The following terms and definitions are used in this Policy:

Blocking of personal data - temporary suspension of personal data processing (except in cases where processing is necessary to clarify personal data);

Personal data information system - a combination of personal data contained in databases and information technologies and technical means ensuring their processing;

Client - a person who has expressed intention to enter into contractual relations with the Company, or a person who is in contractual relations with the Company.

Depersonalization of personal data - actions that make it impossible to determine the ownership of personal data to a specific personal data subject without using additional information;

Personal data processing - any action (operation) or set of actions (operations) performed with or without the use of automation means with personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data;

Operator (Company) - Cashiva Community Limited Liability Company, located at: 189A K.Tynystanov Street, Pervomaisky district, Bishkek city, Kyrgyz Republic, Reg N 224700-3301-ООО, processing personal data in accordance with current legislation, conditions of this Policy and other internal documents regulating the processing and protection of personal data.

Personal data (PD) - any information relating directly or indirectly to a specific or identifiable individual (personal data subject);

Provision of personal data - actions aimed at disclosing personal data to a specific person or specific group of persons;

Distribution of personal data - actions aimed at disclosing personal data to an indefinite circle of persons;

Company Websites - websites on the Internet used by the Company.

Cross-border transfer of personal data - transfer of personal data to the territory of a foreign state to a foreign state authority, foreign individual, or foreign legal entity;

Destruction of personal data - actions resulting in the impossibility to restore the content of personal data in the personal data information system and (or) resulting in the destruction of physical media containing personal data.

2.1. The PD subject has the right to receive from the Company information regarding the processing of their PD, including:

• confirmation of the fact of PD processing by the Company;
• legal grounds and purposes of PD processing;
• name and location of the Company, information about persons (except Company employees) who have access to PD or to whom PD may be disclosed based on an agreement with the Company or under Law;
• processed PD relating to the respective PD subject, their source of acquisition, unless another procedure for presenting such data is provided for by Law;
• PD processing terms, including storage terms;
• procedure for exercising rights provided for by Federal Law by the PD subject;
• information about completed or intended cross-border data transfer;
• name or surname, first name, patronymic and address of the person processing personal data on behalf of the Company, if processing is or will be assigned to such person;
• other information provided for by legislation.

A request for information regarding the processing of a subject's PD must contain the series and number of the main identity document of the PD subject or their representative, information about the date of issue of said document and the issuing authority, information confirming the PD subject's relationship with the Company (contract number, contract date, conditional verbal designation and (or) other information), or information otherwise confirming the fact of PD processing by the Company, signature of the PD subject or their representative. The request can be sent as an electronic document and signed with a qualified electronic signature in accordance with legislation.

2.2. The PD subject has the right to require the Company to clarify their PD, block or destroy it if the PD is incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing, and to take measures provided by law to protect their rights.

2.3. The PD subject's right to access their PD may be restricted in accordance with federal laws.

2.4. Consent to PD processing may be withdrawn by the PD subject. In case of withdrawal of consent by the PD subject, the Company has the right to continue PD processing without the subject's consent if there are grounds specified in Law.

2.5. The PD subject has the right to appeal against actions or inaction of the Company by applying to the authorized body for the protection of personal data subjects' rights.

2.6. The personal data subject has the right to protect their rights and legitimate interests, including compensation for losses and/or moral damage through court proceedings.

2.7. When collecting PD, the Company provides the PD subject upon their request with the information specified in clause 2.1 of the Policy.

2.8. If the provision of PD to the Company is mandatory in accordance with Law, the Company explains to the PD subject the legal consequences of refusing to provide their PD.

2.9. If PD is obtained from sources other than the PD subject, the Company, before starting to process such PD, provides the PD subject with the following information:

• name of the Company or surname, first name, patronymic of its representative, and address;
• purpose of PD processing and its legal basis;
• intended users of PD;
• rights of the PD subject established by Law;
• source of PD acquisition.

2.10. The Company is exempt from the obligation to provide the PD subject with information specified in clause 2.9 of this Policy in cases where:

• the PD subject has been notified of the processing of their PD by the Company;
• PD was obtained by the Company based on Law or in connection with the execution of a contract to which the PD subject is a party, beneficiary, or guarantor;
• PD has been made publicly available by the PD subject or obtained from a publicly available source;
• the Company processes PD for statistical or other research purposes, provided that this does not violate the rights and legitimate interests of the PD subject;
• providing the PD subject with information specified in clause 2.9 of this Policy violates the rights and legitimate interests of third parties.

