Privacy Policy
Edition dated October 27, 2025
Privacy Policy of Sole Proprietor Maksim Nikolaevich Pasko (Registration Number: 002-2024-169-7968, TIN: 22312198950079) regarding the processing and protection of personal data information.
1. General Provisions
1.1. This Policy is implemented by Sole Proprietor Maksim Nikolaevich Pasko (hereinafter – the "Operator") regarding the processing and protection of personal data of individuals (Data Subjects) based on Articles 29 and 33 of the Constitution of the Kyrgyz Republic and the Kyrgyz Republic Law dated April 14, 2008 No. 58 "On Personal Information".
1.2. The Policy applies to all personal data that may be obtained by the Operator in the course of its activities, including the Operator's clients. The Operator processes personal data in accordance with the following normative legal acts:
· Law dated April 14, 2008 No. 58 "On Personal Information";
· Resolution of the Government of the Kyrgyz Republic dated November 21, 2017 No. 759 "Procedure for obtaining consent of the personal information subject for the collection and processing of their personal data, procedure and form for notifying personal information subjects of the transfer of their personal information to third parties";
· other normative legal acts of the Kyrgyz Republic and normative documents of executive authorities.
1.3. The purpose of the Policy is to inform persons providing their personal data about the necessary information allowing them to assess what personal data and for what purposes are processed by the Operator, what security measures are implemented, as well as to establish the main principles and approaches to the processing and security of personal data information at the Operator.
1.4. The Policy ensures the protection of the rights and freedoms of Data Subjects (hereinafter – "Subject") during the processing of their personal data using or without automation means, and also establishes liability for persons with access to personal data for failure to comply with the requirements governing the processing and protection of personal data.
1.5. Users, by using the Operator's services and services posted on the Operator's website https://rifify.io/, by providing the Operator with their personal data, including through third parties, acknowledge their consent to the processing of personal data in accordance with this Policy. In case of disagreement with this Policy as a whole or any clause thereof, the User must refrain from using the services and services.
The Operator receives and begins processing the Subject's personal data from the moment of obtaining their consent. Consent to the processing of personal data may be given by the Subject in any form that allows confirming the fact of consent receipt, unless otherwise provided by law: in written, oral or other form provided by applicable legislation, including through the Subject's conclusive actions when using services on the Operator's website https://rifify.io/, using feedback forms and acceptance of offers containing provisions on personal data processing in accordance with applicable legislation and posted on the Operator's website https://rifify.io/. In the absence of the Subject's consent to the processing of their personal data, such processing is not carried out.
1.6. The Subject's consent to the processing of personal data may be withdrawn. In case of withdrawal by the Subject of consent to the processing of personal data, the Operator may continue processing personal data without the Subject's consent if there are grounds specified by applicable legislation.
1.7. This Policy may be amended by the Operator. The Operator has the right at any time at its discretion to make changes to this Policy without prior notice to the Subject. When changes are made, the current edition indicates the date of the last update. The new edition of the Policy comes into force from the moment of its posting on the website, unless otherwise provided by the new edition of the Policy.
1.8. This Policy applies only to information about the Subject obtained in the course of using the Operator's Services. The Operator does not control and is not responsible for the processing of User information by websites of third parties to which the User may go via links available on the Operator's official website.
1.9. Terms used in this policy:
· Personal Information (Personal Data) – recorded information on a material medium about a specific person, identified with a specific person or which can be identified with a specific person, allowing direct or indirect identification of this person through reference to one or more factors specific to their biological, economic, cultural, civil or social identity. Personal data includes biographical and identification data, personal characteristics, information on family status, financial status, health status, and more.
· List of Personal Information – a list of categories of data about one Subject.
· Array of Personal Information – any structured set of personal data of an indefinite number of subjects, regardless of the type of information medium and means of processing used (archives, card files, electronic databases, etc.).
· Public Arrays of Personal Information – arrays of personal data whose access is not restricted by law and intended for general use (directories, telephone books, address books, etc.).
· Confidentiality Regime of Personal Information – normatively established rules defining restrictions on access, transfer, provision and storage conditions of personal data.
· Subject of Personal Information (Subject) – a natural person to whom the relevant personal data relates.
· Holder (Owner) of Personal Information Array – state authorities, local self-government bodies and legal entities vested with powers to determine the purposes, categories of personal information and control the collection, storage, processing and use of personal information in accordance with this Law.
· Authorized State Body for Personal Data (hereinafter – Authorized State Body) – a state body authorized by the Government of the Kyrgyz Republic to perform functions and powers to ensure compliance of personal information processing with the requirements of this Law, protection of Subjects' rights, registration of holders (owners) of personal data arrays, maintenance of the Register of holders of personal data arrays, other tasks, functions and powers provided by this Law.
· Processor – a natural or legal person designated by the holder (owner) of personal data that processes personal information based on a contract concluded with it.
· Recipient of Personal Information – state authorities or local self-government bodies, legal and natural persons, as well as Subjects to whom personal data is transferred and provided in accordance with this Law.
· Collection of Personal Information – the procedure for obtaining personal information by the holder (owner) of the personal information array from these data Subjects or from other sources in accordance with the legislation of the Kyrgyz Republic.
· Processing of Personal Information – any operation or set of operations performed regardless of methods by the holder (owner) of personal information or on its behalf, using automatic means or without them, for the purposes of collection, recording, storage, updating, grouping, blocking, deletion and destruction of personal data.
· Subject's Consent to Personal Information – expressed in the form provided by this Law, free, specific, unconditional and conscious expression of will of the person, according to which the Subject notifies of their consent to carry out procedures related to the processing of their personal data.
· Transfer of Personal Information – provision by the holder (owner) of personal information to third parties in accordance with this Law and international treaties.
· Cross-Border Transfer of Personal Information – transfer by the holder (owner) of personal information to holders located under the jurisdiction of other states.
· Updating Personal Information – operational making of changes to personal data in accordance with procedures established by applicable legislation of the Kyrgyz Republic.
· Blocking Personal Information – temporary cessation of transfer, clarification, use and destruction of personal data.
· Destruction (Deletion or Destruction) of Personal Information – actions of the holder (owner) of personal information to bring these data to a state that does not allow restoring their content.
· Depersonalization of Personal Information – removal from personal information of that part which allows identifying them with a specific person.
· Personal Information System – a set of personal information contained in databases and information technologies and technical means ensuring their processing.
2. Concept and Composition of Personal Data
2.1. For the purposes of this Policy, personal data means any information relating to a directly or indirectly identified natural person (Personal Information Subject).
2.2. Depending on the Subject, the Operator for carrying out its activities and fulfilling its obligations may process personal data of the following categories of Subjects:
· Client data – information necessary for the Operator to fulfill its obligations under contractual relations with the Client and to comply with the requirements of the legislation of the Kyrgyz Republic;
· personal data of the Client provided during registration on the website https://rifify.io/ including when using services, communication forms posted on the website;
· personal data of other natural persons who have consented to the processing of their personal information by the Operator or natural persons whose personal information processing is necessary for the Operator to achieve the purposes provided by an international treaty of the Kyrgyz Republic or law, to carry out and fulfill the functions, powers and duties assigned by the legislation of the Kyrgyz Republic to the hosting provider and domain name registrar;
· personal data of natural persons made publicly available by them, and their processing does not violate their rights and complies with the requirements established by the Legislation on Personal Information.
2.3. A Subject falling under the list of persons specified in clause 2.2 consents to the processing of the following personal data:
· surname, first name;
· phone numbers;
· email addresses (E-mail).
3. Grounds and Purposes of Personal Data Processing
3.1. The Operator processes personal data to carry out its activities, including to provide services to Clients. The Operator is entitled to:
· carry out functions assigned to the Operator by the legislation of the Kyrgyz Republic in accordance with Law No. 58 "On Personal Information" and other laws and normative legal acts of the Kyrgyz Republic;
· The Operator collects and stores the Client's personal data necessary to provide services, execute agreements and contracts, fulfill obligations to the Client.
3.2. The Operator processes personal data only if at least one of the following conditions exists:
· personal data processing is carried out with the Subject's consent to the processing of their personal data;
· personal data processing is necessary to achieve the purposes provided by law, to carry out and fulfill the functions, powers and duties assigned to the Operator by the legislation of the Kyrgyz Republic;
· personal data processing is necessary to execute a contract of which the Subject is a party or beneficiary or surety, as well as to conclude a contract on the Subject's initiative or a contract under which the Subject will be a beneficiary or surety;
3.3. The Operator and other persons who have gained access to personal information are obliged not to disclose to third parties and not disseminate personal information without the Subject's consent, unless otherwise provided by law.
3.4. The Operator may process Subjects' personal information for the following purposes:
· for identification of the Subject;
· to enable registration and servicing of the Subject on the website services;
· for communication with the Subject if necessary, including sending proposals, notifications, information and requests, both related and unrelated to service provision, as well as processing the Subject's applications, requests and applications;
· for conclusion and execution of a contract between the Subject and the Operator.
3.5. Processing of special categories of Personal Data concerning racial, national origin, political views, religious or philosophical beliefs, intimate life is not carried out by the Operator.
3.6. Legal grounds for processing personal information are the following legal acts:
· contracts concluded between the Operator and the Subject.
4. Principles of Personal Information Processing
4.1. Processing of personal information by the Operator is carried out based on the principles:
· legality of the purposes and methods of Processing personal information;
· good faith of the Operator in personal information, achieved by fulfilling the requirements of the legislation of the Kyrgyz Republic on Processing personal information;
· correspondence of the composition and volume of processed personal information, as well as methods of Processing personal information to the stated Processing purposes;
· accuracy and sufficiency, and where necessary, relevance of Personal Information to the stated purposes of their Processing;
· destruction of Personal Information upon achieving the Processing purposes in a way excluding the possibility of their restoration;
· inadmissibility of merging databases containing personal information whose processing is carried out for purposes incompatible with each other.
4.2. Employees of the Operator admitted to Processing personal information are obliged: To know and strictly comply with the provisions of:
· legislation of the Kyrgyz Republic on personal information, this Policy;
· local acts of the Operator on issues of Processing and ensuring security of personal information;
· process personal information only within the framework of performing their official duties;
· not disclose personal information processed at the Operator;
· report actions of other persons that may lead to violation of this Policy provisions;
· report known facts of violation of this Policy requirements to the person responsible for organizing the Processing of personal information at the Operator.
4.3. Security of personal information at the Operator is ensured by implementing coordinated measures aimed at preventing (neutralizing) and eliminating threats to personal information security, minimizing possible damage.
5. Terms of Personal Data Processing
5.1. Terms of personal information processing – personal data is processed until the moment of sending a consent withdrawal for their processing.
5.2. The condition for termination of personal information processing is the liquidation of the Operator.
6. Circle of Persons Admitted to Personal Information Processing
6.1. To achieve the purposes of Article 3 of this Policy, only those Operator employees on whom such duty is assigned in accordance with their official (labor) duties are admitted to personal information processing. Access for other employees may be granted only in cases provided by law. The Operator requires its employees to comply with confidentiality and ensure security of personal data during their processing.
6.2. The Operator may transfer personal data to third parties in the following cases:
· The Subject has explicitly expressed consent to such actions;
· Transfer is provided by national or other applicable legislation within the procedure established by law. In this case, all obligations to comply with the conditions of this Policy regarding the data received pass to the recipient.
6.3. Upon a reasoned request of the authorized body and in accordance with applicable legislation, the Subject's personal data without their consent may be transferred:
· in connection with the administration of justice to judicial bodies;
· to internal affairs bodies, State Committee for National Security, prosecutor's office;
· to other authorized by applicable legislation and applicable legal norms bodies and the Operator in cases established in normative legal acts mandatory for the Operator.
7. Procedure and Methods of Personal Information Processing
7.1. In the process of providing services, during internal economic activities, the Operator uses automated and non-automated processing of personal information.
