1.1. This Personal Data Processing Policy (hereinafter referred to as the Policy) has been developed and approved by LLP "Atasuai" (BIN 250740015549, legal address: 050016, Republic of Kazakhstan, Almaty, Kunaev Street, 18/2) (hereinafter referred to as the Operator, Atasuai) in accordance with the Law of the Republic of Kazakhstan dated May 21, 2013 No. 94-V "On Personal Data and Their Protection" (hereinafter referred to as the Law) and other regulatory legal acts of the Republic of Kazakhstan.
1.2. The purpose of the Policy is to ensure the protection of the rights and freedoms of personal data subjects when processing their personal data, including the protection of the right to privacy, personal and family secrets, as well as to determine the procedure and conditions for processing personal data when using the Atasuai platform.
1.3. The Policy applies to all information, including personal data, that Atasuai may receive about personal data subjects when using:
- the website https://atasuai.com and its services (hereinafter referred to as the Site);
- subdomains and individual services, including the marketplace, reseller store showcases, personal account, POS service (hereinafter collectively referred to as the Services);
- Atasuai mobile applications (if applicable) and/or applications related to order servicing and interaction with partners (hereinafter referred to as the Applications).
1.4. The Policy is part of (or applies in conjunction with) the documents posted on legal.atasuai.com, including (but not limited to):
- Terms of Service of the platform;
- User Agreement;
- Seller Agreement;
- Reseller Agreement;
- Payment Policy and Settlement Procedure;
- Return and Refund Policy;
- Terms of Use of the POS System.
By registering/logging in, placing an order, creating a showcase, using POS or other functions, the User confirms familiarity with the Policy and consents to the processing of personal data to the extent and for the purposes specified in this Policy, unless otherwise provided by law.
1.5. The Policy is publicly available at: https://legal.atasuai.com/privacy and is a public document.
1.6. Terms:
- Personal data — information related to a specific or identifiable subject of personal data.
- Subject of personal data — an individual to whom the personal data pertains.
- Operator — a person organizing and carrying out the processing of personal data, determining the purposes and composition of the data.
- Processing of personal data — any actions with personal data (collection, recording, systematization, storage, modification, use, transfer, anonymization, blocking, deletion, destruction).
- Automated processing — processing using computer technology.
- Processor — a person processing personal data on behalf of the Operator based on a contract.
- Cross-border transfer — transfer of personal data to the territory of a foreign state (if applicable).
2. Categories of subjects and processed data
2.1. Atasuai can process personal data of the following categories of subjects:
- Buyers (users placing orders);
- Sellers (merchants/stores selling goods);
- Manufacturers/suppliers (in wholesale/partnership scenarios, if applicable);
- Resellers (users provided with an online storefront/store);
- Site visitors (without registration);
- Representatives of legal entities (contact persons of counterparties);
- POS system users (cashiers/store administrators).
2.2. Typical composition of processed personal data (depending on the role and scenario):
- Full name (if necessary);
- phone number, email address;
- delivery/location address (for delivery/return);
- order data (composition, cost, statuses, returns);
- account identifiers (user ID, logins, tokens);
- payment data to the extent necessary for payment/return processing (Atasuai does not store full bank card details if processing is carried out through a payment partner/acquirer; in this case, masked data, transaction identifiers, payment/return status may be processed);
- POS operation data (receipts, items, amounts, time, cash register/sales point);
- technical data: IP address, cookies, user-agent, language, device/OS type, information about actions on the site, diagnostic logs;
- correspondence and support requests, call recordings (if enabled and notification is made separately/in the interface);
- documents for identification/verification of the seller/reseller (if applicable): scan/photo of identity document, business registration information, details, powers of attorney, and other documents — only if necessary and to the extent provided by law and internal KYC/AML procedures.
2.3. Atasuai does not process special categories of personal data (race, political views, religion, health, intimate life), except in cases expressly provided by the legislation of the Republic of Kazakhstan.
2.4. Biometric data (if ever applied) is processed only with legal grounds and separately executed consent/procedure in accordance with the legislation.