2.11. When collecting PD, including through the information and telecommunications network 'Internet', the Company ensures the recording, systematization, accumulation, storage, clarification (updating, modification), extraction of PD of Kyrgyz Republic citizens using databases located in Kyrgyz Republic.

2.12. In case of detecting unlawful PD processing, upon request of the PD subject or their representative, or upon request from the authorized body for the protection of PD subjects' rights, the Company blocks unlawfully processed PD relating to that PD subject, or ensures their blocking (if PD processing is carried out by another person acting on behalf of the Company) from the moment of such request for the duration of the verification.

2.13. In case of confirmation of PD inaccuracy, the Company, based on information provided by the PD subject or their representative or the authorized body for the protection of PD subjects' rights, or other necessary documents, clarifies the PD or ensures their clarification (if PD processing is carried out by another person acting on behalf of the Company) within seven working days from the date of providing such information and removes the PD blocking.

2.14. In case of detecting unlawful PD processing carried out by the Company or a person acting on behalf of the Company, the Company shall, within three working days from the date of such detection, terminate the unlawful processing of PD or ensure the termination of unlawful processing by the person acting on behalf of the Company.

2.15. Upon achieving the purpose of PD processing, the Company terminates PD processing or ensures its termination (if PD processing is carried out by another person acting on behalf) and destroys the PD or ensures their destruction (if PD processing is carried out by another person acting on behalf) within thirty days from the date of achieving the purpose of PD processing.

2.16. In case of withdrawal of consent by the PD subject for their PD processing, the Company terminates their processing or ensures termination of such processing (if PD processing is carried out by another person acting on behalf) and in case the preservation of PD is no longer required for processing purposes, destroys the PD or ensures their destruction (if PD processing is carried out by another person acting on behalf) within thirty days from the date of receipt of the withdrawal.

2.17. If it is impossible to destroy PD within the established period, the Company blocks such PD or ensures their blocking (if PD processing is carried out by another person acting on behalf) and ensures the destruction of PD within a period not exceeding six months, unless another period is established by legislation.

3.1. The Company processes PD to achieve the following purposes:

• conclusion and execution of civil law transactions (including those concluded through acceptance of the User Agreement on the Company's Website);
• providing reports to state supervisory authorities in accordance with the requirements of current legislation of the Kyrgyz Republic;
• promotion of services in the market;
• organization of Company employees' records, regulation of labor (civil law) relations between the subject and the Company (ensuring compliance with laws and other regulatory legal acts, assisting employees in employment, training and career advancement, ensuring personal safety of employees);
• consideration of the possibility of establishing contractual relations with the personal data subject at their initiative for the purpose of further concluding an agreement where the PD subject is either one of the parties or a beneficiary;
• provision of corporate mobile communication services;
• implementation of access control to the Company's premises;
• conducting statistical and other research based on depersonalized data.

3.2. Principles of PD processing in the Company:

• PD processing is carried out on a legal and fair basis.
• PD processing is limited to achieving specific, predetermined, and legitimate purposes. Processing of PD incompatible with the purposes of PD collection is not allowed.
• Merging databases containing PD that is processed for incompatible purposes is not allowed.
• Only PD that meets the purposes of its processing shall be processed.
• The content and volume of processed PD must correspond to the stated processing purposes. Processed PD should not be excessive in relation to the stated purposes of their processing.
• When processing PD, the accuracy of PD, their sufficiency, and when necessary, relevance to the purposes of PD processing must be ensured. The Company takes necessary measures or ensures their implementation to remove or clarify incomplete or inaccurate data.
• PD storage is carried out in a form that allows determining the PD subject for no longer than required by the purposes of PD processing, unless the storage period is established by Law, or by a contract to which the PD subject is a party, beneficiary, or guarantor. Processed PD shall be destroyed or depersonalized upon achieving the processing purposes or if such purposes are no longer needed, unless otherwise provided by Law.

3.3. Company employees authorized to process PD must:

• know and strictly comply with the provisions of the Kyrgyz Republic legislation in the field of PD, this Policy, and other internal Company documents on PD processing and security;
• process PD only within the scope of their official duties;
• not disclose PD processed in the Company;
• report actions of other persons that may lead to violation of this Policy;
• report known violations of this Policy's requirements to the Company employee responsible for organizing PD processing in the Company, appointed by the Company's administrative document.

