Todo operativo
00:00:00:00
ONEKYC // Legal
DOC_TYPE: PRIVACY_POLICY

Política de tratamiento de datos personales

Versión: 1.0Revisión: 2026-04-10Vigencia: 2026-04-10Idioma: ES

Esta Política define los fines y principios del tratamiento de datos personales en ONEKYC y las medidas adoptadas para proteger los derechos de los interesados.

01

Purpose, Operator and Scope

This Personal Data Processing Policy (the “Policy”) defines the purposes and general principles of personal data processing, as well as the measures implemented to protect the rights of personal data subjects by the Operator when using the KYC platform (SaaS) – ONEKYC – for business.

This Policy applies to all personnel of the Operator, including employees under employment contracts, trainees, and persons performing work under other agreements, after they have been ознакомлены with it or such obligations have been imposed by concluding agreements with the Operator.

The requirements of this Policy are also taken into account with respect to other persons where their participation in the Operator’s personal data processing activities is necessary, including partners, contractors, service providers, other counterparties, etc., including under personal data processing instructions, by entering into agreements with such persons and imposing the relevant obligations on them.

Personal Data Operator: Limited Liability Company “Kyulchoro” (LLC “Kyulchoro”) Registered address: Kyrgyz Republic, Bishkek, Leninsky District, Kyzyl-Adyr St. (Archa-Beshik residential area), 172A TIN: 01104202510167 Registration No.: 315102-3301-LLC

For the purposes of this Policy, the terms “personal data”, “personal records”, “owner of personal records”, “processor”, “incident in the digital environment”, “personal data breach”, “cross-border transfer of personal data”, and “automated decision” are used in the meanings established by the Digital Code of the Kyrgyz Republic (including Article 1 of the Digital Code of the Kyrgyz Republic).

02

Compliance with Applicable Laws

This Policy has been developed primarily on the basis of the legislation of the Kyrgyz Republic, as the Operator is registered in the territory of the Kyrgyz Republic. This Policy uses terms and definitions in accordance with their meanings as defined in the Law of the Kyrgyz Republic “On Information of a Personal Nature” dated 14 April 2008 No. 58. The Operator processes personal data taking into account the requirements of the said law, its subordinate regulations, and regulatory and methodological documents of the governmental authorities of the Kyrgyz Republic authorized in the field of information security and protection of the rights of personal data subjects.

With regard to relations in the digital environment, including personal data processing, digital identification/authentication, digital resilience and incident response, the Operator takes into account the requirements of the Digital Code of the Kyrgyz Republic dated 31 July 2025 No. 178 (in particular, Articles 57, 63, 73, 75–76, and 77–91).

Where possible, this Policy also takes into account provisions of other legislation applicable to the Operator’s activities in the field of personal data processing (e.g., the GDPR) to the extent not contradicting the legislation of the Kyrgyz Republic.

03

Principles of Personal Data Processing

The Operator processes personal data on a lawful and fair basis. The main legal grounds and processing principles are determined, inter alia, by Articles 78–79 of the Digital Code of the Kyrgyz Republic. The main legal grounds for processing include:

The Constitution of the Kyrgyz Republic.
The Labour Code of the Kyrgyz Republic.
The Civil Code of the Kyrgyz Republic.
The Tax Code of the Kyrgyz Republic.
The Digital Code of the Kyrgyz Republic.
The Law of the Kyrgyz Republic “On Electric and Postal Communications”.
The Law of the Kyrgyz Republic “On Guarantees and Freedom of Access to Information”.
The Law of the Kyrgyz Republic “On Business Partnerships and Companies”.
The Law of the Kyrgyz Republic “On Mass Media”.
The Law of the Kyrgyz Republic “On Counteracting the Financing of Terrorist Activities and the Legalization (Laundering) of Criminal Proceeds”.

