Privacy Policy | ioka SuperApp

This Privacy Policy has been drafted in accordance with the Law of the Republic of Kazakhstan “On Personal Data and Their Protection”.

This document governs the processing of personal data collected through the ioka Mobile Application.

1. General Provisions

ioka fintech LLP, BIN 191140003027 (“We”, “the Company”)

Registered Address: 15 Inzhenernaya Street, Medeu District, Almaty 050051, Republic of Kazakhstan.

The Company operating the ioka Mobile Application (the “Mobile Application”) is the personal data operator and is responsible for the processing of personal data.

By using the Mobile Application, the User consents to the collection and processing of their personal data in accordance with this Privacy Policy.

2. Categories of Personal Data Processed, Purposes of Processing, Legal Basis, and Retention Period

Category	Personal Data	Purpose of Processing	Legal Basis	Source	Retention Period
Authentication	Subscriber number Password (hashed) Individual Identification Number (IIN)	Authorization	Consent	User	For the duration of the Mobile Application’s use and for five years afterward, unless otherwise provided by the legislation of the Republic of Kazakhstan.
Profile	First name, last name, and middle name (if available) Email address Photograph	Identification and contact	Consent	User
Financial Data	Payment card details (card number, PAN, CVV, expiration date, cardholder name) Transaction data — date and time of transaction, amount, currency, items/services purchased	Payment processing	Consent	User / bank (issuer and acquirer)	Five years from the moment the payment is made (or consent is provided).
Technical Data	IP address Push token Device ID	Analytics and security	Legitimate interest	System / SDK	For the duration of the Mobile Application’s use and for five years afterward, unless otherwise provided by the legislation of the Republic of Kazakhstan.
Technical Support	Last name, first name, and middle name (if available) Subscriber number Email address Content of the request	Processing of user requests	Consent	User

The processing of personal data is carried out on the basis of the User’s consent, the performance of a contract, as well as the Company’s legitimate interests (in terms of ensuring security and analytics).

3. Device Functions Accessed by the Mobile Application

To function properly, the Mobile Application may request access to certain device features (e.g., camera, file storage, microphone, notifications, and other system services).

The list of permissions and the purposes for which they are used is displayed prior to the installation of the Mobile Application in the official store and may be further specified in the device settings.

All permissions are granted only with the User’s consent and are used solely to enable the Mobile Application’s features as described in its interface and app store listing.

The User may at any time modify or revoke access through the device’s system settings, which may affect the operation of certain functions of the Mobile Application.

4. Push Notifications and Analytics

The Mobile Application may send push notifications to inform the User about actions and events within the service.

The purposes of the notifications include:

Confirmation of actions (registration, login, transactions);
System and technical messages (changes, updates, security);
Informational notifications (new features, limits, operation statuses);
Promotional offers — only with the User’s separate consent.

The User may disable push notifications at any time through the phone settings (iOS / Android).

Data collected for analytics includes:

Technical events (application launch, session duration, errors);
Anonymized usage metrics (screens viewed, taps, interface interactions);
Information about the device type, operating system, and application version.

Analytics are used solely to improve the stability and usability of the Mobile Application and do not include personal data, payment information, or the content of the User’s account.

5. Recipients of Personal Data, Categories of Data Transferred, Purpose of Data Transfer, Legal Basis, and Security Measures

Recipients	Personal Data	Purpose of Data Transfer	Legal Basis	Security Measures
Second-tier banks of the Republic of Kazakhstan	Last name, first name, and middle name (if available) Individual Identification Number (IIN) Subscriber number Email address Transaction data — date and time of the transaction, amount, currency, and items/services purchased Payment card details (PAN, expiration date, cardholder name, and CVV only at the time of transaction authorization)	Payment processing	Contract	Organizational measures: Restriction of access to personal data. Only authorized employees and contractors who have signed confidentiality agreements are allowed to process personal data. Technical measures: Data transfer is carried out only via secure communication channels using encryption technologies (SSL/TLS). Data is processed in accordance with the PCI DSS standard. Servers are protected against unauthorized access, with access limited to authorized personnel.
Suppliers of goods (works, services) paid for by the User	Last name, first name, and middle name (if available) Individual Identification Number (IIN) Subscriber number Email address Transaction data — date and time of the transaction, amount, currency, and items/services purchased		Contract
International payment systems (e.g., Visa or Mastercard)	Transaction data — date and time of the transaction, amount, currency Payment card details (PAN, expiration date, cardholder name, and CVV only at the time of transaction authorization)		Rules of the International Payment System (IPS)
Government authorities	Last name, first name, and middle name (if available) Individual Identification Number (IIN) Subscriber number Email address Transaction data — date and time of the transaction, amount, currency, and items/services purchased Payment card details (PAN, expiration date, cardholder name) IP address Push token Device ID Content of the request	Compliance with the requirements of the legislation of the Republic of Kazakhstan	Legislation of the Republic of Kazakhstan and request	Organizational measures: Restriction of access to personal data. Transfer of personal data is carried out only on the basis of official requests made in accordance with the legislation of the Republic of Kazakhstan. Only authorized employees and contractors who have signed confidentiality agreements are allowed to process and transfer personal data. All transfers of personal data to government authorities are logged and documented. Technical measures: Data transfer is carried out only via secure communication channels using encryption technologies (SSL/TLS). Requests are authenticated through electronic signatures and official communication channels. Data is processed in accordance with the PCI DSS standard. Servers are secured against unauthorized access, with access limited to authorized personnel only.

