Privacy Policy

1. About This Policy

This Privacy Policy explains how VeryNice.kz ("we", "us", "our") collects, uses, stores, shares, and protects your personal data when you visit or interact with the Site. It applies to:

• browsing the Site without an account
• creating an account and signing in
• posting comments or reviews
• registering or managing a Business Account
• using any interactive or AI-powered features

This Policy should be read alongside our Terms of Use and Cookie Policy. The Terms of Use govern your use of the Site. In the event of any inconsistency between this Policy and the Terms, this Policy prevails on data protection matters.

Russian is provided as the second official language of the Republic of Kazakhstan per Article 7(2) of the Constitution and Article 5 of Law No. 7-I. The English version is a convenience translation for international users and does not constitute a legally binding document for purposes of any proceedings in Kazakhstan.

2. Data Controller

The data controller for personal data processed through VeryNice.kz is the individual operator of the Site, reachable at headquarters.mailbox@gmail.com.

3. Personal Data We Collect

3.1 Account and authentication data

When you sign in using Google OAuth (or other future Third-Party Authentication Providers), that provider shares with us: your display name, email address, and profile photo URL. We store in our database (Firebase Firestore): your provider user ID, email address, display name, account role (traveller / business), and account creation timestamp. We do not receive or store passwords — your credentials remain solely with your chosen provider.

3.2 User-generated content (comments and reviews)

When you post a comment or review: the comment/review text; your display name (optional — you may post anonymously); your user ID if signed in; and the submission timestamp. Your IP address is also captured in server logs (see §3.5) for abuse prevention.

3.3 Business account data

When you register a Business Account: business name, type, and description; contact details (phone, email, address); Business Identification Number (BIN / БСН) or IIN / ЖСН where provided for verification; business location and operating hours; images and media you upload; and pricing information.

3.4 Analytics data (with your consent)

If you consent to analytics cookies, Google Analytics 4 (GA4) collects: pages visited and engagement events; time on page; approximate geolocation (country/city, derived from anonymised IP); device type, operating system, and browser; referring URL; and IP address (sent to Google, anonymised before storage by GA4). You can withdraw consent at any time via the cookie preference centre.

3.5 Advertising data (with your consent)

If you consent to advertising cookies, third-party advertising networks may collect: advertising identifiers, ad impressions and clicks, approximate location, browsing behaviour within the Site, and pseudonymous device fingerprint data. See §7 for details and opt-out options.

3.6 Server and infrastructure logs

Our hosting provider (Vercel) automatically logs: your IP address, HTTP request metadata (URL, method, status code, referrer, user agent), and request timestamps. These logs are controlled by Vercel per their own privacy policy (typically retained for 30 days). We do not actively access these logs except to investigate security incidents or technical issues.

3.7 Language preference

Your chosen language is stored in your browser's localStorage. This data never leaves your device and is not transmitted to our servers.

3.8 What we do NOT collect

• Payment card or banking data — no payments are processed on the Site
• Government-issued ID numbers from general users (only BIN/IIN from Business Account holders)
• Precise GPS-level geolocation — we do not request device location permissions
• Sensitive personal data — we do not knowingly or intentionally collect health, biometric, or political data through our systems. Note: user-generated content (comments, reviews) submitted by users may incidentally contain restricted personal data categories (see §3.9); such content is subject to our content moderation process.

3.9 Restricted personal data — Kazakhstan Law No. 94-V, Article 8 (Шектеулі дербес деректер)

Kazakhstan Law No. 94-V Article 8 designates certain categories of personal data as "restricted personal data" (шектеулі дербес деректер), which require explicit written consent and heightened protection. Restricted categories include: racial or ethnic origin; political opinions; religious or philosophical beliefs; membership of political parties or religious organisations; criminal convictions or offences; health or medical information; and sexual orientation or sex life.

We do not knowingly request or collect restricted personal data from users of VeryNice.kz. If you believe you have inadvertently submitted restricted personal data through the Site (for example, through a comment or review), please contact us immediately at headquarters.mailbox@gmail.com so that we can arrange its secure and verified deletion in accordance with Article 21 of Law No. 94-V.