The content and scope of the processed personal data are determined based on the purposes of processing. Personal data that are excessive or incompatible in relation to the following main purposes are not processed:

Entering into employment relations with individuals, recruitment (reviewing a candidate for a vacancy, assessing skills and experience, informing about selection results, collecting feedback from the candidate, sending information about new suitable vacancies, events and internships of the Operator).
Entering into and extending the Operator’s contractual relationships.
Identifying the parties to the Operator’s contracts, agreements and transactions.
Performance of the Companies’ contractual obligations, including provision of services, performance of works, and granting rights to use the Operator’s software products.
Use by legal entities and individuals of the Operator’s websites and other information resources in accordance with their terms of use and license agreements.
Registration, identification and personalization of users of the Operator’s websites, applications and other information resources; granting access to resources and functions available only to registered users; improving user convenience, improving software products, and improving the quality of services provided and works performed by the Operator.
Communications (including via mass and automated calls) with individuals and legal entities to send notifications, responses to inquiries, mailings and informational messages, including marketing messages, as well as other actions to promote the Operator’s and partner organizations’ software products, goods, works and services.
Protection of the legitimate interests of the Companies, their partners and customers; exercising due (commercial) diligence in selecting counterparties; counteracting unlawful or unauthorized actions and fraud in the use by customers and users of the Operator’s software products, goods, works and services; ensuring information security.
Conducting research within the Operator’s scope of activity and on the use of the Operator’s software products, goods, works and services for development of new software products, expansion of services provided, works performed and goods offered, and quality control.
Collection and processing of analytical and statistical data within the Operator’s scope of activity and on the use of the Operator’s information resources, software products, goods, works and services.
Compliance with applicable labour, accounting, pension and other legislation of the Kyrgyz Republic.
Compliance with other legislation applicable to the Operator’s activities, including international or local legislation.

The main categories of personal data subjects include:

Visitors and users of the Operator’s websites, applications and information resources.
Individuals who are or were in employment and civil-law relations with the Operator, their close relatives, referees, as well as persons intending to enter into such relations, for example, candidates for vacant positions.
Individuals who are or were in employment and civil-law relations with the Operator’s counterparties, as well as persons intending to enter into such relations.
Individuals listed in various state registers, databases, publicly available and other sources obtained lawfully and used when providing services and in the Operator’s products as data sources.
Individuals who contact the Operator with inquiries, messages, applications, complaints or proposals using contact details or feedback collection tools.
The Operator’s founders.

For the specified categories of subjects, the following may be processed in accordance with the purposes of processing:

Personal information (last name, first name, patronymic, including previous; gender; year, month, date of birth; age; place of birth; nationality; citizenship).
Contact information (postal address, phone numbers, email addresses, pseudonyms, identifiers in social networks and communication services); registration and actual residence addresses.
Information on identity documents; driver’s license; identification numbers in state accounting systems; information on compulsory and voluntary medical insurance policies.
Professional activity (place of work; position; structural unit; personnel number; length of service; participation in legal entities; authority).
Skills and qualifications (education; profession; specialties; foreign languages; completed training courses, internships and practical training).
Family information (marital status; family composition; legal representatives; close relatives).
Social status; property status; information on vehicles.
Information on contracts and agreements and their statuses; participation in partner and bonus programs; referral promo codes; information on products and services used.
References and reviews; information on personnel assessments.
Financial status; payment details; income; information on tax and other contributions to state funds; information on accruals and withholdings, remuneration in other form; information on purchases and orders of goods and services; information on payments.
Information on inclusion in certain state registers, databases and lists.
Military registration information; migration registration information. 3.4.13. recordings). As part of KYC verification, the Platform may process selfies/videos and the results of “liveness” checks solely for the purposes of: (a) verifying the document and confirming that the person presenting the document matches the image in the document; (b) preventing fraud and unauthorized use of documents. At the same time, the Operator does not process biometric data for the purposes of digital identification of an individual by performing searches/matching across multiple subjects (1:N) or by comparing against all biometric data available in databases, unless otherwise expressly required or permitted by applicable law. The Operator also does not use the State Biometric Identification System of the Kyrgyz Republic other than in the cases and in the manner expressly provided for by law (Article 48 of the Digital Code of the Kyrgyz Republic).
Documents and copies of documents.
Electronic user data (user identifiers, network addresses, cookies, device identifiers, screen size and resolution, hardware and software information such as browsers, operating system, installed applications, geolocation, language settings, time zone, time and usage statistics of the Operator’s applications and information resources, user actions in services, sources of referrals to web pages, search and other queries sent, user-generated content); electronic signature certificates. information images; (voice Photo video voice and
Interests and hobbies; personal interests; tastes and preferences; newsletter subscriptions.
Health status; information on disability and incapacity for work.
Information on incentives, awards, disciplinary actions and liability.
Other information provided for by standard forms, established procedures and purposes of processing.