3.4. PD security in the Company is ensured by implementing coordinated measures aimed at preventing (neutralizing) and eliminating PD security threats, minimizing possible damage, as well as measures to restore data and ISPD operation in case of threat realization.

• Constitution of the Kyrgyz Republic;
• Labor Code of the Kyrgyz Republic;
• Civil Code of the Kyrgyz Republic;
• Tax Code of the Kyrgyz Republic;
• other regulatory legal acts governing the Company's activities;
• Charter of Cashiva Community Limited Liability Company;
• internal regulatory documents of Charter of Cashiva Community LLC;
• consent for personal data processing;
• agreements (contracts) concluded between the Company and the personal data subject.

5.1. Depending on the PD subject, the Company processes PD of the following categories of PD subjects:

• employee, who is or was in employment relations with the Company, close relatives of the employee - information necessary for the Company in connection with employment relations and concerning the specific employee;
• candidate for vacant positions - information necessary for the Company to evaluate professional and business qualities when considering candidates for vacant positions;
• individual who is a member of the Company's management bodies, an affiliated person or manager, participant or employee of a legal entity that is an affiliated person in relation to the Company - information necessary for the Company to reflect in reporting documents about the Company's activities;
• client, client's representative, beneficiary, beneficial owner of the client - information necessary for the Company to fulfill its obligations within the contractual relationship with the client.

5.2. The list of PD processed in the Company is determined in accordance with the legislation of the Kyrgyz Republic and internal regulatory documents of the Company, taking into account the purposes of PD processing specified in Section 3 of this Policy.

5.3. The Company does not process special categories of PD concerning racial, national origin, political views, religious or philosophical beliefs, intimate life.

6.1. PD processing is carried out in accordance with the purposes predetermined and declared during personal data collection, as well as the Company's authority defined by current legislation of the Kyrgyz Republic and contractual relations with Clients.

6.2. PD processing in the Company is divided into:

• PD processing carried out without automation means;
• PD processing in ISPD using automation means;
• mixed PD processing.

6.3. The Company ensures recording, systematization, accumulation, storage, clarification (updating, modification), extraction of subjects' PD using databases located in Kyrgyz Republic.

6.4. PD processing in the Company is carried out in accordance with Section 3 of this Policy.

6.5. PD processing for promoting Company services in the market through direct contacts with potential consumers using communication means is carried out only with the prior consent of the PD subject. At the request of the PD subject, the Company immediately stops processing their PD for the purpose of promoting its services in the market.

6.6. PD storage is carried out in a form that allows determining the PD subject for no longer than required by the purposes of PD processing, unless the storage period is established by federal law, or by a contract to which the PD subject is a party, beneficiary, or guarantor. Processed PD is destroyed or depersonalized upon achieving the processing purposes or if such purposes are no longer needed, unless otherwise provided by Law.

6.7. The Company's PD processing terms are determined in accordance with the term of the agreement with the PD subject, unless otherwise established by agreement of the parties or legal requirements.

6.8. The Company has the right to assign PD processing to another person with the consent of the PD subject, unless otherwise provided by federal law, based on an agreement concluded with this person (hereinafter - the Company's assignment). In this case, the person processing PD under the Company's assignment is not required to obtain the PD subject's consent for processing their PD.

The person processing PD under the Company's assignment must comply with the principles and rules of PD processing provided for by legislation in the field of personal data.

If the Company assigns PD processing to another person, the Company bears responsibility to the PD subject for the actions of said person. The person processing personal data under the Company's assignment is responsible to the Company.

Assignment of PD processing to a third party is performed only based on a contract. The following are mandatory in said contract:

• list of actions (operations) with PD that will be performed by the processor;
• processing purposes;

processor's obligation to fulfill requirements for ensuring PD security (including maintaining PD confidentiality) during their processing, not to disclose and not to distribute PD without the consent of the PD subject, unless otherwise provided by federal law.

6.9. Obtaining and processing PD in cases provided for by Kyrgyz Republic legislation is carried out by the Company with the written consent of the PD subject except for cases established by Kyrgyz Republic legislation. The PD subject makes the decision to provide their PD and gives consent to their processing freely, of their own will and in their own interest. Consent in the form of an electronic document signed with an electronic signature is recognized as equivalent to consent in written form on paper containing the personal data subject's handwritten signature.

