Privacy Policy
DATA PRIVACY
and Personal Data Processing Policy
Almaty
This Data Privacy and Personal Data Processing Policy (hereinafter - “Policy”) defines the procedure for collecting, processing, storing, using, transferring and protecting the personal data of users of the website, mobile application, and other VenMart Platform interfaces (hereinafter - “Platform”). The personal data operator of the Platform is VenMart Limited Liability Partnership (hereinafter - “Operator” or “VenMart”).
By using the Platform, completing registration and (or) taking actions aimed at using VenMart services, including linking a bank card, completing Card Verification, performing a Test Transaction, using the Internal Wallet, making purchases, conducting Pre-Authorization (Hold), confirming Pre-Authorization, making an Additional Charge, paying Debts, submitting requests, and using other functions of the Platform, the User confirms that they have read this Policy and give consent to the processing of their personal data on the terms set out herein, unless otherwise required by the legislation of the Republic of Kazakhstan.
This Policy shall apply and be construed jointly with the Terms for Using the VenMart Platform (public offer).
1. General Provisions
- 1.1. This Policy has been developed in accordance with the legislation of the Republic of Kazakhstan, including the Law of the Republic of Kazakhstan “On Personal Data and Data Privacy”, as well as other regulatory legal acts of the Republic of Kazakhstan governing the processing and protection of personal data.
- 1.2. The Operator independently organizes and (or) carries out the processing of User personal data and determines the purposes, scope, categories, and methods of personal data processing in accordance with this Policy, the Offer, and the legislation of the Republic of Kazakhstan.
- 1.3. This Policy applies to all personal data of Users processed by the Operator in connection with the use of the Platform, including registration, authorization, linking a bank card, performing Card Verification and a Test Transaction, using the Internal Wallet, making purchases, conducting and processing Pre-Authorization (Hold), confirming Pre-Authorization, cancelling Pre-Authorization, making Additional Charges, recording and paying Debts, reviewing requests, refunds, and Disputed Transactions.
- 1.4. The Operator ensures that personal data are processed on the principles of lawfulness, good faith, confidentiality, limitation of processing to the achievement of specific, predetermined, and lawful purposes, as well as minimization of the volume of processed data.
2. Terms and Definitions
- 2.1. Personal Data — information relating to an identified or identifiable User, recorded on electronic, paper, and (or) other tangible media.
- 2.2. User — an individual using the VenMart Platform.
- 2.3. Operator — VenMart LLP, which independently organizes and (or) carries out the processing of personal data and also determines the purposes and methods of personal data processing.
- 2.4. Personal Data Processing — any action or combination of actions performed with personal data, including collection, recording, systematization, accumulation, storage, use, transfer, granting access, de-identification, blocking, and deletion.
- 2.5. Personal Data De-identification — actions as a result of which it becomes impossible, without the use of additional information, to determine that personal data belong to a specific User.
- 2.6. Platform — the aggregate of software, server infrastructure, website, mobile application, interfaces, and integrated VenMart vending machines.
- 2.7. Payment Partner — TipTop Pay LLP and (or) any other organization ensuring non-cash payment, bank card tokenization, card transaction processing and payment status transmission within the Platform.
- 2.8. Linked Card — the User’s bank card connected to the Platform using the payment infrastructure of the Payment Partner.
- 2.9. Internal Wallet — the User’s internal recorded balance within the VenMart system, used for payment for goods and other transactions expressly provided for by the Platform and the Offer.
- 2.10. Card Verification — verification of the User’s bank card when it is linked to the Platform.
- 2.11. Test Transaction — a payment transaction in the amount of 100 (one hundred) tenge conducted during Card Verification, with subsequent cancellation (void) or other reversal in accordance with the rules of the Payment Partner and the issuing bank.
- 2.12. Pre-Authorization (Hold) — a temporary hold on funds on the User’s Linked Card in order to ensure the possibility of subsequent payment for the goods actually selected.
- 2.13. Pre-Authorization Confirmation — the final charge to the Linked Card of the purchase amount within the limits of the previously blocked Pre-Authorization amount.
- 2.14. Pre-Authorization Cancellation — cancellation of the Hold and release of funds on the User’s Linked Card if no purchase was made or as otherwise required by the user scenario and the technical logic of the transaction.
- 2.15. Additional Charge — a separate payment transaction charging the Linked Card an amount exceeding the Pre-Authorization amount if the final purchase cost exceeds the Hold amount.
- 2.16. Purchase Session — the period from the moment the User is granted access to the vending machine until the moment the vending machine is closed and the composition of selected goods is automatically recorded.
