Qalan Platform Privacy Policy

Last updated: 01.05.2025

This Privacy and Personal Data Processing Policy (the Policy) denes the procedure for

collecting, using, storing, and protecting Users’ personal data of the Qalan digital

educational platform (website and mobile application), as well as other condentiality

matters. The Policy is developed in accordance with the legislation of the Republic of

Kazakhstan, including the Law of the Republic of Kazakhstan “On Personal Data and Their

Protection,” and is not based on the legislation of other countries (GDPR, etc.) unless

explicitly stated otherwise.

By using the Qalan website or mobile application, the User agrees to the terms of this

Policy. If the User does not agree with any provisions, they must stop using the Platform.

Continued use after the publication of an updated version of the Policy constitutes

acceptance of it.

1. Terms and general provisions

- Personal data – any information relating to an identied or identiable natural person

(personal data subject) that is collected when the User uses the Platform. Such data may

include: full name, date of birth, contact details (phone, email), performance and learning

data, information about completed transactions, as well as other information classied as

personal by law or by the User.

- Personal data operator – LLP “QALANKZ” (the Platform Administration), which organizes

and carries out the processing of Users’ personal data and determines the purposes and

scope of processing. The Operator’s contact details are provided at the end of this Policy.

- Processing of personal data – any action or set of actions with personal data performed

with or without the use of automated tools, including collection, recording,

systematization, storage, clarication (updating, modication), extraction, use, transfer

(distribution, provision, access), depersonalization, blocking, deletion, destruction of

personal data.

- Website – the Qalan Platform website available at qalan.kz, qalan.school, qalan.ru,

qalan.uz or other oicial domains of the Administration.

- Mobile application – the Qalan application for mobile devices (iOS/Android) through

which the User can also use the Platform’s services.

- Other data – anonymized information not related to a specic User, collected for

technical, statistical, or other purposes, such as cookies, service performance data. In the

context of this Policy, data processing generally refers to work with personal data; however,

the general condentiality provisions also apply to other data to ensure their security.

This Policy applies to all information about Users that the Administration may receive

during their use of the Platform, including interactions with the website, the application,

support services, oicial Qalan social media pages, etc. Exceptions may include cases

where a specic service publishes a separate privacy policy or notice governing data

processing within that service.

2. Consent to data collection and processing

2.1. The legal basis for processing Users’ personal data is their consent. When registering

an account, the User conrms that they have read this Policy and consents to the

collection and processing of their personal data by checking the corresponding box in the

registration form. Continued use of the Platform after being presented with a notice of an

updated Policy is considered consent to its terms.

2.2. The User has the right to withdraw their consent to the processing of personal data at

any time by sending a corresponding request to the Operator (see Contact Details in

section 7). After receiving such a withdrawal, the Administration will stop processing the

User’s personal data, except where necessary to fulll a contract or as required by law.

Withdrawal of consent may make it impossible to continue providing the Platform’s

services to the User (as account deletion will result in loss of access to learning materials).

3. User data processed

In the course of using the Qalan Platform, the Administration may collect the following

categories of data about Users:

3.1. Data provided directly by the User:

- When registering an account: username (login); phone number; password (stored in

encrypted form).

- In the User Prole: name, grade/class, educational institution, photo or avatar, and other

information the User voluntarily provides about themselves.

- Learning information: when using the services, the User may enter data related to the

learning process—test results, assignments completed, comments, questions submitted

on the platform. This data is stored to provide the services.

- Support requests: when sending requests or messages to the Administration by email or

via the feedback form, the User may provide their contact details and describe the issue in

detail, which may also include personal information.

3.2. Data collected automatically:

- Technical data: at each visit to the Platform, technical data are automatically collected—

IP address and approximate location based on it, device type and model, browser and

operating system information, app version, screen resolution, language settings, unique

device identiers.

- Log data: the Platform’s servers store in logs information about User actions: which pages

were visited, which features were used, access time and date, volume of data transferred,

any errors, etc. This data is used to analyze the service performance, identify and x issues,

and protect against network attacks.

- Cookies and similar technologies: the Platform may use cookies (small text les stored in

the User’s browser) and technologies such as local storage or pixel tags. The User can

manage cookies through their browser settings; however, disabling cookies may limit the

Platform’s functionality.

- Analytics data: the Administration may use web analytics services (Google Analytics,

Yandex.Metrika or similar services) that collect anonymized information about User

behavior on the site: navigation between pages, time on site, interactions with interface

elements, etc. This data does not identify a specic person and is used to improve the

service.

3.3. Data obtained from external sources:

- If the User links their account with an account of a teacher / student / parent / legal

representative, the system receives the corresponding information about the linkage of

proles. Third-party personal data are not disclosed to the student, except for the

name/identier necessary to establish the link.

3.4. Special categories of data. The Platform does not request from Users information

related to special categories of personal data, such as racial or ethnic origin, political

opinions, religious beliefs, health data, sex life, criminal records. The User should refrain

from posting such information about themselves in their prole or messages on the

Platform. If, as part of the learning process, the User voluntarily discloses any sensitive

information on their own initiative, they do so voluntarily; the Administration will treat it as

condential but strongly recommends avoiding such actions.

3.5. Third-party data. If the User provides personal data of a third party (e.g., provides a

parent’s contact details, or a teacher registers a student), the User guarantees that they

have obtained the consent of that third party to such actions. The Administration treats

such data as provided with the subjects’ consent but may request conrmation if

necessary.

4. Purposes of data collection and use

The Qalan Administration collects and processes Users’ personal data for specic,

dened, and lawful purposes. The main purposes of processing are:

4.1. Primarily, the data is needed so that the User can use the Platform’s functionality:

- Registration data is used to create an account, authenticate the User upon login, and

restore access if a password is lost.

- Prole data may be used to personalize the service.

- Performance data, test results, and course progress are used to display the User’s

progress, generate recommendations, and inform the teacher / parent / legal

representative (if the prole is linked) about the learner’s results.

- Processing internal messages, comments, and other User activities enables

communication within the Platform.

- Personal data is also used when providing extended access: for example, full name or

payment card data may be transferred to a bank/payment system to complete a

transaction, and purchase history is stored to account for access to extended content.

4.2. Analysis of anonymized and aggregated usage data helps the Administration

understand user needs, x interface issues, and improve usability. For example,

information about which tasks many Users nd diicult may be used to improve teaching

methods; data on active usage times may be used to optimize teacher schedules, etc. Any

conclusions based on such data are made without reference to specic individuals.

4.3. The Administration uses contact information to communicate with the User on service

matters:

- Resolving technical issues.

- Sending notications about important changes to the Platform’s operation, terms of

service or policy, and security notices.

- In certain cases (with the User’s consent or if it follows from the services provided),

sending informational or educational materials, including marketing content, related to the

Platform’s services. The User can always opt out of marketing communications by using

the unsubscribe link in an email or adjusting preferences in their account.

4.4. Personal data is also processed to comply with the laws of the Republic of Kazakhstan:

- Payment data is stored and may be used for accounting, tax reporting, and fullling the

requirements of nancial monitoring authorities.

- In response to an oicial request from competent authorities, the Administration may use

and transfer the necessary data to comply with the law.

- Information necessary to fulll Users’ data protection rights, particularly when the User

requests information about their data or its deletion; see section 6.

4.5. The Administration may process personal data when necessary to protect the

legitimate interests of the Operator or third parties:

- Detecting and preventing fraud, unauthorized access to accounts, and violations of the

- Investigating incidents related to violations of the Platform’s rules or the law and taking

appropriate measures (blocking, transferring information to authorized bodies).

- Defense in court or other proceedings: in the event of a dispute with a User or a third

party, the Administration has the right to store and provide necessary data as evidence if

needed to establish facts and defend its position under the law.

In all cases, the Administration processes exactly the amount of personal data necessary

to achieve each specic purpose and does not store data longer than required (see section

5 on retention periods).

5. Storage and protection of personal data

5.1. Users’ personal data is stored no longer than necessary for the purposes of its

processing:

- Account data and prole information are stored for the entire period the User uses the

Platform and are deleted or anonymized at the User’s request (when deleting the account)

or at the Administration’s initiative after a long period of inactivity (subject to notifying the

User).