Consent for PD processing must be specific, informed, and conscious. Consent for PD processing may be given by the PD subject or their representative in any form allowing confirmation of its receipt, unless otherwise established by federal law.

Consent for PD processing may be withdrawn by the PD subject. In case of withdrawal of consent by the PD subject, the Company has the right to continue PD processing without the subject's consent if there are grounds established by Kyrgyz Republic legislation.

6.10. The Company prohibits making decisions based solely on automated PD processing that produces legal effects concerning the PD subject or otherwise affects their rights and legitimate interests, except for cases and conditions provided for by Kyrgyz Republic legislation in the field of PD.

6.11. The Company in its activities ensures compliance with the principles of PD processing specified in Law .

6.12. The Company in its activities takes measures provided for by (Section 7 of this Policy).

6.13. The Company has the right to transfer PD to investigation authorities and other authorized bodies on grounds provided for by current Kyrgyz Republic legislation. Representatives of state authorities (including controlling, supervisory, law enforcement and other bodies) get access to PD processed in the Company in the scope and manner established by Kyrgyz Republic legislation.

6.14. In order to comply with RF legislation, to achieve processing purposes, and in the interests of PD subjects, the Company in the course of its activities provides personal data to the following organizations:

• Tax Service;
• Pension Fund;
• Social Insurance Fund;
• Insurance companies;
• Credit organizations;
• Judicial authorities;
• Enforcement bodies of judicial acts, acts of other bodies and officials in cases provided for by legislative acts on their activities;

as well as other third parties in cases provided for by legislative acts on their activities or agreements with the Company.

For the purpose of implementing access control to the Company's premises, with the written consent of the employee, the Company provides personal data of employees to the organization that has concluded an agreement with the Company. The list of organizations is approved by the Company's administrative document.

For the purpose of maintaining accounting and personnel records in the Company with the written consent of the employee, the Company provides personal data of employees to the organization that has concluded an agreement with the Company for the provision of these services.

6.15. Conditions for cross-border transfer of PD.

Before carrying out cross-border transfer of personal data, the Company ensures that the foreign state to which personal data is being transferred provides adequate protection of personal data subjects' rights. Cross-border transfer of personal data to territories of foreign states that are parties to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, as well as other foreign states providing adequate protection of personal data subjects' rights, is carried out in accordance with Law and may be prohibited or restricted to protect the foundations of the constitutional system of the Kyrgyz Republic, morality, health, rights and legitimate interests of citizens, ensuring national defense and state security. One of the criteria for evaluating a state in this aspect may be its ratification of the 'Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data' of 28.01.1981, ETS No. 108. The list of foreign states that are not parties to the Council of Europe Convention and provide adequate protection of personal data subjects' rights.

Cross-border transfer of personal data to territories of foreign states that do not provide adequate protection of personal data subjects' rights may be carried out in the following cases:

• with written consent of the personal data subject for cross-border transfer of their personal data;
• as provided for by international treaties of the Kyrgyz Republic;
• as provided for by federal laws, if necessary to protect the foundations of the constitutional system of the Kyrgyz Republic, ensuring national defense and state security, as well as ensuring the security of sustainable and safe functioning of the transport complex, protecting the interests of individuals, society and the state in the transport complex from acts of unlawful interference;
• execution of a contract to which the personal data subject is a party; protection of life, health, and other vital interests of the personal data subject or other persons when it is impossible to obtain written consent from the personal data subject.

7.1. The Company independently determines the composition and list of measures necessary and sufficient to ensure the fulfillment of obligations provided for by Law and regulatory legal acts adopted in accordance with it, unless otherwise provided by laws.

7.2. The following are subject to protection:

• documents containing PD;
• electronic information carriers containing personal data;
• personal data information systems (hereinafter - PDIS);
• communication channels through which PD is transmitted.

7.3. The Company by administrative document appoints a Company employee responsible for organizing PD processing. The employee responsible for organizing PD processing must:

• carry out internal control over compliance by the Company and its employees with the Kyrgyz Republic legislation on PD, including requirements for PD protection;
• inform Company employees about the provisions of the Kyrgyz Republic legislation on PD, local acts on PD processing, requirements for PD protection;
• organize the receipt and processing of requests and inquiries from PD subjects or their representatives and (or) exercise control over the receipt and processing of such requests and inquiries.

