Terms & Conditions and Privacy Policy

Terms & Conditions and Privacy Policy

 

POLICY ON PROTECTION AND PROCESSING OF USERS’ PERSONAL DATA

This document is an official document of “OXUS PAY” JSC (hereinafter referred to as the Operator), defining the policy regarding the collection, processing, and protection of personal data of individuals (hereinafter referred to as the User). This Policy applies to all information that the Operator and/or its partners may obtain about the User in the course of providing the Service’s services, as well as during the execution by the Operator of any other agreements or contracts aimed at providing services to the User via the Service.

  1. TERMS AND DEFINITIONS

1.1. “BARAKA” Information System: A specialized software product functioning on mobile devices that provides remote use of comprehensive services from “OXUS PAY” JSC and its partners in real-time based on instructions transmitted or received using telecommunication systems.

1.2. Operator: “OXUS PAY” JSC, a legal entity that carries out the processing of User instructions and utilizes the services of the “BARAKA” information system.

1.3. Identification: The procedure for establishing identity based on identity documents in accordance with the legislation of the Republic of Uzbekistan.

1.4. Electronic Notification: A brief notice of a standard form sent by the System to mobile devices (SMS notifications, PUSH messages) and/or to the User’s email address via the global information network “Internet” and/or mobile communication.

1.5. User: A natural person using the “BARAKA” service who, independently or through their legal representative (in case of limited legal capacity), manages and disposes of funds.

1.6. Personal Data: Information recorded on electronic, paper, and/or other material media relating to a specific natural person or enabling their identification, provided by the User for use of the Service.

1.7. Recipient of Personal Data: A natural person or legal entity (including state bodies and law enforcement agencies) to whom the User’s personal data is transferred in accordance with this Policy and current legislation. Such recipients undertake to use the received information exclusively for the purposes for which it was provided and to ensure its confidentiality and protection in accordance with the legislation of the Republic of Uzbekistan.

1.8. Processing of Personal Data: The execution of a single action or a set of actions involving the collection, systematization, storage, modification, supplementation, use, provision, distribution, transfer, depersonalization, and destruction of personal data.

1.9. Service: The totality of all software solutions, products, and services provided by the “BARAKA” mobile Application.

1.10. Social Protection Authority: The National Agency for Social Protection under the President of the Republic of Uzbekistan.

1.11. Third Party: Any person who is not the User or the Operator but is connected to them by circumstances or relationships regarding the processing of personal data, including state bodies, banks, and service providers, within the framework of executing agreements, regulatory acts, or in other cases not contrary to legislation, for the purposes of registration, card creation, execution of transactions, processing of Users’ personal data, and ensuring the successful functioning of the Service.

  1. GENERAL PROVISIONS

2.1. This Policy establishes the procedure for the processing and protection of personal data of Users who register for and use the Service.

2.2. Before starting the registration in the “BARAKA” Service, the User must carefully read the terms of this Policy. Continued use of the Service constitutes the User’s full and unconditional consent to this Policy.

2.3. By checking the corresponding box in the registration form, the User expresses their full consent to the terms of this Policy.

2.4. The User also expresses consent to the transfer of the provided personal data, including data transferred to “OXUS PAY” JSC within the framework of the Public Offer and this Policy, to Third Parties for the purpose of its execution. The retention period for personal data is limited to the achievement of the purposes of its collection and processing, after which the data shall be destroyed in the prescribed manner.

  1. PURPOSES OF PERSONAL DATA COLLECTION AND PROCESSING

3.1. “OXUS PAY” JSC collects and processes Users’ personal data for the following purposes:

3.1.1. Primary Purposes:

  1. a) Verification and Eligibility Assessment: Ensuring that Users meet the established criteria for executing instructions addressed to banks or the Social Protection Authority for the issuance of a “BARAKA” social card.
  2. b) Fraud Prevention and Risk Management: Identifying and preventing misuse, duplication, or fraudulent applications, as well as complying with measures to ensure the protection of personal data against unlawful processing.
  3. c) Transaction Tracking and Reporting: Maintaining transparent records for auditing purposes and compliance with the legislative requirements of the Republic of Uzbekistan.
  4. d) User Profile Management: Enabling the secure updating and management of Users’ personal and banking data.