- Learning data (results, progress) is stored for the entire life of the account to ensure the

User’s access to their learning history. After the account is deleted, this data may be

anonymized and used for statistical purposes (without reference to identity).

- Data on completed payments and the fact of providing extended access are stored for at

least 5 years or another period provided by accounting and tax legislation.

- Server logs and technical records are generally stored for up to 1 year, unless a longer

period is needed to detect security incidents or investigate violations. Aggregated analytics

information may be stored longer; it does not identify individuals.

After the relevant retention periods, data is destroyed or anonymized, meaning it is

transformed into a set that does not allow identication of the subject. If the User has

withdrawn consent or terminated the contract (deleted the account) while a mandatory

retention period has not yet expired, the data may be moved to an archival mode—without

active processing, stored only for purposes required by law.

5.2. The Administration implements necessary organizational and technical measures to

protect Users’ personal data from unlawful or accidental access, destruction, alteration,

blocking, copying, distribution, as well as from other unlawful actions:

- Modern encryption is used for the transmission of sensitive data, such as SSL/TLS to

protect traic between client and server; encryption of passwords and nancial

information.

- Access to personal data databases is strictly limited: only authorized employees who

need it to perform their job functions have access, and even then under strict control. All

such persons are obliged to maintain trade secrecy and condentiality.

- Servers and infrastructure are hosted in secure data centers located in the Republic of

Kazakhstan and compliant with security standards. Regular software updates are carried

out to eliminate known vulnerabilities.

- Protection against malware and unauthorized access is implemented.

- Periodic testing and evaluation of the eectiveness of security measures are conducted.

Measures are improved as necessary, particularly considering technological developments

and emerging threats.

5.3. The Administration guarantees that no Users’ personal data will be sold or otherwise

transferred to third parties for commercial purposes without the Users’ consent. Transfer of

personal data to third parties is permitted only in the cases specied in section 4 and in

section 5.4 below, or in the event of reorganization of the operating company with data

transferred to the legal successor under condentiality conditions. All employees and

partners with access to data sign non-disclosure agreements.

5.4. In the course of providing services, some Users’ personal data may be transferred:

- To payment systems and banks when arranging access; necessary data (name, amount,

card details) are transferred to the servicing bank/payment gateway. These organizations

are independently responsible for the security of the data transferred to them and use it

exclusively for nancial operations.

- To educational supervisors: if a User-student joins a class or group under the supervision

of a teacher, the teacher gains access to certain personal data of the student necessary for

the learning process: name, learning results, assignment completion statistics, progress.

The teacher must use this data only for educational purposes and not disclose it to third

parties. Similarly, a parent/legal representative of a minor User gains access to information

about the child’s actions on the Platform. Providing such data to a teacher/parent is carried

out with the consent of the User or their legal representative, which is assumed when

joining the respective educational group.

- To service providers – the Administration may engage third-party companies for certain

processes—for example, messaging services to send notications, cloud hosting services,

analytics tools. In such cases, only the minimum necessary data is transferred. Each such

provider signs an agreement obliging them to protect the received data and use it strictly

according to the Administration’s instructions, without transferring or disclosing it.

- To law enforcement and government authorities upon receipt of a lawful request made in

accordance with legal requirements; the Administration is obliged to provide the requested

data from what it has. Within the law, the Administration will endeavor to provide the

minimum required information and ensure the legality of the request. The User will be

informed of such a request if permitted by law and if informing is possible without harming

the investigation.

- For rights protection: if the User has violated the Terms of Use or committed unlawful acts

that are under review, the Administration may provide the User’s data in the amount

necessary for case consideration to the aected party or experts, but only if there is a legal

basis and within the dispute resolution procedure.

5.5. As stated in clause 5.4, some data recipients may be located outside the Republic of

Kazakhstan. When transferring data abroad, the Administration ensures that the recipient’s

country provides adequate legal protection of personal data subjects’ rights or that the

recipient undertakes contractual obligations to comply with condentiality standards no

lower than those provided in the Republic of Kazakhstan. The User’s use of the Platform

constitutes consent to such cross-border transfer. If the User objects to having their data

hosted on servers abroad, they should refrain from using the Platform.

