Sun8
Activate code

Personal data processing policy

This Personal Data Privacy Policy (hereinafter referred to as the "Policy") defines the procedure for collecting, processing, using, storing and protecting personal data of personal data subjects in accordance with the Law of the Republic of Kazakhstan dated May 21, 2013 No. 94-V "On Personal Data and Their Protection" (hereinafter referred to as the "Law"), the Order of the Minister of Digital Development, Innovation and Aerospace Industry of the Republic of Kazakhstan dated October 21, 2020 No. 395/НК "On Approval of the Rules for the Collection, Processing of Personal Data" and other regulatory legal acts of the Republic of Kazakhstan (hereinafter referred to as the "Rules").

1. Basic concepts used in the Policy

1.1. Operator - San 8 LLP (BIN 221140032138, location: Republic of Kazakhstan, Almaty city, Zhetysu district, Raimbek Avenue, house 169A, postal code 050050), which collects, processes and protects personal data of personal data subjects.

1.2. User - a legally capable individual who accesses the Site and/or Application and uses their functionality (services) in accordance with the Sun8 User Agreement (https://sun8.kz/terms), or receives the Operator's services in accordance with the Rules for using the "Service Assistance" service (https://sun8.kz/offer).

1.3. The Website is the official Internet resource of the Operator, located on the Internet at the address: https://sun8.kz, through which the User is provided access to the functional capabilities and services of the Operator.

1.4. Software "Sun8" (SW, Program) — a computer program owned by the Copyright Holder, designed for diagnostics, protection and optimization of user devices. The software provides functions for system analysis, vulnerability scanning, cleaning of unnecessary files, service management, connection to a secure virtual private network (VPN), and also includes Wi-Fi protection tools, report generation, display of information about network activity, technical support via online chat, and the ability to use simultaneously on several devices.

1.5. Personal data – information related to a specific or determinable subject of personal data, recorded on electronic, paper and (or) other tangible media.

1.6. Subject of personal data (hereinafter referred to as Subject/User) – an individual to whom the personal data relates and who is directly or indirectly identified or can be identified on the basis of such personal data.

1.7. User Agreement - an agreement concluded under the terms of a public offer, determining the procedure for using the Sun8 software and regulating the procedure for interaction between the Copyright Holder and the User in the process of using the software. The text of the User Agreement is posted at: https://sun8.kz/terms.

2. General Provisions

2.1. This Policy applies to all personal data received by the Operator from Users through the Site and/or Application, as well as from the Operator’s counterparties and employees, and is aimed at compliance with the requirements of the legislation of the Republic of Kazakhstan in the field of personal data.

2.2. The Policy establishes the procedure for processing personal data and the Operator’s obligations to ensure their confidentiality and protection from unauthorized access, distribution, modification, destruction and other illegal actions.

2.3. This Policy shall enter into force from the moment of its publication on the Site. The Operator has the right to unilaterally make changes and additions to this Policy without prior notice to the Subjects of Personal Data. Changes shall enter into force from the moment of publication of the new version of the Policy on the Site, unless otherwise provided by such version.

2.4. The User's use of the Site and/or Application after the publication of a new version of the Policy is considered as acceptance of the changes. The User undertakes to independently monitor the current version of the Policy published on the Site.

3. Categories of personal data subjects

3.1. The collection and processing of personal data is carried out by the Operator in compliance with the principle of voluntary consent of the Subject of personal data. Consent is provided in the form of an electronic document on the Site by placing a mark (tick) in the appropriate checkbox when filling out forms, registering or otherwise using the Site and/or Application.

3.2. The content and volume of personal data processed correspond to the stated purposes specified in Section 5 of this Policy. The Operator does not process personal data incompatible with the purposes of collecting personal data.

3.3. Personal data whose content and volume are excessive in relation to the purposes of their processing shall not be processed.

3.4. When processing personal data, the Operator ensures compliance with the confidentiality regime with respect to such data, except for cases when the relevant personal data are classified as publicly available in accordance with the legislation of the Republic of Kazakhstan.

3.5. Personal data is stored by the Operator in information systems located on the territory of the Republic of Kazakhstan, in accordance with the requirements of paragraph 2 of Article 12 of the Law.

3.6. Personal data may be transferred to third parties solely for the purposes specified in Section 5 of this Policy. Transfer of data to third parties is carried out only on condition that such third parties accept obligations to ensure confidentiality and fulfill other requirements stipulated by the Law.