3.1.2. Secondary Purposes (System Efficiency Support and Compliance):

  1. a) Integration with Other State Systems: Reconciling data with tax databases and other state information systems.
  2. b) Data-Driven Policy Improvement: Analyzing trends in the distribution of social payments to increase the effectiveness of state programs.
  3. c) User Support and Dispute Resolution: Providing assistance regarding payments from Social Protection Authorities and technical issues related to the Service.

3.2. “OXUS PAY” JSC carries out automated processing of User personal data to provide services through the Service. Decisions related to the use of the Service may be made automatically based on algorithms and data analysis without the direct involvement of the User. This approach is applied for: a) Fraud Detection: Automatic detection of suspicious activity to protect the User and prevent financial losses. b) Service Personalization: Providing recommendations and offers based on the User’s individual preferences and behavior.

3.3. In the event of the withdrawal of consent for the processing of personal data or consent for the processing of personal data by automated means, the provision of services becomes impossible, and the User undertakes to cease all use of the Service.

  1. USER INFORMATION COLLECTED AND PROCESSED THROUGH THE APPLICATION

4.1. Within the framework of this Policy, the User’s personal data refers to the following categories of data:

4.1.1. Personal data provided by the User independently during registration in the Service or in the process of its use. This includes personal data necessary to fulfill the terms of any agreements between the User and “OXUS PAY” JSC. Access to certain functions of the Mobile Application is only possible upon the provision of the required data.

4.1.2. Information automatically collected during the use of the Mobile Application, including data transmitted by the software installed on the User’s device. Such data includes:

  1. a) Authentication and Session Information: Authentication Token, Refresh Token, User ID (stored only during an active session and deleted upon session termination);
  2. b) Application Settings: Selected language, Dark Mode Preference;
  3. c) Device Information: SRK registration request ID (temporarily stored during the registration process), Device ID (unique device identifier), Device Brand, Device Model, Platform, Operating System Version;
  4. d) Personal Data: Document type, Document number, Agent’s email (if available), Region, User account, Citizen account, Citizen documents, Citizen benefits, Address (city, street, district, postal code, MSG (Mahalla)), Citizenship, Place of birth, Patronymic, Marital status, PINFL (Personal Identification Number of a Physical Person), Date of birth, Mobile phone number, Email address.

4.2. When using the Mobile Application services, the following anonymized statistical data about the User is automatically collected from cookies and other sources: a) Authentication and Session Information: Authentication Token, Refresh Token, User ID (stored only during an active session and deleted upon session termination); b) Application Settings: Selected language, Dark Mode Preference; c) Device Information: SRK registration request ID (temporarily stored during the registration process), Device ID (unique device identifier), Device Brand, Device Model, Platform, Operating System Version.

4.3. The following technologies are utilized during the operation of the Service: a) Camera Capture Data: Used to capture images or video for features such as identity verification, document scanning, or other specific functions. b) Audio Recordings: Used to enable Text-to-Speech (TTS) and Speech-to-Text functions to ensure accessibility (for example, for users with visual impairments, hands-free use, language learning, or improving user experience).

  1. c) Use of Biometrics: Allows for biometric authentication (e.g., facial recognition) to enhance security and convenience. Biometric data (personal data characterizing the anatomical and physiological features of the User: Face ID), if used when utilizing the mobile application, is stored on the User’s device and transmitted for secure storage to the servers of the authorized state body.
  2. d) Vibration: Provides haptic feedback for user interactions, such as notifications or feedback when performing certain actions.
  3. e) Sending Notifications: Allows the application to send notifications, including updates, reminders, and important alerts.
  4. f) Reading and Writing to External Storage: Access to files saved on the User’s device (e.g., downloaded documents or images) is permitted only for the local database and key storage within the application. This allows saving files or data on the User’s device (e.g., downloaded documents or other accessible content).

