Privacy Policy
1. Introduction
AWW (AI Web Wizard) is a software platform for automating sales on Kaspi.kz, developed and operated by Vast Flow LLP (hereinafter — "Company", "we", "our"), registered in accordance with the legislation of the Republic of Kazakhstan.
We understand that the privacy of your data is not a formality but the foundation of trust. This Privacy Policy explains what personal data we collect when using the AWW platform, how we process, store and protect it, and what rights you have regarding your data.
Using the AWW platform means you agree to the terms of this Policy. If you do not agree with any provision, please stop using the service and contact us using the contact details listed in Section 10.
This Policy is developed in accordance with the Law of the Republic of Kazakhstan "On Personal Data and Their Protection" dated 21 May 2013 No. 94-V and other applicable regulatory acts of the Republic of Kazakhstan.
2. What data we collect
Depending on how you interact with the platform, we may collect the following categories of data:
2.1. Account data
When registering and using your personal account we collect:
- First and last name — for interface personalization and documentation;
- Email address — for authentication, notifications and support;
- Phone number — for two-factor authentication and support communication;
- Store or company name — for identification within the system;
- Registration date and last login — to ensure account security.
2.2. Tokens and access keys
To connect your Kaspi.kz store to the AWW platform we receive and process:
- Kaspi API token — an access key issued by Kaspi.kz for working with their official API. We do not request or store your Kaspi account password;
- Store identifier (Store ID) — to uniquely link your AWW account to your store on Kaspi.
2.3. Service usage data
- IP addresses and country/city-level geolocation;
- Browser type and version, operating system;
- Pages and platform features you visit and use;
- Timestamps of actions — when you perform certain operations;
- Error logs and technical data for diagnosing failures.
2.4. Payment data
We do not store your bank card details or account billing information. Payment transactions are processed directly by certified payment providers. AWW only receives the transaction status (successful / declined) and a payment identifier for subscription accounting.
2.5. Cookies and technical trackers
We use cookies and similar technologies to ensure correct service operation, remember your preferences and collect aggregated analytics. More details are in Section 6.
3. How we use data
We use the collected data exclusively for the following purposes:
3.1. Service delivery and improvement
- Creating and managing your account on the platform;
- Connecting to the Kaspi API and performing operations on your behalf — managing prices, responding to reviews, generating product descriptions;
- Displaying analytics, statistics and reports in your personal dashboard;
- Developing new features based on aggregated usage patterns.
3.2. Support and communication
- Responding to your support requests;
- Notifications about changes to pricing plans, terms of use and the privacy policy;
- Sending technical notifications about the status of your account and store;
- Newsletters and product updates — only with your explicit consent, which you can withdraw at any time.
3.3. Security and fraud prevention
- Detecting and preventing unauthorized access to accounts;
- Monitoring suspicious activity and protecting against abuse;
- Verifying identity for account recovery requests.
3.4. Fulfilling legal obligations
We process data to the extent required to comply with applicable laws of the Republic of Kazakhstan, including tax, accounting and other regulatory legislation.
4. Data storage and protection
4.1. Technical safeguards
We apply a multi-layered data protection system:
- Encryption at rest: all data stored in our databases is protected with AES-256 encryption;
- Encryption in transit: all traffic between your browser and the platform is transmitted over TLS 1.3;
- Isolated token storage: Kaspi API keys are stored in a separate secure secret store with restricted access;
- Two-factor authentication: we support 2FA for additional protection of your account;
- Regular backups: data is backed up daily and stored in geographically distributed locations.
4.2. Data retention periods
- Active account data — retained for the duration of your subscription;
- Data after account deletion — retained for 30 days after deletion, after which it is permanently destroyed. The exception is data that must be retained by law;
- Operation and transaction logs — for 5 years in accordance with the tax legislation of the Republic of Kazakhstan;
- Technical logs — for 90 days;
- Backups — retained for 30 days, then overwritten.
4.3. Server locations
Primary user data is stored on servers located in the Republic of Kazakhstan and the European Union (in data centers compliant with ISO 27001 standards). Cross-border data transfers are carried out only with appropriate legal safeguards in place.
5. Sharing data with third parties
We do not sell, rent or disclose your personal data to third parties for commercial purposes. Data is shared only in strictly limited cases:
5.1. Payment providers
To process payments we use certified payment operators. These providers receive the minimum necessary data: payer name, transaction amount and currency. Full card details are not available to us and are not stored on our servers.