5.6. The Administration may use and transfer to third parties anonymized data that does

not allow direct identication of Users. Such anonymized aggregate data is not considered

personal and may be used freely; however, the Administration will still require third parties

receiving it not to attempt to de-anonymize the information.

6. User rights regarding personal data

In accordance with the legislation of the Republic of Kazakhstan on personal data, the

User, as a personal data subject, has the following rights:

6.1. Right to obtain information about processing. The User has the right to request from

the Administration information concerning the processing of their personal data:

conrmation of the fact of processing; a list of personal data processed by the Operator;

sources of their receipt; purposes, terms, and methods of processing; the name and

location of the Operator; as well as other information provided for by Article 11 of the Law

“On Personal Data and Their Protection.” Such information is provided upon the User’s

request (see section 7 for the procedure) no later than 5 business days from the date of the

request, unless another period is established by law.

6.2. Right to request correction or deletion of data. If the User nds that any of their

personal data is outdated, inaccurate, or unnecessary, they have the right to update it at

any time on their own through the Personal Account or send the Administration a justied

request to modify or delete it. If there are grounds, the Administration will make the

necessary changes or delete the specied data, if technically possible and not contrary to

legal retention requirements, within no more than 15 business days, or provide a reasoned

refusal if there are legal grounds for refusal.

6.3. Right to withdraw consent and demand cessation of processing. The User may

withdraw previously given consent to the processing of personal data at any time (see

clause 2.2). In addition, even if another basis for processing exists, the User has the right to

object to further processing of their personal data for marketing purposes or for any other

purpose not required to fulll the contract.

6.4. Right to le requests and complaints. If the User believes that the Administration is

processing their personal data in violation of legal requirements or their lawful rights, they

may le a complaint directly with the Administration or submit a complaint to the

authorized state body for personal data protection (in the Republic of Kazakhstan, this

function is performed by the personal data protection unit under the Ministry of Digital

Development, Innovations and Aerospace Industry, or another body designated by the

government). The User also has the right to protect their rights in court by ling a claim for

the protection of personal data, compensation for damages and moral harm, if any, in

accordance with the law.

6.5. Right to restrict dissemination. The User has the right to prohibit the dissemination of

their personal data without their consent or other legal grounds.

6.6. Other rights. The laws of the Republic of Kazakhstan may provide for other rights of

data subjects, such as the right to clarication of the consequences of refusing to provide

data, the right to require notifying third parties to whom data was previously transferred

about the deletion or correction of data, etc. The Administration respects all Users’ rights

under the law and is ready, upon request, to provide additional information on the

implementation of specic rights.

7. User requests regarding data

7.1. Operator’s contact details:

LLP “QALANKZ” – Operator of personal data of Users of the Qalan Platform.

Mailing address: 050000, Republic of Kazakhstan, Almaty, 27 Edil Yergozhin St., Oice 41.

Email for personal data inquiries: qalan.education@gmail.com.

7.2. To exercise the rights listed in section 6, the User may send a written request by email

or on paper. The request should indicate:

- The User’s full name (or their representative’s) and contact details for feedback;

- The essence of the request—which right the User wishes to exercise: obtain information,

change/delete data, withdraw consent, etc.;

- A description of the relevant data;

- In the case of a representative’s request—a document or power of attorney conrming

their authority.

7.3. The Administration handles personal data-related requests as a priority. A response to

a request for information (clause 6.1) or other action with data is provided within no more

than 20 business days from the date of receipt of the request, unless a shorter period is

established by law. If an extension is necessary, the Administration will notify the User,

indicating the reasons for the delay.

7.4. Following the review of the request, the Administration will provide a written response.

The response will contain the requested information or a description of the measures taken

at the User’s request, or a reasoned refusal if the request is denied, with reasons indicated.

When satisfying requests for changing/deleting data, the Operator will also take steps to

notify third parties to whom the User’s data was previously transferred (if applicable and

possible).

8. Additional: cookies and their use

(This section may be issued separately if necessary. The main provisions are provided

below.)