4.4. Prior to registration, Users have the opportunity to review the Frequently Asked Questions (FAQ) section, as well as detailed instructions, including an educational video clip explaining the registration process and the core functionalities of the Service.

4.5. By using any service provided by the mobile application, the User agrees that the Service may use statistical data and cookies for subsequent processing by systems, as well as transfer them to third parties for conducting research, performing work, or providing services. The User has the ability to independently manage Cookies by changing the settings on their device.

4.6. “OXUS PAY” JSC may process certain data (for example, IP address, User device ID) to identify and prevent actions that may contradict the legislation of the Republic of Uzbekistan or the provisions of this Policy.

4.7. “OXUS PAY” JSC may receive information about the User from Third Parties. For example, within the framework of executing an agreement with a Third Party, the latter may transfer certain data to the Social Protection Authority, allowing the Third Party to establish a connection between the User and their transfer, information about which is transmitted to the Third Party via the Service.

Here is the translation of Section 5 into English:

  1. CONDITIONS FOR PROCESSING USER PERSONAL DATA AND THEIR TRANSFER TO THIRD PARTIES

5.1. “OXUS PAY” JSC processes Users’ personal data in accordance with the legislation of the Republic of Uzbekistan, this Policy, the terms of provision of specific services, and internal regulations.

5.2. The confidentiality of personal data and User information is fully ensured by “OXUS PAY” JSC.

  1. a) Data Storage: All data is processed and stored in accordance with the legislation of the Republic of Uzbekistan. Biometric data (personal data characterizing the anatomical and physiological features of the User: Face ID), if used when utilizing the mobile application, is stored on the User’s device and transmitted for secure storage to the servers of the authorized state body.
  2. b) Data Security: To protect data from unauthorized access or leaks, measures are applied to ensure the security of personal data, including encryption.

5.3. Data transfer is permitted with the consent of its owner for the purposes of providing state, educational, medical, social, banking, and other services through the automated systems of state bodies and organizations, as well as non-governmental organizations. “OXUS PAY” JSC has the right to transfer the User’s personal data to Third Parties in the following cases:

5.3.1. The transfer is necessary to provide a specific Service or a service of Third Parties, as well as to execute the User’s instructions. Personal data may be transferred to the following categories of third parties:

  1. a) Credit organizations and other participants involved in the transfer process. For example, to ensure the necessary level of security for online payments made using social and bank cards, “OXUS PAY” JSC may transfer data—the list of which is determined by the security protocols of payment systems—to acquiring/issuing banks and payment systems. Data transfer may be mandatory (e.g., information regarding user equipment: IP address, operating system, geographical location, device ID/type, channel used (browser or application), payment authorization, identification/verification) or optional (e.g., data regarding address matching, account information with a Third Party, email address, mobile phone number, payment amount, and risk level determined by the Third Party or payment system).
  2. b) To ensure the functioning and promotion of services, improve the quality of services provided, conduct marketing and analytical activities, and for other legal purposes related to the implementation and execution of Services offered by the Service.
  3. c) To social protection authorities — for the execution of User instructions and/or the submission of relevant applications required for the processing of state benefits or other services provided by social protection bodies.
  • “OXUS PAY” JSC may provide access to certain data (e.g., statistical data) for the purpose of conducting scientific research and other analyses.
  • “OXUS PAY” JSC may provide access to data regarding the User’s payment transactions, which are used by Third Parties to determine the possibility of providing the User with discounts, bonuses, or other rewards, provided that the User fulfills specific requirements established by said Third Parties.
  • “OXUS PAY” JSC may provide access to the User’s email address, enabling a Third Party to ensure the delivery of a fiscal or other document as prescribed by the legislation of the Republic of Uzbekistan.
  • When the User utilizes services provided by Third Parties, information about the User may be transferred to such Third Parties in the volume and for the purposes necessary for the proper provision of services to the User or to enhance the convenience of their use (for example, data may be used for the pre-filling of registration forms).