3.7. Personal data may be transferred to authorized state bodies of the Republic of Kazakhstan only on the grounds and in the manner established by the legislation of the Republic of Kazakhstan.

4. List of personal data

4.1. When using the Site and/or the Application, the Operator processes the following personal data of Users: last name, first name, patronymic; email address; mobile phone number; account balance; User actions on the Site; information about the User's device; information about the User's provider of the Site; data on the User's location and behavior on the Operator's site; information about the User's browser and operating system; information about the screen resolution and color, information about Flash and Java support; information about the User's keywords and search queries; information about the time zone, browser language, screen color depth, page loading parameters, file download, time spent on the Site; other data provided by the User to the Operator.

4.2. The Operator shall process the following personal data of employees: any information related to an individual specified in the employment contract, employee's personal card, documents confirming the employee's work activity (including the work record book), military ID, documents required for concluding an employment contract, other documents received upon conclusion and during the term of the employment contract, including: last name, first name, patronymic; gender; year, month, date and place of birth; citizenship; signature; details of documents confirming the legality of stay in the territory of the Republic of Kazakhstan; bank details (bank account number, name and BIC of the bank); any questionnaire data; details of the personal record sheet and personal card form T-2; identity documents: name, number and date of issue of the identity document; individual identification number (IIN); address of permanent residence and information on registration at the place of residence; address of actual place of residence; Postal and email addresses; telephone numbers; portrait image (photograph); information on education, qualifications, availability of special knowledge or professional training; marital status and family composition; information on previously held positions and length of service (copy of work record book); information on military duty and military service.

4.3. The operator processes the personal data of the counterparty representatives: last name, first name, patronymic (if any), position, other information stipulated by the agreement with the counterparty.

4.4. When the Subjects of personal data use the Operator's Website, the Operator processes data provided for by international protocols for data exchange via the Internet, including (but not limited to): IP address, MAC address, device ID, IMEI, MEID, Cookie data, access time.

4.5. When Users use the Software, the Operator processes the following data, the collection and analysis of which is provided for by the functionality of the Software: Internet connection (IP address of the station in the local network, IP address on the Internet, connection type, provider); network (IP adapter, base speed, connection type); basic operating system parameters (processor model and its load, amount of RAM, video card model, operating system version, % of free space on the disk with the operating system); information on exposure to threats and security (antivirus, startup programs, malware); user software (amount of installed software, list of suspicious software); temporary files; information about all data storage devices; information about installed browsers (name, version); size of system and browser cache; information about the installed router (gateway IP address, gateway manufacturer, connection type to the router, connection speed); WI-FI connection (WI-FI network name, signal level, connection channel, WI-FI network mode), availability of external resources via the current Internet channel, viewing the status of all established external connections, viewing statistics on the operation of all network interfaces, viewing running processes, viewing information in the hosts file; browser and system cache; access to operating system service management; router settings; Wi-Fi environment (signal level of Wi-Fi networks, channel, encryption type).

5. Purposes of personal data processing

5.1. The Operator processes the User’s personal data for the following purposes:

  • providing access to information about the services offered by the Operator;
  • ensuring the possibility of concluding and fulfilling the terms of the User Agreement;
  • identification of the User when using the Site and/or Application;
  • ensuring the functioning, maintenance and improvement of the Site and/or the Application;
  • providing feedback to the User, including sending notifications, requests and information regarding the use of the Site and/or Application;
  • processing requests, applications and claims from the User;
  • directions of advertising and marketing information (if the relevant consent has been obtained);
  • maintaining internal analytics, statistics and reporting of the Operator;
  • compliance with the requirements of the current legislation of the Republic of Kazakhstan,
  • including storage of reporting data provided for by regulatory legal acts.

5.2. The operator processes personal data of employees for the following purposes:

  • fulfilment of the terms of employment contracts concluded between the Operator and employees;
  • fulfilment of the requirements of the Labor Code of the Republic of Kazakhstan dated November 23, 2015 No. 414-V ЗРК;
  • compliance with the provisions of other regulatory legal acts of the Republic of Kazakhstan governing labor and other directly related legal relations (including tax, pension, social and compulsory social health insurance);
  • ensuring the maintenance of personnel, accounting and tax records;
  • formation of statistical and mandatory reporting for authorized government agencies;
  • ensuring compliance with the Operator’s internal regulations governing internal labor relations.