7.2. The Operator may entrust the Processing of personal information to another person with the Subject's consent, unless otherwise provided by the legislation of the Kyrgyz Republic, based on a contract concluded with this person, a mandatory condition of which is compliance by this person with the principles and rules of Personal Data Processing provided by the Law "On Personal Information".
7.3. Personal data is not disclosed to third parties and not disseminated in other ways without the Subject's consent, unless otherwise provided by the legislation of the Kyrgyz Republic.
7.4. Representatives of state authorities (including regulatory, supervisory, law enforcement and other bodies) gain access to personal information processed at the Operator in the volume and procedure established by the legislation of the Kyrgyz Republic.
7.5. Within the framework of personal information processing, the following rights are established for the Subject and the Operator.
7.5.1. The Subject has the right:
· to receive information regarding the processing of their personal data in the procedure, form and terms established by the Legislation on Personal Information;
· to demand clarification, blocking or destruction of their personal information if it is incomplete, outdated, inaccurate, illegally obtained, not necessary for the stated processing purpose or used for purposes not previously stated when the Subject gave consent to personal data processing;
· to conclude with the Operator an Agreement on private access regime to the Subject's personal information;
· to take measures provided by law to protect their rights;
· to withdraw their consent to personal data processing.
7.5.2. The Operator has the right:
· to process the Subject's personal data in accordance with the stated purpose;
· to demand from the Subject provision of reliable personal data necessary for contract execution, service provision, Subject identification, as well as in other cases provided by the Legislation on Personal Data;
· to restrict the Subject's access to their personal data if the Processing of personal information is carried out in accordance with anti-money laundering legislation, the Subject's access to their personal data violates the rights and legitimate interests of third parties, as well as in other cases provided by the legislation of the Kyrgyz Republic;
· to process publicly available personal data of natural persons;
· to carry out processing of personal data subject to publication or mandatory disclosure in accordance with the legislation of the Kyrgyz Republic;
· to entrust personal information processing to another person with the Subject's consent.
7.6. In case of confirmation of the fact of inaccuracy of personal information or illegality of their processing, the personal information is subject to updating by the Operator, and processing must be terminated.
7.7. Upon achieving the purposes of personal information processing, as well as in case of withdrawal by the Subject of consent to its processing, personal information is subject to destruction if:
· otherwise not provided by the contract, a party to which, beneficiary or surety under which is the Subject;
· otherwise not provided by the agreement between the Operator and the Subject of personal information.
7.8. The Operator is obliged to inform the Subject or their representative about the personal information processing carried out by it upon the latter's request.
7.9. The Operator also has other rights and bears other duties established by the Law "On Personal Information".
8. Implementation of Personal Data Protection
8.1. The Operator's activities for processing personal information in information systems are inseparably linked with the Operator's protection of the confidentiality of the received information. All Operator employees are obliged to ensure confidentiality of personal data, as well as other information established by the Operator, if this does not contradict applicable legislation of the Kyrgyz Republic.
8.2. Security of personal information during its processing in the Operator's information systems is ensured using an information protection system. Ensuring security of processed personal information is carried out by the Operator within a single comprehensive system of organizational-technical and legal measures to protect information constituting a trade secret, taking into account the requirements of the Legislation on Personal Information, normative legal acts adopted in accordance with it.
8.3. Exchange of personal information during its processing in information systems is carried out via communication channels protected by technical information protection means.
8.4. During processing of personal information in the Operator's information systems, the following is ensured:
· implementation of measures aimed at preventing unauthorized access to personal information and/or its transfer to persons without access rights to such information;
· timely detection of unauthorized access to personal information facts;
· prevention of impact on technical means of automated personal data processing, as a result of which their functioning may be disrupted;
· possibility of immediate restoration of personal information modified and destroyed as a result of unauthorized access to it;
· constant control of the personal information protection level;
· appointment of officials responsible for organizing the processing and protection of personal information;
· restriction of the composition of persons with access to personal information;
· familiarization of Subjects with the requirements of legislation and Operator's normative documents on personal information processing and protection;
· Operator's employees carrying out personal information processing are familiarized with the requirements of the legislation of the Kyrgyz Republic on personal information, local acts on personal information processing issues.