accordance with the requirements of the Law of the Republic of Kazakhstan 'On Personal Data and Their Protection' (hereinafter referred to as the Law on Personal Data) and defines the procedure for processing personal data and the measures taken by Kvadrat architects (hereinafter referred to as the Company) to ensure the security of personal data.
1.1. The Company considers the observance of human and civil rights and freedoms during the processing of personal data, including the protection of the right to privacy, personal and family secrecy, as one of its most important goals and conditions for carrying out its activities.
1.2. This Policy of the Company regarding the processing of personal data (hereinafter referred to as the Policy) applies to all information that the Company may receive about users of the Company's mobile application and website.
2. Key Terms Used in the Policy
2.1. Automated processing of personal data - processing of personal data using computer technology.
2.2. Blocking of personal data – temporary suspension of the processing of personal data (except in cases where processing is necessary to clarify personal data).
2.3. Website - a collection of graphical and informational materials, as well as software for computers, mobile devices, and databases that ensure their accessibility on the Internet for the mobile application and the official website of the Company k-kvadrat.kz.
2.4. Mobile application - software owned by the Company, which holds the rights to it, intended for use on computers, smartphones, tablets, and other mobile (portable, handheld) user devices.
2.5. Information system of personal data - a set of personal data contained in databases and the information technologies and technical means that ensure their processing.
2.6. Depersonalization of personal data - actions that make it impossible to determine, without the use of additional information, whether the personal data belongs to a specific User or another subject of personal data.
2.7. Processing of personal data - any action (operation) or set of actions (operations) performed using automation tools or without using such tools with personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, and destruction of personal data.
2.8. Company - the owner of the Mobile Application and Website where users submit their personal data, responsible for processing the personal data, as well as determining the purposes of processing, the scope of personal data to be processed, and the actions (operations) carried out with personal data.
2.9. Personal data - any information directly or indirectly related to a specific or identifiable User of the Company’s Website and/or Mobile Application.
2.10. Personal data published by the data subject in the Mobile Application and on the Company Website, including those authorized by the subject for distribution, and made available to an unlimited number of persons by giving consent for processing and dissemination, in accordance with the Law on Personal Data (hereinafter referred to as personal data permitted for distribution).
2.11. User - any visitor to the Website or user of the Company’s Mobile Application.
2.12. Provision of personal data - actions aimed at disclosing personal data to a specific person or a specific group of persons.
2.13. Dissemination of personal data - any actions aimed at disclosing personal data to an indefinite number of persons (transfer of personal data) or making personal data available to an indefinite number of persons, including publishing in the media, posting in information and telecommunication networks, or providing access in any other way.
2.14. By accepting the Offer and registering in the Mobile Application and on the Company Website, the User consents to the cross-border transfer of their personal data — the transfer of personal data to the territory of a foreign state to a government authority of a foreign country, foreign individual, or foreign legal entity involved in fulfilling the User’s order.
2.15. Destruction of personal data - any actions resulting in the irreversible destruction of personal data with no possibility of further recovery in the personal data information system and/or the destruction of tangible media containing personal data.
3. Main Rights and Obligations of the Company
3.1. The Company has the right to:
— receive accurate information and/or documents containing personal data from the subject of personal data;
— in the event of the withdrawal of consent by the subject of personal data for the processing of their personal data, or if the subject sends a request to stop processing, the Company has the right to continue processing without the subject's consent if there are legal grounds as specified by the Law on Personal Data;
— independently determine the scope and list of measures necessary and sufficient to fulfill the obligations stipulated by the Law on Personal Data and related regulations, unless otherwise provided by the Law on Personal Data or other legal acts.