The Operator processes personal data using a mixed method: with and without automation tools.

Actions performed with personal data include: collection; recording; systematization; accumulation; storage; clarification (updating, modification); extraction; use; transfer (dissemination, provision, access); depersonalization; blocking; deletion; destruction.

During processing, the accuracy, sufficiency and relevance of personal data in relation to the purposes of personal data processing are ensured (Article 78 of the Digital Code of the Kyrgyz Republic). If inaccurate or incomplete personal data are identified, they may be уточнены and updated. Where updating personal data is outside the Operator’s area of responsibility, processing may be suspended until the data are updated. Obligations and liability for timely updating of personal data for certain processing cases may be established by the Operator’s agreements.

Personal data are processed and stored no longer than required by the purposes of processing, unless there are legal grounds for further processing (Article 78 of the Digital Code of the Kyrgyz Republic).

The processed personal data are subject to destruction or depersonalization upon the occurrence of the conditions listed in this Policy. Where grounds for deletion of personal records as provided for in Article 83 of the Digital Code of the Kyrgyz Republic exist, the Operator deletes personal records without undue delay, provided there are no legal grounds for further retention (for example, for bringing/defending claims or where retention is required by law - Article 83(2) of the Digital Code of the Kyrgyz Republic).

When carrying out cross-border transfer of personal data, the Operator takes into account the requirements of Article 89 of the Digital Code of the Kyrgyz Republic.

Prior to any cross-border transfer, the Operator verifies whether the recipient’s foreign state is included in the list of states ensuring adequate protection of the rights of personal data subjects, if such a list has been approved and published by the sectoral regulator in the field of personal data (Article 89(1)–(3) of the Digital Code of the Kyrgyz Republic).
If the recipient’s state is not included in the said list, cross-border transfer is carried out only where there are grounds provided for in Article 89(4) of the Digital Code of the Kyrgyz Republic, in particular: - where the personal data subject has consented to the cross-border transfer (where applicable); and/or - for the conclusion and/or performance of a contract where the personal data subject is the beneficiary or a party (or a representative) thereto; and/or - where adequate protection of the rights of subjects is ensured by the terms of an agreement between the records owner and the processor (or between records owners) (Article 89(4)(6) of the Digital Code of the Kyrgyz Republic), including obligations regarding confidentiality, security, incident handling, return/deletion, access restrictions, and sub-processors.
Before performing a cross-border transfer, the Operator assesses the risks, security measures and data access regime of the recipient and implements organizational and technical measures (e.g., encryption in transit and at rest, access restriction, logging, and contractual safeguards).

Automated decisions (where applicable): where automated decisions are used that produce legal effects for the data principal or similarly significantly affect them, the data principal is entitled to request that such decisions be discontinued and that they be reviewed with human involvement in accordance with Article 57 of the Digital Code of the Kyrgyz Republic.

04

Processing as a Sub-Processor and Engagement of Subcontractors

In addition to acting as a personal data operator, the Operator may act as a person processing personal data on behalf of other personal data operators under contracts and other agreements. Such cases include, for example:

Granting the Operator’s customers rights to use software products.
Providing the Operator’s customers with services related to data processing.
Joint processing with third-party organizations within the Operator’s partnership arrangements.

Where necessary, the Operator may engage third-party organizations to process personal data as subcontractors, provided that the processing principles are complied with and there is an appropriate contract or agreement with them. Such cases include, for example:

Providing software products, goods, performing works and providing services to the Operator jointly by different Companies, as well as by third-party organizations, technological and other partners of the Operator.
Use of third-party services, computing resources, applications and infrastructure for information processing and for communications with users of software products, works and services, and purchasers of goods.

Personal data processing under the Operator’s contracts and other agreements, including personal data processing instructions, is carried out in accordance with the terms of such contracts/agreements.