3. Purposes of personal data processing
3.1. Atasuai processes personal data solely for specific, predefined, and lawful purposes, including:
- registration and management of the user account;
- providing access to platform features (marketplace, reseller showcases, personal account, POS);
- processing and fulfilling orders, deliveries, returns, and inquiries;
- conducting payments, refunds, and transaction accounting;
- communication with users (order notifications, delivery/return statuses, support messages);
- prevention of fraud, abuse, ensuring service security;
- compliance with the legislation of the Republic of Kazakhstan (tax/financial accounting, responses to requests from authorized bodies);
- improving service quality, analyzing user experience, diagnosing errors;
- conducting advertising and informational communications (marketing) — only with appropriate legal grounds/consent where required.
4. Legal grounds for processing
4.1. The legal grounds for processing personal data are:
- The Constitution of the Republic of Kazakhstan;
- The Civil Code of the Republic of Kazakhstan;
- Law of the Republic of Kazakhstan No. 94-V "On Personal Data and Their Protection";
- Law of the Republic of Kazakhstan "On Informatization" and other applicable regulatory legal acts;
- contracts and agreements concluded with the subject of personal data (User Agreement, Seller/Reseller agreement, POS terms, etc.);
- consent of the personal data subject (in cases where it is required by law);
- other legal grounds provided by the legislation of the Republic of Kazakhstan.
5. Procedure and conditions of processing and storage
5.1. Personal data is processed both with and without the use of automation tools.
5.2. Atasuai receives personal data:
- directly from the subject (registration, order processing, profile completion);
- automatically when using the Site/Applications (cookies, logs);
- from partners, when necessary for order fulfillment/return (for example, delivery status from a logistics partner) — within the necessary limits.
5.3. Access to personal data is provided only to authorized Atasuai employees and/or processors on a "need-to-know" basis.
5.4. Personal data is stored no longer than necessary for processing purposes, or within the timeframes established by law/contract. Once the purposes are achieved, the data is destroyed or anonymized, unless otherwise required by law.
5.5. Placement and storage of databases: Atasuai takes measures to comply with the requirements of legislation on the localization/storage of personal data in the territory of the Republic of Kazakhstan in cases provided by law. (Cloud: yandex.cloud.almaty)
6. Transfer of personal data to third parties
6.1. Atasuai may transfer personal data to third parties only to the extent necessary to achieve the processing purposes, including:
- Sellers/resellers — data necessary for order fulfillment, delivery, return, communication (e.g., contact and delivery address);
- logistics partners (e.g., QazPost/courier services) — data necessary for delivery/return and tracking (full name/phone/address/shipment ID);
- payment partners/acquiring banks (e.g., Visa/Mastercard acquiring, Freedom Bank, Halyk Bank, etc.) — data necessary for payment/return processing and compliance with payment system rules (transaction identifiers, amount, status, masked details, etc.);
- IT infrastructure providers (hosting, cloud services, analytics, push notifications, SMS/email providers) — only as processors under contract and to the minimum necessary extent;
- government authorities — upon lawful request and in accordance with the legislation of the Republic of Kazakhstan.
6.2. The transfer of personal data is carried out via secure communication channels and/or using encryption, unless otherwise provided by law.
6.3. Cross-border transfer of personal data (if applicable) is carried out with legal grounds and in compliance with the requirements of the legislation of the Republic of Kazakhstan.
7. Cookies and analytics
7.1. Atasuai uses cookies and technical identifiers for:
- ensuring the functionality of the Site/Applications;
- saving settings and session;
- enhancing security;
- analytics and improving user experience.
7.2. The user can limit the use of cookies in the browser settings; however, this may affect the correct operation of certain functions.
8. Measures for the Protection of Personal Data
8.1. Atasuai takes necessary organizational and technical measures to protect personal data from unauthorized access, alteration, disclosure, destruction, including (but not limited to):
- HTTPS/encryption of transmission channels;
- access rights differentiation;
- action logging and monitoring;
- backup;
- regular updates and security audits;
- employee training.
9. Rights of the data subject
9.1. The data subject has the right to:
- receive information about the processing of their personal data;
- request clarification, blocking, or destruction of data if there are grounds;
- withdraw consent for processing (in cases where processing is based on consent);
- other rights provided by the legislation of the Republic of Kazakhstan.
9.2. Withdrawal of consent/request to stop processing may result in the inability to use certain functions of the platform, and in some cases — deletion of the account (if the provision of the service is impossible without data processing).
10.1. Atasuai is entitled to make changes to the Policy unilaterally to update it in accordance with legislation and/or changes in the platform's business processes.
10.2. The new edition comes into force from the moment of publication on legal.atasuai.com, unless otherwise specified in the new edition.