3.2. The Company is obliged to:
— provide the subject of personal data, upon request, with information concerning the processing of their personal data;
— organize the processing of personal data in accordance with current legislation;
— respond to requests and inquiries from personal data subjects and their legal representatives in accordance with the requirements of the Law on Personal Data;
— provide the authorized body for the protection of personal data subjects’ rights with the necessary information within 10 days of receiving such a request;
— publish or otherwise provide unrestricted access to this Policy regarding the processing of personal data;
— take legal, organizational, and technical measures to protect personal data from unauthorized or accidental access, destruction, alteration, blocking, copying, provision, dissemination, and from other unlawful actions;
— cease the transfer (distribution, provision, access) of personal data, stop processing, and destroy personal data in accordance with the procedures and cases stipulated by the Law on Personal Data;
— fulfill other obligations provided by the Law on Personal Data.
4. Main Rights and Obligations of Personal Data Subjects
4.1. Personal data subjects have the right to:
— receive information regarding the processing of their personal data, except in cases provided for by applicable law. The information must be provided by the Company in an accessible form and must not contain personal data relating to other subjects, unless there are legal grounds for disclosing such data. The list of information and the procedure for obtaining it are established by the Law on Personal Data;
— request that the Company clarify, block, or delete their personal data if it is incomplete, outdated, inaccurate, unlawfully obtained, or not necessary for the stated purpose of processing, as well as to take measures provided by law to protect their rights;
— make the processing of personal data for the purpose of promoting goods, works, and services on the market subject to prior consent;
— withdraw consent to the processing of personal data and/or send a request to stop processing their personal data;
— appeal to the authorized body for the protection of the rights of personal data subjects or to the courts against unlawful actions or inaction by the Company in the processing of their personal data;
— exercise other rights provided by applicable law.
4.2. Personal data subjects are obliged to:
— provide the Company with accurate information about themselves;
— promptly notify the Company of any clarification (update, modification) of their personal data.
4.3. Persons who provide the Company with inaccurate information about themselves, or information about another personal data subject without that person’s consent, bear liability in accordance with applicable law.
5. Principles of Personal Data Processing
5.1. The processing of personal data shall be carried out on a lawful and fair basis.
5.2. The processing of personal data is limited to the achievement of specific, pre-defined, and lawful purposes. The processing of personal data that is incompatible with the purposes of personal data collection is not permitted.
5.3. It is not allowed to merge databases containing personal data that are processed for purposes that are incompatible with each other.
5.4. Only personal data that meet the purposes of their processing shall be subject to processing.
5.5. The content and volume of processed personal data must correspond to the stated purposes of processing. The processing of personal data that is excessive in relation to the stated purposes is not allowed.
5.6. When processing personal data, accuracy, sufficiency, and, where necessary, relevance to the purposes of processing shall be ensured. The Company takes necessary measures and/or ensures that such measures are taken to delete or clarify incomplete or inaccurate data.
5.7. Personal data must be stored in a form that allows identifying the personal data subject for no longer than required for the purposes of personal data processing, unless a longer storage period is established by federal law or by an agreement to which the personal data subject is a party, beneficiary, or guarantor. The processed personal data must be destroyed or anonymized upon achieving the purposes of processing or if the need to achieve these purposes is lost, unless otherwise provided by applicable law.
6. Purposes of Personal Data Processing
Purpose of processing – informing the User by sending emails.
Personal data – any information related to the subject of personal data.
Legal basis – applicable legislation and this Privacy Policy.
Types of personal data processing – collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, transfer (distribution, provision, access), anonymization, blocking, deletion, and destruction of personal data.
7. Conditions for Personal Data Processing
7.1. Personal data processing is carried out with the consent of the personal data subject to the processing of their personal data.
7.2. Personal data processing is necessary for the performance of the Company’s functions, powers, and duties imposed by applicable legislation, as well as for the proper operation of the Company’s Website and Mobile Application.
7.3. Personal data processing is necessary for the proper use of the Mobile Application and Website by the user, administration of justice, enforcement of a judicial act or an act of another authority or official subject to execution in accordance with applicable legislation.
7.4. Personal data processing is necessary for the execution of a contract to which the personal data subject is a party, beneficiary, or guarantor, as well as for entering into a contract at the request of the personal data subject or a contract under which they will be a beneficiary or guarantor.