4. Legal Bases for Processing (GDPR)

For users in the EEA and United Kingdom, we process personal data on the following legal bases under Article 6 of the GDPR (Regulation (EU) 2016/679):

Where processing is based on consent, you may withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal. To withdraw: use the cookie preference centre, or email headquarters.mailbox@gmail.com.

5. Cookies and Tracking Technologies

On your first visit, a cookie consent banner lets you accept all cookies, customise preferences by category, or reject all non-essential cookies. You can change your preferences at any time via the cookie preference centre on the Site.

5.1 Essential cookies (cannot be disabled)

5.2 Analytics cookies (consent required)

Additional opt-out: install the Google Analytics Opt-out Browser Add-on.

5.3 Advertising and targeting cookies (consent required)

Third-party advertising networks (which may include Google AdSense) set cookies when you consent. The specific cookies vary by active network and are listed in the cookie preference centre. Opt-out options:

• Cookie preference centre on this Site
• YourAdChoices: youradchoices.com
• NAI opt-out: optout.networkadvertising.org
• Google ad settings: myaccount.google.com/ad-settings

5.4 localStorage (not a cookie)

We store your language preference in browser localStorage under the key language_preference. This data is never transmitted to our servers and is erased when you clear your browser's site data.

6. Third-Party Services and Sub-Processors

We share personal data with the following third-party services acting as data processors on our behalf. Each is bound by appropriate data protection agreements and processes data only for the purposes described.

SCCs = EU Standard Contractual Clauses (EC Decision 2021/914). DPF = EU-US Data Privacy Framework. DPA = Data Processing Agreement. Copies of applicable transfer safeguards are available on request at headquarters.mailbox@gmail.com.

7. Advertising, Sponsored Content, and Affiliate Links

7.1 Display advertising

The Site displays third-party advertisements. When you consent to advertising cookies, advertising networks may collect pseudonymous identifiers and serve personalised ads based on your browsing behaviour. Advertisements are not endorsements of the advertised products or services.

7.2 Sponsored content

All paid advertising and sponsored content is clearly labelled as "Sponsored", "Advertisement", or equivalent, in accordance with Kazakhstan Law No. 508-II "On Advertising" and Law No. 18-VIII "On Online Platforms and Online Advertising" (2023). Commercial relationships do not influence editorial content or ratings.

7.3 Affiliate links

The Site contains affiliate links to booking platforms and travel services. If you click an affiliate link and make a purchase, we may receive a commission at no additional cost to you. No personal data about you is shared with affiliated third parties via our links — any data you provide to those sites is governed by their own privacy policies.

7.4 How to opt out of personalised advertising

• Cookie preference centre on this Site
• YourAdChoices — youradchoices.com
• NAI — optout.networkadvertising.org
• Google ad settings — myaccount.google.com/ad-settings

8. AI Translation and Content Moderation

8.1 AI translation

Non-English versions of Site content are produced using AI translation services (currently Groq, Google Gemini, and/or OpenRouter-routed models). When translation is invoked, the text content is sent to the AI service. We do not attach your personal data to translation requests. AI translations may contain errors or inaccuracies and are provided for convenience only — the English version is authoritative.

8.2 AI content moderation

User-submitted content (comments, reviews) may be processed by AI tools to detect material that violates our Terms of Use (hate speech, spam, illegal content). Comment text is sent to the AI service; we do not attach your email or other identifying data to moderation requests. Moderation decisions may also be reviewed by human moderators.

8.3 EU AI Act compliance

The EU Artificial Intelligence Act (Regulation (EU) 2024/1689) entered into force in August 2024 with obligations phasing in through 2025–2027. Under Article 50, we intend to implement machine-readable labelling of AI-generated content as applicable obligations come into effect for platforms serving EU users. This Policy will be updated accordingly.