5.3. The operator processes personal data of representatives of counterparties for the following purposes:

  • conclusion, execution, modification and termination of contracts concluded with counterparties;
  • ensuring business interaction and feedback with counterparties;
  • sending notifications, requests, information and other messages related to the fulfillment of contractual obligations;
  • exchange of business correspondence, including emails, telephone calls, instant messengers and other means of communication used within the framework of contractual or business relationships;
  • processing requests, applications, claims and proposals received from counterparties or their authorized representatives.

5.4. The Operator processes data automatically collected during the use of the Site and/or software (SW) for the following purposes: Ensuring the functioning, compatibility and stability of the Site and/or software, including:

  • establishing a technical connection with the User’s device;
  • adaptation of services to the technical parameters of the User’s device;
  • ensuring compatibility of software and hardware components;

Diagnostics, monitoring and troubleshooting of technical problems, including:

  • identifying the causes of failures or performance degradation;
  • analysis of the network connection status and its parameters;
  • detection of malware and other threats.

Improving the quality of services and software performance, including:

  • analysis of the user environment to optimize software operation;
  • improving the architecture and functionality of the software;
  • adaptation of services to the most frequently used configurations.

Information security, including:

  • control of the presence of antivirus protection;
  • identification of potentially dangerous processes and programs;
  • analysis of suspicious connections and network activity.

Conducting statistical analysis and generating anonymous analytics:

  • collection of technical metrics about software operation;
  • summarizing and systematizing data to improve user experience;
  • performance evaluation of different versions and functions of the software.

Ensuring communication with the User, including:

  • providing technical support;
  • sending notifications about errors, updates, security configurations, etc.

6. Cross-border transfer

6.1. Cross-border transfer of personal data – transfer of personal data to the territory of foreign states. Cross-border transfer of personal data to the territory of foreign states is carried out only if these states ensure protection of personal data.

6.2. The operator has the right to carry out cross-border transfer of personal data to the territory of foreign states that do not ensure the protection of personal data, exclusively in the following cases:

  • if there is written consent from the subject of personal data or his legal representative for such transfer;
  • in cases provided for by international treaties ratified by the Republic of Kazakhstan;
  • in cases expressly provided for by the legislation of the Republic of Kazakhstan, when such transfer is necessary for the purposes of:
  • protection of the constitutional order,
  • ensuring public order, protecting the rights and freedoms of man and citizen,
  • protection of health and morality of the population;
  • for the purpose of protecting the constitutional rights and freedoms of man and citizen, if obtaining the consent of the subject of personal data or his legal representative is impossible.

6.3. Cross-border transfer of personal data to the territory of foreign states may be prohibited or restricted by the laws of the Republic of Kazakhstan.

7. Confidentiality of personal data

7.1. Persons who gain access to personal data of restricted access ensure their confidentiality by complying with the requirements not to allow their dissemination without the consent of the Subject or his legal representative or the presence of other legal grounds.

7.2. Persons who have become aware of personal data with limited access in connection with professional, official needs, as well as labor relations, ensure their confidentiality.

8. Accumulation and storage of personal data

8.1. The accumulation of personal data is carried out by collecting them in the volume necessary and sufficient to achieve specific, predetermined processing goals corresponding to the tasks performed by the Operator within the framework of its activities.

8.2. Personal data is stored by the Operator in personal data information systems located on the territory of the Republic of Kazakhstan, in accordance with the requirements of the legislation of the Republic of Kazakhstan, including the provisions of Article 12 of the Law.

8.3. The storage period of personal data is determined in accordance with the purposes of their collection and processing and is limited to the period necessary to achieve them, except for cases where other storage periods are established by the legislation of the Republic of Kazakhstan or contractual obligations.

8.4. Personal data of employees shall be stored until the basis for their processing is lost, except in cases where a longer storage period is provided for by the labor and tax legislation of the Republic of Kazakhstan or regulatory legal acts in the field of archival affairs.

8.5. The personal data of Users are processed by the Operator until the termination of the contractual relationship with the User, that is, until the Operator's software is completely removed from the User's personal device, unless otherwise provided by the legislation of the Republic of Kazakhstan.

8.6. Personal data of counterparty representatives shall be processed until the termination or expiration of the contract with the relevant counterparty. Storage of tangible and electronic media containing personal data of counterparty representatives shall be carried out until the expiration of the limitation period established by the civil legislation of the Republic of Kazakhstan, unless otherwise provided by the current legislation.