Where a processor (subcontractor) is engaged, the relevant agreement/legal instrument must contain the terms provided for by Article 86(4) of the Digital Code of the Kyrgyz Republic, including: the processing period, the nature and purposes of processing, the type of data and categories of data subjects, written instructions, confidentiality and access restriction measures, procedures for rectification/deletion/restriction of processing, and records of processing operations (logging).
The processor is not entitled to engage another processor without the Operator’s prior written authorization.
Cross-border subcontractors (added): if the processor/subcontractor is located outside the Kyrgyz Republic or contemplates cross-border transfer/access, the agreement must additionally specify: - the countries where processing/access will take place; - the legal basis for the cross-border transfer; - incident notification requirements (no later than 48 hours from the processor to the records owner); - requirements for deletion/return of data upon completion of processing and upon the owner’s requests; - a prohibition on / procedure for engaging sub-processors; - technical measures (encryption, access control, logging, etc.).
06

Processing of Electronic User Data, Including Cookies

For the purposes of personal data processing set out in this Policy, the Operator may collect electronic user data on its websites automatically, without requiring user participation or any actions to send data.

The Operator does not verify the accuracy of electronic data collected this way; the information is processed “as is” in the form in which it is received from the client device.

Visitors and users of the Operator’s websites may be shown pop-up notices about collection and processing of cookies data with a link to the Policy and buttons to accept the processing terms or close the pop-up notice.

Such notices mean that when visiting and using the Operator’s websites, information resources and web applications, information (e.g., cookies data) may be stored in the browser on the user’s device, allowing subsequent identification of the user or device, remembering a session, or saving certain user settings and preferences specific to those sites. After being stored in the browser and until expiry or deletion from the device, such information will be sent with each subsequent request to the website on behalf of which it was stored, together with such request, for processing on the Operator’s side.

Processing of cookies data is required by the Operator for proper functioning of websites, in particular functions relating to access by registered users to the Operator’s software products, services, works and resources; user personalization; increasing efficiency and convenience of working with websites, as well as other purposes provided for in this Policy.

In addition to cookies set by the Operator’s websites, users and visitors may receive cookies relating to third-party websites, for example, where third-party components and software are used on the Operator’s websites. Processing of such cookies is governed by the policies of the relevant websites and may change without notice to users of the Operator’s websites. Such cases may include placement on the websites of:

Visit counters, analytics and statistical services such as Yandex.Metrica or Google Analytics to collect traffic statistics for publicly accessible website pages.
Widgets of auxiliary services to collect feedback, organize chats and other types of user communications.
Contextual advertising systems, banner and other marketing networks.
Authorization buttons enabling login via social network accounts.
Other third-party components used by the Operator on its websites.

Acceptance by the user of cookies processing terms or closing the pop-up notice in accordance with this Policy is considered consent to processing of cookies data on the Operator’s websites.

If the user does not agree to processing of cookies, they must accept the risk that in this case the website’s functions and features may not be fully available, and then follow one of the following options:

Configure the browser independently according to its documentation/help so that it does not, on a permanent basis, allow receiving and sending cookies for any websites or for a specific Operator website or third-party component website.
Switch to the browser’s “incognito” mode to allow the site to use cookies until the browser window is closed or switched back to normal mode.
Leave the website to avoid further cookies processing.

The user may manage stored cookies data independently through built-in browser tools, including deleting or viewing information about cookies set by websites, including:

Website addresses and paths to which cookies will be sent.
Names and values of parameters stored in cookies.
Cookie expiration periods.
07

Confidentiality and Security of Personal Data

The Operator ensures confidentiality of personal data in accordance with applicable law and the terms of the Operator’s agreements and contracts, except where:

Personal data are contained in publicly available sources of personal data or are permitted by the subject for dissemination.
The information is subject to mandatory disclosure to third parties, including government authorities, in accordance with the legislation applicable to the Operator.

The Operator takes necessary and sufficient legal, organizational and technical measures to ensure personal data security and to protect them from unauthorized (including accidental) access, destruction, alteration, blocking of access and other unauthorized actions. Such measures include, in particular:

Appointment of individuals or legal entities responsible for organizing processing and ensuring personal data security in specific Companies.
Issuance of internal policies on personal data processing and information security, and familiarization of employees with them.
Training employees on personal data processing and information security.
Ensuring physical security of premises and processing facilities, access control, security, video surveillance.
Restricting and differentiating access by employees and other persons to personal data and processing facilities, and monitoring actions with personal data.
Identifying threats to personal data security during processing in personal data information systems and creating threat models on that basis.
Using security tools (antivirus tools, firewalls, protection against unauthorized access, cryptographic information security tools), including, where necessary, tools that have undergone conformity assessment in the established manner.
Accounting and storage of information media to prevent theft, substitution, unauthorized copying and destruction.
Backup of information for recovery.
Internal control over compliance with the established procedure, verification of the effectiveness of measures taken, incident response.
Checking that agreements contain, and if necessary including, clauses on confidentiality and security of personal data.
The Operator takes “privacy by design” (constructive data protection) into account when designing and operating technological systems.
The Operator maintains records of operations involving personal records to the extent necessary to confirm compliance with obligations and to investigate incidents.
The Operator designates a person responsible for personal data processing within the organization in cases provided for by Article 88(2)(3) of the Digital Code of the Kyrgyz Republic.
The Operator organizes training for employees.