9. Data Storage and Security

User data is stored in:

• Google Firebase (Firestore and Authentication) — Google Cloud infrastructure
• Vercel Edge Network — for server-rendered pages and API functions

Security measures in place include:

• Transport Layer Security (TLS / HTTPS) on all connections
• Firebase Authentication with secure HTTP-only session tokens
• Role-based access controls on the Firestore database
• No storage of payment data on our systems
• Regular review of third-party service security posture

10. Data Localisation — Kazakhstan

Article 17 of the Law of the Republic of Kazakhstan No. 94-V "On Personal Data and their Protection" (as amended, including the July 2024 amendments) requires that personal data of individuals in Kazakhstan falling within the category of "restricted personal data" (жеке сипаттағы деректер) be collected, processed, and stored on servers physically located in the territory of the Republic of Kazakhstan.

Users in Kazakhstan with specific concerns about the localisation of their personal data may contact us at headquarters.mailbox@gmail.com.

11. Data Retention

When retention periods expire, we securely delete or anonymise the relevant data unless a longer period is required by applicable law.

12. Sharing Your Data

We share data only in the following circumstances:

12.1 With sub-processors

As listed in §6, for the purposes described, under data processing agreements.

12.2 If required by law

In response to a lawful court order, regulatory requirement, or other mandatory legal obligation — including requirements of the Ministry of Digital Development, Innovations and Aerospace Industry of the Republic of Kazakhstan.

12.3 Business continuity

In the event of a sale, merger, or restructuring of the operator's business, to a successor entity that assumes all data protection obligations under this Policy. You will be notified of any such transfer.

12.4 With your explicit consent

In any other circumstances, only with your prior written consent.

Public content. Comments and reviews you post on the Site are visible to all visitors and should be treated as public. If you wish to have a public comment removed, contact headquarters.mailbox@gmail.com.

13. International Data Transfers

Most of our sub-processors are located in the United States. Data is transferred to the US and other countries under the following safeguards:

13.1 EEA and UK users (GDPR / UK GDPR)

• Google (Firebase, GA4, Gemini): EU-US Data Privacy Framework (DPF) and Standard Contractual Clauses (Module 2: Controller to Processor, EC Decision 2021/914)
• Vercel: Standard Contractual Clauses (EC Decision 2021/914)
• Cloudinary: Standard Contractual Clauses
• Groq / OpenRouter: Data Processing Agreements incorporating SCCs or equivalent safeguards

13.2 Kazakhstan users (Law No. 94-V)

Cross-border transfer of personal data of Kazakhstan residents requires notification to the Committee for Information Security of MDDIA under Article 18 of Law No. 94-V. This notification must be submitted and acknowledged by MDDIA before the first cross-border transfer of any category of personal data commences. We submit the required Article 18 notification to MDDIA prior to initiating any relevant cross-border data transfer. Where "restricted personal data" (Law No. 94-V, Art. 8) is involved, data localisation requirements apply and cross-border transfer of such data may require separate written consent from the data subject (see §10).

You may request a copy of the relevant transfer safeguards by emailing headquarters.mailbox@gmail.com.

14. Your Rights (All Users)

Regardless of your location, you may at any time:

Access

Request confirmation of whether we hold personal data about you, and receive a copy.

Rectification

Request correction of inaccurate or incomplete personal data.

Erasure

Request deletion of your personal data (subject to legal retention obligations).

Withdraw consent

Withdraw any consent you have given at any time, without affecting prior lawful processing. Use the cookie preference centre for cookie consent, or email us for other consent.

Account deletion

Request deletion of your account and all associated personal data. We will process the deletion within 30 days and confirm by email.

To exercise any right: email headquarters.mailbox@gmail.com with your name, account email, and a description of your request. We will respond within 30 calendar days (GDPR) or within 10 working days for access requests under Kazakhstan Law No. 94-V.

15. Additional Rights — EEA and UK (GDPR / UK GDPR)

If you are located in the EEA or United Kingdom, in addition to the rights in §14, you have:

15.1 Right to restriction of processing

Request that we restrict processing of your data while a dispute is under review.

15.2 Right to data portability

Receive your data in a structured, commonly used, machine-readable format (where processing is based on consent or contract and carried out by automated means).

15.3 Right to object

Object to processing based on legitimate interests. We will cease unless we can demonstrate compelling legitimate grounds that override your interests.