5.3.2. For the purpose of protecting the rights and legitimate interests of “OXUS PAY” JSC or third parties in cases where “OXUS PAY” JSC has sufficient grounds to believe that the User is violating the terms of the applicable Policy and/or the requirements of the legislation of the Republic of Uzbekistan.

5.4. When the User utilizes the services of “OXUS PAY” JSC, the User’s personal data may be transferred to “OXUS PAY” JSC and/or its affiliates for processing under the terms and for the purposes established by this Policy. Such information includes any personal data for which the User has provided consent for processing, including information regarding receipts and expenditures on bank cards for monitoring purposes.

5.5. When processing Users’ personal data, the Parties are guided by the Law of the Republic of Uzbekistan “On Personal Data” and other regulatory legal acts governing the security of personal data.

5.6. “OXUS PAY” JSC may disclose anonymous data (i.e., data that does not allow for the direct or indirect identification of the User), as well as aggregated data (data about groups and categories of Users), to Third Parties. “OXUS PAY” JSC may also permit Third Parties to collect anonymous and aggregated data as part of providing specific Service functions to Users, which may subsequently be transferred to “OXUS PAY” JSC.

  1. MODIFICATION AND DELETION OF PERSONAL DATA BY THE USER, AS WELL AS ACCESS TO THEM

6.1. Within the framework of the provided services, the User is given the opportunity to modify (update, supplement) or delete the data they have provided. The User has the right to withdraw their consent to the processing of personal data by deleting the application from their mobile device.

6.2. Within the limits established by the legislation of the Republic of Uzbekistan, “OXUS PAY” JSC undertakes to notify every recipient to whom personal data has been disclosed of any modification or destruction of said data, except in cases where this is impossible or requires disproportionate effort.

6.3. In accordance with the legislation of the Republic of Uzbekistan, “OXUS PAY” JSC may be obliged to process and/or store the User’s personal data obtained during the use of the Service. Such processing and/or storage shall be carried out in the cases, on the grounds, and for the durations specified by the legislation of the Republic of Uzbekistan and this Policy.

  1. MEASURES FOR THE PROTECTION OF USERS’ PERSONAL DATA

7.1. “OXUS PAY” JSC processes and protects Users’ personal data in accordance with the Law of the Republic of Uzbekistan “On Personal Data” and other regulatory legal acts governing the security of personal data.

7.2. “OXUS PAY” JSC takes the necessary organizational and technical measures to protect the User’s personal data from unauthorized or accidental access, destruction, modification, blocking, copying, distribution, and other unauthorized actions. These measures include, but are not limited to: the classification of data into publicly accessible and non-publicly accessible, establishing procedures for access and processing, appointing responsible persons, and utilizing information security and encryption tools.

  1. CHANGES TO THE PRIVACY POLICY AND APPLICABLE LAW

8.1. “OXUS PAY” JSC has the right to make unilateral changes to this Policy.

8.2. In the event of disagreement with the updated Policy, the User undertakes to immediately cease using the Service and send a corresponding withdrawal of consent for the processing of personal data.

8.3. This Policy and all relationships between the User and “OXUS PAY” JSC are governed by the legislation of the Republic of Uzbekistan and regulatory acts governing the protection of personal data.

  1. INTERACTION WITH USERS REGARDING PERSONAL DATA PROCESSING

9.1. “OXUS PAY” JSC reserves the right not to answer questions that do not pertain to the provisions of this Policy. However, this does not restrict the User’s ability to send such questions to the address: ________.