5.2. Cloud and technical services
We engage technical subcontractors to operate the platform (hosting, database, email, monitoring). All subcontractors are required to comply with confidentiality standards no lower than ours and sign data processing agreements (DPA).
5.3. Kaspi.kz
The AWW platform interacts with the Kaspi.kz API on your behalf. Data we send via the API (prices, product descriptions, responses to reviews) is governed by Kaspi.kz's privacy policy. We recommend reviewing it separately.
5.4. Law enforcement and regulators
We may disclose data in response to a lawful request from a court, prosecutor or an authorized government body of the Republic of Kazakhstan. In such cases we provide only the data explicitly requested and, where permitted by law, will notify you of the request.
5.5. Reorganization or sale of business
In the event of a merger, acquisition or sale of assets of Vast Flow LLP your data may be transferred to a successor. We will notify you in advance and you will retain the right to request deletion of your data.
7. User rights
Under the Republic of Kazakhstan's personal data legislation you have the following rights:
7.1. Right of access
You may request a list of personal data that we process, as well as information about the sources of that data, processing purposes and retention periods. We will provide a response within 10 business days.
7.2. Right to rectification
If your data is inaccurate or outdated, you can update it yourself in the "Profile settings" section or contact our support. Corrections are completed within 5 business days.
7.3. Right to deletion
You may request deletion of your account and related data. Deletion is completed within 30 days. Data that must be retained by law (for example, financial records) will be deleted after the statutory retention period expires.
7.4. Right to restrict processing
You may request restriction of processing of your data in cases provided by law — for example, if you contest its accuracy or object to processing.
7.5. Right to object
You have the right to opt out of receiving marketing communications at any time by clicking the "Unsubscribe" link in any message from us, or by contacting us directly at support@vastflow.kz.
7.6. How to exercise your rights
To exercise any of the rights listed above, send a request to support@vastflow.kz with the subject "Personal data request". We may request identity verification before processing the request.
8. Kaspi API data
Your Kaspi data is secure
AWW connects to your store exclusively via the official Kaspi.kz API. We never request your Kaspi account login or password.
Working with Kaspi.kz data deserves special attention, as it is commercially sensitive information. This section explains how we handle data obtained through the official Kaspi API.
8.1. What data we obtain via the Kaspi API
- Your store's product catalog: titles, SKUs, categories, current prices;
- Order data: statuses, amounts, timestamps (without customers' personal data);
- Customer reviews: review text, ratings, product identifiers;
- Store metrics: rating, number of sales, competitive prices for similar products.
8.2. How we use this data
- Repricer: we analyze competitor prices and adjust your prices in accordance with the configured rules. Changes are applied via the Kaspi API;
- Review management: we generate responses to reviews using AI and publish them on your behalf via the Kaspi API after your approval or automatically — per your preference;
- Analytics: we aggregate sales data to build dashboards and reports exclusively in your personal account;
- Content generation: we use your product data to create SEO-optimized descriptions.
8.3. What we do not do with Kaspi data
- We do not share your store data with competitors or third parties;
- We do not use your data to train AI models available to other users without your explicit consent;
- We do not analyze your data for the benefit of other AWW clients;
- We do not sell analytics about your activities to advertising or research organizations.
8.4. Revoking access
You can revoke the API token at any time directly in your Kaspi.kz account. After revocation, AWW immediately stops performing operations. Previously obtained data is deleted in accordance with the timelines specified in section 4.2.
9. Changes to the policy
We reserve the right to make changes to this Privacy Policy. Changes may be driven by platform functionality updates, changes in the law, or other circumstances.
When making significant changes we will notify you at least 7 days before they take effect by one of the following methods:
- Notification by email to the address registered in your account;
- A banner or pop-up notification at your next sign-in;
- Publication of the updated version on this page with a changed "Last updated" date.
Continued use of the platform after the changes take effect constitutes your acceptance of the updated Policy. If you do not agree with the new version, you may delete your account in accordance with section 7.3.
All previous versions of the Privacy Policy are available upon request at support@vastflow.kz.
10. Contact information
If you have questions about this Privacy Policy, how we process your data, or you wish to exercise your rights, contact us using any of the following methods: