*Meta products (recognized as an extremist organization and banned in the Russian Federation)
Revision dated June 19, 2025
1.1. For the purposes of this Policy, the terms and definitions below shall have the following meanings:
“Personal data” means any information relating to an identified or identifiable natural person (“data subject”).
An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as name, surname, patronymic (if applicable), identification number, taxpayer ID, social security number, bank details, date and place of birth, address, geolocation data, email address, phone number, marital, social or financial status, education, occupation, income, metadata transmitted by the User’s device when using the Service (e.g., location, HTTP headers, IP address, cookie data, browser info, technical specs of device/software, access date/time, requested URLs), or one or more factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity.
For the purposes of this Policy, it also includes any data about the User as defined in the Agreement governing use of the Service.
“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
“CCPA” means the California Consumer Privacy Act.
“Operator” or “Controller” means BHKZ LLP or the User (if they independently determine the purposes and means of processing personal data of end clients while using the Service), performing data processing and defining the scope, purpose, and means thereof. The Operator is the Controller under GDPR.
“User” means any legally capable individual, including one acting on behalf of a legal entity, who may provide personal data to the Operator while using the Service and has accepted the terms of the Agreement, including electronically. This includes persons whose data is processed by the Operator on behalf of the User as per the Data Processing Instruction (part of the User Agreement). If the User is under 16, parental consent is required.
“Service” or “Personal Data Information System” means the platform at https://bothelp.io, offered to the public for use in accordance with its purpose.
“Agreement” means the license agreement-offer, User Agreement, or other agreement governing use of the Service and data processing instructions.
“Processing of personal data” means any operation or set of operations on personal data (automated or not), such as collection, recording, systematization, accumulation, storage, updating, retrieval, use, transfer, depersonalization, blocking, deletion, or destruction.
All other terms (e.g., Processor, Recipient, Third Party, Automated Processing, Cookies, Web Beacons, IP address, etc.) retain their original names and definitions as per applicable law and this Policy.
1.2. All other terms used in this Policy shall be interpreted in accordance with the laws of the Russian Federation and applicable international standards.
1.3. Terms may be used in singular or plural form and capitalized or not, depending on the context.
1.4. Headings are provided solely for convenience and have no legal significance.
1.5. This Policy is developed pursuant to the law of the Republic of Kazakhstan on Personal Data, the Constitution of the Russian Federation, Civil Code, Federal Laws No. 149-FZ and No. 152-FZ, the GDPR, and the CCPA.
1.6. This Policy defines the rules and conditions for processing personal data, transfer to third parties, access, protection, internal controls, and responsibilities.
1.7. This Policy enters into force upon approval by the Operator and remains effective until replaced.
1.8. The Operator may amend this Policy without User consent. Changes are enacted by Operator's internal order.
1.9. This Policy applies to all data processing via the Service, both automated and non-automated. The Operator is not responsible for third-party services linked from the Service.
1.10. Personal data is processed only on lawful grounds, in accordance with declared purposes and subject to prior risk assessment.
2.1. The Operator processes personal data in accordance with the following legal documents:
- Law of the Republic of Kazakhstan on Personal Data;
- Civil Code of the Russian Federation;
- Tax Code of the Russian Federation;
- Federal Laws No. 149-FZ and No. 152-FZ;
- GDPR;
- CCPA;
- and other applicable legal acts.
2.2. The processing of personal data is based on the Agreement between the User and the Operator or on the User’s explicit consent.
2.3. Data of Kazakhstan citizens is stored and processed within the Republic of Kazakhstan. For foreign Users, data is processed in accordance with applicable jurisdiction.
2.4. The Service is only intended for Users aged 16 and older. Users under 16 must provide verified parental consent.
2.5. If the User collects and processes third-party personal data via the Service, the User is the data controller. The Operator (BHKZ LLP) acts as the processor.
2.5.1. The Data Processing Instruction is part of the User Agreement and comes into effect upon first use of the Service.
2.5.2. The User, as Controller, warrants that they have legal grounds to collect and process third-party data, and is solely responsible for compliance.
2.5.3. The User determines the categories of data collected and obtains all necessary consents. The Operator does not use this data for its own purposes.
2.5.4. The Operator processes data only within the User’s instructions and implements appropriate technical and organizational measures.
2.5.5. In case of complaints or investigations, the User bears full legal responsibility. The Operator provides necessary assistance where required by law.
3.1. The Operator collects only data necessary for using the Service or performing contracts unless longer storage is required by law.
3.2. The Operator does not combine databases collected for incompatible purposes.
3.3. Purposes include:
- concluding and performing contracts;
- ensuring proper operation of the Service;
- displaying personalized advertising and marketing;
- conducting research using anonymized data;
- fulfilling legal obligations under applicable law.
