PRIVACY POLICY

1. General Provisions

1.1. This Privacy Policy (the “Policy”) describes how personal data of users of the website https://kazakh.travel (the “Website”) is collected, stored, used, transferred and protected.

1.2. The personal data controller is [Individual Entrepreneur / LLP] [name], registered in the Republic of Kazakhstan (the “Controller”).

1.3. This Policy has been developed in accordance with the Law of the Republic of Kazakhstan dated 21 May 2013, No. 94-V “On Personal Data and their Protection” and, where applicable, generally accepted international standards of personal data protection, including the relevant provisions of the EU General Data Protection Regulation (GDPR).

1.4. Use of the Website constitutes the User’s agreement with this Policy and with the terms of processing of their personal data.

2. Categories of Data Processed

2.1. The Controller collects and processes the following categories of personal data:

  • first name, last name, middle name (where applicable);
  • contact details: email address, mobile phone number, messenger identifier;
  • identity document details (where required for permit arrangement or accommodation booking);
  • details of the travel group (number of travellers, age, special needs);
  • payment data — processed by the payment system and not stored by the Controller;
  • technical information: IP address, browser type, operating system, cookies, pages visited, referrer.

    • 2.2. The Controller does not collect special category data (medical information, racial or ethnic origin, political opinions, etc.) except where strictly necessary for performance of obligations to the User and with their explicit consent.

    3. Purposes of Processing

    3.1. The Controller processes personal data for the following purposes:

  • accepting and fulfilling booking requests for the services offered on the Website;
  • processing payments and refunds;
  • communication with the User regarding matters related to the provision of services;
  • compliance with Kazakhstan law, including tax, currency and accounting legislation;
  • marketing communications — only where the User has given separate consent;
  • quality improvement and analytics of Website usage;
  • handling requests, complaints and protection of the Controller’s legal rights.

    • 4. Legal Bases for Processing

    4.1. Processing is carried out on the following legal bases:

  • the User’s consent, expressed through acceptance of the Public Offer and/or this Policy;
  • performance of a contract to which the User is a party;
  • compliance with the Controller’s obligations under Kazakhstan law;
  • the legitimate interests of the Controller that do not override the rights and freedoms of the data subject.

    • 5. Disclosure to Third Parties

    5.1. The Controller may disclose personal data to the following categories of third parties, to the extent necessary for the provision of services:

  • suppliers involved in fulfilling the booking (drivers, guides, accommodation facilities, permit providers);
  • payment systems — for processing payments and refunds;
  • public authorities — upon lawful request.

    • 5.2. The Controller does not sell personal data and does not share it with third parties for marketing purposes without the User’s explicit consent.

    6. Cross-Border Data Transfers

    6.1. Personal data may be transferred outside the Republic of Kazakhstan only where this is necessary for the performance of a User’s booking (for example, when booking services at foreign accommodation facilities or using international payment systems).

    6.2. Cross-border transfers are carried out only where the receiving party ensures an adequate level of data protection.

    7. Retention

    7.1. Personal data is retained for as long as necessary to achieve the purposes of processing, but no longer than the periods set out by Kazakhstan law:

  • data on fulfilled bookings — at least 5 years (primary accounting records retention period);
  • marketing subscription data — until consent is withdrawn;
  • technical information — up to 12 months.

    • 8. Rights of the Data Subject

    8.1. The User has the right to:

  • obtain information about the fact and terms of processing of their personal data;
  • request correction, blocking or deletion of data that is incomplete, outdated or processed unlawfully;
  • withdraw consent to processing by notifying the Controller at the contacts in Section 12;
  • lodge a complaint with the competent data protection authority or with a court regarding actions or inactions of the Controller.

    • 9. Cookies and Analytics

    9.1. The Website uses cookies to ensure its functionality, analyse visits and improve the user experience.

    9.2. The User may disable cookies in their browser settings. In this case, some Website functionality may become unavailable.

    9.3. The Website may use third-party analytics services (Google Analytics, Yandex.Metrica and others). Such services process anonymised data in accordance with their own privacy policies.

    10. Security Measures

    10.1. The Controller takes the necessary organisational and technical measures to protect personal data from unauthorised access, destruction, modification, blocking, copying, distribution or other unlawful actions.

    10.2. Access to personal data is granted only to authorised employees of the Controller and only to the extent necessary for the performance of their duties.

    11. Changes to the Policy

    11.1. The Controller may amend this Policy from time to time. A new version enters into force upon publication on the Website.

    11.2. The Controller notifies Users of material changes to the Policy by posting a notice on the home page of the Website.

    12. Contact Details

  • Personal data controller: ___________________________________________
  • Registered address: _______________________________________________
  • Email for requests: [email protected]
  • Phone: ____________________________________________________________