Incidents and notifications:

For each incident in the digital environment affecting digital resilience or the rights and legitimate interests of subjects, the Operator notifies the sectoral regulator no later than 72 hours after the incident is discovered.
The processor notifies the records owner about an incident within the timeframe set by the agreement, but no later than 48 hours after discovery.
The notification contains the information provided for by Article 63(7) of the Digital Code of the Kyrgyz Republic and is updated as new information becomes available.

The Operator implements digital resilience and digital-environment risk management measures proportionate to the nature, scope and purposes of processing.

08

Rights of Personal Data Subjects

A personal data subject has the right to withdraw consent to personal data processing by sending a relevant request to the Operator or the Operator’s authorized representatives in other countries by mail or by personal visit.

A personal data subject has the right to receive information relating to processing of their personal data, including:

Confirmation of the fact of personal data processing by the Operator.
Legal grounds and purposes of personal data processing.
Purposes and methods of personal data processing used by the Operator.
Name and location of the Operator, information about persons (except employees) who have access to personal data or to whom personal data may be disclosed under a contract/agreement with the Operator or under the legislation of the Kyrgyz Republic.
Processed personal data relating to the relevant personal data subject, the source of their receipt, unless another procedure is provided for by the legislation of the Kyrgyz Republic.
Personal data processing periods, including retention periods.
The procedure for exercising the rights of the personal data subject under applicable law.
Information on completed or planned cross-border transfer of data.
Name or full name and address of the person processing personal data on behalf of the Operator, if processing is or will be entrusted to such a person.
Other information provided for by applicable law and the Operator’s agreements.

A personal data subject has the right to request that the Operator clarify their personal data, block or destroy them if the personal data are incomplete, outdated, inaccurate, unlawfully obtained or not necessary for the stated processing purpose, and to take measures provided for by applicable law to protect their rights.

If a personal data subject believes that the Operator processes their personal data in violation of applicable law or otherwise violates their rights and freedoms, the subject has the right to appeal the Operator’s actions or inaction in the manner provided for by applicable law.

A personal data subject has the right to protect their rights and legitimate interests, including compensation for losses and/or moral harm, in court.

The rights of the data subject/data principal are also exercised in accordance with the provisions of the Digital Code of the Kyrgyz Republic.

09

Roles and Responsibility

The rights, obligations and responsibility of the Operator are determined by applicable law and the Operator’s agreements.

The liability of the Operator’s employees involved in personal data processing by virtue of their functional duties for proper processing and unlawful use of personal data is established in accordance with the terms of the contract concluded between the Operator and the employee and the non- disclosure obligation.

The liability of persons involved in personal data processing under the Operator’s instructions for proper processing and unlawful use of personal data is established in accordance with the terms of the contract concluded between the Operator and the counterparty, a confidentiality agreement, or another agreement.

Persons guilty of violating rules governing processing and information security of personal data bear material, disciplinary, administrative, civil or criminal liability in the manner established by applicable law and the Operator’s agreements.

10

Publication and Updating of the Policy

The Policy is developed by persons responsible for organizing personal data processing in Limited Liability Company “Kyulchoro” and enters into force after approval by the Operator.

The Policy is a publicly available document of the Operator and provides the possibility for any persons to review its current version, including existing translations into foreign languages, by publishing it on the internet at https://onekyc.io.

Web forms, templates and standard forms of the Operator for collecting personal data must contain user notices about personal data processing in accordance with this Policy with a reference to it.

The Policy is valid indefinitely after approval until replaced by a new version. The Operator has the right to amend the Policy without notice to any persons.

Proposals and comments for amendments to the Policy may be sent by interested persons to info@onekyc.io.

[ Fin del documento · REV 2026-04-10 ]