4.1. Data is collected via the Service, technical support, marketing events, etc.
4.2. Only data necessary to deliver the Service is processed.
4.3. Data provided directly by Users may include: login credentials, tokens, device IDs, emails, phone numbers, messenger IDs, IP addresses, cookies, payment information, etc.
4.4. Automatically collected data includes HTTP headers, cookies, IP addresses, browser details, device info, telemetry data, messenger IDs, geolocation, and biometric data (if consented).
4.5. Subjects of personal data include Users, legal representatives, and end clients whose data is processed by the User.
4.6. Data is used for identification, analytics, technical support, service improvement, and legal compliance.
5.1. Data is considered confidential and protected under applicable law.
5.2. Storage is for the duration of the Agreement or as required by law.
5.3. Confidentiality applies except where the User voluntarily discloses data.
5.4. Data may be transferred to third parties only:
- with User’s request or consent;
- to fulfill Service features or contracts;
- if required by law;
- in case of Service ownership transfer;
- to protect Operator’s or third-party rights.
5.5. For EU Users, data breaches are reported within 72 hours. For Kazakhstan and Russian Users, within 24 hours.
5.6. Data is encrypted via HTTPS and safeguarded using technical and organizational measures.
5.7. Users are notified of breaches unless mitigated or impractical.
5.8. Both parties act to prevent unauthorized disclosures or losses.
5.9. Data may be shared with authorities when legally required.
5.10. Kazakhstan Users’ data is stored on servers located within the Republic of Kazakhstan. For foreign Users, data is stored in accordance with applicable jurisdiction.
5.11. Processing ends upon consent expiry, withdrawal, or Operator liquidation.
6.1. Only authorized Operator employees may access personal data.
6.2. Access is managed via an official access control list.
6.3. Third-party access is prohibited without consent or legal basis.
6.4. Access is revoked upon termination or role change.
6.5. These provisions apply when the Operator acts as Processor per Section 2.5.
7.1. Users may update or delete their data via the Service.
7.2. The Operator corrects inaccuracies when identified.
7.3. Unverifiable data is deleted.
7.4. Unlawful data processing is terminated and data deleted.
7.5. Users may submit written requests to modify or delete data.
7.6. Corrections are made within 7 working days.
7.7. Unlawful or unnecessary data is deleted within 7 working days.
7.8. Users are notified of actions taken and third parties informed as appropriate.
7.9. Legal obligations may restrict data removal or updates.
8.1. Users may request information about data processing, including:
- confirmation of processing;
- legal grounds and purposes;
- methods of processing;
- recipients;
- data sources;
- processing duration;
- rights and how to exercise them;
- cross-border transfers;
- processor details.
8.2. Responses are provided within 30 calendar days.
8.3. In case of denial, a reasoned written reply is given.
8.4. Deletion requests can be sent to hello@bothelp.io.
8.5. Data will be deleted within 30 calendar days of request.
9.1. Protection is based on a risk model and legal requirements.
9.2. Measures include legal, organizational, technical, and other safeguards.
9.3. Third-party processors must comply with the same protection standards.
9.4. The Operator ensures:
- prevention of unauthorized access;
- prompt detection of breaches;
- data recovery;
- continuous monitoring.
9.5. A private threat model has been developed.
9.6. The Operator determined data protection level per Government Decree No. 1119.
9.7. An official protection level certificate has been issued.
9.8. Technical and organizational security measures are in place.
9.9. Data protection tools and logs are maintained.
9.10. Removable storage is tracked.
9.11. Hardware is located in secure premises.
9.12. All employees are trained and familiarized with this Policy.
9.13. Security training is provided.
9.14. Breaches or risks must be immediately reported by employees.
10.1. Consent is given freely, voluntarily, and in the User’s interest.
10.2. Consent is specific, informed, and conscious.
10.3. If data is processed under a contract, no separate consent is required (Article 6(1)(b) GDPR).
10.4. Explicit consent via button, checkbox, SMS, or email is considered valid and is digitally signed.
10.5. Consent may be withdrawn at any time in accordance with applicable laws.
11.1. Use of the Service implies agreement with this Policy.
11.2. This Policy is governed by the laws of the Republic of Kazakhstan. For Users in Russian Federation, EU, or California, respective laws apply.
11.3. This Policy is available at: https://bothelp.io/policy/
11.4. Questions may be sent to hello@bothelp.io
BHKZ LLP
BIN: 240640003609
Legal address: 010000, Republic of Kazakhstan, Astana city, Almaty district, Temirbek Zhurgenov street, house 18/2, office 19
Email: hello@bothelp.io
