OnInvestment LLP Personally Identifiable Information Processing and Security Policy

This Personally Identifiable Information Processing Policy (the “Policy”) is a public Contract entered into by and between the owner of http://oninvest.com website, OnInvestment LLP (Business Identification Number 250140025207) (the “Operator”) and users of the Operator’s services.

When organizing and carrying out the personally identifiable information processing, the Operator shall be governed by the Law of the Republic of Kazakhstan No. 94-V of May 21, 2013 “On Personally Identifiable Information and its Protection” and other laws and regulations adopted in accordance therewith.

For the purposes of this Policy, personally identifiable information means any information provided through websites to the Operator and/or collected using such websites, relating to a directly or indirectly identified or identifiable individual (subject of personally identifiable information).

By using the website or other services of the Operator, you agree that you have read and accept this Policy in its entirety. In case of disagreement with its terms and conditions you should stop using the service and opt out of the Operator's services.

By using the service or using other services of the Operator, you confirm your consent to the processing, collection and cross-border transfer of your personally identifiable information in accordance with the Policy and applicable laws of the Republic of Kazakhstan.

The Operator collects information via the website in the following ways:

1. Personal Data Provided by Users:
   • The Operator collects personally identifiable information which is entered into the data fields on the website of the Operator by users themselves or other persons on their behalf.
2. Collecting user IP addresses and cookies.
3. Passive collection of personally identifiable information about the current connection in terms of statistical information (at the Operator’s discretion):
   • website-assigned user ID;
   • visited pages;
   • number of page views;
   • information about navigating through the website pages;
   • user session duration;
   • entry points (third-party sites from which the user follows a link to the website);
   • exit points (links on the website that take the user to third-party sites);
   • user’s country;
   • user’s region;
   • the time zone set on the user’s device;
   • user’s provider;
   • user’s browser;
   • canvas fingerprint;
   • browser fonts available;
   • installed browser plug-ins;
   • browser’s WebGL options;
   • type of media devices available in the browser;
   • ActiveX presence;
   • list of supported languages on the user’s device;
   • user device processor architecture;
   • user’s OS;
   • screen parameters (resolution, color depth, page positioning parameters on the screen);
   • information about the use of automation when accessing the website.

With respect to registered users of the website, the Operator may collect information about the use of ports on users’ devices in order to detect suspicious activity and protect users’ personal accounts. The data can be obtained using various methods, such as cookies and web file beacons, etc.

The Operator may use third-party Internet services (third-party technologies) to organize the collection of statistical personally identifiable information, third-party Internet services provide storage of the received data on their own servers.

The Operator is not responsible for localization of servers of third-party Internet services. However, such third-party Internet services (third-party technologies) installed on the website and used by the Operator can install and read cookies from browsers of end users of the website to collect information in the process of advertising activities on the website. The procedure for the collection and use of data collected by such third-party Internet services (third-party technologies) shall be determ...

The Operator shall not compare any information that is provided by the user independently and that allows to identify the subject of personally identifiable information with statistical personally identifiable information obtained through the use of similar passive methods of information collection.

The processing of personal data by the Operator is carried out strictly in accordance with the legislation of the Republic of Kazakhstan and is limited to achieving specific, pre-defined, and legally justified purposes, including compliance with the adhesion agreement and the payment organization rules.

Only personal data necessary to achieve processing purposes are subject to processing. The content and scope of the personal data processed by the Operator correspond to the declared processing purposes; excessive processing of personal data is not allowed.

When processing personal data, the Operator ensures their accuracy, sufficiency, and, when necessary, relevance to the purposes of processing. The Operator takes necessary measures (ensures their implementation) to delete or correct incomplete or inaccurate personal data.

In the course of its activities, the Operator may provide and/or entrust the processing of personal data to another entity with the consent of the data subject, unless otherwise provided by the personal data legislation of the Republic of Kazakhstan. A mandatory condition for such transfer or delegation of personal data processing is the obligation of the parties to maintain confidentiality and ensure the security of personal data during processing.

The duration of personal data processing is determined in accordance with the purposes for which they were collected.

The subject of personally identifiable information has the right to:

• request clarification of his/her personally identifiable information, blocking or destruction thereof if the personally identifiable information is incomplete, outdated, unreliable, illegally obtained or not required for the stated purpose of processing, as well as to take statutory measures to protect his/her rights;
• request the list of his/her personally identifiable information processed by the Operator and the source from which it was obtained;
• receive information about the timing of processing of his/her personally identifiable information, including the period of its storage;
• demand notification of all persons who have been previously informed of incorrect or incomplete personally identifiable information about all exceptions, corrections or additions made thereto;
• appeal to the authorized body in charge of protecting the rights of personally identifiable information or in court against unlawful acts or omissions in the processing of his/her personally identifiable information;
• the protection of his/her rights and legitimate interests, including compensation for losses and/or compensation for moral damage in a court of law.

If you have any questions about the nature of the application, use, modification or deletion of your personally identifiable information that you have provided, or if you wish to opt out of any further processing thereof by the Operator, please contact us by mail, the Operator’s address or by email: editorial@oninvest.com.

Please note that the Operator of personally identifiable information is not responsible for inaccurate information provided by the subject of personally identifiable information.

To maintain its business reputation and ensure compliance with the legislation of the Republic of Kazakhstan, the Operator considers it a priority to ensure the legitimacy of personal data processing within its business processes and to provide an appropriate level of security for processed personal data.

The Operator requires other persons who have access to personal data not to disclose or distribute personal data to third parties without the consent of the data subject, unless otherwise required by the legislation of the Republic of Kazakhstan.

To ensure the security of personal data during processing, the Operator takes necessary and sufficient legal, organizational, and technical measures to protect personal data from unlawful or accidental access, destruction, alteration, blocking, copying, provision, distribution, and other illegal actions.

The Operator ensures that all measures for the organizational and technical protection of personal data are carried out lawfully, including in accordance with the requirements of the legislation of the Republic of Kazakhstan regarding personal data processing.

To ensure an adequate level of personal data protection, the Operator assesses the potential harm that may be caused to data subjects in case of security violations and determines relevant security threats when processing personal data in information systems.

Based on identified threats, the Operator applies necessary and sufficient legal, organizational, and technical measures to ensure personal data security, including using information protection tools, detecting unauthorized access, restoring personal data, restricting access, recording and tracking actions with personal data, and evaluating the effectiveness of security measures.

The management of the Operator acknowledges the importance and necessity of ensuring personal data security and promotes continuous improvement of the personal data protection system within its core activities.

The Operator has appointed individuals responsible for organizing the processing and security of personal data.

Each new Operator employee directly involved in personal data processing is familiarized with the requirements of Kazakhstan's legislation on personal data processing and security, this Policy, and other internal regulations, and undertakes to comply with them.