- 2.17. Debt — the unpaid purchase amount or part thereof arising where the Additional Charge or any other transaction necessary for full payment for purchased goods cannot be successfully processed.
- 2.18. Disputed Transaction — a situation where the User disputes the correctness of the purchase composition, the total purchase amount, Pre-Authorization, Pre-Authorization Confirmation, Pre-Authorization Cancellation, an Additional Charge, Internal Wallet transactions, Debt recording or the results of automatic goods recording.
3. Categories of Personal Data Processed
- 3.1. The Operator processes User personal data in the minimum volume necessary to achieve the purposes set out in this Policy.
- 3.2. In connection with the use of the Platform, the Operator may process the following categories of data.
- 3.2.1. Identification and Account Data
- unique User identifier within the Platform;
- technical identifiers, session tokens, authorization tokens, and other account data required for the functioning of the Platform;
- information confirming registration, authorization, and acceptance of the Offer and the Policy, including the date, time, and version of the documents.
- 3.2.2. Data Related to Use of the Platform and Purchases
- information on Purchase Sessions;
- information on the User’s actions within the Platform;
- information on selected goods, purchase composition, and the total purchase amount;
- information on the statuses of purchases, refunds, cancellations, Disputed Transactions, and Debts;
- information on the payment method selected by the User;
- information on accrual, reservation, blocking, charging, return of the unused balance, adjustment, and the balance of funds in the Internal Wallet.
- 3.2.3. Contact Details
- email address;
- telephone number;
- other contact details provided by the User when contacting customer support or in other cases provided for by the functionality of the Platform.
- 3.2.4. Payment and Payment-Related Data
- information on the fact of card linking;
- information on completion of Card Verification and Test Transaction;
- technical identifiers of the payment transaction;
- information on successful or unsuccessful Pre-Authorization;
- information on Pre-Authorization Confirmation;
- information on Pre-Authorization Cancellation;
- information on successful or unsuccessful Additional Charge;
- information on the refund, cancellation, or rejection of a payment transaction;
- information on Debt availability, amount, status change and settlement;
- masked and (or) technical payment instrument data, if such data are transmitted by the Payment Partner to the Operator within the permissible scope;
- history of transactions related to the Internal Wallet and payment for goods.
- 3.2.5. Technical Data
- IP address;
- transaction date and time;
- information on the device, browser, operating system, application, and software used by the User to access the Platform;
- technical logs, error logs, and event logs related to the use of the Platform.
- 3.2.6. Video Surveillance and Evidentiary Data
- photographs;
- short video recordings;
- technical logs and other materials generated for the purposes of security, prevention of misuse, investigation of incidents, and resolution of disputed situations.
- 3.3. The Operator does not collect, store, or process the full details of Users’ bank cards, including the full card number, CVC/CVV code, and other data. They are processed independently by the Payment Partner or the bank.
- 3.4. With respect to the payment infrastructure, the Operator receives and processes only the information necessary for:
- linking a payment transaction to the User;
- reflecting the status of Card Verification and the Test Transaction;
- reflecting the status of Pre-Authorization, Pre-Authorization Confirmation, Pre-Authorization Cancellation, and an Additional Charge;
- maintaining the Internal Wallet;
- recording and settling Debts;
- processing refunds, cancellations, and Disputed Transactions;
- executing the Offer and this Policy.
- 3.5. Surname, first name, patronymic, Individual Identification Number (IIN), as well as other data required by the Payment Partner for processing payment transactions may be processed independently by the Payment Partner in accordance with its own documents and the legislation of the Republic of Kazakhstan. To the extent that such data are not transferred to the Operator, the Operator does not receive, store, or process them.
- 3.6. The User’s biometric personal data, including data used by third parties for facial image, palm image authentication or other biometric identifiers, are not processed by the Operator unless otherwise expressly specified in a separate version of the Policy and accompanied by a separate legal basis and the User’s proper consent.
4. Evidentiary Materials and Video Recording
- 4.1. In order to ensure the safe operation of automated devices, the correctness of goods accounting, confirmation that transactions took place, and resolution of disputed situations, technical events may be recorded in the area where the vending machine is located, including photo and (or) short video recording.
- 4.2. Such materials may contain personal data and are processed by the Operator in the minimum volume necessary solely for the following purposes:
- misuse prevention;
- incident investigation;
- reviewing Disputed Transactions and Users’ requests;
- verifying the correctness of automatic recording of the purchase composition, Purchase Session completion, and payment transactions, including Pre-Authorization, Pre-Authorization Confirmation, Pre-Authorization Cancellation, an Additional Charge, Internal Wallet transactions, and Debt recording;
- protecting the property, rights, and legitimate interests of the Operator, the Users, and other persons;
- compliance with the requirements of the legislation of the Republic of Kazakhstan.