7.4. In addition, the Company applies legal, organizational and technical measures to ensure PD security:

• PD security threats have been identified during their processing in PDIS;
• information protection tools that have undergone the established conformity assessment procedure are applied in cases where the use of such tools is necessary to neutralize current threats;
• effectiveness evaluation of measures taken is conducted before PDIS commissioning;
• removable machine PD carriers are accounted for;
• measures are taken to detect unauthorized access to PD and take appropriate actions;
• the ability to restore PD modified or destroyed due to unauthorized access is ensured;
• rules for access to PD are established, and registration and accounting of all actions performed with PD in the personal data information system is ensured;
• control is exercised over measures taken to ensure personal data security and maintain the PDIS protection level;
• internal control and (or) audit of PD processing compliance with Law and regulatory legal acts adopted in accordance with it, requirements for PD protection, Company policy regarding PD processing, Company local acts is conducted;
• assessment is made of the harm that may be caused to PD subjects in case of violation of this Policy, the correlation between said harm and measures taken by the Company aimed at ensuring the fulfillment of obligations provided for by this Policy;
• security levels have been established for each PDIS.

8.1. In the event of unlawful processing of personal data, the Company blocks the unlawfully processed personal data.

8.2. In the event of inaccurate personal data, the Company blocks the relevant personal data for the period of verification. If the inaccuracy of the personal data is confirmed, based on information provided by the personal data subject or their representative, or the authorized body for the protection of personal data subjects' rights, or other necessary documents, the Company clarifies the personal data and lifts the block on the personal data.

8.3. The Company is obliged to inform the personal data subject or their representative about the processing of the personal data of such a subject upon their request.

8.4. Information regarding the processing of personal data is provided to the data subject or their representative upon receipt of a request from the personal data subject or their representative. The request may be submitted in the form of an electronic document and signed with an electronic signature in accordance with the legislation of the Russian Federation.

8.5. Consideration of requests from personal data subjects or their representatives, as well as from the authorized body for the protection of personal data subjects' rights:

• 8.5.1. Personal data subjects have the right to obtain information regarding the processing of their personal data, including:
  • confirmation of the fact of personal data processing by the Company;
  • the legal grounds and purposes of personal data processing;
  • the methods of personal data processing used by the Company;
  • the personal data being processed related to the corresponding personal data subject, the source of their collection, if another procedure for providing such data is not stipulated by Law;
  • the duration of personal data processing, including the retention periods in the Company;
  • the procedure for exercising the rights of the personal data subject as provided by the legislation of the Russian Federation in the field of personal data;
  • other information stipulated by the legislation of the Russian Federation in the field of personal data.
• 8.5.2. Upon receiving a request from a personal data subject or their representative, as well as from the authorized body for the protection of personal data subjects' rights, the Company provides the information within the timeframes stipulated by Law.

8.6. Personal data subjects have the right to demand that the Company clarify their personal data, block or destroy it if the personal data is incomplete, outdated, inaccurate, unlawfully obtained, or unnecessary for the stated purpose of processing, as well as to take measures provided by law to protect their rights.

8.7. The right of the personal data subject to access their personal data may be restricted in accordance with Law, including if the personal data subject's access to their personal data violates the rights and legitimate interests of third parties.

8.8. To obtain the necessary information regarding the processing of personal data as described in paragraph 8.5 of this Policy, the personal data subject (or their legal representative) must complete the appropriate request form for information related to the processing of personal data (Appendix 1 to this Policy) and submit it in person or by mail to the Company's employees who handle citizens' inquiries.

8.9. To clarify certain personal data, the personal data subject (or their legal representative) must complete the appropriate request form for clarification of personal data (Appendix 2 to this Policy) and submit it in person to the Company's employees who handle citizens' inquiries or by mail.

8.10. To destroy or eliminate the unlawfulness of personal data processing, the personal data subject (or their legal representative) must complete the appropriate request form for the destruction of personal data (Appendix 3 to this Policy) and submit it in person to the Company's employees who handle citizens' inquiries or by mail.

8.11. To withdraw the personal data subject's consent for the processing of their personal data, the personal data subject (or their legal representative) must complete the appropriate consent withdrawal form for the processing of personal data (Appendix 4 to this Policy) and submit it in person to the Company's employees who handle citizens' inquiries or by mail. In the case of withdrawal of consent for the processing of personal data, the Company has the right to continue processing the personal data without the subject's consent if there are grounds specified in Law.

