Privacy and personal data processing policy
This Privacy and Personal Data Processing Policy (hereinafter referred to as the "Policy") defines the procedure, purposes and principles for processing and protecting information about Users of the shai.pro Information System (hereinafter referred to as the "System"). It has been developed in accordance with the requirements of the Law of the Republic of Kazakhstan "On Personal Data and Their Protection" and is guided by the principles of the international standard ISO/IEC 27001.
1. TERMS AND DEFINITIONS
1.1. The System Administration (hereinafter referred to as the “Operator”) – authorized employees of the System owner who organize and/or carry out the processing of personal data, and also determine the purposes and content of the processing of personal data.
1.2. An information security management system (ISMS) is a part of the overall management system based on a business risk assessment, aimed at establishing, implementing, operating, monitoring, analyzing, supporting, and improving information security in accordance with the principles of ISO/IEC 27001.
1.3. Personal data – any information relating to a directly or indirectly identified or identifiable natural person (subject of personal data).
1.4. Processing of personal data – any action (operation) or set of actions (operations) performed with personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction.
1.5. Confidentiality of personal data is a mandatory requirement to prevent its dissemination without the consent of the personal data subject or other legal grounds.
1.6. User (Personal Data Subject) – a person who has access to the System via the Internet and uses the System.
1.7. IP address – a unique network address of a node in a computer network built using the IP protocol.
2. GENERAL PROVISIONS. PRINCIPLES OF PROCESSING
2.1. The User's use of the System constitutes his unconditional consent to this Policy and the terms of processing of his personal data.
2.2. In case of disagreement with the terms of the Policy, the User must immediately stop using the System.
2.3. The Operator processes personal data based on the following principles:
Legality, fairness and transparency.
Limitation of processing to predetermined and legitimate purposes.
Data minimization (collecting only the data that is necessary for the stated purposes).
Accuracy and relevance of data.
Storage restrictions in forms that allow identification of the subject for no longer than required for the purposes of processing.
Ensuring an adequate level of data security, including protection against unauthorized or unlawful processing, as well as against accidental loss, destruction or damage.
2.4. This Policy applies exclusively to the shai.pro Information System. The System does not control and is not responsible for third-party websites that the User may access via links available on shai.pro.
3. SUBJECT OF POLICY. COMPOSITION OF DATA
3.1. This Policy sets forth the Operator's obligations to maintain the confidentiality and ensure the protection of personal data that the User provides when using the System.
3.2. Personal data permitted for processing is provided by the User voluntarily and may include:
Last name, first name, patronymic;
Email address;
Other information necessary to achieve the purposes of processing.
4. PURPOSES OF PERSONAL DATA PROCESSING
The Operator processes the User’s personal data for the following purposes:
4.1. Identification of the User within the framework of using the System services.
4.2. Providing the User with access to personalized resources and functionality of the System.
4.3. Establishing feedback with the User, including processing requests and applications.
4.4. Confirmation of the accuracy and completeness of the personal data provided.
4.5. Providing effective customer and technical support.
4.6. Informing the User, with his consent, about product updates, special offers, newsletters and other information.
4.7. Fulfilment of contractual and pre-contractual obligations to the User.
4.8. Compliance with the requirements of the current legislation of the Republic of Kazakhstan.
5. LEGAL BASIS AND PROCESSING TERMS
5.1. The processing of personal data is carried out on the basis of the User's consent provided in accordance with paragraph 2.1. of this Policy, as well as for the conclusion and execution of agreements to which the User is a party.
5.2. The processing period for personal data is determined by the achievement of the purposes for which they were collected, unless another period is provided for by the agreement or the current legislation of the Republic of Kazakhstan.
5.3. Upon expiration of the processing period, personal data shall be subject to destruction or depersonalization in accordance with the procedure established by the Operator’s internal procedures, which comply with the requirements of ISO/IEC 27001 and the legislation of the Republic of Kazakhstan.
6. TRANSFER OF PERSONAL DATA
6.1. The Operator has the right to transfer personal data to third parties in the following cases:
The subject has expressed his consent to such actions.
The transfer is necessary to provide services or fulfill obligations to the User (for example, courier services, communication service providers).
The transfer is provided for by the legislation of the Republic of Kazakhstan in the established manner to authorized state bodies.
6.2. When transferring data to third parties, the Operator takes all reasonable contractual and organizational measures to ensure the confidentiality and security of the transferred personal data.
7. PROTECTION MEASURES AND ISO/IEC 27001 COMPLIANCE
7.1. The Operator shall take the necessary and sufficient organizational and technical measures to protect the User's personal data from unauthorized or accidental access, destruction, modification, blocking, copying, distribution, and other illegal actions.
7.2. Protective measures include, but are not limited to:
Access management: Implementation of a policy for delimiting access rights to personal data.
Encryption: The use of cryptographic data protection tools during transmission over communication channels and, if necessary, storage.
Regular monitoring and risk analysis: Carried out within the framework of the ISMS.
Incident Management: Having a procedure in place to respond to information security incidents involving personal data.
Training and information: Regular training for employees who have access to personal data.
Compliance assessment: Periodic internal audits and review of safeguards.
8. RIGHTS OF THE PERSONAL DATA SUBJECT
In accordance with the legislation of the Republic of Kazakhstan, the User has the right:
8.1. To receive information regarding the processing of his personal data.
8.2. To access, update and correct his personal data.
8.3. To revoke consent to the processing of personal data. Revocation of consent may result in the inability to use certain System services.
8.4. To destroy his personal data and/or terminate its processing if the data is incomplete, outdated, inaccurate, illegally obtained or is not necessary for the stated purpose of processing.
To exercise his rights, the User may send a corresponding request to the Operator by email: info@shai.pro.
9. OBLIGATIONS AND RESPONSIBILITIES OF THE PARTIES
9.1. The User is obliged to provide accurate data and update it in a timely manner.
9.2. The Operator undertakes to:
Use data solely for the purposes specified in Section 4 of the Policy.
Ensure the confidentiality of data and not disclose it to third parties without the consent of the User, except in cases provided by law.
Take all measures to protect data as provided by the Policy and legislation.
9.3. The Operator is liable for losses incurred by the User in connection with the unlawful use of his personal data, in accordance with the legislation of the Republic of Kazakhstan.
9.4. The Operator shall not be liable for the loss or disclosure of data if it became publicly known through no fault of its own, was received from a third party, or was disclosed with the consent of the User.
10. DISPUTE RESOLUTION
10.1. Before applying to the court, it is mandatory to submit a written claim.
10.2. The recipient of the claim shall, within 30 (thirty) calendar days from the date of its receipt, notify the applicant in writing of the results of the review.
10.3. If no agreement is reached, the dispute shall be resolved in court in accordance with the legislation of the Republic of Kazakhstan.
11. FINAL PROVISIONS
11.1. The Operator reserves the right to amend this Policy unilaterally. The new version shall take effect upon its posting on the System, unless otherwise provided in the new version.
11.2. All suggestions or questions regarding this Policy should be sent to: info@shai.pro.
11.3. The current version of the Policy is posted on the page at: https://shai.pro/en/documents?tab=privacyPolicy.