- 4.3. Such recording is not used by the Operator for User biometric identification.
- 4.4. Access to evidentiary materials is granted only to authorized persons of the Operator or to other persons on lawful grounds, within the scope necessary to complete processing.
5. Purposes of Personal Data Processing
- 5.1. Users’ personal data are processed by the Operator solely for the purposes necessary for the functioning of the Platform and the execution of obligations provided for by the Offer and the legislation of the Republic of Kazakhstan, including:
- providing Users with access to the Platform and vending machines;
- User account registration, authorization, and maintenance;
- recording, processing, and storing information on Purchase Sessions and use of the Platform;
- displaying the history of purchases and related transactions to the User;
- ensuring the information and technical security of the Platform;
- prevention of unauthorized use of services, abuse, fraud, theft, property damage, and other unlawful acts;
- ensuring the safety of the Platform, vending machines, and Users;
- compliance with the requirements of the legislation of the Republic of Kazakhstan;
- protecting the rights and legitimate interests of the Operator.
- 5.2. Personal data are not used by the Operator for purposes incompatible with the purposes set out in this Policy and are not processed in an excessive volume.
- 5.3. Automatic recording of a Purchase Session, determination of the total purchase amount, recording of Pre-Authorization status, Pre-Authorization Confirmation, Pre-Authorization Cancellation, an Additional Charge, Internal Wallet transactions, and Debts are carried out in an automated mode with the possibility of subsequent verification during the review of a Disputed Transaction.
6. Legal Grounds for Personal Data Processing
- 6.1. The Operator processes User personal data on the following legal grounds:
- the User’s consent to the processing of personal data;
- the necessity to process personal data for concluding and executing a contract to which the User is a party;
- the necessity to process personal data for exercising the Operator’s rights and legitimate interests, provided that the User’s rights and freedoms are not violated thereby;
- executing obligations imposed on the Operator by the legislation of the Republic of Kazakhstan.
- 6.2. In cases where personal data are processed on the basis of the User’s consent, the User may withdraw this consent in the manner prescribed by the legislation of the Republic of Kazakhstan, taking into account limitations related to the need to execute the contract, maintain the Internal Wallet, retain transaction history, settle Debts, review refunds, claims, and Disputed Transactions, maintain mandatory documentation, and comply with legal requirements.
- 6.3. The Operator organizes the processing of personal data taking into account the distribution of roles between the Operator and the Payment Partner. The Payment Partner processes data within its own payment infrastructure and on its own legal grounds, including in respect of card linking, Card Verification, Test Transaction, Pre-Authorization, Pre-Authorization Confirmation and Cancellation, an Additional Charge, refunds, and other card transactions, unless otherwise provided by legislation and the contractual relations of the parties.
7. Conditions and Methods for Personal Data Processing
- 7.1. Users’ personal data are processed by the Operator using automation tools and (or) without the use of such tools.
- 7.2. The Operator processes personal data only in the volume necessary to achieve the purposes set out in this Policy.
- 7.3. The Operator takes the necessary legal, organizational, and technical measures to protect personal data against unauthorized or accidental access, destruction, alteration, blocking, copying, dissemination, loss, as well as other unlawful actions.
- 7.4. Access to personal data is granted exclusively to authorized employees of the Operator and (or) other persons admitted to the processing of personal data on lawful grounds, within the scope necessary to perform their functions.
- 7.5. Persons admitted to the processing of personal data shall maintain confidentiality and ensure personal data protection in accordance with the legislation of the Republic of Kazakhstan and the Operator’s internal documents.
- 7.6. In the event a personal data security breach is identified, the Operator acts in the manner prescribed by the legislation of the Republic of Kazakhstan.
8. Storage of Personal Data and Retention Periods
- 8.1. User personal data shall be stored and processed for the period necessary to complete the processing set out in this Policy, as well as for the periods established by the legislation of the Republic of Kazakhstan.
- 8.2. After completing personal data processing or upon expiration of the established retention periods, personal data shall be deleted or de-identified, unless otherwise provided by the legislation of the Republic of Kazakhstan or required for the review of Disputed Transactions, refunds, claims, Debt settlement, confirmation of card transaction and Internal Wallet transaction history, as well as incident investigation.
- 8.3. Specific retention periods for certain categories of personal data may be established by the Operator’s internal documents, taking into account the nature of the data, the purposes of their processing, and the requirements of the legislation of the Republic of Kazakhstan.
