Privacy Policy of OnInvestment LLP

This Personal Data Processing Policy (hereinafter referred to as the "Policy") is a public agreement between the owner of the website http://oninvest.com, OnInvestment LLP (BIN 250140025207) (hereinafter referred to as the "Operator"), and the users of the Operator's services.

In organizing and carrying out the processing of personal data, the Operator adheres to the requirements of the Law of the Republic of Kazakhstan No. 94-V dated May 21, 2013, "On Personal Data and Their Protection," and other regulatory legal acts adopted in accordance with it.

For the purposes of this Policy, personal data refers to any information provided to the Operator through websites or collected using such websites that relates to a directly or indirectly identified or identifiable individual (subject of personal data).

If you use the website or other services of the Operator, you confirm that you have read and fully accept this Policy. If you disagree with its terms, you should stop using the service and decline the Operator's services.

By using the service or other services of the Operator, you confirm your consent to the processing, collection, and cross-border transfer of your personal data in accordance with this Policy and the applicable legislation of the Republic of Kazakhstan.

The Operator collects information through the website in the following ways:

1. Personal Data Provided by Users:
   • The Operator collects personal data that users or other persons on their behalf enter into data fields on the Operator's website.
2. Collection of User IP Addresses and Cookies
3. The Operator passively collects personal data about the current connection for statistical purposes (at the Operator’s discretion), including:
   • User identifier assigned by the website;
   • Visited pages;
   • Number of page visits;
   • Information on page navigation;
   • Duration of user sessions;
   • Entry points (external websites from which the user accessed the site);
   • Exit points (links on the site that redirect users to external websites);
   • User’s country;
   • User’s region;
   • Time zone set on the user’s device;
   • User’s service provider;
   • User’s browser;
   • Browser fingerprint (canvas fingerprint);
   • Available browser fonts;
   • Installed browser plugins;
   • WebGL browser parameters;
   • Type of available media devices in the browser;
   • Presence of ActiveX;
   • List of supported languages on the user’s device;
   • Processor architecture of the user’s device;
   • User’s operating system;
   • Screen parameters (resolution, color depth, page placement on the screen);
   • Information about the use of automation tools to access the website.

For registered users, the Operator may collect data on port usage on users' devices to detect suspicious activity and protect user accounts. Such data may be collected through various methods, such as cookies and web beacons.

The Operator may use third-party internet services (third-party technologies) to collect statistical personal data, and such third-party services store the collected data on their own servers.

The Operator is not responsible for the location of third-party internet service servers. These third-party internet services (third-party technologies) installed on the site and used by the Operator may set and read cookies in end users' browsers to collect information for advertising purposes. The procedures for collecting and using data by such third-party services are determined by them independently, and they are directly responsible for compliance with these procedures and the use of the collected data, including compliance with applicable personal data laws of the Republic of Kazakhstan.

The Operator does not correlate the information voluntarily provided by the user, which allows identifying the subject of personal data, with statistical personal data obtained through such passive data collection methods.

The processing of personal data by the Operator is carried out strictly in accordance with the legislation of the Republic of Kazakhstan and is limited to achieving specific, pre-defined, and legally justified purposes, including compliance with the adhesion agreement and the payment organization rules.

Only personal data necessary to achieve processing purposes are subject to processing. The content and scope of the personal data processed by the Operator correspond to the declared processing purposes; excessive processing of personal data is not allowed.

When processing personal data, the Operator ensures their accuracy, sufficiency, and, when necessary, relevance to the purposes of processing. The Operator takes necessary measures (ensures their implementation) to delete or correct incomplete or inaccurate personal data.

In the course of its activities, the Operator may provide and/or entrust the processing of personal data to another entity with the consent of the data subject, unless otherwise provided by the personal data legislation of the Republic of Kazakhstan. A mandatory condition for such transfer or delegation of personal data processing is the obligation of the parties to maintain confidentiality and ensure the security of personal data during processing.

The duration of personal data processing is determined in accordance with the purposes for which they were collected.

A personal data subject has the right to:

• Request clarification, blocking, or deletion of their personal data if the data is incomplete, outdated, inaccurate, unlawfully obtained, or not necessary for the declared processing purpose, as well as take legally prescribed measures to protect their rights;
• Request a list of their personal data processed by the Operator and the source of data collection;
• Obtain information on the processing duration of their personal data, including storage periods;
• Require notification of all parties who were previously provided with incorrect or incomplete personal data regarding all exclusions, corrections, or additions made;
• Appeal unlawful actions or inactions related to personal data processing to the authorized body for personal data protection or in court;
• Protect their rights and legitimate interests, including seeking compensation for damages and/or moral harm in court.

If you have questions about the application, use, modification, or deletion of your personal data provided by you, or if you want to withdraw your consent for further processing by the Operator, please contact us by mail at the Operator’s address or via email: editorial@oninvest.com.

Please note that the personal data Operator is not responsible for inaccurate information provided by the data subject.

To maintain its business reputation and ensure compliance with the legislation of the Republic of Kazakhstan, the Operator considers it a priority to ensure the legitimacy of personal data processing within its business processes and to provide an appropriate level of security for processed personal data.

The Operator requires other persons who have access to personal data not to disclose or distribute personal data to third parties without the consent of the data subject, unless otherwise required by the legislation of the Republic of Kazakhstan.

To ensure the security of personal data during processing, the Operator takes necessary and sufficient legal, organizational, and technical measures to protect personal data from unlawful or accidental access, destruction, alteration, blocking, copying, provision, distribution, and other illegal actions.

The Operator ensures that all measures for the organizational and technical protection of personal data are carried out lawfully, including in accordance with the requirements of the legislation of the Republic of Kazakhstan regarding personal data processing.

To ensure an adequate level of personal data protection, the Operator assesses the potential harm that may be caused to data subjects in case of security violations and determines relevant security threats when processing personal data in information systems.

Based on identified threats, the Operator applies necessary and sufficient legal, organizational, and technical measures to ensure personal data security, including using information protection tools, detecting unauthorized access, restoring personal data, restricting access, recording and tracking actions with personal data, and evaluating the effectiveness of security measures.

The management of the Operator acknowledges the importance and necessity of ensuring personal data security and promotes continuous improvement of the personal data protection system within its core activities.

The Operator has appointed individuals responsible for organizing the processing and security of personal data.

Each new Operator employee directly involved in personal data processing is familiarized with the requirements of Kazakhstan's legislation on personal data processing and security, this Policy, and other internal regulations, and undertakes to comply with them.