9. Changing and supplementing personal data

9.1. The subject has the right to demand from the owner and (or) operator changes and additions to their personal data if there are grounds confirmed by relevant documents

9.2. The subject has the right to know whether the Operator, as well as a third party, has his/her personal data, and to receive information containing:

  • confirmation of the fact, purpose, sources, methods of collecting and processing personal data;
  • list of personal data;
  • the terms of processing personal data, including the terms of their storage.

9.3. In this case, in order to obtain information, the subject or his legal representative sends an appeal (request) to the Operator in writing or in the form of an electronic document or in another way using elements of protective actions that do not contradict the legislation of the Republic of Kazakhstan.

9.4. The operator shall communicate information related to the subject within 3 (three) working days from the date of receipt of the subject’s request or that of his legal representative, unless other timeframes are provided for by the laws of the Republic of Kazakhstan.

9.5. In case of refusal to provide information to the subject or his legal representative, the Operator, within a period not exceeding 3 (three) working days from the date of receipt of the request, shall provide a reasoned response, unless other terms are provided for by the laws of the Republic of Kazakhstan.

10. Destruction of personal data

10.1. Personal data are subject to destruction:

  • after the expiration of the storage period;
  • upon termination of the legal relationship between the Subject of personal data and the Operator;
  • upon entry into force of the court decision;
  • upon detection of the collection and processing of personal data without the consent of the Subject or his legal representative, except in cases where consent is not mandatory;
  • in other cases established by the Law and other regulatory legal acts of the Republic of Kazakhstan.

11. Notification of actions with personal data

11.1. If there is a condition for notifying the Subject about the transfer of his personal data to a third party, the Operator shall notify the Subject or his legal representative within ten working days, unless otherwise provided by the laws of the Republic of Kazakhstan, except in the following cases:

  • performance by state bodies of their functions stipulated by the legislation of the Republic of Kazakhstan, as well as the implementation of activities by private notaries, private bailiffs and lawyers;
  • collection and processing of personal data for statistical, sociological or scientific purposes.

12. Protection of personal data

12.1. The operator ensures the protection of personal data from unauthorized access, loss, modification, blocking, distribution and other illegal actions by applying a set of legal, organizational and technical measures, in accordance with the Law.

12.1.1. Legal measures:

  • development, approval and compliance with the Policy in the field of processing and protection of personal data;
  • definition of the legal grounds for processing, including the consent of the Subject of personal data, execution of the contract, fulfillment of obligations provided by law;
  • notification of the authorized body in case of incidents related to unauthorized access to personal data;
  • compliance with the requirements of the Law, Rules, ST RK 1073-2007 and other regulatory legal acts of the Republic of Kazakhstan;
  • registration of the validity periods of consents, facts of transfer and cross-border transfer of personal data, as well as their dissemination in publicly available sources;
  • ensuring confidentiality within the framework of labor, contractual and other legal relationships with personnel and contractors.

12.1.2. Organizational measures:

  • identification and description of business processes related to the processing of personal and other data;
  • classification of personal data (publicly available / restricted access);
  • establishing the procedure and levels of access to personal data;
  • appointment of a person responsible for organizing the processing and protection of personal data;
  • definition of the list of persons authorized to collect, process and store personal data;
  • implementation of the procedure for blocking and restricting the processing of personal data at the request of the Subject;
  • organization of accounting and control of actions of users processing personal data;
  • ensuring interaction with authorized government agencies and the State Technical Service within the framework of supervision and inspections.

12.1.3. Technical measures:

  • use of information technology objects located on the territory of the Republic of Kazakhstan;
  • use of certified means of cryptographic information protection (not lower than the third level of security according to ST RK 1073-2007);
  • protection of data transmission channels (including cross-border transmission – using encryption and/or secure channels);
  • regular software updates, installation of antivirus protection;
  • maintaining logs of database management system events and user actions;
  • control of data integrity and security;
  • use of identification and authentication tools when accessing personal data;
  • protection of physical media containing personal data from loss or unauthorized access;
  • ensuring backup and recovery of data in the event of failures or security threats.