- 8.4. Video recordings obtained through the video surveillance systems and other technical recording tools shall be stored for a period not exceeding 30 (thirty) calendar days from the date of recording, unless a longer retention period is required to:
- review Disputed Transactions;
- investigate an incident;
- ensure security;
- comply with the requirements of the legislation of the Republic of Kazakhstan;
- respond to requests of authorized state authorities.
- 8.5. For the purposes of this Policy, an incident means an event identified and recorded by the Operator or brought to the Operator’s attention by a User, a state authority, or another authorized person, which requires additional investigation, preservation of evidentiary materials, and (or) response measures.
9. Transfer of Personal Data to Third Parties
- 9.1. The Operator may transfer Users’ personal data to third parties solely in the volume necessary to complete processing set out in this Policy and only in the following cases:
- 9.1.1. To Payment Partners
- to the extent necessary for card linking, Card Verification, Test Transaction, Pre-Authorization, Pre-Authorization Confirmation, Pre-Authorization Cancellation, an Additional Charge, refunds, cancellation of transactions, confirmation of payment statuses, and other actions related to cashless payment.
- 9.1.2. To Persons Providing Technical Support and Maintenance of the Platform
- to the extent necessary for the functioning of the Platform, troubleshooting, investigating incidents, and ensuring information security, provided that they comply with confidentiality requirements and applicable legislation.
- 9.1.3. To State Authorities and Other Authorized Persons
- in cases and in the manner expressly provided for by the legislation of the Republic of Kazakhstan.
- 9.1.4. To Other Persons
- upon the User’s consent or other lawful basis.
- 9.2. The Operator does not carry out cross-border transfer of Users’ personal data unless otherwise expressly provided for in a separate version of this Policy and compliant with the requirements of the legislation of the Republic of Kazakhstan.
- 9.3. If part of the User’s personal data is processed independently by the Payment Partner within its own payment infrastructure, the relations between the User and the Payment Partner in the relevant part shall additionally be governed by the documents of that Payment Partner.
10. User Rights and Operator Obligations
- 10.1. User Rights
- 10.1.1. The User has the right to receive information relating to personal data processing carried out by the Operator, in the scope and in the manner provided for by the legislation of the Republic of Kazakhstan.
- 10.1.2. The User has the right to demand clarification, blocking, or destruction of their personal data if such data are incomplete, outdated, inaccurate, unlawfully obtained, or not necessary for the stated processing purposes.
- 10.1.3. The User has the right to withdraw consent to the processing of personal data in the cases and in the manner provided for by the legislation of the Republic of Kazakhstan, taking into account limitations related to the execution of the contract, maintenance of the Internal Wallet, transaction history, settlement of debts, review of refunds, claims, and Disputed Transactions, as well as the need to retain information on card transactions related to Pre-Authorization, Pre-Authorization Confirmation, Pre-Authorization Cancellation, and an Additional Charge.
- 10.2. Operator Obligations
- 10.2.1. The Operator undertakes to process Users’ personal data in accordance with this Policy and the requirements of the legislation of the Republic of Kazakhstan.
- 10.2.2. The Operator takes the necessary legal, organizational, and technical measures to protect Users’ personal data.
- 10.2.3. The Operator undertakes to provide the User with information on the processing of their personal data in the cases and in the manner provided for by the legislation of the Republic of Kazakhstan.
- 10.3. User Obligations
- 10.3.1. The User undertakes to provide accurate information in the volume necessary for the use of the Platform where the functionality of the Platform requires such provision.
- 10.3.2. The User undertakes to comply with the requirements of this Policy and the Offer when using VenMart services.
11. Amendments to the Privacy Policy
- 11.1. The Operator has the right to introduce amendments and additions to this Policy, subject to compliance with the requirements of the legislation of the Republic of Kazakhstan.
- 11.2. A new version of the Policy shall enter into force from the moment it is posted on the Platform, unless otherwise provided for by that version itself or by the legislation of the Republic of Kazakhstan.
- 11.3. If amendments affect the purposes, scope, or methods of User personal data processing, the amendments shall be brought to Users’ attention by posting an updated version of the Policy on the Platform and, where necessary, by obtaining the User’s renewed consent.
12. Final Provisions
- 12.1. This Policy shall apply and be construed jointly with the Terms for Using the VenMart Platform (public offer).
- 12.2. In the event of any inconsistency between this Policy and the Offer with respect to personal data processing, the provisions of this Policy shall prevail unless otherwise provided for by the legislation of the Republic of Kazakhstan.
- 12.3. This Policy is a publicly available document and is posted on the Platform for review by an unlimited number of persons.
13. Operator Contact Information
VenMart LLP
BIN 250740007924
Address: 050060, Republic of Kazakhstan, Almaty, Almaly District, 252 Baizakov Street, premises 1
Email: info@venmart.kz