8.12. Upon achieving the purposes of personal data processing (provided that anonymization of the personal data is not possible), upon identifying irremediable unlawful actions regarding the personal data of subjects, at the request of the client or the authorized body for the protection of personal data subjects' rights, and in the event of the personal data subject's withdrawal of consent for their processing, the personal data must be destroyed if:

• this is not otherwise provided for by the contract, of which the personal data subject is a party, beneficiary, or guarantor;
• this is not otherwise provided for by another agreement between the Company and the personal data subject;

8.13. Upon receiving a request from the personal data subject or their representative, as well as from the authorized body for the protection of personal data subjects' rights, regarding the rectification, blocking, or destruction of personal data and the elimination of violations of the law committed during the processing of personal data, the Company takes the appropriate measures and notifies them of the actions taken within the timeframes specified by Law.

Conditions for using cookies when using the Company's Websites:

Cookies are information files that can be stored on the Client's computer or other devices (smartphone, tablet, etc.) when visiting the website. They usually contain the name of the website from which they were received, information on how long the file will stay on the device, and a value (usually a randomly generated unique number). Cookies are used to store data on the Client's side and allow the Company to identify the Client for the purpose of fulfilling the contract/agreement with them and to save the Client's settings, take into account preferences, track the session status, etc. They also help the Company collect statistics on the most visited pages, determine the effectiveness of advertisements, and provide insights into the Client's behavior, allowing the Company to improve the Website, optimize its speed, improve navigation, and adapt it to the Users' needs. Cookies do not identify the Client as a person and are deleted from the system after the necessary analytical work is completed.

If the Client agrees to use cookies, they need to configure their browser accordingly. Most browsers are initially set to automatically accept cookies. The Client can independently change the settings to block cookies or receive warnings when such files are sent to the device. Disabling cookies may lead to incorrect functioning of the Website and closure of access to some of its sections. We recommend ensuring that the browser used on a computer or other devices (smartphone, tablet, etc.) is configured to work with cookies in accordance with your preferences for handling these files when visiting the Website. The Company reserves the right to change the way cookies are used, including methods of collecting, transmitting, and processing them, as necessary.

The following types of cookies are used on the Company's websites:

• Session cookies - temporary files that are active from the moment the Client enters the Website until the end of that particular session in the browser. When the browser is closed, these files become unnecessary and are automatically deleted.
• Persistent cookies - files that remain on the device for an extended period or until the Client manually deletes them. The duration of storage of such files depends on the 'lifetime' of a specific file and the browser settings.

By functionality, cookies are divided into 4 types:

• Strictly necessary cookies - required for the correct operation of the Website. They allow navigation on the resource, enable the Website to remember the Client's actions when returning to the page during the same session, and let the Client use all the Website's features. Disabling these cookies may affect the performance of the Website or its components.
• Performance cookies - help determine how the Client interacts with the Website by providing information on areas visited by the Client and the time spent on the Website. They also show issues in the Website's operation, such as error messages.
• Functional cookies - allow the Website to remember the Client's choices and recognize Users returning to the Website. Blocking these types of cookies affects the performance and functionality of the Website and may limit access to certain information (content) on the Website.
• Advertising and analytics cookies - used to provide the Client with information that may interest them, ensuring the ability to deliver advertisements or other information in closer alignment with the Client's explicit interests. They can be used to deliver targeted advertising or, conversely, limit the number of times advertisements are shown. These cookies record information about your actions on the Internet, including visits to the Website and its pages, as well as data about the links and ads the Client chose to view. Analytics cookies help measure the effectiveness of advertising campaigns and optimize the content of the Website for those interested in the ads displayed on the Website. They also remember the websites visited by the Client. The Company reserves the right to provide this information to third parties.

10.1 The Privacy Policy and the personal data processing policy of the guarantee.money secured transaction service, in accordance with Law, must be published on the Company's Websites.

10.2. Employees of the Company who process personal data of the Company's subjects, and persons to whom the Company entrusts the processing of personal data, bear the responsibility provided by the legislation of the Kyrgyz Republic for violating the regime of protection, processing, and use of personal data of the Company's subjects.

10.3. The manager who grants access to an employee of the Company to the personal data being processed bears personal responsibility. Employees of the Company who receive access to the personal data being processed bear personal responsibility for maintaining the confidentiality of the information received.