8.1. What cookies are. Cookies are small les that a website or application stores on the

User’s device (on their hard drive or device memory) when visited. Cookies allow the site to

remember information about the User’s visit, such as preferred language, settings, and

other data to make the next visit more useful and convenient.

8.2. How Qalan uses cookies. The Qalan Platform uses cookies and similar technologies

for the following purposes:

- Authentication and session persistence: to keep the User logged in without entering a

password on each page; to remember that the User has already signed in.

- Settings and personalization: saving user preferences (for example, interface language

choice, enabling/disabling video sound, etc.) so that they are applied automatically at each

visit.

- Analytics: collecting statistical information about traic, pages viewed, and interactions

with the interface. This helps improve content and functionality.

- Advertising and marketing (if applicable): if the Platform hosts advertising materials or

referral programs, cookies may be used to show more relevant ads or to track the User’s

participation in promotional activities.

8.3. Cookie management. When rst visiting the website, the User may be shown a notice

about the use of cookies with an option to agree or congure them. The User can change

cookie settings at any time via the Platform interface (if implemented) or through their

browser settings:

- The browser can be congured to block cookies from all sites or specic sites, as well as

to delete previously saved cookies. Many browsers also have “incognito” or “private mode,”

in which cookies are not retained after closing the window.

- Note that refusing cookies may result in some Platform features becoming unavailable or

functioning with limitations.

8.4. Third-party cookies. Pages of the Platform may include embedded elements from

third-party services (for example, YouTube videos, social media widgets). Such elements

may store their own cookies, which are not controlled by the Administration. For example,

YouTube may store cookies to track statistics for embedded video views. The Platform

endeavors to minimize, where possible, the transfer of data to third parties via cookies;

however, it may be impossible to completely eliminate third-party cookies if their services

are used. The User can block third-party cookies in the browser settings (“Block third-party

cookies”).

9. Changes to this Policy

9.1. Policy relevance. The Administration reserves the right to periodically make changes to

this Privacy Policy due to changes in legal requirements, development of the Platform’s

functionality, or changes in the methods and purposes of data processing. When changes

are made, the header of the Policy will indicate the new last updated date.

9.2. Notice of changes. In the event of material changes to the Policy terms (for example,

changes in the list of collected data, purposes of processing, transfers to third parties,

etc.), the Administration will notify Users by posting a prominent announcement on the

website/in the application or by sending a message to the email address provided during

registration. It is recommended to regularly review the current version of the Policy on the

website to stay informed of its terms.

9.3. Consent to changes. If the User continues to use the Platform after the new version of

the Policy takes eect, this constitutes consent to the updated terms of personal data

processing. If the User disagrees, they must stop using the services and may delete their

account if they wish, having rst informed the Administration of their objections.

10. Additional provisions

10.1. Relationships related to the processing of personal data within this Policy are

governed by the legislation of the Republic of Kazakhstan. This Policy is drafted considering

the requirements of the Law of the Republic of Kazakhstan “On Personal Data and Their

Protection.” The rights and obligations of the parties not expressly regulated by the Policy

are determined by the said law.

10.2. For matters not regulated by this Policy, the User and the Administration may

conclude additional agreements. Such agreements must not contradict the Policy and the

legislation of the Republic of Kazakhstan.

10.3. Within the Operator’s organization, a person responsible for ensuring the protection

of personal data has been appointed (their contacts can be provided upon request). Any

questions, comments, and suggestions regarding this Policy can be sent to:

qalan.education@gmail.com. We strive to review them promptly and improve our privacy

practices.

10.4. If any third-party organization provides you with access to the Qalan Platform and

acts as a separate personal data operator, the relationship between you and that

organization may be governed by that organization’s separate privacy policy. This Policy

governs only data processing directly by QALANKZ. We recommend clarifying with third

parties how they process your data if you interact with the Platform through them.

10.5. The User conrms that they have carefully read this Policy, understand its content,

and agree to the stated terms for processing their personal data. The Administration, for its

part, guarantees compliance with these conditions and thanks Users for their trust and

cooperation in ensuring condentiality.