15.4 Rights related to automated decision-making

We do not make solely automated decisions that produce legal or similarly significant effects on individuals.

15.5 Right to lodge a complaint with a supervisory authority

You have the right at any time to lodge a complaint with the data protection authority in your country of residence. Key authorities:

• UK: Information Commissioner's Office (ICO) — ico.org.uk
• Germany: BfDI — bfdi.bund.de
• France: CNIL — cnil.fr
• Netherlands: AP — autoriteitpersoonsgegevens.nl
• All EEA authorities: edpb.europa.eu

16. Additional Rights — Kazakhstan (Law No. 94-V)

Under the Law of the Republic of Kazakhstan No. 94-V "On Personal Data and their Protection" (as amended, including the July 2024 amendments), data subjects in Kazakhstan have:

16.1 Right to access

Obtain information about whether and how your personal data is processed, and receive a copy within 10 working days of request.

16.2 Right to rectification

Require correction of inaccurate or incomplete personal data.

16.3 Right to deletion (блокирование/жою)

Require deletion of your personal data where it is no longer necessary for the original purpose, consent has been withdrawn, or processing is unlawful.

16.4 Right to restriction

Require that processing be suspended pending resolution of a dispute or verification of accuracy.

16.5 Right to object to processing for marketing

Object at any time to processing of your data for direct marketing purposes; we will cease such processing immediately.

16.6 Supervisory authority

Complaints regarding personal data processing may be submitted to the Committee for Information Security of the Ministry of Digital Development, Innovations and Aerospace Industry of the Republic of Kazakhstan (MDDIA). The Committee for Information Security of MDDIA is reachable via the official portal at gov.kz/memleket/entities/mdi or at headquarters.mailbox@gmail.com for assistance locating the correct submission procedure.

17. Children's Privacy

17.1 General minimum age

We do not knowingly collect personal data from children under 13 years of age. If we discover that a child under 13 has provided personal data, we will delete it promptly.

17.2 EEA and UK users

For users in the EEA and United Kingdom, the minimum age for providing independent consent to personal data processing is 16 years under Article 8 of the GDPR, unless the applicable national law of the user's Member State sets a lower age (minimum 13). If a user is between 13 and the applicable consent age in their country, the explicit written consent of a parent or legal guardian is required before the user creates an account or submits any personal data.

17.3 Parental or guardian report

If you are a parent or guardian and believe your child under the applicable consent age has used the Site without your knowledge, please contact us immediately at headquarters.mailbox@gmail.com so that we can take appropriate action, including account deletion and data erasure.

18. Data Breach Notification

18.1 Kazakhstan (Law No. 94-V)

In the event of a personal data security breach, we will notify the Committee for Information Security of MDDIA within 72 hours of becoming aware of the breach, in accordance with the amended Law No. 94-V (amendments effective 1 July 2024). Where the breach is likely to result in a significant risk to data subjects, affected Kazakhstan users will also be notified without undue delay.

18.2 EEA and UK (GDPR / UK GDPR)

If a breach is likely to result in a risk to the rights and freedoms of individuals, we will notify the competent supervisory authority within 72 hours of becoming aware. Where the breach is likely to result in a high risk to individuals, we will notify affected data subjects without undue delay, in accordance with Article 34 of the GDPR.

18.3 Incident response

We maintain documented procedures for responding to security incidents and personal data breaches, including containment, assessment, notification, and post-incident review.

19. Changes to This Policy

We may update this Privacy Policy at any time. We will provide at least 30 days' notice of material changes via a prominent notice on the Site and/or by email to registered users. The revised Policy will be identified by an updated "Last updated" date at the top of this page. Continued use of the Site after the effective date of a revised Policy constitutes your acceptance of those changes.

To stop using the Site and request account deletion, contact headquarters.mailbox@gmail.com.

20. Contact and Supervisory Authority Complaints

If you are not satisfied with our response, you have the right to lodge a complaint directly with your supervisory authority:

• Kazakhstan: Committee for Information Security, MDDIA
• EEA: your national data protection authority (see §15.5)
• UK: Information Commissioner's Office — ico.org.uk