10.4. Disclosure of personal data of a subject (including transferring it to unauthorized persons, including employees of the Company who do not have access to it), public disclosure, loss of documents or other media containing personal data of the Company’s subjects, as well as other violations of obligations for their protection and processing established by this Policy and other local regulations of the Company regarding the processing of personal data, will result in disciplinary action against the responsible employee.

10.5. In case of changes to the legislation of the Kyrgyz Republic, if there are conflicts between the provisions of the Company's internal documents and the norms of current legislation, certain provisions of the Company's internal documents lose their legal force. Until the authorized body of the Company approves new versions of the internal documents, the Company's employees must comply with the current legislation of the Kyrgyz Republic. The invalidation of one or more sections of internal documents does not affect the validity of the entire document.

10.6. Amendments and additions to this Policy are approved by the Company's Director and come into force by their order.

10.7. The Company's employees are introduced to this Policy under signature.

10.8. Clients are informed of this Policy on the Company's Website. For Clients using the Company's Websites, changes to the Policy come into effect from the date they are published on the respective Website. The Client is obliged to independently and regularly check the Website for updates to the Policy. If the Client disagrees with the changes made by the Company to this Policy, they must stop using the Website and terminate contractual relations with the Company.

Annex 1:
to the Privacy Policy and Personal Data Processing Policy of the Secure Transactions Service escrow.me

Request Form for a Data Subject regarding the existence and review of personal data

To __________ «___________»
From: _________________________________
Address: _________________________________
_________________________________
Passport: Series ______№_________________
Issued by: _________________________________
_________________________________
_________________________________

REQUEST

In accordance with Article 14 of Federal Law No. 152-FZ "On Personal Data" dated July 27, 2006, I have the right to obtain information from __________ «___________» about the existence of my personal data.
I request that __________ «___________» provide me with the following information:

1. Whether my personal data is being processed.
2. A list of my personal data being processed and the source of its acquisition.
3. Legal grounds and purposes for processing my personal data.
4. Methods of processing my personal data.
5. Which individuals have or may have access to my personal data.
6. The retention period of my personal data.
7. Whether cross-border transfer of my personal data is being conducted.
8. Other (specify):

Please send the response to this request in writing to the address provided above within the timeframe established by law.

_________________________/_________________/ «____»_______________20___
Full Name / Signature / Date

Annex 2:
to the Privacy Policy and Personal Data Processing Policy of the Secure Transactions Service escrow.me

Request Form for a Data Subject to Amend Personal Data

To __________ «___________»
From: _________________________________
Address: _________________________________
_________________________________
Passport: Series ______№_________________
Issued by: _________________________________
_________________________________
_________________________________

REQUEST

In accordance with Article 20 of Federal Law No. 152-FZ "On Personal Data" dated July 27, 2006, and in connection with ____________________________, I request that __________ «___________» make the following amendments to my personal data: __________________________________

Please send the response to this request in writing to the address provided above within the timeframe established by law.

_________________________/_________________/ «____»_______________20___
Full Name / Signature / Date

Annex 3:
to the Privacy Policy and Personal Data Processing Policy of the Secure Transactions Service escrow.me

Request Form for a Data Subject to Delete Personal Data

To __________ «___________»
From: _________________________________
Address: _________________________________
_________________________________
Passport: Series ______№_________________
Issued by: _________________________________
_________________________________
_________________________________

REQUEST

In accordance with Article 20 of Federal Law No. 152-FZ "On Personal Data" dated July 27, 2006, and in connection with ____________________________, I request that __________ «___________» delete the following personal data of mine: __________________________________

Please send the response to this request in writing to the address provided above within the timeframe established by law.

_________________________/_________________/ «____»_______________20___
Full Name / Signature / Date

Annex 4:
to the Privacy Policy and Personal Data Processing Policy of the Secure Transactions Service escrow.me

Request Form for a Data Subject to Withdraw Consent for Personal Data Processing

To __________ «___________»
From: _________________________________
Address: _________________________________
_________________________________
Passport: Series ______№_________________
Issued by: _________________________________
_________________________________
_________________________________

REQUEST

In accordance with Article 20 of Federal Law No. 152-FZ "On Personal Data" dated July 27, 2006, and in connection with ____________________________, I request that __________ «___________» cease processing my personal data: __________________________________

Please send the response to this request in writing to the address provided above within the timeframe established by law.

_________________________/_________________/ «____»_______________20___
Full Name / Signature / Date