6. Cross-Border Data Transfer

For the purpose of conducting and authorizing payment transactions, the User’s personal data (full name, card details, transaction data) may be transferred to international payment systems (hereinafter, “IPS”) such as Visa, Mastercard, UnionPay, and other partner organizations.

Transfers are made to secure servers located in countries that provide an adequate level of data protection, including the United States, the United Kingdom, Belgium, Singapore, and China, in compliance with the legislation of the Republic of Kazakhstan.

IPS are certified in accordance with the PCI DSS and ISO/IEC 27001 standards. Data transfers are carried out via encrypted communication channels (TLS) and only to the extent necessary to perform the transactions.

The Company enters into agreements and applies standard contractual clauses (SCCs) or other legal mechanisms to ensure the protection of personal data in accordance with the requirements of the legislation of the Republic of Kazakhstan.

7. Storage and Security of Personal Data

Personal data is stored on servers located within the territory of the Republic of Kazakhstan, as well as in secure cloud storage that ensures a level of security no lower than that established by the legislation of the Republic of Kazakhstan and international standards.

Data is kept in encrypted form, and access is granted only to authorized personnel on a need-to-know basis.

Data Security Measures:

Restriction of access to personal data based on the principle of necessity;
Use of modern encryption technologies for data storage and transfer;
Regular information security audits;
Implementation of organizational and technical measures in compliance with the requirements of the Information Security Management System (ISMS) and international standards ISO/IEC 27001 and PCI DSS.

8. User Rights

The User has the right to:

Be informed about the Company’s possession of the User’s personal data and to receive information confirming the fact, purposes, sources, methods of collection and processing of personal data; the list of personal data; and the retention periods, including storage duration;
Request the Company to rectify or supplement the User’s personal data upon presentation of supporting documents;
Request the blocking of the User’s personal data;
Request the erasure of the User’s personal data;
Withdraw consent to the collection and processing of personal data;
Restrict the use of their data, obtain a copy, or transfer it to another service; object to the processing of their data; and request that decisions affecting them (e.g., automated checks or transaction denials) be made with human involvement;
Exercise any other rights provided under the Law of the Republic of Kazakhstan “On Personal Data and Their Protection.”

9. Procedure for Data Erasure and Withdrawal of Consent

The User has the right to request the erasure of their personal data by submitting a request to the Company using the contact details provided in this Policy.
If a request for erasure is denied, the User may appeal to the authorized government body responsible for protecting the rights of personal data subjects.

The Company shall erase personal data in the following cases:

Upon expiration of the retention period or achievement of the purpose of processing;
Upon withdrawal by the User of consent to the processing of personal data;
Upon a request by the User for the erasure of personal data, unless otherwise provided by the legislation of the Republic of Kazakhstan;
Upon establishing that the data has been processed in violation of the law;
Pursuant to a final court decision or an act of the authorized government body requiring data erasure.

Procedure for the Erasure of Personal Data:

Personal data shall be deleted from all Company databases and backup copies using specialized software that prevents the possibility of recovery.
Physical media containing personal data shall be irreversibly destroyed.
Personal data will be erased no later than thirty (30) calendar days after the purpose of processing is achieved or upon receipt of the User’s request, unless otherwise required by the legislation of the Republic of Kazakhstan.

10. Contact Information and Designated Person (DPO)

For questions regarding the processing and protection of personal data, as well as for submitting requests, withdrawing consent, or filing complaints, the User may contact the Company via the following email and phone number:
support@ioka.kz
+7 701 540 18 02

Designated Person (DPO): Head of the Company.

Requests are processed within the timeframe established by the legislation of the Republic of Kazakhstan.

In the event of disagreement with the Company’s response or inaction on a request, the User has the right to contact the authorized government body responsible for the protection of personal data subjects’ rights.

12. Terms and Definitions

Personal Data — information relating to a specific or identifiable User, recorded on electronic, paper, or other physical media.

Processing — actions aimed at collecting, storing, modifying, supplementing, using, distributing, anonymizing, blocking, or erasing personal data.

Operator — the Company that collects, processes, and protects personal data.

Data Subject — the User, a natural person to whom the personal data pertains.

Device Permissions — settings in a mobile operating system (iOS/Android) that allow the Mobile Application to access device functions and data (e.g., camera, microphone, geolocation, photos/files, Bluetooth, notifications). Permissions are requested by the Mobile Application and may be changed by the User at any time via the device settings.

Cross-Border Transfer — the international transfer of personal data.

ioka — Privacy Policy