12.2. The Operator's obligations to ensure the protection of personal data arise from the moment of their receipt and are valid until the moment of their destruction or depersonalization

13. Rights and obligations of the Subject of personal data

13.1. The subject has the right:

13.1.1. to know whether the Operator has their personal data, and also to receive information containing (a) confirmation of the fact, purpose, sources, methods of collecting and processing personal data, (b) a list of personal data, (c) the terms of processing personal data, including the terms of their storage;

13.1.2. demand that the Operator change and supplement their personal data if there are grounds for doing so, confirmed by relevant documents;

13.1.3. demand that the Operator block their personal data if there is information about a violation of the terms of collection and processing of personal data;

13.1.4. demand that the Operator destroy their personal data, the collection and processing of which was carried out in violation of the legislation of the Republic of Kazakhstan, as well as in other cases established by the Law and other regulatory legal acts of the Republic of Kazakhstan;

13.1.5. revoke consent to the collection, processing, distribution in publicly available sources, transfer to third parties and cross-border transfer of personal data, except in cases provided for by the Law;

13.1.6. give consent (or refusal) to the Operator to distribute their personal data in publicly available sources of personal data;

13.1.7. to protect their rights and legitimate interests, including compensation for moral and material damage;

13.1.8. to exercise other rights provided for by the Law and other regulatory legal acts of the Republic of Kazakhstan.

13.2. The subject is obliged to provide his personal data in cases established by the laws of the Republic of Kazakhstan.

14. Rights and obligations of the Operator

14.1. The operator has the right to collect and process personal data in the manner prescribed by the Law and other regulatory legal acts of the Republic of Kazakhstan.

14.2. The operator is obliged to:

14.2.1. approve the list of personal data necessary and sufficient to perform the tasks carried out by it, unless otherwise provided by the laws of the Republic of Kazakhstan;

14.2.2. approve documents defining the Operator’s policy regarding the collection, processing and protection of personal data;

14.2.3. take and comply with the necessary measures, including legal, organizational and technical, to protect personal data in accordance with the legislation of the Republic of Kazakhstan;

14.2.4. comply with the legislation of the Republic of Kazakhstan on personal data and their protection;

14.2.5. provide, at the request of the authorized body, within the framework of consideration of appeals from individuals and legal entities, information on the methods and procedures used to ensure the Operator’s compliance with the requirements of the Law;

14.2.6. take measures to destroy personal data in the event that the purpose of their collection and processing has been achieved, as well as in other cases established by the Law and other regulatory legal acts of the Republic of Kazakhstan;

14.2.7. provide evidence of receipt of the Subject’s consent to the collection and processing of his personal data in cases stipulated by the legislation of the Republic of Kazakhstan;

14.2.8. upon the request of the Subject, communicate information related to him within the timeframes stipulated by the legislation of the Republic of Kazakhstan;

14.2.9. in case of refusal to provide information, the Subject or his legal representative shall submit a reasoned response within the timeframes stipulated by the legislation of the Republic of Kazakhstan;

14.2.10. The operator is obliged to:

  • change and (or) supplement personal data on the basis of relevant documents confirming their authenticity, or destroy personal data if it is impossible to change and (or) supplement them;
  • block personal data related to the subject if there is information about a violation of the terms of their collection or processing;
  • destroy personal data in the event of confirmation of the fact of their collection, processing in violation of the legislation of the Republic of Kazakhstan, as well as in other cases established by this Law and other regulatory legal acts of the Republic of Kazakhstan;
  • unblock personal data in case of failure to confirm the fact of violation of the terms of collection and processing of personal data;
  • from the moment of detection of a breach of personal data security, notify the authorized body of such breach, indicating the contact details of the person responsible for organizing the processing of personal data;
  • provide, free of charge, the Subject or his legal representative with the opportunity to become familiar with personal data related to this Subject;
  • appoint a person responsible for organizing the processing of personal data.

15. Final Provisions

15.1. This Policy is subject to change and supplementation in the event of entry into force of new legislative acts and special regulations on the processing and protection of personal data, as well as by decision of the Operator.

15.2. Control over compliance with the requirements of this Policy is carried out by the person responsible for organizing the processing of personal data.

15.3. Issues not regulated by this Policy are governed by the current legislation of the Republic of Kazakhstan.

15.4. The User has the right to send any suggestions or questions regarding this Policy to the Operator’s address: Republic of Kazakhstan, Almaty city, Zhetysu district, Raimbek Avenue, building 169A, postal code 050050, or to the email address: partners@sun8.kz