7.5. Personal data processing is necessary for the realization of the rights and legitimate interests of the Company or third parties or for achieving socially significant objectives, provided this does not violate the rights and freedoms of the personal data subject.
7.6. Processing is carried out for personal data to which the data subject has granted access to an unlimited number of persons or at the data subject’s request (hereinafter referred to as publicly available personal data).
7.7. Processing is carried out for personal data that must be published or disclosed in accordance with applicable legislation.
8. Procedure for the Collection, Storage, Transfer, and Other Types of Personal Data Processing
The security of personal data processed by the Company is ensured through the implementation of legal, organizational, and technical measures necessary to fully comply with applicable personal data protection legislation.
8.1. The Company ensures the safety of personal data and takes all possible measures to prevent unauthorized access to personal data.
8.2. The User's personal data will never, under any circumstances, be transferred to third parties, except in cases related to the fulfillment of legal obligations or if the personal data subject has given consent to the Company to transfer the data to a third party for the purpose of fulfilling obligations under a civil law contract.
8.3. If inaccuracies are found in the personal data, the User may update them independently by sending a notification to the Company’s email address with the subject 'Personal Data Update'.
8.4. The period of personal data processing is determined by the achievement of the purposes for which the personal data was collected, unless otherwise specified by this Policy, a contract, or applicable law.
The User may withdraw their consent to the processing of personal data at any time by sending a notification to the Company via email with the subject 'Withdrawal of Consent to Personal Data Processing'; in this case, the Company reserves the right to revoke the User's access to the Website and/or the Mobile Application.
8.5. All information collected by third-party services, including payment systems, communication services, and other service providers, is stored and processed by such entities (Companies) in accordance with their User Agreement and Privacy Policy. The personal data subject should familiarize themselves with such documents.
The Company is not responsible for the actions or inactions of third parties, including the service providers mentioned in this section, including in cases of unauthorized actions by third parties such as hacking or database copying.
8.6. Restrictions established by the personal data subject on the transfer (except access provision), as well as on processing or processing conditions (except access) of personal data permitted for dissemination, do not apply in cases of personal data processing in the public interest as defined by applicable legislation.
8.7. The Company ensures the confidentiality of personal data during processing.
8.8. The Company stores personal data in a form that allows identification of the personal data subject for no longer than is required for the purposes of processing, unless a longer storage period is established by applicable legislation or a contract to which the personal data subject is a party, beneficiary, or guarantor.
8.9. Grounds for termination of personal data processing may include the achievement of the purposes of processing, expiration of the subject’s consent, withdrawal of consent by the personal data subject, a request to cease processing, provision of false information by the subject, or detection of unlawful personal data processing.
9. List of Actions Performed by the Company with Collected Personal Data
9.1. The Company carries out the collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, transfer (distribution, provision, access), anonymization, blocking, deletion, and destruction of personal data.
9.2. The Company performs automated processing of personal data with the receipt and/or transmission of the obtained information via information and telecommunication networks or without such transmission.
10. Cross-Border Transfer of Personal Data
10.1. Prior to initiating activities involving the cross-border transfer of personal data, the Company is obliged to notify the authorized body for the protection of personal data subjects' rights of its intention to carry out such transfer (this notification is submitted separately from the notification of the intention to process personal data).
10.2. Before submitting the aforementioned notification, the Company must obtain appropriate guarantees from the authorities of the foreign state, foreign individuals, or foreign legal entities to whom the cross-border transfer of personal data is intended, regarding the protection and security of the transferred data.
11. Confidentiality of Personal Data
The Company and other parties who have gained access to personal data are obliged not to disclose or distribute such personal data to third parties without the consent of the personal data subject, unless otherwise provided by applicable law.
12. Final Provisions
12.1. The User can obtain any clarifications regarding the processing of their personal data by contacting the Company via email.
12.2. This document will reflect any changes to the personal data processing policy by the Company. The policy is valid indefinitely until replaced by a new version.
12.3. The current version of the Policy is freely available on the Internet at the following address k-kvadrat.kz.